{"id":7222,"date":"2020-10-28T10:23:40","date_gmt":"2020-10-28T07:23:40","guid":{"rendered":"https:\/\/kifarunix.com\/?p=7222"},"modified":"2024-03-14T23:22:46","modified_gmt":"2024-03-14T20:22:46","slug":"visualize-wordpress-user-activity-logs-on-elk-stack","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/visualize-wordpress-user-activity-logs-on-elk-stack\/","title":{"rendered":"Visualize WordPress User Activity Logs on ELK Stack"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to visualize WordPress user activity logs on ELK stack. WordPress does not provide an easy way to get an overview of user activity or to log user activity to a server log file. Logging is paramount in detecting, preventing or minimizing the impact of any security breach. There are a thousand different WordPress plugins that have been developed to enable WordPress logging. Some of these plugins provide the ability to write WordPress user activity logs to local system log files for easy analysis. In this setup, however, we use the <a aria-label=\"Sucuri (opens in a new tab)\" class=\"rank-math-link\" href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sucuri<\/a> WordPress plugin to log WordPress activity to a local system file, which we then read with Filebeat, process with Logstash and send to Elasticsearch for indexing, and finally visualize on the Kibana interface.<\/p>\n\n\n\n<p>Are you using WordPress and looking for a professional WordPress website builder? 
Look no further since <a href=\"https:\/\/trk.elementor.com\/8uczdzzsxgza-webcreatorsred\" target=\"_blank\" rel=\"noreferrer noopener\">Elementor can help you create beautiful pages<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#monitoring-word-press-user-activity-logs-on-elk-stack\">Monitoring WordPress User Activity Logs on ELK Stack<\/a><ul><li><a href=\"#install-and-setup-word-press\">Install and Setup WordPress<\/a><\/li><li><a href=\"#install-word-press-security-auditing-file-integrity-monitoring-plugin\">Install WordPress Security Auditing\/File Integrity Monitoring Plugin<\/a><\/li><li><a href=\"#monitor-word-press-user-activity-logs-on-elk-stack\">Monitor WordPress User Activity Logs on ELK Stack<\/a><ul><li><a href=\"#install-and-setup-elk-stack\">Install and Setup ELK Stack<\/a><\/li><li><a href=\"#configure-logstash-to-process-word-press-user-activity-logs\">Configure Logstash to Process WordPress User Activity Logs<\/a><\/li><li><a href=\"#test-logstash-configuration\">Test Logstash Configuration<\/a><\/li><li><a href=\"#running-logstash\"> Running Logstash<\/a><\/li><li><a href=\"#install-and-setup-filebeat\">Install and Setup Filebeat<\/a><ul><li><a href=\"#configure-filebeat\">Configure Filebeat<\/a><\/li><li><a href=\"#verify-filebeat-configuration\">Verify Filebeat Configuration<\/a><\/li><\/ul><\/li><\/ul><\/li><li><a href=\"#monitoring-word-press-user-activity-logs-on-elk-stack-1\">Monitoring WordPress User Activity Logs on ELK Stack<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"monitoring-word-press-user-activity-logs-on-elk-stack\">Monitoring WordPress User Activity Logs on ELK Stack<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-setup-word-press\">Install and Setup WordPress<\/h3>\n\n\n\n<p>Of course you must be having an already running 
WordPress if you are here. However, you might as well want to check the links below on how to install and set up a WordPress site;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-latest-wordpress-with-lamp-stack-on-ubuntu-20-04\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install latest WordPress with LAMP Stack on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-wordpress-with-nginx-and-mysql-8-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install WordPress with Nginx and MySQL 8 on CentOS 8<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-wordpress-5-with-nginx-on-debian-10-buster\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install WordPress 5 with Nginx on Debian 10 Buster<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-word-press-security-auditing-file-integrity-monitoring-plugin\">Install WordPress Security Auditing\/File Integrity Monitoring Plugin<\/h3>\n\n\n\n<p>As stated above, there are a thousand plugins that can be used to audit and record every WordPress user activity. You can use any plugin of your preference. But just so we can be on the same page, we have used the Sucuri plugin in this setup.<\/p>\n\n\n\n<p>We will not dive deeper into the installation and setup of the Sucuri plugin. 
