How to Monitor Linux Event Logs Using Wazuh

Linux systems generate thousands of log entries every day, recording everything from user logins and authentication attempts to service failures, kernel events, scheduled jobs, and application activity.

These logs provide one of the most valuable sources of security telemetry because they document exactly what is happening across your infrastructure in real time.

Monitoring Linux event logs is essential for detecting unauthorized access attempts, identifying malware activity, troubleshooting operational issues, and maintaining compliance with industry regulations.

Organizations that rely on manual log reviews often struggle to keep pace with the sheer volume of events generated by modern Linux servers, containers, and cloud workloads.

Wazuh provides a centralized platform that automatically collects, normalizes, analyzes, and correlates Linux event logs from multiple endpoints.

Instead of logging into each server individually to inspect files such as /var/log/auth.log or /var/log/syslog, administrators can monitor every Linux system from a single dashboard while receiving real-time alerts whenever suspicious activity occurs.

In this guide, you’ll learn how Linux event log monitoring works, how Wazuh collects and analyzes Linux logs, which log sources should be monitored, how to configure event collection, and best practices for building an efficient monitoring strategy that improves both security visibility and operational awareness.


What Is Linux Event Log Monitoring?

Linux event log monitoring is the continuous collection, analysis, and alerting of system-generated log events to detect security incidents, operational problems, and abnormal system behavior.

Every Linux component, from the kernel and authentication services to background daemons and applications, records events that describe what is happening on the system.

These event logs serve as a historical timeline of system activity.

Security teams use them to investigate incidents, identify malicious behavior, and reconstruct attack timelines after a compromise.

Unlike application logs, Linux event logs primarily record operating system and infrastructure-level events.

Application logs focus on software-specific activities such as web requests, database queries, or API errors, while system event logs capture authentication events, privilege escalations, kernel messages, service starts and stops, hardware failures, network activity, and scheduled task execution.

For example:

Linux Event LogsApplication Logs
SSH login attemptsApache access requests
User account creationWeb application errors
sudo privilege usageDatabase query logs
Kernel warningsAPI request logs
System service failuresBusiness application events

Monitoring Linux event logs is important for several reasons:

  • Detecting brute-force login attacks
  • Identifying privilege escalation attempts
  • Discovering unauthorized account creation
  • Tracking configuration changes
  • Investigating system crashes
  • Troubleshooting service failures
  • Meeting compliance requirements such as PCI DSS, HIPAA, ISO 27001, and NIST

The importance of centralized log management has been emphasized by the National Institute of Standards and Technology (NIST) in Special Publication 800-92, which recommends automated log collection and continuous analysis as foundational security practices.

Some of the most common Linux log sources include:

  • /var/log/auth.log (Debian/Ubuntu authentication events)
  • /var/log/secure (RHEL/CentOS authentication logs)
  • /var/log/syslog
  • /var/log/messages
  • /var/log/kern.log
  • systemd-journald
  • Cron logs
  • Auditd logs
  • SSH logs
  • Package manager logs
  • Kernel audit events
  • Application-specific log files

Collectively, these logs provide comprehensive visibility into system behavior and are often the first place incident responders look when investigating suspicious activity.

Related Guide: How to Configure Wazuh as a Centralized Syslog Server


How Wazuh Monitors Linux Event Logs

Wazuh continuously collects Linux logs using lightweight agents installed on monitored endpoints.

The platform analyzes every incoming event through a multi-stage processing pipeline that transforms raw log entries into structured security alerts.

At a high level, the Wazuh architecture consists of four primary components:

  • Wazuh Agent
  • Wazuh Manager
  • Wazuh Indexer
  • Wazuh Dashboard

The monitoring process begins on each Linux endpoint, where the Wazuh agent watches configured log files in real time.

Whenever a new event is written, the agent immediately captures it and securely forwards it to the Wazuh manager for analysis.

Role of the Wazuh Agent

The Wazuh agent acts as the local collector running on each monitored Linux machine.

Its responsibilities include:

  • Monitoring configured log files
  • Detecting new log entries
  • Compressing and encrypting events
  • Sending logs securely to the manager
  • Performing local integrity checks
  • Collecting inventory and system information

Unlike traditional polling solutions, the agent streams events almost immediately after they are written, enabling near real-time detection of security incidents.

For example, if an attacker performs multiple failed SSH login attempts, the authentication logs are forwarded to the manager within seconds.

