How do I set up wazuh-dashboard logging?

[Bitemir Myrzash]

Hello! How to set up wazuh-dashboard logging to record user entry and exit, create a dashboard user, and upgrade privileges?

Who can help me?
Thanks everyone and wazuh teams! 

[Md. Nazmur Sakib]

Hi Bitemir,

If you are looking to monitor Wazuh dashboard user activities, it is possible to do so in Wazuh. You can follow the below steps:

  1. Enable Audit Logging  

Audit logging is disabled by default. To enable it:

• Add the following line to /etc/wazuh-indexer/opensearch.yml on each Wazuh indexer node:

plugins.security.audit.type: internal_opensearch

• Save and restart the Wazuh indexer:  

systemctl restart wazuh-indexer

  2. Enable Audit Logs in Wazuh Dashboard  

• On the Wazuh dashboard, click on the hamburger icon (top left).

• Navigate to: Indexer Management > Security > Audit Logs.

• Make sure audit logging is enabled. If not, enable it.

• From this page, you can also edit the settings for audit logs.

  • For example, if you want Authenticated Events to appear, ensure this option is not disabled in General Settings.

For a full list of event types, check this documentation: https://opensearch.org/docs/1.2/security-plugin/audit-logs/index/#tracked-events

3. Create a New Index Pattern

• On the Wazuh dashboard, click the hamburger icon (top left).

• Go to: Dashboard Management > Index Patterns > Create Index Pattern.

• Add this index pattern: security-auditlog-*

• Click Next > Select @timestamp as the Time Field > Click Create Index.  

4. View Audit Logs in Discover

• On the Wazuh dashboard, click the hamburger icon (top left).

• Go to: Explore > Discover.

• On the top left, change the index from wazuh-alerts-* to security-auditlog-*.

• This will show the dashboard user activity events.

Let me know if you need any further information on this.

[Bitemir Myrzash]

Hello! Thanks a lot!

понедельник, 9 февраля 2026 г. в 13:53:16 UTC+5, Md. Nazmur Sakib: