Log files monitoring


YASHWANTH S

Nov 9, 2023, 3:11:15 AM11/9/23
to Wazuh | Mailing List
Hi 


I need to monitor a log (e.g. the auth.log file) on my remote server. Will it be able to send alerts when someone changes existing log entries, as well as when someone adds new entries, and not generate alerts for the default logs that are printed as usual?

Olusegun Adenrele Oyebo

Nov 9, 2023, 6:00:42 AM11/9/23
to Wazuh | Mailing List
Hello Yashwanth,

Thank you for using Wazuh.

You can use the File Integrity Monitoring (FIM) module to monitor changes to files and directories. You can set which paths or files to monitor in the configuration of the Wazuh agents and manager.

FIM stores the files' checksums and other attributes in a local FIM database. Upon a scan, the Wazuh agent reports any changes the FIM module finds in the monitored paths to the Wazuh server. The FIM module looks for file modifications by comparing the checksums of a file to its stored checksums and attribute values. It generates an alert if it finds discrepancies. You can check this link for more information on how it works.

To configure the FIM module, you'll need to specify the directories where the FIM module must monitor the creation, modification, and deletion of files or configure the specific files you need to monitor. You can specify the file or directory to monitor on the Wazuh server and the Wazuh agent configuration file. You can also configure this capability remotely using the centralized configuration file.

You have to set the files and directories to monitor with the directories option. You can also include multiple files and directories using comma-separated entries or by adding entries on multiple lines. You can configure FIM directories using * and ? wildcards in the same way you would use them in a shell or Command Prompt (cmd) terminal. For example, C:\Users\*\Downloads.

Any time the FIM module runs a scan, it triggers alerts if it finds modified files, depending on the changed file attributes. You can view these alerts on the Wazuh dashboard. You can check this link for more information on its configuration. I'll also add more links below which will help you configure it:
I hope this was helpful. Do not hesitate to reach out again if you have any other query.

Best regards.

YASHWANTH S

Nov 14, 2023, 12:20:48 AM11/14/23
to Wazuh | Mailing List
Hi,

I have tried FIM for my above logs, but it seems to alert me for every default log generated and added; I can't differentiate between default additions and suspicious file changes.

Can the log be monitored and alerted on for changes and additions of logs made by someone, and not for the default logs which are generated?
e.g. nginx logs and other audit logs, where the default addition of logs should not be alerted on, but it should alert for changing, adding to or tampering with the files by the addition of other logs?

Olusegun Adenrele Oyebo

Nov 16, 2023, 8:49:09 AM11/16/23
to Wazuh | Mailing List
Hello Yashwanth,

Thanks for reaching out again.

If there are specific files or folders you do not want the FIM module to scan, you can create exclusions. For example, if you set Wazuh to scan a directory but want to exclude a particular file in the directory from being scanned, you can create an exclusion for that file (reference). It can be done in either of two ways:
  • Using the ignore option: It allows one entry, either a file or a directory, per line. However, you can use multiple lines to add exclusions for multiple paths. The example below shows how you can ignore the regex match for the file extensions .log and .tmp. Replace FILEPATH/OF/MONITORED/FILE with your own file paths. Add the below settings to the Wazuh agent configuration file:
        Linux: /var/ossec/etc/ossec.conf
        Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
        macOS: /Library/Ossec/etc/ossec.conf

        <syscheck>
            <ignore>FILEPATH/OF/MONITORED/FILE</ignore>
            <ignore type="sregex">.log$|.tmp$</ignore>
        </syscheck>

    Restart the Wazuh agent with admin privilege to apply any configuration change:
        Linux: systemctl restart wazuh-agent
        Windows: Restart-Service -Name wazuh
        macOS: /Library/Ossec/bin/wazuh-control restart
  • Using custom rules: Another alternative is using rules of alert level 0. This method ignores the alerting of specific files and directories scanned by the FIM module. Alerts for level 0 rules are silent and the Wazuh server doesn't report them. In the configuration example below, you can see how to monitor the /var/www/htdocs/ directory on a Linux endpoint and use silent alerts for the /var/www/htdocs/private.html file. On a Linux endpoint, for example, add the below settings to the Wazuh agent /var/ossec/etc/ossec.conf configuration file:

        <syscheck>
            <directories>/var/www/htdocs</directories>
        </syscheck>

    Restart the Wazuh agent with administrator privilege to apply any configuration change:
        systemctl restart wazuh-agent

    On the Wazuh server, create the fim_ignore.xml file in the /var/ossec/etc/rules/ directory:
        touch /var/ossec/etc/rules/fim_ignore.xml

    Add the below rules to the fim_ignore.xml file:

        <group name="syscheck">
            <rule id="100345" level="0">
                <if_group>syscheck</if_group>
                <field name="file">/var/www/htdocs/private.html</field>
                <description>Ignore changes to $(file)</description>
            </rule>
        </group>

    The rule silences the FIM alert for the /var/www/htdocs/private.html file.

    Restart the Wazuh manager to apply the configuration changes:
        systemctl restart wazuh-manager

I hope this was helpful. Do not hesitate to reach out again if you need anything else.

Best regards. 
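The ignore option and level-0 rules above suppress alerts for a file entirely; they do not tell a normal daemon append apart from an edit to existing entries, which is what the question asks for. The following added example (not Wazuh's code, and not from this thread) shows the distinction in detection logic: it baselines a log file's size and the hash of exactly that prefix, then classifies a later change as a pure append or as a rewrite/truncation of what was already there. The log lines are constructed sample data.

```python
"""Classify a log-file change as a benign append or as tampering.

Added example, not Wazuh code: a whole-file checksum (as FIM keeps) changes
on every append, so it cannot separate "new lines arrived" from "old lines
were altered". Hashing the baseline-sized prefix can.
"""
import hashlib
import os
import tempfile


def snapshot(path):
    """Baseline: file size plus SHA-256 of the file at that size."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def classify_change(path, baseline):
    """Return 'unchanged', 'append', 'truncated' or 'modified'.

    'append' means the baselined bytes are intact as a prefix and only new
    bytes follow; 'modified' and 'truncated' mean existing entries changed.
    """
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "truncated"
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "modified"
    return "append" if size > baseline["size"] else "unchanged"


def demo():
    """Constructed auth.log-style sample run through the four cases."""
    lines = [b"Nov  9 03:11:15 host sshd[101]: Accepted publickey for alice\n",
             b"Nov  9 03:12:40 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.writelines(lines)
        base = snapshot(path)
        results = {"same": classify_change(path, base)}
        with open(path, "ab") as f:  # normal daemon append: benign
            f.write(b"Nov  9 03:13:02 host sshd[102]: Failed password for bob\n")
        results["append"] = classify_change(path, base)
        with open(path, "wb") as f:  # same-length in-place edit of line 2
            f.writelines([lines[0], lines[1].replace(b"alice", b"carol")])
        results["edit"] = classify_change(path, base)
        with open(path, "wb") as f:  # entries removed
            f.write(lines[0])
        results["wipe"] = classify_change(path, base)
    return results
```

Log rotation also shows up as "truncated", so re-baseline after each rotation (or key the baseline on the inode) before treating that result as tampering.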