No syslog/auth logs present on OS


Vinod Bele

Jun 24, 2024, 11:39:03 AM
to Wazuh | Mailing List
We have installed Wazuh agents on a Container-Optimized OS image, but we are facing a problem because it does not have syslog or audit logs present. Consequently, Wazuh is not able to get the OS authentication logins and other details since the logs are not present.
Do we have any solutions to overcome this?

Emiliano Jorge Bottazzi

Jun 24, 2024, 7:22:51 PM
to Wazuh | Mailing List
Hi Vinod.

Wazuh works by reading incoming logs and, consequently, triggering alerts if they match any rule.
Let me do some research and I will get back to you as soon as possible if there is any option available for this scenario.

Best regards,
EJ

Emiliano Jorge Bottazzi

Jul 2, 2024, 4:56:13 PM
to Wazuh | Mailing List
Hi Vinod.

After doing some research, I found there are two ways to monitor a Docker environment.

The first approach involves using the Docker listener to monitor Docker events on an endpoint hosting Docker containers. This method provides alerts related to various Docker engine activities, such as container creation, container removal, and network attachments. These alerts are generated based on how the endpoint manages the containers. In this case, audit or system logs are not necessary, but the information is about the Docker engine, not about what you run inside the container. You can find more information in the use case "Monitoring Docker Events" (https://documentation.wazuh.com/current/proof-of-concept-guide/monitoring-docker.html).

The second approach involves sharing a volume where applications, such as Apache or any other installed software, write their logs (from the container to the endpoint). This setup allows the Wazuh agent to analyze these logs from any specified endpoint path. However, it is crucial to ensure that logs are being generated and made available so that Wazuh can receive them and apply its rules to trigger alerts. You can find a similar use case in "Monitoring Docker container logs with Wazuh" (https://wazuh.com/blog/monitoring-docker-container-logs-with-wazuh/).

To recap, as mentioned, Wazuh operates by reading incoming logs and triggering alerts based on predefined rules. Therefore, if you are seeking specific information, it is essential to ensure that this information is being logged in a file. Without these logs, Wazuh cannot process the data or generate the corresponding alerts.

Best regards,
EJ
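As an added example, not part of the original thread or of Wazuh's own documentation, the agent-side ossec.conf fragment below combines the two approaches EJ describes: the docker-listener wodle for Docker engine events, and a localfile entry that reads an application log from a host directory the container bind-mounts as its log directory. The host path /var/log/containers/apache, the container-side path /var/log/apache2, and the container name are assumptions chosen for illustration. Two caveats a practitioner will hit: the docker-listener wodle runs a Python script that needs Python 3 and the docker Python module on the agent host, which a minimal Container-Optimized OS image may not provide; and the bind mount only helps if the application inside the container actually writes to a file rather than to stdout.

```xml
<!--
  Added example: Wazuh agent configuration (ossec.conf) for a Docker host
  with no syslog/auditd. Paths and names below are assumptions.

  Hypothetical container start, so that the application's access log lands
  on the host where the agent can read it (host path -> container path):
    docker run -d --name apache \
      -v /var/log/containers/apache:/var/log/apache2 \
      my-apache-image
-->
<ossec_config>

  <!-- Approach 1: Docker engine events (start/stop/create/attach...).
       Needs Python 3 + the docker module on the agent host. -->
  <wodle name="docker-listener">
    <disabled>no</disabled>
    <run_on_start>yes</run_on_start>
    <interval>10m</interval>
    <attempts>5</attempts>
  </wodle>

  <!-- Approach 2: application logs written by the container into a
       bind-mounted host directory. The agent tails the host-side path. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/containers/apache/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/containers/apache/error.log</location>
  </localfile>

</ossec_config>
```

After editing the configuration, restart the agent so it picks up the new wodle and localfile entries, then confirm that the host-side files are being written to (for example with ls -l on the mounted directory) before expecting alerts: as the thread notes, if nothing is logged to a file, there is nothing for the agent to forward and no rule can fire.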