Configure integration with Wazuh SIEM system

If you do not have a Wazuh server installed, install it.
Create a service user.
Generate an IAM token for the account.
Get the script for exporting audit logs.
Configure and run the script.
Configure audit log ingestion in Wazuh.

1. Install Wazuh server

You can install a Wazuh server from a distribution on any available server, or deploy a cloud server with Wazuh from a prepared image in the Control Panel.

Install from distribution
Install from a prepared image

Open the CLI.
Install the Wazuh server:
```
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
```
Learn more about installing a Wazuh server from a distribution in the Quickstart section of the official Wazuh documentation.

2. Create a service user

Add a service user with the audit_logs.admin.

Users can be added by the Account Owner or users with the iam.admin.

3. Get an IAM token for the account

Obtain an IAM token for the account for the service user you created in step 2.

4. Get the script for exporting audit logs

We have prepared a script for exporting audit logs—it allows you to export logs to a file, as well as send them to a specified IP address or endpoint via the syslog or HTTP/HTTPS protocol.

Open the CLI.
Clone the script repository:
```
git clone https://github.com/t-rex-general/auditlog-integration.git
```
The script files will be saved in the working directory to the auditlog-integration folder.

5. Configure and run the script

Open the CLI.
Create a virtual environment:
```
python3 -m venv .venv
```
Activate the virtual environment:
```
source .venv/bin/activate
```
Navigate to the script directory:
```
cd auditlog-integration
```
Install the required dependencies:
```
pip3 install -r requirements.txt
```
Create a configuration file .env:
```
touch .env
```
Open the configuration file .env:
```
nano .env
```
Fill in the configuration file .env:

8.1. Add a block with authentication parameters for the Audit Logs service API:
```
AUDIT_LOGS_URL=<base_url>/v1/logs
USERNAME=<username>
PASSWORD=<password>
ACCOUNT_ID=<account_id>
```
Specify:
- <base_url> — URL for accessing the Audit Logs API in the required pool. The list of URLs can be found in the URL list;
- <username> — the name of the service user you created in step 2;
- <password> — service user password. If the password contains symbols [ ] \ ^ $. |? * + (), escape them — place a backslash \;
- <account_id> — account ID, which can be found in the Control Panel in the top right corner.
8.2. Set the transport type to file to export audit logs to a file:
```
TRANSPORT_TYPE=file
```
8.3. Set the API request interval:
```
POLL_INTERVAL=<poll_interval>
```
Specify <poll_interval> — the API request interval in seconds (default is 30).

8.4. Exit and save the file by pressing Ctrl+X → Y → Enter.
Run the script:
```
python3 main.py
```

6. Configure audit log reception in Wazuh

Add the path to the audit log export file to Wazuh. To do this, in the main configuration file /var/ossec/etc/ossec.conf, add the following to the <ossec_config> block:
```
<localfile>
    <log_format>json</log_format>
    <location><path></location>
</localfile>
```
Specify <path> — the path to the audit log file. By default, files are saved to the script folder as events.txt. You can change the filename by updating the self.filename field in the class FileSaver block in the savers.py file.
Add a new rule to Wazuh to display the uploaded events. To do this, add the following entry to the /var/ossec/etc/rules/local_rules.xml file:
```
<group name="audit_logs">
    <rule id="100001" level="3">
    <decoded_as>json</decoded_as>
    <description>Audit log event from Selectel</description>
    <field name="event_type">audit_logs.audit_logs.download</field>
    <options>no_full_log</options>
    <group>audit_logs</group>
    </rule>
</group>
```
Where:
- group name="audit_logs" — rule group name;
- rule id="100001" — unique rule ID;
- level="3" — event criticality level;
- <decoded_as>json</decoded_as> — specifies that the event should be parsed as JSON;
- <description>Audit log event from Selectel</description> — event description in the Wazuh interface;
- <field name="event_type">audit_logs.log.download</field> — rule trigger condition based on the event_type field value;
- <options>no_full_log</options> — disables saving the full event text in the alert;
- <group>audit_logs</group> — additional group the event is added to after the rule is triggered.

Optional: check if the rule works:

3.1. Open the CLI.

3.2. Pass the content of the audit log file as input to the /var/ossec/bin/wazuh-logtest executable:

cat /var/ossec/logs/audit.log | /var/ossec/bin/wazuh-logtest

The response will show the event parsing result in JSON format, for example:

**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'json'
    event_id: 'ed253073-75ea-4563-919a-f01427f5a4a8'
    event_saved_time: '2025-12-09T11:43:14Z'
    event_time: '2025-12-09T11:42:22Z'
    event_type: 'audit_logs.log.download'
    request.remote_address: '185.55.58.180'
    request.type: 'http'
    request.user_agent: 'Python/3.12 aiohttp/3.13.2'
    request_id: '9604fd73-2225-4946-85bf-c9a47fa6359f'
    resource.account_id: '517043'
    resource.details: 'null'
    resource.id: '517043'
    resource.new_values: 'null'
    resource.old_values: 'null'
    resource.type: 'audit_logs'
    schema_version: '1.0'
    source_type: 'audit_logs'
    status: 'success'
    subject.auth_provider: 'keystone'
    subject.authorized_by: '[]'
    subject.id: 'logs'
    subject.is_authorized: 'true'
    subject.type: 'user'

Restart the wazuh-manager service:

4.1. Open the CLI.

4.2. Restart the service:
```
systemctl restart wazuh-manager
```
In the Wazuh web interface, go to Explore → Discover.
In the search bar, specify the rule you created in step 2: rule.id:100001. Events from the Audit Logs service will be displayed in the Wazuh web interface.