Audit Wazuh Dashboard users


Майкл Миколайович
Mar 2, 2026, 7:47:57 AM
to Wazuh | Mailing List

Hello,

Could you please help me understand the following issue?

I am using Wazuh 4.13.1. I need to configure logging for successful and unsuccessful login attempts, as well as user actions performed during authentication in the Wazuh Dashboard. Specifically, I need to log the following events to a file:

  • Successful login attempts

  • Failed login attempts

  • Attempts to escalate privileges or modify permissions

I have made the following changes:

/etc/wazuh-indexer/opensearch.yml

```yaml
plugins.security.audit.type: log4j
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.disabled_rest_categories: [NONE]
plugins.security.audit.config.disabled_transport_categories: [NONE]
plugins.security.audit.config.ignore_users: [ ]
plugins.security.audit.config.log_request_body: false
```

/etc/wazuh-indexer/log4j2.properties

```properties
appender.audit.type = RollingFile
appender.audit.name = AUDIT_FILE
appender.audit.fileName = /var/log/wazuh-indexer/opensearch_audit.log
appender.audit.filePattern = /var/log/wazuh-indexer/opensearch_audit-%d{yyyy-MM-dd}.log.gz
appender.audit.layout.type = PatternLayout
appender.audit.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %m%n
appender.audit.policies.type = Policies
appender.audit.policies.time.type = TimeBasedTriggeringPolicy
appender.audit.policies.time.interval = 1
appender.audit.policies.time.modulate = true
logger.audit.name = audit
logger.audit.level = info
logger.audit.appenderRef.audit.ref = AUDIT_FILE
logger.audit.additivity = false
```

In the opensearch_audit.log file, I can only see failed_login events. However, I do not see any successful authentication events or events triggered when attempting to change permissions.

Could you please help me understand what I am doing wrong and how this mechanism works?

Thank you in advance

juan.c...@wazuh.com
Mar 2, 2026, 8:30:05 AM
to Wazuh | Mailing List
Hi Майкл, it's possible that some of the audit categories required for login, privilege escalation or permissions change might be disabled in OpenSearch by default.
You should be able to check which configurations are enabled for the plugin with an API request:
```
curl -k -u admin:password \
https://localhost:9200/_plugins/_security/api/audit
```

juan.c...@wazuh.com
Mar 6, 2026, 3:39:19 PM
to Wazuh | Mailing List
Hi Майкл, to add to my previous answer, having `plugins.security.audit.config.enable_rest: true` and `plugins.security.audit.config.enable_transport: true` does not guarantee that all authentication-related events are logged.

Successful logins are controlled by audit categories like AUTHENTICATED and GRANTED_PRIVILEGES.

That's why taking a look at the current configurations via the API can help you determine if any of the authenticated categories are missing and, in that case, update audit configuration via API or config to explicitly enable them.

Here is also a link to the documentation on how the audit configuration works that you might find useful: https://docs.opensearch.org/latest/security/audit-logs/index/
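As an added illustration of the check described in this answer (this is example code, not part of the thread and not Wazuh's or OpenSearch's own tooling): a small Python helper that takes the JSON returned by `GET /_plugins/_security/api/audit`, reports which of the categories needed for successful-login auditing sit in the `disabled_*_categories` lists, and builds the corrected body for `PUT /_plugins/_security/api/audit/config`. The response below is a constructed sample; its shape follows the OpenSearch Security audit API as far as I know it, and the `_readonly` handling is an assumption.

```python
import copy
import json

# Constructed sample of a GET /_plugins/_security/api/audit response; the
# values are made up to mirror a cluster where the two categories are disabled.
SAMPLE_AUDIT_RESPONSE = json.loads("""
{
  "_readonly": [],
  "config": {
    "enabled": true,
    "audit": {
      "enable_rest": true,
      "enable_transport": true,
      "disabled_rest_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
      "disabled_transport_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
      "ignore_users": [],
      "log_request_body": false
    },
    "compliance": {"enabled": true}
  }
}
""")

# Categories that must not be disabled if successful logins and granted
# permission changes are to reach the audit log (named in the answer above).
REQUIRED_CATEGORIES = ("AUTHENTICATED", "GRANTED_PRIVILEGES")


def disabled_required_categories(audit_response, required=REQUIRED_CATEGORIES):
    """Return {"rest": [...], "transport": [...]}: required categories that the
    live config has disabled on each layer (case-insensitive comparison)."""
    audit = audit_response["config"]["audit"]
    result = {}
    for layer in ("rest", "transport"):
        disabled = {c.upper() for c in audit.get(f"disabled_{layer}_categories", [])}
        result[layer] = sorted(c for c in required if c.upper() in disabled)
    return result


def enable_categories(audit_response, required=REQUIRED_CATEGORIES):
    """Build the PUT /_plugins/_security/api/audit/config body with the required
    categories removed from both disabled lists. Every other setting is copied
    unchanged; "_readonly" is dropped as it is assumed not to belong in the body."""
    config = copy.deepcopy(audit_response["config"])
    wanted = {c.upper() for c in required}
    for layer in ("rest", "transport"):
        key = f"disabled_{layer}_categories"
        config["audit"][key] = [c for c in config["audit"].get(key, []) if c.upper() not in wanted]
    return config
```

Feed the real API output into `disabled_required_categories` first; if either list is non-empty, the audit log cannot contain successful logins regardless of the `enable_rest` / `enable_transport` settings.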
