The Wazuh agent uses the log tool to collect logs. You can use the log tool in the Terminal, followed by option filters, to control which logs you want to see. For example, running the command below displays all the logs the operating system generates:

% log stream

The log tool generates a lot of events, so it is necessary to filter for only the important ones. For example, to see only sudo events, you can run the command below:

% log stream -process="sudo"

The command uses filters to ensure that the log tool shows only the events of interest. Using the same technique, the Wazuh agent uses the following configuration, included in macOS agents, to collect only relevant logs. This configuration is included by default and allows the Wazuh agent to collect logs covering several event types:

(process = "sudo") or (process = "sessionlogoutd" and message contains "logout is complete.") or (process = "sshd") or (process = "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process = "screensharingd" and message contains "Authentication") or (process = "securityd" and eventMessage contains "Session" and subsystem = "")

The agent runs the log tool and passes the included filters to specify the monitored processes. You can find the configuration in the /Library/Ossec/etc/nf file on macOS endpoints. The log collection configuration supports only sudo, SSH, security session, and authentication events.

Note: Upgrading the Wazuh agent from a version that does not include this enhancement to a supported version will not update the configuration. If you want to apply the default configuration, include the configuration above in your agent configuration file (for Wazuh 4.3.0 and above) or uninstall and reinstall the agent.

You can find the decoders for the events collected by Wazuh macOS agents in the /var/ossec/ruleset/decoders/0580-macos_decoders.xml file on the Wazuh server.
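To see which records the default filter actually keeps before the decoders ever see them, the script below replays the same predicate over a handful of unified-log records. This is an added example, not Wazuh's own code: it assumes records in the JSON shape that `log show --style ndjson` emits (keys `process`, `eventMessage`, `subsystem`), the sample events are constructed rather than captured from a real endpoint, and the securityd clause uses a placeholder because the page shows that subsystem value elided.

```python
"""Replay the Wazuh macOS log predicate over sample unified-log records.

Added example, not Wazuh code. Each entry in CLAUSES mirrors one `or` term
of the predicate in the agent configuration, so a record is kept when any
clause matches, exactly as the log tool would keep it.
"""
import json

# Constructed sample records in the shape of `log show --style ndjson` output.
SAMPLE_NDJSON = """\
{"timestamp":"2024-01-01 10:00:00+0000","process":"sudo","subsystem":"","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"}
{"timestamp":"2024-01-01 10:00:01+0000","process":"sshd","subsystem":"","eventMessage":"Accepted publickey for alice from 10.0.0.5 port 51022 ssh2"}
{"timestamp":"2024-01-01 10:00:02+0000","process":"sessionlogoutd","subsystem":"","eventMessage":"logout is complete."}
{"timestamp":"2024-01-01 10:00:03+0000","process":"sessionlogoutd","subsystem":"","eventMessage":"starting logout"}
{"timestamp":"2024-01-01 10:00:04+0000","process":"tccd","subsystem":"com.apple.TCC","eventMessage":"Update Access Record: kTCCServiceCamera for com.example.app"}
{"timestamp":"2024-01-01 10:00:05+0000","process":"screensharingd","subsystem":"","eventMessage":"Authentication: SUCCEEDED :: User Name: alice"}
{"timestamp":"2024-01-01 10:00:06+0000","process":"kernel","subsystem":"","eventMessage":"wlan0: link up"}
{"timestamp":"2024-01-01 10:00:07+0000","process":"loginwindow","subsystem":"","eventMessage":"SessionAgentNotificationCenter: user switched"}
"""

# Placeholder: the page shows the subsystem value of the securityd clause elided.
SECURITYD_SUBSYSTEM = ""

# One (name, test) pair per `or` term of the agent's predicate.
CLAUSES = [
    ("sudo", lambda e: e["process"] == "sudo"),
    ("sessionlogoutd", lambda e: e["process"] == "sessionlogoutd"
        and "logout is complete." in e["eventMessage"]),
    ("sshd", lambda e: e["process"] == "sshd"),
    ("tccd", lambda e: e["process"] == "tccd"
        and "Update Access Record" in e["eventMessage"]),
    ("session-agent", lambda e: "SessionAgentNotificationCenter" in e["eventMessage"]),
    ("screensharingd", lambda e: e["process"] == "screensharingd"
        and "Authentication" in e["eventMessage"]),
    ("securityd", lambda e: e["process"] == "securityd"
        and "Session" in e["eventMessage"]
        and e["subsystem"] == SECURITYD_SUBSYSTEM),
]


def matching_clause(event):
    """Return the name of the first clause the record satisfies, or None."""
    for name, test in CLAUSES:
        if test(event):
            return name
    return None


def filter_events(ndjson_text):
    """Parse ndjson records and keep those the agent's predicate would select.

    Returns a list of (clause, process, eventMessage) tuples in input order.
    """
    kept = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # `log` omits keys it has no value for; treat them as empty strings.
        event.setdefault("subsystem", "")
        event.setdefault("eventMessage", "")
        clause = matching_clause(event)
        if clause is not None:
            kept.append((clause, event["process"], event["eventMessage"]))
    return kept


if __name__ == "__main__":
    for clause, proc, msg in filter_events(SAMPLE_NDJSON):
        print(f"[{clause:15}] {proc}: {msg}")
```

Of the eight constructed records, six pass: the "starting logout" message from sessionlogoutd is dropped because that clause also requires the "logout is complete." text, and the kernel message matches no clause at all. That is the point of the message-content conditions in the predicate: they keep the agent from forwarding every line a chatty process emits.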
Figure 1: Wazuh log collection and analysis process for macOS endpoints.