Hi Premnath,
Hope you are doing well. Thank you for using Wazuh.
Your server needs to log information about the IP addresses that viewed and uploaded files on your server. If there is any file where your server keeps this log, for example a web access log or an FTP upload data log, you can forward those log files to the Wazuh server.
For this you need to have an agent installed on your server. To get help with agent installation, check this document:
https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
Next, inside the ossec.conf of the agent, configure the localfile option to read the log file of your server.
Ex:
<localfile>
  <!-- how the agent should parse the file; see the log_format reference below -->
  <log_format>syslog</log_format>
  <!-- path of the log file on the monitored server -->
  <location>/var/log/access.log</location>
</localfile>
Check this document for localfile:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
Check this document for the different log formats:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format
Next, check if relevant logs are forwarded to your Wazuh manager.
For this, you can try the following steps:
Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall
This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Look for any relevant logs inside the archives log. Use grep with keywords related to the log:
grep 'Keyword' /var/ossec/logs/archives/archives.log
Test those logs using logtest to find out if the logs are decoded by decoders and rules.
Check this document to get help with the logtest tool.
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
Based on the findings of your logtest, write custom decoders and rules:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
Check this document for Ruleset XML syntax:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/inde
I hope this helps. Please let me know if you need any further information.
Regards
Md. Nazmur Sakib
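As an added example (not part of the reply above), here is a custom decoder and rule pair for the web access log case the reply describes. It assumes Apache/nginx combined-format lines, that rule ids 100100-100102 are unused in your local rules, and uses a decoder name and the dynamic field names method and http_status that are my own choices; check the result with wazuh-logtest before restarting the manager.

```xml
<!-- Added example: /var/ossec/etc/decoders/local_decoder.xml on the manager.
     Assumes combined-format lines such as this constructed sample:
     203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/8.0" -->
<decoder name="custom-web-access">
  <!-- cheap check before the full regex runs -->
  <prematch>^\S+ \S+ \S+ [\S+ \S+] "</prematch>
  <!-- client IP, HTTP method, requested path, status code -->
  <regex>^(\S+) \S+ \S+ [\S+ \S+] "(\w+) (\S+) \S+" (\d+)</regex>
  <!-- srcip and url are Wazuh static fields; method and http_status become dynamic fields -->
  <order>srcip, method, url, http_status</order>
</decoder>

<!-- Added example: /var/ossec/etc/rules/local_rules.xml on the manager.
     Rule ids 100100-100102 are assumed free (custom rules use 100000-120000). -->
<group name="web,accesslog,local,">
  <!-- every decoded request: low level so it is archived but not noisy -->
  <rule id="100100" level="3">
    <decoded_as>custom-web-access</decoded_as>
    <description>Web request from $(srcip): $(method) $(url) (status $(http_status))</description>
  </rule>
  <!-- methods that carry an upload body -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="method">^POST$|^PUT$</field>
    <description>File upload attempt from $(srcip) to $(url)</description>
    <group>upload,</group>
  </rule>
  <!-- upload the server actually accepted (2xx response) -->
  <rule id="100102" level="9">
    <if_sid>100101</if_sid>
    <field name="http_status">^2\d\d$</field>
    <description>Successful file upload from $(srcip) to $(url)</description>
  </rule>
</group>
```

Paste the sample line into wazuh-logtest: the output should show decoder custom-web-access with srcip, method, url and http_status filled in, and rule 100102 firing.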