Hello,
Could you please help me understand the following issue?
I am using Wazuh 4.13.1. I need to configure logging for successful and unsuccessful login attempts, as well as user actions performed during authentication in the Wazuh Dashboard. Specifically, I need to log the following events to a file:
Successful login attempts
Failed login attempts
Attempts to escalate privileges or modify permissions
I have made the following changes:
/etc/wazuh-indexer/opensearch.yml
plugins.security.audit.type: log4j
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.disabled_rest_categories: [NONE]
plugins.security.audit.config.disabled_transport_categories: [NONE]
plugins.security.audit.config.ignore_users: [ ]
plugins.security.audit.config.log_request_body: false
/etc/wazuh-indexer/log4j2.properties
appender.audit.type = RollingFile
appender.audit.name = AUDIT_FILE
appender.audit.fileName = /var/log/wazuh-indexer/opensearch_audit.log
appender.audit.filePattern = /var/log/wazuh-indexer/opensearch_audit-%d{yyyy-MM-dd}.log.gz
appender.audit.layout.type = PatternLayout
appender.audit.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %m%n
appender.audit.policies.type = Policies
appender.audit.policies.time.type = TimeBasedTriggeringPolicy
appender.audit.policies.time.interval = 1
appender.audit.policies.time.modulate = true
logger.audit.name = audit
logger.audit.level = info
logger.audit.appenderRef.audit.ref = AUDIT_FILE
logger.audit.additivity = false
In the opensearch_audit.log file, I can only see failed_login events. However, I do not see any successful authentication events or events triggered when attempting to change permissions.
Could you please help me understand what I am doing wrong and how this mechanism works?
Thank you in advance
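A worked example added here (it is not part of the post above, nor Wazuh or OpenSearch code) that shows how the three requested events map onto the security plugin's audit categories and why a configuration can leave only FAILED_LOGIN in the file. It assumes the following, which is worth checking first: the security plugin keeps its audit configuration in the security index (the audit.yml loaded with securityadmin, or the `_plugins/_security/api/audit` REST resource), the `plugins.security.audit.*` keys in opensearch.yml only seed that stored configuration when none exists yet, and the shipped default disables the AUTHENTICATED and GRANTED_PRIVILEGES categories and ignores the kibanaserver user. The two configuration dictionaries and the log lines are constructed for the example; the JSON field names (`audit_category`, `audit_rest_request_path`, `audit_rest_request_method`, `audit_request_effective_user`) are the ones the plugin writes, and the function names are mine.

```python
"""Check which audit events an OpenSearch security-plugin audit config will
actually write, and bucket audit log lines into the events the post asks for.
Added example; not code from the original post, Wazuh or OpenSearch."""
import json
from collections import Counter

# REST-layer categories the plugin can emit (values of the audit_category field).
REST_CATEGORIES = frozenset({
    "FAILED_LOGIN", "MISSING_PRIVILEGES", "BAD_HEADERS", "SSL_EXCEPTION",
    "OPENSEARCH_SECURITY_INDEX_ATTEMPT", "AUTHENTICATED", "GRANTED_PRIVILEGES",
})

# The post's requirements expressed as plugin categories. A denied attempt
# (MISSING_PRIVILEGES) and an allowed change (GRANTED_PRIVILEGES on the security
# API) are kept apart because the shipped default disables only the latter.
WANTED = {
    "successful_login": {"AUTHENTICATED"},
    "failed_login": {"FAILED_LOGIN"},
    "permission_change_denied": {"MISSING_PRIVILEGES"},
    "permission_change_allowed": {"GRANTED_PRIVILEGES"},
}
SECURITY_API_PREFIX = "/_plugins/_security/api/"   # users, roles, role mappings
WRITE_METHODS = {"PUT", "PATCH", "DELETE", "POST"}

# Constructed: the shipped audit.yml defaults, in the shape returned under
# "config" by GET _plugins/_security/api/audit (assumption: shape as documented).
DEFAULT_AUDIT_CONFIG = {
    "enabled": True,
    "audit": {
        "enable_rest": True,
        "disabled_rest_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
        "enable_transport": True,
        "disabled_transport_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
        "ignore_users": ["kibanaserver"],
        "log_request_body": True,
    },
    "compliance": {"enabled": True, "internal_config": True},
}

# Constructed: the post's opensearch.yml values carried into the same structure
# (what one would PUT to _plugins/_security/api/audit/config).
POST_AUDIT_CONFIG = {
    "enabled": True,
    "audit": {
        "enable_rest": True,
        "disabled_rest_categories": ["NONE"],
        "enable_transport": True,
        "disabled_transport_categories": ["NONE"],
        "ignore_users": [],
        "log_request_body": False,
    },
    "compliance": {"enabled": True, "internal_config": True},
}

# Constructed log lines in the post's log4j pattern (timestamp, level, logger,
# then the JSON event); only the fields this example reads are included.
SAMPLE_LOG = """\
[2025-01-15T10:00:00,001][INFO ][audit] {"audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_plugins/_security/authinfo","audit_rest_request_method":"GET"}
[2025-01-15T10:00:05,002][INFO ][audit] {"audit_category":"AUTHENTICATED","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_plugins/_security/authinfo","audit_rest_request_method":"GET"}
[2025-01-15T10:01:00,003][INFO ][audit] {"audit_category":"MISSING_PRIVILEGES","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_plugins/_security/api/rolesmapping/all_access","audit_rest_request_method":"PUT"}
[2025-01-15T10:02:00,004][INFO ][audit] {"audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"REST","audit_request_effective_user":"admin","audit_rest_request_path":"/_plugins/_security/api/rolesmapping/all_access","audit_rest_request_method":"PUT"}
[2025-01-15T10:02:01,005][INFO ][audit] {"audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"REST","audit_request_effective_user":"kibanaserver","audit_rest_request_path":"/.kibana/_search","audit_rest_request_method":"POST"}
"""


def effective_rest_categories(cfg):
    """REST categories that will be written under this config object."""
    audit = cfg["audit"]
    if not cfg.get("enabled", True) or not audit.get("enable_rest", True):
        return frozenset()
    disabled = audit.get("disabled_rest_categories", [])
    if isinstance(disabled, str):          # accept "NONE" as well as ["NONE"]
        disabled = [disabled]
    disabled = {c.upper() for c in disabled} - {"NONE"}
    return REST_CATEGORIES - disabled


def coverage(cfg):
    """For each wanted event kind: will this config put it in the log at all?"""
    enabled = effective_rest_categories(cfg)
    return {kind: bool(cats & enabled) for kind, cats in WANTED.items()}


def classify(line):
    """Bucket one audit log line; the JSON event starts at the first '{'."""
    event = json.loads(line[line.index("{"):])
    cat = event.get("audit_category")
    path = event.get("audit_rest_request_path", "")
    method = event.get("audit_rest_request_method", "")
    writes_security_api = path.startswith(SECURITY_API_PREFIX) and method in WRITE_METHODS
    if cat == "AUTHENTICATED":
        kind = "successful_login"
    elif cat == "FAILED_LOGIN":
        kind = "failed_login"
    elif cat == "MISSING_PRIVILEGES" and writes_security_api:
        kind = "permission_change_denied"     # attempted escalation, refused
    elif cat == "GRANTED_PRIVILEGES" and writes_security_api:
        kind = "permission_change_allowed"    # users/roles/mappings edited
    else:
        kind = "other"
    return {"kind": kind, "category": cat, "path": path,
            "user": event.get("audit_request_effective_user")}


def summarize(log_text, cfg):
    """Count, per kind, the lines this config would actually have written:
    category enabled and effective user not in ignore_users."""
    enabled = effective_rest_categories(cfg)
    ignored = set(cfg["audit"].get("ignore_users", []))
    counts = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        ev = classify(line)
        if ev["category"] in enabled and ev["user"] not in ignored:
            counts[ev["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, cfg in (("shipped default", DEFAULT_AUDIT_CONFIG),
                      ("post's settings", POST_AUDIT_CONFIG)):
        print(name, coverage(cfg), summarize(SAMPLE_LOG, cfg))
```

Run against the shipped default, the same five lines collapse to one FAILED_LOGIN and one MISSING_PRIVILEGES entry, which is the symptom described in the post; with the post's settings applied to the stored configuration, all four kinds survive. The stored configuration can be read with `GET _plugins/_security/api/audit` and changed with `PUT _plugins/_security/api/audit/config` (or by loading an audit.yml with securityadmin); the compliance section's `internal_config` flag additionally records writes to the security index itself under a separate COMPLIANCE category, which is another place to look for permission changes.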