Unable to see sshd logs in wazuh


Chen Guan Sai

Jun 21, 2022, 6:15:37 AM
to Wazuh mailing list
I have my ossec.conf config file set to default in my Linux client, and added all the sshd rules to the local_rules.xml from https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml.

Is there anything I need to add to my ossec.conf file so it appears on my Wazuh dashboard? Thank you.

Andres Micalizzi

Jun 21, 2022, 7:55:21 AM
to Wazuh mailing list
Hi Chen,
Thanks for using Wazuh.

For rules located in /var/ossec/ruleset/rules, you don't need to copy them to local_rules.xml. Your alerts should appear normally on the dashboard.

For example, using a clean all-in-one installation of Wazuh, I try to ssh with a wrong user into the machine with: ssh fake...@192.168.56.3, and I get the following alert:

** Alert 1655812245.503904: - syslog,sshd,authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7$
2022 Jun 21 11:50:45 c3->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55702
Jun 21 11:50:43 c3 sshd[7136]: Invalid user fake-user from 192.168.56.1 port 55702

With the alert appearing on the dashboard under security events, as you can see in the attached image.

dash1.png

If you have a different result on the dashboard, have you checked that the alert is generated in the alerts.log file?

Cheers.
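
The suggestion above is to confirm that the alert actually reaches alerts.log before looking at the dashboard. As an added example (not part of the thread or of Wazuh's own tooling), the Python below parses text in the alerts.log layout quoted in the post and groups alerts by the agent or host they came from, which tells you whether any alert from the endpoint is arriving at the manager at all. The sample text is constructed: the first two alerts copy the manager-local "c3->/var/log/secure" location form from the post; the third uses the "(agent-name) ip->location" form that the manager writes for alerts forwarded by an agent, which is an assumption from memory rather than something shown in the thread.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log layout quoted in the thread.
SAMPLE_ALERTS = """\
** Alert 1655812245.503904: - syslog,sshd,authentication_failed,
2022 Jun 21 11:50:45 c3->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55702
Jun 21 11:50:43 c3 sshd[7136]: Invalid user fake-user from 192.168.56.1 port 55702

** Alert 1655812260.504000: - syslog,sshd,authentication_failed,
2022 Jun 21 11:51:00 c3->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55710
Jun 21 11:50:58 c3 sshd[7140]: Invalid user fake-user from 192.168.56.1 port 55710

** Alert 1655812300.504100: - syslog,sshd,authentication_failed,
2022 Jun 21 11:51:40 (linux-endpoint) 192.168.56.10->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55810
Jun 21 11:51:38 endpoint sshd[2210]: Invalid user fake-user from 192.168.56.1 port 55810
"""

# "** Alert <id>: [flag] - <comma-separated groups>"
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?:(?P<flag>\w+) )?- (?P<groups>.*)$")
# Manager-local form "host->location" (from the post) or, assumed, the
# agent form "(agent-name) ip->location".
LOCATION = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>.*)$"
)
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' block."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {
                "id": m["id"],
                "groups": [g for g in m["groups"].split(",") if g],
                "source": None, "location": None,
                "rule": None, "level": None, "description": None,
                "src_ip": None, "log": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = LOCATION.match(line)
        if m and current["source"] is None:
            # Agent name when present, otherwise the manager's own hostname.
            current["source"] = m["agent"] or m["host"]
            current["location"] = m["location"]
            continue
        m = RULE.match(line)
        if m:
            current["rule"] = int(m["rule"])
            current["level"] = int(m["level"])
            current["description"] = m["desc"]
            continue
        if line.startswith("Src IP: "):
            current["src_ip"] = line[len("Src IP: "):]
        elif not line.startswith("Src Port: "):
            current["log"].append(line)  # the raw event line(s)
    return alerts


def alerts_by_source(alerts):
    """Count alerts per originating agent/host: an endpoint missing here never reached the manager."""
    return Counter(a["source"] for a in alerts)


def missing_sources(alerts, expected_sources):
    """Return the expected agent/host names that have produced no alert at all."""
    return set(expected_sources) - set(alerts_by_source(alerts))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for source, count in alerts_by_source(parsed).items():
        print(f"{source}: {count} alert(s)")
    print("no alerts from:", missing_sources(parsed, ["c3", "linux-endpoint", "other-agent"]))
```

On a real manager you would read /var/ossec/logs/alerts/alerts.log (path assumed) into parse_alerts instead of the sample; if the endpoint's name never appears as a source, the problem is upstream of the ruleset, in the agent's log collection or its connection to the manager, not in the dashboard.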

Chen Guan Sai

Jun 21, 2022, 9:31:39 PM
to Wazuh mailing list
Hi sir,

I am unable to see the alert in my /var/ossec/alerts/alerts.log file in the Wazuh manager. I can only see login attempts to my wazuh-manager.
I am unable to see any events from my Linux endpoint.
Do I have to change anything in order to see them? Thanks!

Andres Micalizzi

Jun 27, 2022, 8:59:19 AM
to Wazuh mailing list
Hi Chen,
Sorry for the late reply.

Does the Linux endpoint you are trying to monitor have the agent currently installed and running? If that is the case, have you checked the agent's status? You can use /var/ossec/bin/wazuh-control status to check that all modules are properly running.

Also, I would recommend you check the agent's ossec.log file, in order to see if it is properly connecting to the manager. You can also check this from the manager: /var/ossec/bin/manage_agents lists all registered agents, and /var/ossec/bin/agent_control -l lists all agents and their current status. You should check that your Linux endpoint is registered and its status is active (or at least that it has changed from never_connected).

Check that out, so we can try to debug where the issue is.
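
The check above boils down to reading the status column of agent_control -l and acting on any agent that is not active. As an added example (not from the thread and not part of Wazuh), the Python below parses text in that listing's layout and returns the agents that need attention together with the next check for each status. The listing layout ("ID: 001, Name: ..., IP: ..., Active") and the status words are recalled from memory, so they are an assumption, and the sample listing is constructed; when run as a script on a manager it calls /var/ossec/bin/agent_control -l itself.

```python
import re
import subprocess

# Constructed sample in the assumed layout of `/var/ossec/bin/agent_control -l`.
SAMPLE_AGENT_LIST = """\
Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: linux-endpoint, IP: any, Never connected
   ID: 002, Name: web-01, IP: 192.168.56.20, Active
   ID: 003, Name: db-01, IP: any, Disconnected
"""

AGENT_LINE = re.compile(
    r"^\s*ID: (?P<id>\d+), Name: (?P<name>.+?), IP: (?P<ip>\S+), (?P<status>.+?)\s*$"
)

# Statuses that mean the agent is fine; anything else gets a next step.
HEALTHY = {"Active", "Active/Local"}
NEXT_CHECK = {
    "Never connected": "agent has never reached the manager: confirm it is running "
                       "(wazuh-control status) and read the agent's ossec.log for connection errors",
    "Disconnected": "agent connected before but not now: restart the agent and check "
                    "the agent's ossec.log and network path to the manager",
    "Pending": "agent is mid-connection: wait a moment, then list agents again",
}


def parse_agent_list(text):
    """Turn agent_control -l output into a list of {id, name, ip, status} dicts."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.match(line)
        if m:
            agents.append({k: m[k] for k in ("id", "name", "ip", "status")})
    return agents


def agents_needing_attention(agents):
    """Pair each non-active agent with the check to run next."""
    return [
        (a["name"], a["status"], NEXT_CHECK.get(a["status"], "unknown status: inspect manually"))
        for a in agents
        if a["status"] not in HEALTHY
    ]


def triage(text):
    """Convenience wrapper: raw listing text in, (name, status, next check) tuples out."""
    return agents_needing_attention(parse_agent_list(text))


if __name__ == "__main__":
    # On a manager, read the live listing; fall back to the constructed sample elsewhere.
    try:
        listing = subprocess.run(
            ["/var/ossec/bin/agent_control", "-l"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_AGENT_LIST
    for name, status, hint in triage(listing):
        print(f"{name} [{status}]: {hint}")
```

An endpoint listed as "Never connected" has registered a key but never completed a connection, which is exactly the situation where no alert from it can show up in alerts.log; the agent's own ossec.log is where the cause is recorded.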