How to Get Audit Logs from Linux into Wazuh

Bisola Adediji
2 min read

Linux machines collect audit logs via the Linux Audit system, which records events that match pre-configured rules so that you can keep track of what is happening within the operating system.

When a Linux agent is added to Wazuh, audit logs are not collected automatically; this has to be configured. Once it is, Wazuh can analyze command-line execution by root and other users and generate alerts when required.

Prerequisites

  • A Linux system with root access

  • Wazuh agent installed on the Linux system

  • Wazuh manager set up and running

Install Auditd

If Auditd is not already installed on your system, install it using your package manager:

For Debian/Ubuntu:

sudo apt-get install auditd

For CentOS/RHEL:

sudo yum install audit

Add the log file to the Wazuh Configuration

  • Open the ossec.conf file on your agent:

      nano /var/ossec/etc/ossec.conf

  • The audit log file is stored in the /var/log/audit directory. Scroll to the end of the <ossec_config> section and add a <localfile> entry for the audit log:

      <localfile>
          <log_format>audit</log_format>
          <location>/var/log/audit/audit.log</location>
      </localfile>

Configure Audit Rules

  • Edit the audit rules file:

      nano /etc/audit/audit.rules

  • Add your desired audit rules at the end of audit.rules. To log every command executed as root (euid=0), use these rules:

      -a exit,always -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c
      -a exit,always -F arch=b32 -F euid=0 -S execve -k audit-wazuh-c
  • On the left pane of your Wazuh dashboard, navigate to CDB Lists under Server Management. You should see the audit-wazuh-c key-value pair in the Audit-Keys list.

  • Next, reload the rules:

      auditctl -R /etc/audit/audit.rules
  • Restart Auditd:

      sudo service auditd restart
    
  • Restart the Wazuh agent:

      sudo systemctl restart wazuh-agent
    
  • Test the integration by running the netstat command as root and checking that the event appears in the Wazuh dashboard.

You have now successfully configured Auditd to send logs to Wazuh. This integration enhances your system's security monitoring capabilities, allowing you to track important system events and changes through the Wazuh dashboard.