Related Guide: How to Add Linux Endpoints to Wazuh

Log Collection Workflow

The log collection process follows a straightforward pipeline:

  1. A Linux service generates a log event.
  2. The event is written to a monitored log file or the systemd journal.
  3. The Wazuh agent detects the new entry.
  4. The event is securely transmitted to the Wazuh manager.
  5. The manager decodes and analyzes the event.
  6. Matching security rules are evaluated.
  7. Alerts are generated if detection conditions are met.
  8. Alerts are indexed for searching and visualization.

Because collection happens continuously, administrators receive alerts quickly rather than waiting for scheduled scans.

Event Processing Pipeline

After reaching the Wazuh manager, every event passes through several analysis stages designed to extract useful security information.

The processing pipeline typically includes:

  • Log normalization
  • Decoder selection
  • Field extraction
  • Rule evaluation
  • Threat classification
  • Severity assignment
  • Alert generation
  • Storage and indexing

This layered approach allows Wazuh to understand events from many different Linux distributions and log formats without requiring manual parsing for common services.

According to the MITRE ATT&CK framework, many attacker techniques, including credential access, persistence, privilege escalation, and defense evasion, leave detectable artifacts in operating system logs, making continuous log monitoring a key component of threat detection.

Decoding, Rule Matching, and Alert Generation

One of Wazuh’s most powerful capabilities is its decoder and rules engine.

A decoder identifies the log format and extracts structured fields such as:

  • Username
  • Source IP
  • Destination IP
  • Process name
  • Service
  • Command executed
  • Event ID
  • Timestamp

After decoding, the extracted data is evaluated against Wazuh’s extensive library of detection rules.

For example, Wazuh can detect:

  • Multiple failed SSH login attempts
  • Successful root logins
  • Unauthorized sudo usage
  • User account creation
  • Privilege escalation
  • Service crashes
  • Kernel errors
  • Malware indicators
  • Suspicious cron modifications

Each matching rule assigns a severity level, descriptive message, MITRE ATT&CK mapping (when applicable), and recommended response information.

The creator of Linux, Linus Torvalds, has frequently emphasized that observability and detailed system diagnostics are essential for understanding and maintaining complex Linux systems.

While this principle extends beyond security, comprehensive logging forms the foundation of effective monitoring and incident response.

If built-in rules do not meet your organization’s requirements, Wazuh also allows administrators to create custom decoders and detection rules tailored to proprietary applications or unique environments.

Related Guide: How to Test Wazuh Rules


Prerequisites

Before configuring Wazuh to monitor Linux event logs, verify that your environment meets the necessary requirements.

Proper setup ensures reliable log collection, minimizes troubleshooting, and guarantees that alerts reach the Wazuh manager without interruption.

Wazuh Manager Installed

The Wazuh manager is responsible for receiving log events from agents, decoding them, matching them against detection rules, and generating alerts.

Ensure that:

  • The Wazuh manager is installed and running.
  • The manager can accept agent connections.
  • Required services are healthy.
  • The Wazuh dashboard and indexer are operational (if installed).

You can verify the manager status using:

sudo systemctl status wazuh-manager

If the manager is not functioning correctly, agents may appear connected while logs never reach the analysis engine.

Wazuh Agent Installed on Linux Systems

Every Linux endpoint that you want to monitor must have the Wazuh agent installed.

The agent performs several tasks, including:

  • Reading monitored log files
  • Monitoring system activity
  • Collecting security events
  • Forwarding logs securely to the manager

Verify the agent is running:

sudo systemctl status wazuh-agent

If the service is stopped, start it with:

sudo systemctl start wazuh-agent

If the service refuses to start, investigate configuration or service-related issues before continuing.

Related Guides:

How to Install a Wazuh Agent on Windows Server (for Windows endpoints in mixed environments)

How to Add Linux Endpoints to Wazuh

Supported Linux Distributions

Wazuh supports virtually all major Linux distributions, including:

  • Ubuntu
  • Debian
  • CentOS
  • Red Hat Enterprise Linux (RHEL)
  • Rocky Linux
  • AlmaLinux
  • Fedora
  • Oracle Linux
  • Amazon Linux
  • SUSE Linux Enterprise Server (SLES)

Most distributions store logs in similar locations, although filenames may differ.

