One of the key objectives of a Security Operations Center (SOC) is monitoring process execution, especially when privileged users execute commands that could indicate privilege escalation, persistence mechanisms, malware activity, or unauthorized administrative actions.
In this Proof of Concept (PoC), we configure Auditd on a Wazuh Agent to monitor command execution performed by the root user. These events are then forwarded to Wazuh, where they can be investigated through the Threat Hunting module.
The goal of this lab is to:
- Install and configure Auditd on the Wazuh Agent.
- Forward Auditd logs to Wazuh.
- Create audit rules to monitor command execution by privileged users.
- Generate activity on the endpoint.
- Visualize the resulting alerts and events in the Wazuh Dashboard.
Auditd is the Linux Audit Daemon responsible for recording security-relevant system events such as:
- Process execution
- File access
- User activity
- Privilege escalation attempts
- System calls
Update the system and install Auditd:
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install -y auditd
Confirm the daemon is running with systemctl status auditd. By default, Auditd stores logs in:
/var/log/audit/audit.log
Verify that the log file exists and contains events:
cd /var/log/audit/
cat /var/log/audit/audit.log
The log file is owned by root with mode 0600, so reading it requires root privileges.
Screenshot: the Auditd log file being accessed.
For day-to-day analysis, viewing the entire log file is often unnecessary. Instead, it is more practical to display only the most recent events.
tail -n50 audit.log
This command displays the last 50 lines of audit.log. Note that a single audit event usually spans several lines (for example SYSCALL, EXECVE, CWD, PATH and PROCTITLE records that share the same msg=audit(timestamp:serial) identifier), so 50 lines is fewer than 50 events. To see records grouped into events in readable form, use ausearch -i instead.
Although Auditd is now collecting events locally, Wazuh does not automatically process these logs. We must explicitly tell the Wazuh Agent where the Auditd log file is located.
Open the Wazuh Agent configuration file:
nano /var/ossec/etc/ossec.conf
Before the closing </ossec_config> tag, add the following configuration:
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
- log_format tells Wazuh that the source is Auditd, so the manager applies its audit decoders and rules to these events rather than treating them as generic syslog.
- location specifies the Auditd log file.
- The Wazuh Agent will continuously monitor this file and forward new events to the Wazuh Manager.
After saving the configuration, restart the Wazuh Agent:
systemctl restart wazuh-agent.service
For this PoC, we want to monitor commands executed by the root user.
Open the Auditd rules file:
nano /etc/audit/audit.rules
On distributions that use augenrules (the default on current Debian, Ubuntu and RHEL-family systems), /etc/audit/audit.rules is regenerated from /etc/audit/rules.d/*.rules whenever the service starts, so edits made directly to audit.rules are overwritten. To make the rules persistent, put them in a file such as /etc/audit/rules.d/wazuh.rules and load them with augenrules --load. The rules themselves are the same in either location. Add the following rules:
-a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c
-a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c
- -a exit,always appends the rule to the exit list, which is evaluated when the monitored system call returns, and records the event every time it matches.
- -F euid=0 targets processes running with an effective UID of 0 (root). This includes commands run through sudo or su, because those raise the effective UID even though the login UID (auid) stays that of the original user.
- -F arch=b64 monitors 64-bit system calls.
- -F arch=b32 monitors 32-bit system calls. Both rules are needed on a 64-bit host because syscall numbers differ between the 32-bit and 64-bit ABIs; a 32-bit binary calling execve would otherwise go unrecorded. The architecture must be written as b64/b32 (or a machine name such as x86_64); auditctl rejects a bare number.
- -S execve selects the execve syscall, which is responsible for launching programs and commands. Monitoring this syscall allows us to track command execution on the system.
- -k audit-wazuh-c assigns a custom key to help identify and search for matching events. This is the same key the default Wazuh audit ruleset uses for command execution, so the manager raises its built-in command-execution alerts without any custom rules on the Wazuh side.
Reload the Auditd rules:
auditctl -R /etc/audit/audit.rules
This applies the new monitoring configuration without requiring a reboot (if the rules were placed under /etc/audit/rules.d/, use augenrules --load instead). Confirm that the two execve rules are active with auditctl -l. Note that auditctl -R does not remove rules that were already loaded unless the file begins with -D.
To verify that monitoring is functioning correctly, execute a command as root.
For this PoC, we use:
netstat
The netstat command displays active network connections, listening ports, and routing information. It is provided by the net-tools package, which is no longer installed by default on recent Ubuntu releases; ss from iproute2 is the usual replacement, and any command run as root will do for this test.
From a security perspective, attackers frequently enumerate network connections during reconnaissance and post-exploitation activities. Therefore, observing command execution events such as netstat can provide valuable visibility into endpoint activity.
netstat
Run it as root (directly or through sudo); the rule matches only when the effective UID is 0. To confirm locally that Auditd recorded the execution before looking at the dashboard, run ausearch -k audit-wazuh-c -i. Then navigate to:
Wazuh Dashboard
└── Target Agent
└── Threat Hunting
└── Events
You should now see Auditd events being forwarded from the agent.
These events contain useful information such as:
- Executed command
- User context (uid and euid of the process, plus the login UID auid, which survives su and sudo and therefore attributes a root command to the account that actually logged in)
- Process details
- Timestamp
- Audit key
- Host information
This enables security analysts to investigate potentially suspicious command execution activity directly from the Wazuh interface.
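To make concrete which fields in audit.log carry the information listed above, the following Python script is an added example that is not part of the original post and not Wazuh's own audit decoder. It groups raw records by their msg=audit(timestamp:serial) identifier, keeps the events whose SYSCALL record carries the key audit-wazuh-c from the rules above, and reconstructs the executed command from the EXECVE record, including the hex-encoded form auditd uses for arguments that contain spaces. The log excerpt is constructed by hand: PIDs, serial numbers, timestamps and the USER_LOGIN line are made up to resemble real output.

```python
"""Reconstruct root command executions from raw auditd records.

Added example (not Wazuh's decoder). The log excerpt below is constructed:
PIDs, serials and timestamps are made up to resemble what the execve rules
with key audit-wazuh-c produce when root runs a command.
"""
import re
import shlex
from datetime import datetime, timezone

COMMAND_KEY = "audit-wazuh-c"  # the -k value from the audit rules

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.123:4321): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3a0e2c0 a1=55d1c3a0e3a0 a2=55d1c3a0e4c0 a3=8 items=2 ppid=1100 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="netstat" exe="/usr/bin/netstat" key="audit-wazuh-c"
type=EXECVE msg=audit(1718000000.123:4321): argc=2 a0="netstat" a1="-tulpn"
type=PROCTITLE msg=audit(1718000000.123:4321): proctitle=6E657473746174002D74756C706E
type=SYSCALL msg=audit(1718000000.456:4322): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3a11000 a1=55d1c3a11100 a2=55d1c3a11200 a3=8 items=2 ppid=1100 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="audit-wazuh-c"
type=EXECVE msg=audit(1718000000.456:4322): argc=3 a0="bash" a1="-c" a2=6E657473746174202D746C6E
type=USER_LOGIN msg=audit(1718000000.789:4330): pid=1300 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
"""

# Every record of one event shares msg=audit(<seconds>.<millis>:<serial>):
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")
# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unquote(value):
    """Strip the double quotes auditd puts around printable strings."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def decode_execve_arg(raw):
    """auditd quotes an argument when it is printable and free of spaces
    and quotes; otherwise it emits the raw bytes as an unquoted hex string
    (how "netstat -tln" passed through bash -c shows up). Very long
    arguments are split into aN[M] chunks, which this example does not
    reassemble."""
    if raw.startswith('"'):
        return unquote(raw)
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # not hex after all; keep the literal


def group_records(text):
    """Group lines by event id and index each event's records by type.
    (Repeated types such as multiple PATH records overwrite each other;
    this example only needs SYSCALL and EXECVE.)"""
    events = {}
    for line in text.splitlines():
        match = MSG_RE.search(line)
        if not match:
            continue
        event_id = tuple(int(x) for x in match.groups())
        fields = dict(FIELD_RE.findall(line))
        record_type = fields.pop("type", "")
        events.setdefault(event_id, {})[record_type] = fields
    return events


def extract_commands(text, key=COMMAND_KEY):
    """Return one summary per event whose SYSCALL record carries `key`."""
    summaries = []
    for event_id, records in sorted(group_records(text).items()):
        syscall = records.get("SYSCALL")
        execve = records.get("EXECVE")
        if not syscall or not execve or unquote(syscall.get("key", "")) != key:
            continue  # other audit events (logins, file writes, ...) are skipped
        argc = int(execve.get("argc", 0))
        args = [decode_execve_arg(execve[f"a{i}"]) for i in range(argc) if f"a{i}" in execve]
        seconds, millis, serial = event_id
        summaries.append({
            "timestamp": datetime.fromtimestamp(seconds + millis / 1000, tz=timezone.utc).isoformat(),
            "serial": serial,
            "command": shlex.join(args),          # shell-safe reconstruction of argv
            "exe": unquote(syscall.get("exe", "")),
            "auid": syscall.get("auid"),          # login UID: who really ran it
            "uid": syscall.get("uid"),
            "euid": syscall.get("euid"),          # 0 here, because the rule filters euid=0
            "pid": syscall.get("pid"),
            "ppid": syscall.get("ppid"),
            "tty": syscall.get("tty"),
            "success": syscall.get("success"),
            "key": key,
        })
    return summaries


if __name__ == "__main__":
    for event in extract_commands(SAMPLE_AUDIT_LOG):
        print(f'{event["timestamp"]} auid={event["auid"]} euid={event["euid"]} '
              f'pid={event["pid"]} exe={event["exe"]} cmd={event["command"]}')
```

Two details matter for investigation: the login UID (auid) stays 1000 even though uid and euid are 0, which is how a root command gets attributed to the human account that used sudo or su, and the second event shows that the interesting command line (netstat -tln) lives in an argument of bash, so filtering on comm or exe alone would only show bash. The host or agent name is not in the raw line; the Wazuh Agent adds it when forwarding.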
Command Executed
│
▼
Auditd
│
▼
audit.log
│
▼
Wazuh Agent
│
▼
Wazuh Manager
│
▼
Threat Hunting
│
▼
Analyst Investigation
In this PoC, we successfully integrated Auditd with Wazuh to monitor command execution performed by privileged users.
By creating custom Auditd rules and forwarding the resulting logs to Wazuh, we gained visibility into process execution events that could indicate privilege escalation attempts, attacker reconnaissance, malware execution, or unauthorized administrative actions.
While this demonstration uses a simple command (netstat) to generate events, the same approach can be expanded to monitor sensitive binaries, detect suspicious behavior, and enhance endpoint visibility within real-world SOC environments.
This foundational technique is widely applicable to:
- Security Operations Centers (SOC)
- Threat Hunting
- Detection Engineering
- Incident Response
- Endpoint Monitoring
- Linux Security Monitoring
If this walkthrough helped you, feel free to connect with me:
GitHub: https://github.com/AdityaBhatt3010
LinkedIn: https://www.linkedin.com/in/adityabhatt3010/
Medium: https://medium.com/@adityabhatt3010
More writeups soon. Cleaner, deeper and built from too many late-night labs.
If you found this useful, consider starring the repository and following my cybersecurity journey.