Monitoring system calls
Monitoring system calls on Linux endpoints provides information for security auditing purposes. Collecting and analyzing system call data helps security teams identify patterns of suspicious behavior and investigate potential security incidents promptly.
The Linux Audit system is a powerful tool for collecting security and non-security events on Linux endpoints. However, the sheer volume of data generated by the audit logs can make it difficult for system administrators to identify potential security threats and violations.
Wazuh uses the Linux Audit system to monitor system calls on Linux endpoints. The Wazuh agent installs and configures audit rules on monitored endpoints to collect system call events and sends them to the Wazuh server for analysis. These audit rules capture events relevant to security monitoring. Wazuh provides out-of-the-box detection rules that use the system call events to detect multiple activities, including file access, command execution, privilege escalation, malware, and more. Security teams can customize these rules to meet specific security requirements or compliance standards, thereby obtaining real-time insights into potential security incidents.
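The records that the Linux Audit system writes (and that the Wazuh agent forwards) use auditd's key=value layout, with one SYSCALL record per event followed by related CWD and PATH records that share the same event id. The script below is an added example, not Wazuh's own decoder or detection rules: it parses constructed sample records of the kind a rule such as `-a always,exit -F arch=b64 -S execve -k audit-wazuh-c` would produce, groups them by event id, and applies two simple triage checks of the type the text describes (a command executed as root from a non-root login session, and a denied access to a watched file). The sample lines, the `audit-wazuh-*` key names and the uid values are constructed for this example.

```python
"""Parse Linux Audit SYSCALL/CWD/PATH records and apply simple triage checks.

Added example, not part of the Wazuh documentation or code base. The record
layout is the standard auditd key=value format; the sample records below are
constructed for this example and are not real captures.
"""
import re
from collections import Counter

# Constructed sample records (x86_64, arch=c000003e). Event 202 is a root shell
# started inside a session whose login uid is 1000; event 203 is a denied openat
# on /etc/shadow. The key names are assumed values set by the audit rules.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-c"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="audit-wazuh-c"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=257 success=no exit=-13 ppid=1300 pid=1302 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="audit-wazuh-w"
type=CWD msg=audit(1700000000.303:203): cwd="/home/alice"
type=PATH msg=audit(1700000000.303:203): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100640 ouid=0 ogid=42
"""

# x86_64 syscall numbers used by the checks below.
SYSCALL_NAMES = {59: "execve", 322: "execveat", 257: "openat", 2: "open"}
UNSET_AUID = 4294967295  # auid when no login session is attached (daemons, boot)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")


def parse_audit_line(line):
    """Return a dict of fields for one audit record, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "msg":
            # msg=audit(<seconds>.<millis>:<event id>): carries the event id
            m = MSG_RE.search(value)
            if m:
                fields["timestamp"] = int(m.group(1))
                fields["event_id"] = int(m.group(3))
            continue
        fields[key] = value.strip('"')
    return fields


def parse_audit_log(text):
    """Parse all records and group them by event id (SYSCALL with its CWD/PATH records)."""
    events = {}
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or "event_id" not in rec:
            continue
        events.setdefault(rec["event_id"], []).append(rec)
    return events


def triage_event(records):
    """Apply simple checks to one event; return a list of finding labels."""
    syscalls = [r for r in records if r.get("type") == "SYSCALL"]
    paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
    findings = []
    for r in syscalls:
        nr = int(r.get("syscall", -1))
        name = SYSCALL_NAMES.get(nr, str(nr))
        auid = int(r.get("auid", UNSET_AUID))
        uid = int(r.get("uid", -1))
        # A command run as root inside a session whose login uid is not root
        # (sudo/su or a setuid binary): worth reviewing, not necessarily malicious.
        if name in ("execve", "execveat") and uid == 0 and auid not in (0, UNSET_AUID):
            findings.append(f"root_exec_from_user_session:auid={auid}:exe={r.get('exe')}")
        # Failed syscall on a watched object, e.g. exit=-13 (EACCES) or -1 (EPERM).
        if r.get("success") == "no":
            findings.append(f"denied_{name}:exit={r.get('exit')}:paths={','.join(paths)}")
    return findings


def triage_log(text):
    """Return the event count, per-key record counts and all findings for a log text."""
    events = parse_audit_log(text)
    key_counts = Counter(r["key"] for recs in events.values() for r in recs if "key" in r)
    findings = {}
    for eid, recs in events.items():
        hits = triage_event(recs)
        if hits:
            findings[eid] = hits
    return {"events": len(events), "key_counts": dict(key_counts), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_log(SAMPLE_AUDIT_LOG), indent=2))
```

The per-key counts show why the text calls out log volume: keying each audit rule lets you see at a glance which rule produces most records before tuning it, while the two triage checks illustrate the kind of correlation (SYSCALL fields joined with the PATH record of the same event) that a decoder and detection rule perform centrally on the server.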
By providing a centralized view of audit events, Wazuh simplifies the task of monitoring system activities and helps organizations comply with regulatory requirements. Overall, the Wazuh auditing capability provides a robust and comprehensive security monitoring solution for Linux systems, helping organizations improve their security posture and protect against cyber threats.