For example:

DistributionAuthentication Log
Ubuntu/Debian/var/log/auth.log
RHEL/CentOS/var/log/secure

Modern distributions that rely heavily on systemd may also store events within the systemd journal rather than traditional log files.

Required Permissions

The Wazuh agent must have sufficient privileges to read the log files you intend to monitor.

Depending on the log source, this may require access to:

  • /var/log
  • /etc
  • /var/log/audit
  • systemd journal
  • Application log directories

Some security-sensitive logs, such as audit logs, are readable only by the root user or authorized system groups.

Running the Wazuh agent with the default installation permissions is typically sufficient for collecting standard system logs.

Network Connectivity Between Agent and Manager

The agent must be able to communicate with the Wazuh manager over the network.

Before configuring log monitoring, verify:

  • The manager is reachable.
  • Firewalls permit communication.
  • Required ports are open.
  • DNS resolution works correctly (if using hostnames).
  • TLS certificates are valid.

A network interruption prevents collected logs from reaching the manager, resulting in delayed or missing alerts.

If you’re troubleshooting connectivity issues, start by confirming that the agent remains registered and connected.


Linux Log Sources You Can Monitor with Wazuh

One of Wazuh’s biggest strengths is its ability to monitor virtually any Linux log source.

Whether the logs originate from the operating system, security framework, web server, database, or custom application, Wazuh can collect and analyze them in real time.

Below are the most common Linux log sources that organizations monitor.

System Logs

System logs provide a broad view of operating system activity, including service events, daemon messages, startup processes, and hardware notifications.

Common system logs include:

  • /var/log/syslog (Ubuntu/Debian)
  • /var/log/messages (RHEL/CentOS)

These logs are useful for detecting:

  • Service failures
  • Unexpected reboots
  • Daemon crashes
  • Network configuration changes
  • Hardware problems
  • General operating system events

Authentication Logs

Authentication logs are among the most valuable security log sources because they record user authentication activity.

Common files include:

  • /var/log/auth.log
  • /var/log/secure

Typical events include:

  • Successful logins
  • Failed login attempts
  • sudo usage
  • User creation
  • Password changes
  • SSH authentication
  • PAM authentication failures

These logs are essential for detecting brute-force attacks, credential abuse, and unauthorized access attempts.

Kernel Logs

Kernel logs record low-level operating system events generated by the Linux kernel.

Common sources include:

  • /var/log/kern.log
  • dmesg

These logs can reveal:

  • Driver failures
  • Hardware faults
  • Kernel panics
  • Filesystem errors
  • Security module events
  • Boot diagnostics

Kernel logs are particularly useful when investigating stability issues or suspicious kernel-level behavior.

Audit Logs

The Linux Audit Framework (auditd) records detailed security events that standard system logs often miss.

Examples include:

  • File access
  • File deletion
  • Process execution
  • Permission modifications
  • System call monitoring
  • SELinux activity
  • Privilege escalation

Audit logs provide deep visibility into user activity and are commonly used in forensic investigations and compliance reporting.

Many compliance standards, including PCI DSS and HIPAA, recommend centralized monitoring of audit logs.

Cron Logs

Cron logs record scheduled task execution.

These events help administrators monitor:

  • Scheduled scripts
  • Backup jobs
  • Maintenance tasks
  • Unexpected cron modifications
  • Suspicious scheduled commands

Attackers frequently establish persistence by creating malicious cron jobs, making these logs valuable for threat detection.

Package Management Logs

Package managers record software installation, updates, and removals.

Depending on the Linux distribution, these may include:

  • APT (Ubuntu/Debian)
  • YUM (CentOS/RHEL 7)
  • DNF (Fedora, RHEL 8+, Rocky Linux, AlmaLinux)

Monitoring package management logs allows administrators to detect:

  • Unauthorized software installation
  • Unexpected package upgrades
  • Security patch failures
  • Repository changes

SSH Logs

SSH logs provide detailed information about remote access activity.

Common events include:

  • Successful logins
  • Failed authentication attempts
  • Invalid usernames
  • Public key authentication
  • Session termination
  • Root login attempts
  • Privilege escalation events

These logs are one of the first places security analysts look during incident investigations.

Related Guide: How to Monitor Failed SSH Login Attempts Using Wazuh

Web Server Logs

Web server logs help identify attacks targeting internet-facing applications.

