Log collector

In many cases, evidence of an attack can be found in the log messages of devices, systems, and applications. The Wazuh log collector reads logs from text files and Windows event channels on endpoints where the agent is installed. It can also receive logs directly over remote syslog, which is useful for firewalls and other network devices that cannot run an agent. The collected log data is then analyzed and retained centrally, which accelerates threat detection.

The log collector module can help meet the following PCI DSS requirement:

  • Requirement 10 - Log and Monitor All Access to System Components and Cardholder Data: This control requires that user activities, including those by employees, contractors, consultants, internal and external vendors, and other third parties are logged and monitored, and the log data stored for a specified period of time.

To achieve this, the Wazuh agent collects logs from the endpoints it is deployed on, and the Wazuh server can receive logs over syslog from network devices and other syslog-enabled equipment. Wazuh can also retain events that do not generate an alert by enabling the archives feature and keeping them in the Wazuh indexer for long-term storage. For more information on configuring log collection, see the Log data collection section.

Use cases

PCI DSS Requirement 10.2.2 requires that audit logs record the following details for each auditable event:

  • User identification.

  • Type of event.

  • Date and time.

  • Success and failure indication.

  • Origination of event.

  • Identity or name of affected data, system component, resource, or service (for example, name and protocol).

The following are some Wazuh rules that help achieve this requirement:

  • Rule 5710 - sshd: attempt to login using a non-existent user: This rule generates an alert when a non-existent user tries to log in to a system via SSH. The generated alert contains the information required by requirement 10.2.2 (user identification, type of event, date and time, success and failure indication, origination of event and identity or name of affected data, system component, resource, or service). The screenshot below shows the alert generated on the dashboard:

  • Rule 5715 - sshd: authentication success: This rule generates an alert when a user successfully logs into a system via SSH. The generated alert contains the information required by requirement 10.2.2 (user identification, type of event, date and time, success and failure indication, origination of event and identity or name of affected data, system component, resource, or service). The screenshot below shows the alert generated on the dashboard:

PCI DSS requirement 10.5.1 requires that audit log history is retained for at least 12 months, with at least the most recent three months immediately available for analysis. This can be achieved by enabling Wazuh log archives and configuring index state management policies in the Wazuh indexer to control how long the archive indices are kept. Note that the archives.json file on the Wazuh server is rotated daily and can consume considerable disk space, so long-term retention should rely on the indexed copy rather than on the server's local file. To enable Wazuh log archives, follow the instructions below.

Enable archives on the Wazuh server and index them in the Wazuh indexer:

  1. Set <logall_json>yes</logall_json> inside the <global> section of /var/ossec/etc/ossec.conf on the Wazuh server. The manager then writes every received event, whether or not it matched a rule, to /var/ossec/logs/archives/archives.json.

  2. Set archives enabled to true in /etc/filebeat/filebeat.yml. The setting belongs to the wazuh module entry, next to the existing alerts setting:

    filebeat.modules:
      - module: wazuh
        alerts:
          enabled: true
        archives:
          enabled: true
    
  3. Restart Filebeat, using the command that matches the init system.

    Systemd:

    # systemctl restart filebeat

    SysV init:

    # service filebeat restart
    
  4. Restart the Wazuh manager, using the command that matches the init system.

    Systemd:

    # systemctl restart wazuh-manager

    SysV init:

    # service wazuh-manager restart
    
  5. Open the Wazuh dashboard menu and select Stack Management under Management.

  6. Choose Index Patterns and select Create index pattern. Use wazuh-archives-* as the index pattern name.

  7. Select timestamp as the primary time field for use with the global time filter then proceed to create the index pattern.

  8. Open the menu and select Discover under OpenSearch Dashboards, then choose the wazuh-archives-* index pattern. Events, including those that did not trigger an alert, should be reported there.
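The following Python script is an added example, not code from the Wazuh project, that ties the two parts of this section together: it reads newline-delimited JSON in the shape that archives.json takes once archives are enabled, and checks every sshd authentication event (such as those matched by rules 5710 and 5715) for the elements PCI DSS 10.2.2 requires. The sample events are constructed for this example, and the field names used (timestamp, rule.id, rule.description, rule.groups, agent.name, decoder.name, data.srcuser, data.dstuser, data.srcip) are an assumption about the Wazuh alert and archive JSON layout; verify them against your own archives.json before relying on the mapping.

```python
"""Check sshd authentication events for the PCI DSS 10.2.2 audit-record elements.

Added example, not Wazuh project code. SAMPLE_ARCHIVE is constructed to mirror
the newline-delimited JSON written to archives.json; the field names are an
assumption about Wazuh's event layout, so check them against real data.
"""
import json

# Constructed sample: two alerting sshd events, one non-alerting systemd event
# (present in the archive but not in alerts), and one sshd failure whose
# username is blank, so the record is incomplete for 10.2.2.
SAMPLE_ARCHIVE = r'''
{"timestamp":"2024-03-05T10:15:02.123+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"manager":{"name":"wazuh-manager"},"decoder":{"name":"sshd"},"data":{"srcuser":"admin","srcip":"203.0.113.7","srcport":"52214"},"location":"/var/log/auth.log","full_log":"Mar  5 10:15:02 web-01 sshd[2210]: Invalid user admin from 203.0.113.7 port 52214"}
{"timestamp":"2024-03-05T10:16:40.004+0000","rule":{"id":"5715","level":3,"description":"sshd: authentication success.","groups":["syslog","sshd","authentication_success"]},"agent":{"id":"001","name":"web-01"},"manager":{"name":"wazuh-manager"},"decoder":{"name":"sshd"},"data":{"dstuser":"deploy","srcip":"198.51.100.23","srcport":"40112"},"location":"/var/log/auth.log","full_log":"Mar  5 10:16:40 web-01 sshd[2251]: Accepted publickey for deploy from 198.51.100.23 port 40112 ssh2"}
{"timestamp":"2024-03-05T10:17:01.500+0000","agent":{"id":"001","name":"web-01"},"manager":{"name":"wazuh-manager"},"decoder":{"name":"systemd"},"location":"/var/log/syslog","full_log":"Mar  5 10:17:01 web-01 systemd[1]: Started Session 42 of user deploy."}
{"timestamp":"2024-03-05T10:18:11.900+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","invalid_login","authentication_failed"]},"agent":{"id":"002","name":"db-01"},"manager":{"name":"wazuh-manager"},"decoder":{"name":"sshd"},"data":{"srcip":"203.0.113.7"},"location":"/var/log/auth.log","full_log":"Mar  5 10:18:11 db-01 sshd[980]: Invalid user  from 203.0.113.7"}
'''

# Dotted field paths that can satisfy each 10.2.2 element, tried in order.
# The success/failure indication is derived separately from rule.groups.
REQUIRED_ELEMENTS = {
    "user identification": ("data.srcuser", "data.dstuser"),
    "type of event": ("rule.description", "rule.id"),
    "date and time": ("timestamp",),
    "origination of event": ("data.srcip",),
    "affected component": ("agent.name", "manager.name"),
}


def get_path(event, dotted):
    """Return the value at a dotted path such as 'data.srcip', or None if absent or empty."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if node in ("", None) else node


def first_present(event, paths):
    """First non-empty value among several candidate field paths."""
    for path in paths:
        value = get_path(event, path)
        if value is not None:
            return value
    return None


def outcome(event):
    """Success/failure indication, taken from the rule's group tags (assumed tag names)."""
    groups = get_path(event, "rule.groups") or []
    if "authentication_success" in groups:
        return "success"
    if "authentication_failed" in groups:
        return "failure"
    return None


def is_ssh_auth_event(event):
    """Only sshd events that matched an authentication rule are audited here."""
    return get_path(event, "decoder.name") == "sshd" and outcome(event) is not None


def check_event(event):
    """Map each 10.2.2 element to the value found and list the elements that are missing."""
    found = {name: first_present(event, paths) for name, paths in REQUIRED_ELEMENTS.items()}
    found["success/failure indication"] = outcome(event)
    missing = sorted(name for name, value in found.items() if value is None)
    return {
        "rule_id": get_path(event, "rule.id"),
        "found": found,
        "missing": missing,
        "complete": not missing,
    }


def check_archive(text):
    """Run the check over newline-delimited JSON, skipping blank lines and non-auth events."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_ssh_auth_event(event):
            results.append(check_event(event))
    return results


if __name__ == "__main__":
    for result in check_archive(SAMPLE_ARCHIVE):
        status = "complete" if result["complete"] else "missing: " + ", ".join(result["missing"])
        print(f"rule {result['rule_id']}: {status}")
```

To run it against a live system, replace SAMPLE_ARCHIVE with the contents of /var/ossec/logs/archives/archives.json (or a query result from the wazuh-archives-* index). The systemd line is kept in the sample deliberately: it shows that the archive holds events which never reach alerts.json, and that the checker must filter on the decoder and rule groups rather than assume every archived line is an auditable authentication event.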