This document explains how to integrate WP Security Audit Log with Splunk. The scope of the integration is to export the WordPress security alerts generated by the security plugin to a centralized logging system.
Centralization of logs and monitoring of network and user activity are two vital security operations. Such solutions, typically used in enterprise and large organization networks, enable systems administrators to monitor all network, server, software and user activity from a centralized location, thus easing the process of keeping their network secure and pinpointing any suspicious behaviour.
Note: Even though this document explains how to integrate WP Security Audit Log with Splunk, the same concept can be applied to integrate WP Security Audit Log plugin with other similar logging and auditing systems.
Integrating WP Security Audit Log with Splunk
Splunk is a centralized logging and auditing solution which systems administrators use to centralize the logs and other relevant data from all the components on the network (such as software, websites and servers).
- Download the Splunk DB Connect App and install it on the Splunk Indexer server. The DB Connect App requires Java JDK.
- Grant the Splunk DB Connect App read-only access to the wp_wordpress_auditlog table, where all the WP Security Audit Log security alerts are stored. A dedicated database user with SELECT privileges on that table only is sufficient; the integration never needs to write to the WordPress database.
Note: To grant remote access to a user or system to the WordPress database or table, refer to the article How to Grant Remote Access Privileges to a WordPress MySQL Database.
- Download the MySQL JDBC driver to enable the Splunk DB Connect App to query a MySQL Database from here.
Note: The driver installs automatically once you extract the tar archive, copy all *.jar files to $SPLUNK_HOME/etc/apps/dbx/bin/lib and restart Splunk.
- Once the driver is installed, create a new database connection in the Splunk DB Connect App. In this step you simply choose the database type to query and enter the respective MySQL server host, port, username and password, and the WordPress database name. The connection is tested automatically when you click the save button.
Note: At this point you can already query the WordPress database from the Splunk DB Connect App interface. The next step explains how to automatically fetch the WordPress security alerts from the wp_wordpress_auditlog table in the WordPress MySQL database.
- Create a new Database data input (Manager -> Data Input -> Database) in Splunk and select the WordPress database which is available through the database connection you created in the previous step.
- As shown in the screenshot below, in this step you have to define the following:
- Input Type (table name): wp_wordpress_auditlog
- Rising Column (key column providing the increase value): EventNumber
- Source type and Output Format: for this integration “key-value” worked perfectly (there are more sophisticated ways to do such an import, which would require you to define Splunk-internal source types with a corresponding regular expression parser).
At this stage the integration is ready. This means that Splunk is indexing all new entries from your wp_wordpress_auditlog table, i.e. the table where WP Security Audit Log stores all the WordPress security alerts.
You can now search for these event log entries using Splunk’s search and create whichever alerts or dashboards you desire. Examples: an alert if there are more than 5 failed logins per user; a critical alert if more than 5 failed logins are followed by 1 successful login by the same user within 5 minutes (a possible successful brute force attack); a dashboard showing the “top” users in terms of new posts, post edits or any other activity.
Note: In this example we are simply retrieving the WordPress security alert numbers, which you can then match to a specific action using the List of All WordPress Security Audit Log Events.
If you need to extract the full-text description of the alert numbers, you can define an SQL query within the database input definition and join the wp_wordpress_auditlog_details table, where the alert descriptions are available.
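The two login alert rules described above (more than 5 failed logins per user, and more than 5 failed logins followed by a successful login by the same user within 5 minutes), worked through as an added example that is not part of the original article or the plugin. It assumes the DB Connect input emits one “key=value” line per table row with `alert_id`, `created_on` (Unix seconds) and a `username` field obtained via the details-table join; the event IDs (1000 = user logged in, 1002/1003 = login failed) and all sample rows are assumptions to be checked against the plugin's event list for your version.

```python
import shlex
from collections import defaultdict

# Assumed WP Security Audit Log event IDs; verify against the plugin's event list.
LOGIN_OK = 1000
LOGIN_FAILED = {1002, 1003}
WINDOW_SECONDS = 5 * 60   # "within 5 mins"
FAILURE_THRESHOLD = 5     # "more than 5 failed logins"

def parse_kv(line):
    """Parse one 'key=value key="quoted value"' line into a dict of strings."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def failed_logins_per_user(lines):
    """Rule 1: count failed logins per user (alert when a count exceeds the threshold)."""
    counts = defaultdict(int)
    for ev in map(parse_kv, lines):
        if int(ev["alert_id"]) in LOGIN_FAILED:
            counts[ev["username"]] += 1
    return dict(counts)

def brute_force_successes(lines):
    """Rule 2: a successful login preceded, within WINDOW_SECONDS, by more than
    FAILURE_THRESHOLD failed logins for the same user. Returns (user, ts, n_failed)."""
    events = sorted(map(parse_kv, lines), key=lambda e: float(e["created_on"]))
    failures = defaultdict(list)   # username -> timestamps of failed logins since last success
    hits = []
    for ev in events:
        user, ts, alert = ev["username"], float(ev["created_on"]), int(ev["alert_id"])
        if alert in LOGIN_FAILED:
            failures[user].append(ts)
        elif alert == LOGIN_OK:
            recent = [t for t in failures[user] if ts - t <= WINDOW_SECONDS]
            if len(recent) > FAILURE_THRESHOLD:
                hits.append((user, ts, len(recent)))
            failures[user].clear()   # a success ends the user's current failure run
    return hits

# Constructed sample rows: (EventNumber, alert_id, seconds offset, username).
_BASE = 1600000000
_ROWS = (
    [(i, 1002, 30 * i, "editor") for i in range(6)] + [(6, 1000, 200, "editor")]   # 6 fails in 3 min, then success
    + [(7, 1003, 10, "alice"), (8, 1000, 40, "alice")]                             # 1 fail, then success
    + [(9 + i, 1002, 400 * i, "web admin") for i in range(6)] + [(15, 1000, 2100, "web admin")]  # fails spread over 33 min
)
SAMPLE_LINES = [f'EventNumber={n} alert_id={a} created_on={_BASE + t} username="{u}"'
                for n, a, t, u in _ROWS]
```

Only the "editor" run trips rule 2: "web admin" also accumulates six failures, but they are spread too thinly for more than five to fall inside the 5-minute window before the success.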
Integrate WP Security Audit Log with Your Centralized Logging & Auditing Solution
Integrating WP Security Audit Log with a network’s centralized logging and auditing solution spares systems administrators another separate log to analyse, and lets them monitor what is happening on their WordPress blogs and websites without needing to log in to WordPress.
The integration between WP Security Audit and Splunk documented in this article was tested and implemented by a master’s student at the University of Applied Science in Austria as part of an Enterprise Security Intelligence project. If you tried something similar, i.e. integrated WP Security Audit Log to a centralized logging system, we would be more than glad to hear about it, so get in touch!