Supported web servers include:

  • Apache
  • Nginx

These logs commonly reveal:

  • SQL injection attempts
  • Directory traversal attacks
  • HTTP errors
  • Suspicious user agents
  • Excessive requests
  • Exploitation attempts

Related Guide: How to Monitor Apache Logs with Wazuh

Database Logs

Wazuh can also monitor database logs.

Common examples include:

  • MySQL
  • PostgreSQL

Useful events include:

  • Authentication failures
  • Unauthorized queries
  • Slow queries
  • Database crashes
  • Replication failures
  • Privilege changes

Monitoring database logs improves visibility into both security incidents and operational problems.

Application Logs

In addition to system logs, Wazuh can monitor virtually any custom application log.

Examples include:

  • Java applications
  • Python applications
  • Node.js services
  • Go applications
  • Custom enterprise software
  • Containerized workloads

Because Wazuh supports custom decoders and rules, organizations can build detections specifically for proprietary applications.

Related Guide: How to Create Custom Detection Rules in Wazuh (With Examples)


Configuring Wazuh to Monitor Linux Event Logs

Wazuh uses the agent configuration file (ossec.conf) to define which log sources should be monitored.

By adding log collection entries, you can monitor everything from standard system logs to custom application logs and the systemd journal.

Locate the Agent Configuration File

On Linux, the primary agent configuration file is:

/var/ossec/etc/ossec.conf

Open the file using your preferred text editor:

sudo nano /var/ossec/etc/ossec.conf

Most log monitoring settings are defined inside one or more <localfile> blocks.

If the agent fails to start after editing the configuration, validate the XML syntax before restarting the service.

Related Guide: How to Fix ossec.conf Syntax Errors in Wazuh Agents

Configure Local Log Collection

To monitor a log file, add a <localfile> entry.

Example:

<localfile>
  <location>/var/log/auth.log</location>
  <log_format>syslog</log_format>
</localfile>

This instructs the agent to continuously monitor the authentication log and forward new events to the manager.

Monitor Multiple Log Files

You can monitor multiple logs by defining additional <localfile> blocks.

Example:

<localfile>
  <location>/var/log/syslog</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/auth.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/kern.log</location>
  <log_format>syslog</log_format>
</localfile>

This approach enables centralized monitoring of several important log sources simultaneously.

Monitor Custom Log Files

Applications often store logs outside the /var/log directory.

For example:

<localfile>
  <location>/opt/myapp/logs/application.log</location>
  <log_format>syslog</log_format>
</localfile>

If the application uses a non-standard log format, you can create a custom decoder to properly parse its events.

Configure Wildcard Log Monitoring

Wildcard patterns simplify monitoring when applications create multiple rotating log files.

Example:

<localfile>
  <location>/var/log/myapp/*.log</location>
  <log_format>syslog</log_format>
</localfile>

This configuration automatically includes every .log file within the specified directory.

Configure Journald Log Collection

Many modern Linux distributions rely on systemd-journald instead of traditional log files.

Wazuh can collect events directly from the systemd journal, allowing you to monitor services that write exclusively to journald. This is particularly useful on newer distributions where important system and service events are not duplicated in /var/log.

Refer to the official Wazuh documentation for the exact journald configuration options supported by your installed version.

Exclude Unnecessary Logs

Not every log source provides useful security information.

Monitoring low-value or extremely verbose logs can increase storage consumption, processing overhead, and alert fatigue.

Consider excluding:

  • Temporary application logs
  • Debug logs
  • Frequently changing cache logs
  • Large archive files
  • Rotated logs that no longer receive updates

A focused collection strategy improves detection quality and overall system performance.

Restart the Wazuh Agent

After saving the configuration, restart the agent to apply the changes.

sudo systemctl restart wazuh-agent

Then verify that the service is running:

sudo systemctl status wazuh-agent

If the service fails to restart, review the agent logs and configuration for errors before proceeding.

Verify Configuration

Finally, confirm that log events are reaching the Wazuh manager.

You can verify this by:

  • Generating a test event (for example, an SSH login).
  • Opening the Wazuh Dashboard.
  • Searching for the event in the Security Events view.
  • Confirming that the expected rule matched.
  • Reviewing extracted fields such as username, source IP, and log file.

If events are not appearing, verify the agent configuration, network connectivity, file permissions, and manager status before continuing with further troubleshooting.

Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes


Example Wazuh Log Collection Configurations

The flexibility of Wazuh’s log collection engine allows you to monitor nearly any text-based log generated on a Linux system.

