Hi Nepolean,
Hope you are doing well. Thank you for using Wazuh.
If you are using OpenSearch, you will need to add the following line to /etc/wazuh-indexer/opensearch.yml:
plugins.security.audit.type: internal_opensearch
Next, open /etc/wazuh-indexer/opensearch-security/audit.yml with vi and remove the "- AUTHENTICATED" entry from the excluded categories, so that they read:
    # Categories to exclude from REST API auditing
    disabled_rest_categories:
      - GRANTED_PRIVILEGES
    # Categories to exclude from Transport API auditing
    disabled_transport_categories:
      - GRANTED_PRIVILEGES
Save the configuration.
AUTHENTICATED enables logging of the "A user successfully authenticated" event.
Restart wazuh-indexer and wazuh-manager.
Next, from the web interface go to Security > Audit logs and check that "Enable audit logging" is turned on.
Then go to Index Management > Indices and search for "audit": you will be able to see the new indices related to security auditing. Check the screenshot for reference.
To get the logs on the dashboard, you need to add these indices to Wazuh. You can do this by following these steps:
Click the upper-left menu icon ☰ to open the options, and go to Stack Management:
Then click on Index patterns:
Once here, click on Create index pattern:
In the Index pattern name field, use the auditlog indices that were created.
After this, it's important that you refresh this index pattern so that the field information is shown properly.
You can then visualize the audit logs on the Discover tab on the dashboard.
For further information related to this topic, please refer to the official OpenSearch documentation:
I hope this helps. Please let me know if you need further information.
Regards,
Md. Nazmur Sakib
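The two file edits from the reply above (adding plugins.security.audit.type to opensearch.yml and dropping "- AUTHENTICATED" from both exclusion lists in audit.yml), as an added POSIX shell example that is not part of the original reply and not a Wazuh or OpenSearch script. The function names, the "$f.tmp" rewrite-and-rename approach, and the sample file contents in the demo are assumptions: the sample audit.yml only mirrors the layout of the exclusion lists and is constructed for the demo, not copied from the shipped file. With no arguments the script runs on throwaway copies in a temp directory; with two arguments it applies the same edits to the paths given.

```shell
#!/bin/sh
# Added example (not from the reply or from Wazuh): apply the two configuration
# changes described above. Run with no arguments to see them on constructed
# copies; pass the real paths to change the live files (run as root, back up first).
set -eu

KEY='plugins.security.audit.type'
KEY_RE='plugins\.security\.audit\.type'

# Ensure opensearch.yml routes audit events to the internal_opensearch sink.
# Replaces an existing value if the key is already there, otherwise appends the
# line, so running it twice does not duplicate the key.
enable_audit_type() {
  f="$1"
  if grep -q "^${KEY_RE}:" "$f"; then
    sed "s|^${KEY_RE}:.*|${KEY}: internal_opensearch|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf '%s: internal_opensearch\n' "$KEY" >> "$f"
  fi
}

# Delete every "- AUTHENTICATED" list item from audit.yml (both the REST and the
# transport exclusion lists) so that successful logins are audited. Other
# entries such as GRANTED_PRIVILEGES are left untouched.
remove_authenticated_exclusion() {
  f="$1"
  grep -Ev '^[[:space:]]*-[[:space:]]*AUTHENTICATED[[:space:]]*$' "$f" > "$f.tmp" || true
  mv "$f.tmp" "$f"
}

# Checks used after the edit: exit 0 when the condition holds.
audit_type_is_internal() {
  grep -q "^${KEY_RE}:[[:space:]]*internal_opensearch[[:space:]]*$" "$1"
}
excludes_authenticated() {
  grep -Eq '^[[:space:]]*-[[:space:]]*AUTHENTICATED[[:space:]]*$' "$1"
}

# Demo on constructed copies (assumed layout; not the shipped files).
demo() {
  d=$(mktemp -d)
  printf 'network.host: 0.0.0.0\n' > "$d/opensearch.yml"
  cat > "$d/audit.yml" <<'EOF'
config:
  audit:
    # Categories to exclude from REST API auditing
    disabled_rest_categories:
      - AUTHENTICATED
      - GRANTED_PRIVILEGES
    # Categories to exclude from Transport API auditing
    disabled_transport_categories:
      - AUTHENTICATED
      - GRANTED_PRIVILEGES
EOF
  enable_audit_type "$d/opensearch.yml"
  remove_authenticated_exclusion "$d/audit.yml"
  echo "== $d/opensearch.yml"; cat "$d/opensearch.yml"
  echo "== $d/audit.yml";      cat "$d/audit.yml"
  if audit_type_is_internal "$d/opensearch.yml" && ! excludes_authenticated "$d/audit.yml"; then
    echo "OK: audit sink set and AUTHENTICATED no longer excluded"
  fi
}

if [ "$#" -eq 2 ]; then
  # e.g. sh this.sh /etc/wazuh-indexer/opensearch.yml /etc/wazuh-indexer/opensearch-security/audit.yml
  enable_audit_type "$1"
  remove_authenticated_exclusion "$2"
else
  demo
fi
```

The edit is deliberately narrow: only lines that are exactly a "- AUTHENTICATED" list item are removed, so an unrelated line that merely mentions the word survives, and the opensearch.yml change is idempotent so re-running it after a config-management pass does not leave two copies of the key.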