Set up integration with the Wazuh SIEM system
- If you do not have a Wazuh server installed, install one.
- Create a service user.
- Issue an IAM token for the account.
- Get a script to export audit logs.
- Set up and run the script.
- Set up audit log acceptance in Wazuh.
1. Install the Wazuh server
You can install the Wazuh server from the distribution on any available server or deploy a cloud server with Wazuh from a ready-made image in the control panel.
Install from the distribution
Install from a ready-made image
-
Open the CLI.
-
Install the Wazuh server:
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -aRead more about installing Wazuh server from the distribution in the Quickstart article of the official Wazuh documentation.
Use the instructions Cloud Server with Wazuh.
2. Create a service user
Add a service user with permission in the access area Account and role member.
Users can be added by the Account Owner or users with the role of iam.admin.
3. Get an IAM token for the account
Get an IAM token for the account for the service user you created in step 2.
4. Get a script for exporting audit logs
We have prepared a script for exporting audit logs - it allows you to upload logs to a file and send them to a specified IP address or endpoint via syslog or HTTP/HTTPS.
-
Open the CLI.
-
Clone the script repository:
git clone https://github.com/t-rex-general/auditlog-integration.gitThe script files will be saved to the
auditlog-integrationfolder in the working directory.
5. Set up and run the script
-
Open the CLI.
-
Create a virtual environment:
python3 -m venv .venv -
Activate the virtual environment:
source .venv/bin/activate -
Go to the script folder:
cd auditlog-integration -
Install the necessary dependencies:
pip3 install -r requirements.txt -
Create an
.envconfiguration file:touch .env -
Open the
.envconfiguration file:nano .env -
Fill in
the .envconfiguration file:8.1 Add a block with parameters for authentication in the API of the Audit-Logs service:
AUDIT_LOGS_URL=<base_url>/v1/logs
USERNAME=<username>
PASSWORD=<password>
ACCOUNT_ID=<account_id>Specify:
<base_url>- URL to access the audit logs API in the required pool. You can see the list of URLs in the instructions List of URLs;<username>- the name of the service user you created in step 2;<password>- password of the service user. If the password contains the characters[]\^$.|?*+()and escape them by putting a backslash in front of the character.\;<account_id>- account number, can be viewed in control panel in the upper right corner.
8.2 Set the
filetransport type for exporting audit logs to a file:TRANSPORT_TYPE=file8.3 Set the interval for API access:
POLL_INTERVAL=<poll_interval>Specify
<poll_interval>- interval of API call in seconds (default is 30).8.4. Exit the save file by successively pressing Ctrl+X → Y → Enter.
-
Run the script:
python3 main.py
6. Set up audit logs reception in Wazuh
-
Add to Wazuh the path to the audit log upload file. To do this, add an entry in the main configuration file
/var/ossec/etc/ossec.confin the block<ossec_config>:<localfile>
<log_format>json</log_format>
<location><path></location>
</localfile>Specify
<path>- the path to the file with audit logs. By default, the files are saved in the script folder in theevents.txtfile . You can change the name of the file, for this in the script folder in the filesavers.pyin the blockclass FileSaverchange the value in the fieldself.filename. -
Add a new rule to Wazuh to display downloaded events. To do this, add an entry in
/var/ossec/etc/rules/local_rules.xml:<group name="audit_logs">
<rule id="100001" level="3">
<decoded_as>json</decoded_as>
<description>Audit log event from Selectel</description>
<field name="event_type">audit_logs.audit_logs.download</field>
<options>no_full_log</options>
<group>audit_logs</group>
</rule>
</group>Here:
group name="audit_logs"- name of the rule group;rule id="100001"- unique identifier of the rule;level="3"- level of criticality of the event;<decoded_as>json</decoded_as>- specifies that the event should be recognized as JSON;<description>Audit log event from Selectel</description>- description of the event in the Wazuh interface;<field name="event_type">audit_logs.log.download</field>- rule triggering condition by field valueevent_type;<options>no_full_log</options>- disables saving the full text of the event in the alert;<group>audit_logs</group>- additional group to which the event is included after the rule is triggered.
-
Optional: check the operation of the rule:
3.1 Open the CLI.
3.2 Pass the contents of the
audit-logfile as input to the/var/ossec/bin/wazuh-logtestexecutable:cat /var/ossec/logs/audit.log | /var/ossec/bin/wazuh-logtestThe response will show the result of event parsing in JSON format, for example:
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
event_id: 'ed253073-75ea-4563-919a-f01427f5a4a8'
event_saved_time: '2025-12-09T11:43:14Z'
event_time: '2025-12-09T11:42:22Z'
event_type: 'audit_logs.log.download'
request.remote_address: '185.55.58.180'
request.type: 'http'
request.user_agent: 'Python/3.12 aiohttp/3.13.2'
request_id: '9604fd73-2225-4946-85bf-c9a47fa6359f'
resource.account_id: '517043'
resource.details: 'null'
resource.id: '517043'
resource.new_values: 'null'
resource.old_values: 'null'
resource.type: 'audit_logs'
schema_version: '1.0'
source_type: 'audit_logs'
status: 'success'
subject.auth_provider: 'keystone'
subject.authorized_by: '[]'
subject.id: 'logs'
subject.is_authorized: 'true'
subject.type: 'user' -
Restart the
wazuh-managerservice:4.1 Open the CLI.
4.2 Restart the service:
systemctl restart wazuh-manager -
In the Wazuh web interface, go to Explore → Discover.
-
In the search bar, enter the rule you created in step 2:
rule.id:100001. The Wazuh web interface will display the events from the Audit Logs service.