Whether you’re collecting authentication events, audit logs, web server logs, or custom application logs, the configuration follows the same basic pattern using <localfile> entries in the agent’s ossec.conf file.

Below are several common examples.

Monitoring Authentication Logs

Authentication logs are one of the highest-value sources for security monitoring because they capture login attempts, privilege escalation, password changes, and SSH activity.

On Ubuntu and Debian systems:

<localfile>
  <location>/var/log/auth.log</location>
  <log_format>syslog</log_format>
</localfile>

On RHEL-based distributions:

<localfile>
  <location>/var/log/secure</location>
  <log_format>syslog</log_format>
</localfile>

This configuration enables Wazuh to detect events such as:

  • Failed SSH logins
  • Successful remote logins
  • Invalid usernames
  • Root login attempts
  • sudo execution
  • Authentication failures

Monitoring Syslog

Many Linux services write operational messages to the system log.

Example:

<localfile>
  <location>/var/log/syslog</location>
  <log_format>syslog</log_format>
</localfile>

On distributions that use /var/log/messages:

<localfile>
  <location>/var/log/messages</location>
  <log_format>syslog</log_format>
</localfile>

Monitoring system logs helps identify:

  • Service failures
  • Unexpected daemon restarts
  • Network issues
  • Boot events
  • General operating system activity

Monitoring Auditd Logs

The Linux Audit Framework records detailed security events that are useful for compliance, forensics, and threat detection.

Example:

<localfile>
  <location>/var/log/audit/audit.log</location>
  <log_format>audit</log_format>
</localfile>

Auditd logs commonly include:

  • File access
  • Process execution
  • System calls
  • Permission changes
  • SELinux events
  • User account modifications

Because audit logs contain highly structured security data, they often produce richer alerts than traditional system logs.

Monitoring Apache Logs

Web server logs can reveal attacks against internet-facing applications.

Example:

<localfile>
  <location>/var/log/apache2/access.log</location>
  <log_format>apache</log_format>
</localfile>

<localfile>
  <location>/var/log/apache2/error.log</location>
  <log_format>syslog</log_format>
</localfile>

These logs can help detect:

  • Directory traversal attempts
  • SQL injection probes
  • HTTP 500 errors
  • Suspicious user agents
  • Excessive requests
  • Web application attacks

Monitoring Nginx Logs

Nginx logs can be monitored in a similar way.

Example:

<localfile>
  <location>/var/log/nginx/access.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/nginx/error.log</location>
  <log_format>syslog</log_format>
</localfile>

These logs are useful for identifying:

  • Suspicious HTTP requests
  • Failed requests
  • Reverse proxy errors
  • Scanning activity
  • Denial-of-service attempts

Monitoring Custom Application Logs

Many organizations run internally developed applications that generate their own log files.

For example:

<localfile>
  <location>/opt/company/application/logs/app.log</location>
  <log_format>syslog</log_format>
</localfile>

If your application’s log format differs from standard formats, you can create a custom decoder and corresponding detection rules to extract meaningful fields and generate alerts.

Monitoring Multiple Log Sources

Most production environments monitor several log sources simultaneously.

Example:

<localfile>
  <location>/var/log/auth.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/syslog</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/var/log/audit/audit.log</location>
  <log_format>audit</log_format>
</localfile>

<localfile>
  <location>/var/log/nginx/access.log</location>
  <log_format>syslog</log_format>
</localfile>

<localfile>
  <location>/opt/app/logs/app.log</location>
  <log_format>syslog</log_format>
</localfile>

This configuration gives Wazuh visibility into operating system activity, authentication events, web traffic, security auditing, and application behavior from a single Linux endpoint.


Understanding How Wazuh Processes Linux Events

Collecting Linux logs is only the first step.

Wazuh transforms raw log entries into meaningful security alerts through a multi-stage event processing pipeline.

Each stage enriches the data, making it easier for analysts to identify suspicious activity and respond quickly.

Log Collection

The process begins on the monitored Linux endpoint.

The Wazuh agent continuously watches configured log files for new entries.

Unlike scheduled polling, the agent monitors logs in near real time, forwarding new events to the Wazuh manager almost immediately after they are written.

This approach minimizes detection delays and reduces the risk of missing short-lived events.

Decoding

Raw log entries are often unstructured and vary widely between services.

For example, an SSH authentication log looks very different from an Apache access log or an Auditd event.

