{"id":394,"date":"2016-02-03T18:02:00","date_gmt":"2016-02-03T18:02:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=394"},"modified":"2020-07-03T18:16:24","modified_gmt":"2020-07-03T18:16:24","slug":"import-wordpress-events-to-ossec","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2016\/02\/import-wordpress-events-to-ossec\/","title":{"rendered":"Import WordPress Events to OSSEC"},"content":{"rendered":"\n<p>WordPress is very popular in the enterprise world, but a common issue that security administrators have is with visibility into platform events. System administrators want to know what is happening inside WordPress and how those events can be&nbsp;incorporated into their log management and&nbsp;<a rel=\"noreferrer noopener\" href=\"http:\/\/dcid.me\/oldtexts\/log-analysis-for-intrusion-detection.txt\" target=\"_blank\">log-based intrusion detection<\/a>&nbsp;plan.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h3>WordPress Security Audit Log Trail<\/h3>\n\n\n\n<p>A great way to help address this issue can be found in our&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Free WordPress Security plugin<\/a>, which is available in the WordPress repository and is also open-source. Our&nbsp;plugin focuses on providing the desired&nbsp;visibility within the WordPress platform.&nbsp;The plugin will hook into multiple WordPress actions and log sensitive actions, such as:<\/p>\n\n\n\n<ul><li>Successful logins<\/li><li>Failed logins<\/li><li>Posts or Pages being published<\/li><li>Plugins or themes being installed or removed<\/li><li>Files being modified<\/li><li>Categories being created<\/li><\/ul>\n\n\n\n<p>These and many other CMS-specific activities would just be lost without the audit trail.<\/p>\n\n\n\n<h5>Install the WordPress Plugin<\/h5>\n\n\n\n<p>Installing the plugin is easy. 
We\u2019ve put together a&nbsp;<a href=\"https:\/\/sucuri.net\/wordpress-security\/wordpress-security-plugin-installation\" target=\"_blank\" rel=\"noreferrer noopener\">quick guide here<\/a>&nbsp;that will help in the process of using it.<\/p>\n\n\n\n<ol><li>Log into your WordPress dashboard (or&nbsp;<strong>wp-admin<\/strong>).<\/li><li>Navigate&nbsp;to&nbsp;<strong>Plugins<\/strong>&nbsp;and click&nbsp;<strong>Add New.<\/strong><\/li><li>Search for&nbsp;<strong>\u201csucuri-scanner\u201d<\/strong>&nbsp;in the search box.<\/li><li>Find the plugin and click&nbsp;<strong>Install Now<\/strong>&nbsp;on&nbsp;<strong><a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sucuri Security \u2013 Auditing, Malware Scanner and Security Hardening<\/a>.<\/strong><\/li><\/ol>\n\n\n\n<p>The name of the plugin is a bit misleading, as it used to be a front-end for our free malware scanner,&nbsp;<a href=\"https:\/\/sitecheck.sucuri.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">SiteCheck<\/a>. The audit trail is what provides the visibility we\u2019ll be focusing on in this article.<\/p>\n\n\n\n<p>Once installed, the audit logs will populate within the Sucuri&nbsp;dashboard in your WordPress installation.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.24.42-PM-1.png\"><img src=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.24.42-PM-1-650x325.png\" alt=\"Audit logs in WordPress via Plugin\" class=\"wp-image-14633\"\/><\/a><figcaption>Audit logs in WordPress via Plugin<\/figcaption><\/figure>\n\n\n\n<h3>Integrating OSSEC with WordPress<\/h3>\n\n\n\n<p>Having basic visibility is not enough though. Most system administrators have existing log management tools and systems in place that are designed to aggregate information. 
Until now, this capability has been limited.<\/p>\n\n\n\n<p>In our latest release however, we have introduced a new way to&nbsp;<strong>export all those event activities<\/strong>&nbsp;so that you can transfer that visibility from within your WordPress dashboard into your OSSEC installation (or other log management tool). For once, you can get visibility into WordPress itself, and you can export data to a log file that can be read by OSSEC or any other log management tool.<\/p>\n\n\n\n<h5>How to Export WordPress Logs to OSSEC<\/h5>\n\n\n\n<p>Navigate to the plugin&nbsp;<strong>Settings -&gt; Log Exporter<\/strong>&nbsp;page and provide a path to export the audit trails as they happen.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.47.52-PM.png\"><img src=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.47.52-PM-650x306.png\" alt=\"WordPress security Log Exporter\" class=\"wp-image-14622\"\/><\/a><figcaption>WordPress security Log Exporter<\/figcaption><\/figure>\n\n\n\n<p>In the&nbsp;example above, the location&nbsp;<em>\/var\/log\/wordpress.log<\/em>&nbsp;was set, which means all events will be captured at that location on the server.<\/p>\n\n\n\n<p>From there, add the log file to OSSEC to be monitored in real time and restart OSSEC:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p># \/var\/ossec\/bin\/util.sh addfile \/var\/log\/wordpress.log<br># \/var\/ossec\/bin\/ossec-control restart<\/p><\/blockquote>\n\n\n\n<p>That\u2019s&nbsp;it. Now all&nbsp;WordPress-related activity will start populating the log file and being consumed by OSSEC. 
For example, on the Sucuri blog, I can see when I am logging in:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>** Alert 1453833644.78336: \u2013 syslog,wordpress,authentication_success,<br>2016 Jan 26 13:40:41 (blog.sucuri.net) HIDDEN-&gt;\/var\/log\/wordpress.log<br>Rule: 9502 (level 3) -&gt; \u2018WordPress authentication succeeded.\u2019<br>Src IP: HIDDEN \/ USA<br>2016-01-26 13:40:41 WordPressAudit blog.sucuri.net HIDDEN : Notice: 1.2.3.4; User authentication succeeded: danielcid<\/p><\/blockquote>\n\n\n\n<p>I can also see when someone is failing at entering their password or editing anything inside WordPress.<\/p>\n\n\n\n<p>If you&nbsp;leverage&nbsp;Slack or PagerDuty, be sure to&nbsp;<a href=\"https:\/\/blog.sucuri.net\/2016\/01\/server-security-integrating-ossec-with-slack-and-pagerduty.html\" target=\"_blank\" rel=\"noreferrer noopener\">update your OSSEC install with the latest integrator daemon<\/a>; it&nbsp;pushes all alerts to either medium per your configuration:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.13.15-PM-1.png\"><img src=\"https:\/\/blog.sucuri.net\/wp-content\/uploads\/2016\/01\/Screen-Shot-2016-01-27-at-7.13.15-PM-1-650x169.png\" alt=\"User authentication error log from WordPress in OSSEC\" class=\"wp-image-14631\"\/><\/a><figcaption>Exported user authentication error log from WordPress to Slack or Pagerduty<\/figcaption><\/figure>\n\n\n\n<h2>Need Help with OSSEC?<\/h2>\n\n\n\n<p>We leverage&nbsp;<a rel=\"noreferrer noopener\" href=\"http:\/\/dcid.me\/ossec\" target=\"_blank\">OSSEC<\/a>&nbsp;extensively across all our products to help monitor and protect our servers. 
If you are not familiar with OSSEC, it is an open source host-based Intrusion Detection System (HIDS) with a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, rootkit detection, real-time alerting, and active response.<\/p>\n\n\n\n<p>It provides complete coverage if you are looking for an endpoint (server) security solution.<\/p>\n\n\n\n<ul><li>If you have not used OSSEC before, I recommend reading my guide&nbsp;to get started:&nbsp;<a rel=\"noreferrer noopener\" href=\"http:\/\/dcid.me\/texts\/my-ossec-setup-manual.html\" target=\"_blank\">http:\/\/dcid.me\/texts\/my-ossec-setup-manual.html<\/a><\/li><li>If you need help with your OSSEC implementation, we provide professional consultation at <a href=\"https:\/\/coldpath.net\/ossec-support\/\">ColdPath<\/a><\/li><\/ul>\n\n\n\n<p><em>Note that OSSEC requires root access to your servers and is meant for network \/ server administrators with Linux skills.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress is very popular in the enterprise world, but a common issue that security administrators have is with visibility into platform events. 
System administrators want to know what is happening inside WordPress and how those events can be&nbsp;&nbsp;incorporated into their log management and&nbsp;log-based intrusion detection&nbsp;plan.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[16],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/394"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=394"}],"version-history":[{"count":2,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/394\/revisions"}],"predecessor-version":[{"id":401,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/394\/revisions\/401"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}