Phase 6: Logging, SIEM, and Alerting¶
This phase integrates centralized logging and monitoring using Wazuh, providing visibility into authentication, file changes, system events, and potential threats.
๐ Phase 6 โ Logging and Monitoring (Wazuh)¶
๐งฐ Tools Used¶
- Wazuh Server
- Wazuh Agent (deployed to all hosts)
- Podman containerized dashboard (Kibana-like)
- Optional forwarding to external SIEM (e.g., Elastic, Splunk)
๐ฆ Events to Monitor¶
| Source | Example Events |
|---|---|
| Keycloak | Failed logins, MFA bypass attempts |
| Step-CA | Cert issuance and revocation logs |
| Mailcow | SMTP errors, login attempts |
| OS (auditd) | User creation, sudo, file changes |
| Wazuh Agent | File integrity, process activity |
๐งช Sample Ansible Task to Deploy Wazuh Agent¶
- name: Install and enroll Wazuh agent
hosts: all
become: yes
tasks:
- name: Add Wazuh repo and install agent
apt:
name: wazuh-agent
state: present
- name: Configure agent to connect to Wazuh server
lineinfile:
path: /var/ossec/etc/ossec.conf
regexp: '<address>'
line: ' <address>wazuh.kell.local</address>'
๐ Dashboards & Alerts¶
- Customize alerts by severity, category
- Send critical alerts via email to admin
- Monitor login anomalies across all apps
- Schedule daily integrity scans (AIDE + Wazuh)
๐ Secure the Monitoring Plane¶
- Use TLS between agents and server
- Lock access to Wazuh dashboards via Keycloak SSO
- Store logs long-term in immutable backup or cold storage
โ Output of This Phase¶
- Full observability over system activity
- Live dashboards and audit trails for incident response
- Real-time alerting based on policy or behavioral anomalies
โ Proceed to Phase 7: Validation and Reporting