Wazuh uses decoders to:

  • Identify the log source
  • Parse the message
  • Extract structured fields
  • Normalize event data

Common extracted fields include:

  • Username
  • Source IP address
  • Destination IP address
  • Process name
  • Command executed
  • Service name
  • Timestamp
  • Event type

Structured data enables the rules engine to evaluate events accurately, regardless of the original log format.

Rule Matching

After decoding, the event is evaluated against Wazuh’s extensive library of built-in detection rules.

These rules identify behaviors such as:

  • Brute-force attacks
  • SSH login failures
  • Privilege escalation
  • Malware indicators
  • Configuration changes
  • File integrity violations
  • Web application attacks
  • Policy violations

Organizations can also create custom rules for proprietary applications or unique security requirements.

Alert Generation

When a rule matches, Wazuh generates an alert containing detailed contextual information.

A typical alert includes:

  • Rule ID
  • Rule description
  • Severity level
  • Timestamp
  • Agent name
  • Source log file
  • Decoded fields
  • MITRE ATT&CK technique mapping (when applicable)

This enriched information helps analysts understand what happened without manually reviewing the original log.

Dashboard Visualization

Generated alerts are stored in the Wazuh Indexer and displayed through the Wazuh Dashboard.

Security analysts can:

  • Search alerts
  • Filter by severity
  • Investigate individual endpoints
  • Build dashboards
  • Visualize attack trends
  • Create reports
  • Analyze historical activity

The centralized dashboard provides a unified view of events across every monitored Linux system.

Active Response (Optional)

In addition to detecting threats, Wazuh can automatically respond to certain security events using Active Response.

Depending on your configuration, Wazuh can:

  • Block malicious IP addresses
  • Disable compromised user accounts
  • Terminate malicious processes
  • Remove malicious files
  • Execute custom response scripts

Automated response reduces the time between detection and containment, limiting the impact of an attack.

Because automatic actions can disrupt legitimate users if configured too broadly, they should be thoroughly tested before being deployed in production.

Related Guide: How to Configure Wazuh Active Response


Viewing Linux Events in the Wazuh Dashboard

Once Wazuh begins collecting Linux logs, you can use the Wazuh Dashboard to search, filter, and investigate events.

The dashboard provides powerful search capabilities that allow analysts to quickly locate authentication events, kernel messages, application logs, and other security-relevant information.

Navigate to Security Events

Log in to the Wazuh Dashboard and open the Security Events section.

This view displays all events received from monitored endpoints, including Linux, Windows, network devices, and cloud services.

Each event typically includes:

  • Timestamp
  • Agent
  • Rule description
  • Severity level
  • Source IP
  • Event category
  • Original log message

Filter by Linux Agent

If your environment contains many monitored systems, filtering by agent helps narrow the results.

For example, you can filter events for:

  • A specific Linux server
  • A production environment
  • A development environment
  • A web server
  • A database server

This makes investigations significantly faster during incident response.

Search by Log File

You can also search events based on the originating log file.

Examples include:

  • /var/log/auth.log
  • /var/log/syslog
  • /var/log/messages
  • /var/log/audit/audit.log
  • /var/log/nginx/access.log

Searching by log source is particularly useful when investigating issues related to a specific service or subsystem.

Search by Event Type

The dashboard also supports searching by event type or rule description.

Examples include:

  • Failed SSH logins
  • Successful authentication
  • sudo execution
  • User creation
  • Kernel warnings
  • Audit events
  • File modifications
  • Service failures

Combining multiple filters, such as agent name, severity, and event type, can significantly reduce the number of results during an investigation.

Investigate Alert Details

Selecting an alert opens a detailed view containing the decoded event data.

Depending on the event, you may see:

  • Original log message
  • Parsed fields
  • Rule ID
  • Rule description
  • Severity
  • Source IP
  • Username
  • Process name
  • File path
  • MITRE ATT&CK mapping

Reviewing these details helps analysts determine whether the event represents normal activity or a potential security incident.

Create Saved Searches

If you routinely investigate the same types of events, consider creating saved searches within the dashboard.

Examples include searches for:

  • Failed SSH authentication attempts
  • Root logins
  • Auditd events
  • Apache errors
  • Nginx access logs
  • High-severity alerts
  • Events from production servers

Saved searches allow security teams to quickly return to commonly used views, reducing investigation time and ensuring consistency across recurring monitoring tasks.


Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *