Unable to see auth.log events in Dashboard


Mitchell Kingsley

Aug 16, 2022, 8:38:54 AM8/16/22
to Wazuh mailing list
Hey!
I am fairly new to Wazuh, so please bear with me.
I currently have a `wazuh-monitor` set up with a single `wazuh-agent`. They are configured as such:
- agent:
    - FreeBSD 13.1-Release
    - v4.1.5
    - Installed through pkg
- monitor:
    - Debian 10
    - Installed through apt.

The issue that I have been having is that the `agent` seems to be able to connect to the `monitor` without any issues, and I am able to see certain alerts, such as

Host-based anomaly detection event (rootcheck).
or
System Audit event


However, I am failing to see anything in the monitor from my `auth.log` logcollector rule. In my agent's `ossec.conf` I have the following stanza:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
</localfile>


and I can see the following log output on the agent's `ossec.log` whenever I make an authentication attempt:

2022/08/15 19:09:13 ossec-logcollector[71163] read_syslog.c:97 at read_syslog(): DEBUG: Reading syslog message: 'Aug 15 19:09:13 <authpriv.notice> test-agent sudo[71465]:   '...
2022/08/15 19:09:13 ossec-logcollector[71163] read_syslog.c:134 at read_syslog(): DEBUG: Read 1 lines from /var/log/auth.log


Looking at the `ossec.log` file on the monitor side, I don't see any movement or alerts when an authentication attempt is made, and it seems to me like the messages are not making it there. I have confirmed that a connection between the agent and monitor is made on service restart on the agent:

2022/08/15 19:11:31 ossec-agentd: INFO: Trying to connect to server (REDACTED:1514/tcp).
2022/08/15 19:11:31 ossec-agentd: INFO: (4102): Connected to the server (REDACTED:1514/tcp).

Any guidance on what kind of steps I could take to get these logs to show up on the dashboard would be greatly appreciated, I am fairly stumped.

Thanks!
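Added example, not from the post above and not Wazuh's own code: a simplified Python model of the syslog header pre-decoding step that runs before any decoder or rule, applied to a constructed standard auth.log line and to a line shaped like the one in the agent's debug output (FreeBSD's `<authpriv.notice>` facility/priority token sitting between the timestamp and the hostname). The regular expression, the `strip_facility_token` helper and the sudo message body are assumptions made for the example; the real predecoder may be more lenient, so treat this only as a way to see how the two header layouts differ.

```python
"""Simplified model of syslog header pre-decoding (illustration only).

Wazuh splits a <log_format>syslog</log_format> line into timestamp, hostname
and program_name before decoders and rules run.  The regex below is an
ASSUMED, stricter approximation written for this example, not Wazuh code.
"""
import re
from typing import Optional

# Assumed canonical BSD-syslog header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<message>.*)$"
)

# FreeBSD syslogd can write "<facility.priority>" right after the timestamp;
# the agent's debug line in the post shows exactly that ("<authpriv.notice>").
FACILITY_TOKEN = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"<(?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)> "
)

# Constructed sample lines for this example; only the header shape matters.
LINUX_LINE = (
    "Aug 15 19:09:13 test-agent sudo[71465]:     alice : TTY=pts/0 ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id"
)
FREEBSD_LINE = (
    "Aug 15 19:09:13 <authpriv.notice> test-agent sudo[71465]:     alice : "
    "TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id"
)


def predecode(line: str) -> Optional[dict]:
    """Return timestamp/hostname/program_name/pid/message, or None if the
    header does not fit the assumed canonical layout."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def strip_facility_token(line: str) -> str:
    """Remove a leading "<facility.priority> " token if present, so the
    line can be compared against the canonical layout."""
    m = FACILITY_TOKEN.match(line)
    if not m:
        return line
    return line[: m.end("timestamp")] + " " + line[m.end():]


def compare(line: str) -> dict:
    """Show what the model extracts before and after removing the token."""
    return {
        "as_logged": predecode(line),
        "without_token": predecode(strip_facility_token(line)),
    }


if __name__ == "__main__":
    for label, sample in (("linux", LINUX_LINE), ("freebsd", FREEBSD_LINE)):
        result = compare(sample)
        print(f"{label}: as logged -> {result['as_logged']}")
        print(f"{label}: token removed -> {result['without_token']}")
```

The authoritative check is to paste both lines into the manager's logtest tool (`/var/ossec/bin/wazuh-logtest`, `ossec-logtest` on older 4.x releases) and look at the `program_name` and rule that the real engine reports. Two caveats worth keeping in mind while debugging this thread's symptom: the dashboard reads the alerts index, so an event that matches no rule at or above the manager's `log_alert_level` never reaches it; and `logall` writes every received event to the manager's `logs/archives/archives.log`, not to `alerts.log`, so checking archives is the quickest way to confirm whether the agent's lines arrive at all.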

Tomas Benitez Vescio

Aug 16, 2022, 9:57:16 AM8/16/22
to Wazuh mailing list
Hello. Thanks for using Wazuh!
I will be looking for more information about this and will return as soon as I have more information. In the meantime, you can ensure that the time is correctly configured in the Wazuh manager; if not, set the correct time and refresh the dashboard. Also, I understand that you want to see an alert when an authentication attempt is made; you can check out this page of the documentation and see how the log collection works and how you can set up an alert with rule matching in the case of an authentication attempt.
Regards.

Mitchell Kingsley

Aug 16, 2022, 2:26:15 PM8/16/22
to Wazuh mailing list
Thanks for looking into it!
As far as I can tell the time is correctly configured.

I currently have log-all enabled, so I would expect the authentication rule would be visible.

Tomas Benitez Vescio

Sep 12, 2022, 11:43:11 AM9/12/22
to Wazuh mailing list
Sorry for the delay,
Do you have any updates on the issue? Did you get it working?
Regards
