Wazuh configuration "internal audit"


Francis Duval

Dec 2, 2020, 2:46:49 PM
to Wazuh mailing list
Maybe I've overlooked something, but is there an internal audit log to log user modifications to rules or settings on the Wazuh server?


Jose Luis Carreras Marin

Dec 3, 2020, 3:51:28 AM
to Wazuh mailing list
Hello fduvalbl, 
Different points that can help you:

- The audit log can be found at /var/log/audit/audit.log
- If you activate the debug mode for syscheck in the internal configuration of the agent (/var/ossec/etc/local_internal_options.conf) (syscheck.debug=2; you need to restart after that), you can see in the Wazuh log (/var/ossec/logs/ossec.log) some messages indicating that a new rule has been added to audit, for example:

2020/12/03 09:38:23 ossec-syscheckd [3603] syscheck_audit.c:1127 at audit_reload_rules(): DEBUG: (6275): Reloading Audit rules.
2020/12/03 09:38:23 ossec-syscheckd [3603] audit_op.c:74 at audit_print_reply(): DEBUG: Audit rule loaded: -w /testdir -p wa -k wazuh_fim

- It is also possible to see a list of all active rules in audit with the command auditctl -l
- You can read related and interesting information in this blog about how to monitor root actions with audit: 

I hope I have been helpful; for any other questions you may have, do not hesitate to ask.
Greetings, Jose

Jose Luis Carreras Marin

Dec 3, 2020, 5:09:16 AM
to Wazuh mailing list
I've read your question again, and now I'm not sure if that was the answer you were looking for.
If you are interested in having alerts for Wazuh server configuration files and rules, you should monitor the configuration and rule files with our FIM module (syscheck) with report_changes, something like this:
<syscheck>
   <directories whodata="yes" report_changes="yes">/var/ossec/etc</directories>
</syscheck>
On the manager's side.


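As an added example (not code from the original thread and not part of Wazuh), here is a small Python script showing what the syscheck configuration above buys you: it reads alerts in the one-JSON-object-per-line layout of /var/ossec/logs/alerts/alerts.json, keeps the FIM events under /var/ossec/etc, attributes each change to the whodata actor and process, and flags the cases a reviewer of an "internal audit" trail cares about (edits by unexpected accounts, deleted rule or decoder files, a rule level changed to 0, and changes with no actor because whodata was not available). The alert field names (rule.id, syscheck.path, syscheck.event, syscheck.diff, syscheck.audit.*), the plain diff format of the report_changes field, the EXPECTED_EDITORS set and the sample alert lines are all assumptions or constructed data; check them against your own alerts.json.

```python
"""Build an 'internal audit' trail of who changed what under /var/ossec/etc
from Wazuh FIM (syscheck) alerts.

Added example, not Wazuh project code. Assumes the alert layout of
/var/ossec/logs/alerts/alerts.json (one JSON object per line) with
rule.id, syscheck.path, syscheck.event, syscheck.diff and, when
whodata="yes" is configured, syscheck.audit.{login_user,user,process}.
"""
import json
import re

WATCHED_PREFIX = "/var/ossec/etc"            # the <directories> entry from the thread
EXPECTED_EDITORS = {"root", "wazuh-admin"}   # assumption: accounts allowed to edit rules

# Constructed sample alerts, not real data. The diff field uses plain
# 'diff' output, which is what report_changes produces (assumption).
SAMPLE_ALERTS = r'''
{"timestamp":"2020-12-03T10:12:44.000+0100","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"000","name":"wazuh-manager"},"syscheck":{"path":"/var/ossec/etc/rules/local_rules.xml","event":"modified","diff":"3c3\n<   <rule id=\"100001\" level=\"3\">\n---\n>   <rule id=\"100001\" level=\"0\">\n","audit":{"user":{"name":"alice"},"login_user":{"name":"alice"},"process":{"name":"/usr/bin/vim","id":"4321"}}}}
{"timestamp":"2020-12-03T10:20:01.000+0100","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"000","name":"wazuh-manager"},"syscheck":{"path":"/var/ossec/etc/ossec.conf","event":"modified","diff":"12c12\n<     <email_notification>no</email_notification>\n---\n>     <email_notification>yes</email_notification>\n","audit":{"user":{"name":"root"},"login_user":{"name":"root"},"process":{"name":"/usr/bin/sed","id":"4410"}}}}
{"timestamp":"2020-12-03T10:25:30.000+0100","rule":{"id":"553","level":7,"description":"File deleted."},"agent":{"id":"000","name":"wazuh-manager"},"syscheck":{"path":"/var/ossec/etc/decoders/local_decoder.xml","event":"deleted","audit":{"user":{"name":"root"},"login_user":{"name":"root"},"process":{"name":"/usr/bin/rm","id":"4502"}}}}
{"timestamp":"2020-12-03T11:00:00.000+0100","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"000","name":"wazuh-manager"},"syscheck":{"path":"/var/ossec/etc/ossec.conf","event":"modified"}}
{"timestamp":"2020-12-03T11:01:12.000+0100","rule":{"id":"5715","level":3,"description":"sshd: authentication success."},"agent":{"id":"000","name":"wazuh-manager"},"data":{"srcuser":"alice"}}
{"timestamp":"2020-12-03T11:02:00.000+0100","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"id":"000","name":"wazuh-manager"},"syscheck":{"path":"/etc/hosts","event":"modified"}}
this line is not JSON and must be skipped
'''


def parse_alerts(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def fim_change(alert, prefix=WATCHED_PREFIX):
    """Return an audit record for a syscheck alert under prefix, else None."""
    sc = alert.get("syscheck")
    if not sc or not sc.get("path", "").startswith(prefix):
        return None
    audit = sc.get("audit") or {}
    # login_user is the account that logged in (survives sudo); fall back to user.
    actor = ((audit.get("login_user") or {}).get("name")
             or (audit.get("user") or {}).get("name"))
    rec = {
        "time": alert.get("timestamp"),
        "path": sc["path"],
        "event": sc.get("event", "unknown"),
        "actor": actor,                      # None: no whodata, change cannot be attributed
        "process": (audit.get("process") or {}).get("name"),
        "diff": sc.get("diff", ""),
        "flags": [],
    }
    if actor is None:
        rec["flags"].append("no-actor")
    elif actor not in EXPECTED_EDITORS:
        rec["flags"].append("unexpected-editor")
    if "/rules/" in sc["path"] or "/decoders/" in sc["path"]:
        if rec["event"] == "deleted":
            rec["flags"].append("ruleset-file-deleted")
        # A '>' line in the diff is the new content; level="0" silences a rule.
        if re.search(r'^>.*level="0"', rec["diff"], re.M):
            rec["flags"].append("rule-level-zeroed")
    return rec


def audit_trail(text, prefix=WATCHED_PREFIX):
    """All FIM records under prefix, in alert order."""
    return [r for r in (fim_change(a, prefix) for a in parse_alerts(text)) if r]


def format_trail(recs):
    """One human-readable line per change."""
    lines = []
    for r in recs:
        who = r["actor"] or "<unknown>"
        via = f" via {r['process']}" if r["process"] else ""
        flags = f" [{', '.join(r['flags'])}]" if r["flags"] else ""
        lines.append(f"{r['time']} {r['event']:8} {r['path']} by {who}{via}{flags}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with open('/var/ossec/logs/alerts/alerts.json').read()
    print(format_trail(audit_trail(SAMPLE_ALERTS)))
```

Run it on the real alerts.json and the "no-actor" flag is the quick way to spot changes that went through a scheduled scan rather than whodata, i.e. edits you can see but cannot attribute; that is the gap the whodata="yes" attribute in the configuration above closes.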

Francis Duval

Dec 3, 2020, 1:40:30 PM
to Wazuh mailing list
It was mostly to know if there was an option to activate, like in Elastic, to get the audit log. Since this is the way to go, I implemented your second option, with the FIM.

Thanks for your quick answer
