Additional Linux configuration for dhound-agent
Some security events require additional Linux configuration. If you selected Autodetect security events on server or selected the rules below, you need to make some additional configuration changes on the server so that dhound-agent can collect these security events.
Apache events
Make sure that the default Apache log format is vhost_combined (default Apache log level). This allows additional information (a domain name) to be added for the following security events:
This is useful information when several sites are installed on the server.
Make sure that the Apache virtual server configs (Ubuntu/Debian: /etc/apache2/sites-enabled/*.conf) either do not contain the CustomLog option or have it in the following form:
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
Restart Apache if you made any changes.
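One way to check the virtual host configs for the condition above, as an added example that is not part of the dhound documentation: the hypothetical audit_customlog function lists every CustomLog directive that differs from the form shown above. The sample configs and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: report CustomLog directives that are not exactly
#   CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
# Prints "file:line:directive" per finding; prints nothing if all is fine.
audit_customlog() {
    dir=${1:-/etc/apache2/sites-enabled}   # Ubuntu/Debian path from the page
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue            # glob matched nothing
        # Apache directive names are case-insensitive. Commented-out lines
        # never match because their first field starts with "#".
        awk 'tolower($1) == "customlog" &&
             !($2 == "${APACHE_LOG_DIR}/other_vhosts_access.log" &&
               $3 == "vhost_combined") {
                 printf "%s:%d:%s\n", FILENAME, NR, $0
             }' "$f"
    done
}

# Constructed sample vhost configs (not taken from a real server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName a.example
    CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
</VirtualHost>
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName b.example
    # CustomLog ${APACHE_LOG_DIR}/old.log common
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
cat > "$demo_dir/none.conf" <<'EOF'
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
EOF

# Only bad.conf line 4 is reported: per-site log without the vhost name.
audit_customlog "$demo_dir"
```

On a real server, run audit_customlog with no argument to scan /etc/apache2/sites-enabled; each reported line is a directive to remove or change to the form above.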
See Also
- List of predefined security events (on this resource)
- Apache Logging Basics