Authentication Logs Not Appearing in Wazuh Index


Wazuh Mail

Feb 25, 2025, 11:42:34 AM
to Wazuh | Mailing List

I hope you are doing well.

I am currently working on setting up an index pattern in Wazuh 4.10 to capture only authentication logs. However, I am unable to find any logs that contain user authentication details in Elasticsearch.

I have already verified the following:

  1. Audit logging is enabled in Wazuh.
  2. Authentication category is enabled.

Despite these steps, I am still unable to retrieve authentication logs. Could you please assist me in troubleshooting this issue? I would appreciate any guidance or recommendations.

Best regards,

Wazuh Mail

Feb 26, 2025, 5:13:07 AM
to Wazuh | Mailing List
Any solutions please!!

Chukwudalu Chisimdi Okonkwo

Feb 26, 2025, 7:36:19 AM
to Wazuh | Mailing List
Hello,

There is a separate index "security-auditlog" that will contain authentication logs and other actions performed against the Wazuh Indexer. Kindly follow the below steps to get this rolled out.

1. Log in to your Wazuh GUI. Under Index Manager, click on Security --> Audit logs and check whether Enable audit logging is enabled or not. If not, then please enable it.
2. Thereafter, log in to the Wazuh Indexer server terminal and add the below line to the /etc/wazuh-indexer/opensearch.yml file.
plugins.security.audit.type: internal_opensearch
Restart the Wazuh Indexer components to apply the changes. (systemctl restart wazuh-indexer)
3. Then, go to the UI and in Dashboard Manager, click on Index Patterns -> Create index patterns. Add the following name and click on the next step: security-auditlog-*
Click on next and choose @timestamp as the timestamp.
4. After that you can view the logs in Discover for this index. Click on the drop-down arrow to select the security-auditlog-* index pattern to view logs such as the authenticated events.
This contains the list of events that can be viewed:
https://opensearch.org/docs/latest/security/audit-logs/index/

Regards,
Chuks Okonkwo

Wazuh Mail

Feb 26, 2025, 10:22:02 AM
to Wazuh | Mailing List
Thanks, it's working, but I want to detect failed authentication attempts when they exceed a certain threshold and send an email alert in this case. Should I create a custom rule to do this by activating the email alert option, or is there another way to handle it? Please note that email notifications are already configured and working; I just want to add an e-mail notification alert for authentication failures exceeding a certain threshold.
Regards,

Chukwudalu Chisimdi Okonkwo

Feb 28, 2025, 1:01:13 PM
to Wazuh | Mailing List
Hello,

Wazuh already contains rules to detect failed login events across several log sources. One of these is rule id 60122.
<rule id="60122" level="5">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <options>no_full_log</options>
    <description>Logon failure - Unknown user or bad password.</description>
</rule>


This is a rule that tracks Windows event ID 4625 or 529, which is associated with failed logins. To build on this rule, for example to trigger when it hits a certain threshold, you can create a custom rule that references the failed login rule as a parent rule, e.g.

<!-- custom rule: place it inside a <group> element in your local rules file -->
<rule id="120000" level="5" timeframe="60" frequency="10">
    <if_matched_sid>60122</if_matched_sid>
    <options>alert_by_email</options>
    <description>Failed login has occurred 10 times in 60 seconds.</description>
</rule>

This will trigger if the parent rule that tracks logon failures matches 10 times in 60 seconds, and it will also send an alert by email. By default, Wazuh sets the email alert level to 12 in ossec.conf, so configuring this on a per-rule basis gives this rule precedence over the global email setting.

Here are the docs on the rule syntax to aid your customization: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Regards,
Chuks Okonkwo
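The two answers above cover, respectively, where indexer authentication events land (the security-auditlog-* index) and how a frequency/timeframe rule turns repeated failures into one alert. The following added example, which is not part of this thread and not Wazuh or OpenSearch code, ties the two together: it runs a simplified sliding-window threshold over constructed audit-log documents. The field names audit_category, audit_request_effective_user and audit_request_remote_address are the ones the OpenSearch security plugin documents; every value (users, addresses, timestamps) is made up, and the windowing is a model of the idea, not Wazuh's analysisd implementation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                  # failures needed to raise an alert
WINDOW = timedelta(seconds=60)  # trailing window, like timeframe="60"

# Constructed sample documents in the shape the OpenSearch security plugin
# writes to security-auditlog-* (documented field names, made-up values).
def _doc(category, user, ts, addr):
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "audit_category": category,
        "audit_request_layer": "REST",
        "audit_request_effective_user": user,
        "audit_request_remote_address": addr,
    }

_BASE = datetime(2025, 2, 26, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT_DOCS = (
    # 12 failed logins for "admin" three seconds apart: a burst
    [_doc("FAILED_LOGIN", "admin", _BASE + timedelta(seconds=3 * i), "203.0.113.10")
     for i in range(12)]
    # 4 failed logins for "slowuser" two minutes apart: never 10 inside 60 s
    + [_doc("FAILED_LOGIN", "slowuser", _BASE + timedelta(seconds=120 * i), "198.51.100.7")
       for i in range(4)]
    # normal traffic the detector must ignore, plus a single stray failure
    + [_doc("AUTHENTICATED", "kibanaserver", _BASE + timedelta(seconds=5), "10.0.0.5"),
       _doc("GRANTED_PRIVILEGES", "kibanaserver", _BASE + timedelta(seconds=6), "10.0.0.5"),
       _doc("FAILED_LOGIN", "kibanaserver", _BASE + timedelta(seconds=7), "10.0.0.5")]
)

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp the audit log uses (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_login_bursts(docs, threshold=THRESHOLD, window=WINDOW):
    """Emit one alert each time a user accumulates `threshold` FAILED_LOGIN
    events inside a trailing `window`, then reset that user's counter so a
    long attack produces one alert per burst instead of one per event."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerts = []
    for doc in sorted(docs, key=lambda d: parse_ts(d["@timestamp"])):
        if doc.get("audit_category") != "FAILED_LOGIN":
            continue
        user = doc.get("audit_request_effective_user", "<unknown>")
        ts = parse_ts(doc["@timestamp"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": user,
                "count": len(q),
                "window_start": q[0].strftime("%Y-%m-%dT%H:%M:%S.000Z"),
                "window_end": doc["@timestamp"],
                "remote_address": doc.get("audit_request_remote_address"),
            })
            q.clear()
    return alerts

def format_alert(alert):
    """Render an alert as the plain-text body an email notifier could send."""
    return (f"{alert['count']} failed indexer logins for user '{alert['user']}' "
            f"from {alert['remote_address']} between {alert['window_start']} "
            f"and {alert['window_end']}")

if __name__ == "__main__":
    for alert in failed_login_bursts(SAMPLE_AUDIT_DOCS):
        print(format_alert(alert))
```

With the constructed sample, only "admin" crosses the threshold (10 failures between 10:00:00 and 10:00:27); "slowuser" never does because its attempts are two minutes apart, which is the same reason a Wazuh rule with timeframe="60" would stay quiet on that pattern. Feeding real documents from the index instead of SAMPLE_AUDIT_DOCS is the only change needed to run this against a live export.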