You can visit the <a aria-label=\"Sucuri plugin installation page (opens in a new tab)\" href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/#installation\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Sucuri plugin installation page<\/a> for that.<\/p>\n\n\n\n<p>Now, assuming you have installed and activated the plugin, create a local log directory to which the WordPress audit events will be written.<\/p>\n\n\n\n<p>We use <code><strong>\/var\/log\/wordpress\/<\/strong><\/code> in this setup; yours may differ.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/var\/log\/wordpress\/<\/code><\/pre>\n\n\n\n<p>Set the proper ownership of the logging directory. For example, set the user and group to <code>www-data<\/code> or <code>nginx<\/code> depending on the HTTP server you are using.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R www-data: \/var\/log\/wordpress<\/code><\/pre>\n\n\n\n<p>Since the audit log records usernames and source IP addresses, keep the directory writable only by the web server user and do not make it world-readable.<\/p>\n\n\n\n<p>Next, navigate to <strong><code>Sucuri Security &gt; Settings &gt; General Settings &gt; Log Exporter<\/code><\/strong> and enter the full path to your WordPress audit log file; in this setup we use <strong>\/var\/log\/wordpress\/kifarunix-demo.com.log<\/strong>.<\/p>\n\n\n\n<p>Once you have entered the path, click <strong>Submit<\/strong> to save and create the log file.<\/p>\n\n\n\n<p>From now on, any WordPress activity is logged to <strong>\/var\/log\/wordpress\/kifarunix-demo.com.log<\/strong>.<\/p>\n\n\n\n<p>To see how Sucuri writes the audit log, follow the file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/wordpress\/kifarunix-demo.com.log<\/code><\/pre>\n\n\n\n<p>Successful and failed login attempts to the WordPress site;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:15:10 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Error: 192.168.57.1; User authentication failed: demouser\n2020-11-12 04:15:24 WordPressAudit 
kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: 192.168.57.1; User authentication succeeded: gentoo\n<\/code><\/pre>\n\n\n\n<p>WordPress plugins activation and deactivation logs;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:17:04 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Plugin activated: Hello Dolly (v1.7.2; hello.php)\n2020-11-12 04:17:13 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Plugin deactivated: Hello Dolly (v1.7.2; hello.php)\n<\/code><\/pre>\n\n\n\n<p>WordPress Blogs Posts Management logs;<\/p>\n\n\n\n<p>New draft post\/page;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:30:02 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: auto-draft,New status: draft,Title: My new post\n2020-11-12 04:45:53 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: auto-draft,New status: draft,Title: sample page\n<\/code><\/pre>\n\n\n\n<p>Updating Existing draft post\/page;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:31:22 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Revision status has been changed; details: ID: 7,Old status: new,New status: inherit,Title: My new post\n2020-11-12 04:47:16 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Revision status has been changed; details: ID: 11,Old status: new,New status: inherit,Title: sample page\n<\/code><\/pre>\n\n\n\n<p>Publish a blog post\/page;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:32:49 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: draft,New status: publish,Title: My new 
post\n2020-11-12 04:32:49 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post was created; ID: 5; name: My new post\n2020-11-12 04:47:49 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: draft,New status: publish,Title: sample page\n2020-11-12 04:47:49 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Page was created; ID: 9; name: sample page\n<\/code><\/pre>\n\n\n\n<p>Delete published blog post;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\n2020-11-12 04:33:54 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: publish,New status: trash,Title: My new post\n2020-11-12 04:48:24 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Page status has been changed; details: ID: 9,Old status: publish,New status: trash,Title: sample page\n<\/code><\/pre>\n\n\n\n<p>Restore trashed post;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:35:04 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: trash,New status: publish,Title: My new post<\/code><\/pre>\n\n\n\n<p>Draft published blog post;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:36:19 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Post status has been changed; details: ID: 5,Old status: publish,New status: draft,Title: My new post<\/code><\/pre>\n\n\n\n<p>User Account Creation;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:38:22 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; User account created; ID: 2; name: demouser; email: demo@kifarunix-demo.com; roles: 
editor<\/code><\/pre>\n\n\n\n<p>User account changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:39:52 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; User account edited; ID: 2; name: demouser; old_name: demouser; email: demo@kifarunix-demo.com; old_email: demo@kifarunix-demo.com; roles: editor; old_roles: editor<\/code><\/pre>\n\n\n\n<p>User Account deletion;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:41:44 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; User account deleted; ID: 2<\/code><\/pre>\n\n\n\n<p>File uploads;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:43:32 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Notice: gentoo, 192.168.57.1; Media file added; ID: 8; name: linuxtux; type: image\/jpeg<\/code><\/pre>\n\n\n\n<p>File deletion;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:44:23 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Post deleted: (multiple entries): Post id: 8<\/code><\/pre>\n\n\n\n<p>Theme Activation;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:49:31 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Theme activated: Twenty Nineteen<\/code><\/pre>\n\n\n\n<p>Widget changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2020-11-12 04:50:37 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Widget recent-posts (recent-posts-3) added to sidebar-2 (#2; size 250x200)\n2020-11-12 04:51:39 WordPressAudit kifarunix-demo.com gentoo@kifarunix-demo.com : Warning: gentoo, 192.168.57.1; Widget recent-posts (recent-posts-4) deleted from sidebar-2 (#2; size 250x200)<\/code><\/pre>\n\n\n\n<p>And the list goes on.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"monitor-word-press-user-activity-logs-on-elk-stack\">Monitor WordPress User 
Activity Logs on ELK Stack<\/h3>\n\n\n\n<p>In this setup, we collect the logs using Filebeat and ship them to Logstash, where we process them further to extract specific log fields, after which they are sent to Elasticsearch for storage and indexing and then visualized on Kibana.<\/p>\n\n\n\n<p>Follow the links below to install and set up Filebeat as well as the ELK stack;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-and-setup-elk-stack\">Install and Setup ELK Stack<\/h4>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-elastic-elk-stack-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install ELK Stack on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/installing-elk-stack-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Installing ELK Stack on CentOS 8<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-logstash-to-process-word-press-user-activity-logs\">Configure Logstash to Process WordPress User Activity Logs<\/h4>\n\n\n\n<p>Assuming you have already set up the ELK stack, you need to configure Logstash to receive the WordPress user activity logs and process them.<\/p>\n\n\n\n<p>The Logstash data processing pipeline has three sections;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>INPUT<\/strong>: the input section is used to ingest data from different endpoints into Logstash. <strong>We use Filebeat in this setup<\/strong>.<\/li>\n\n\n\n<li><strong>FILTERS<\/strong>: which process and transform the data received. <strong>We use grok patterns to extract the fields from the WordPress user activity logs.<\/strong><\/li>\n\n\n\n<li><strong>OUTPUT<\/strong>: which stashes the processed data into a specified destination, which can be Elasticsearch. 
<strong>We use Elasticsearch in this guide<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>You can read more about Logstash Pipeline&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/7.0\/pipeline.html\" target=\"_blank\">here<\/a>.<\/p>\n\n\n\n<p>Below is our Logstash configuration file with the Filebeat input, grok filters to process the WordPress log activity and Elasticsearch output defined.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/logstash\/conf.d\/wordpress.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ninput {\n  beats {\n    port =&gt; 5044\n  }\n}\nfilter {\n\t# Extract Authentication Logs\n\tgrok { \n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;.*):\\s(?&lt;user_name&gt;\\w+)\" }\n\t\tadd_tag =&gt; \"authentication\"\n\t}\n\t# plugins activation and deactivation logs;\n\tgrok { \n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Plugin.*):\\s(?&lt;plugin&gt;.*)\" }\n\t\tadd_tag =&gt; \"plugins\"\n\t}\n\t# Blogs Posts Management\n\t## New draft post\/page, publish post\/pages, delete\/restore posts\/pages, \n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Post.*|Page.*);\\s.*Old\\sstatus:\\s(?&lt;old_status&gt;\\w.+),New\\sstatus:\\s(?&lt;new_status&gt;\\w.+),Title:\\s(?&lt;title&gt;.*)\" }\n\t\tadd_tag =&gt; \"posts_pages\"\n\t}\n\t## Updating Existing draft post\/page;\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; 
\"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Revision.*);\\s.*Old\\sstatus:\\s(?&lt;old_status&gt;\\w.+),New\\sstatus:\\s(?&lt;new_status&gt;\\w.+),Title:\\s(?&lt;title&gt;.*)\" }\n\t\tadd_tag =&gt; \"posts_pages\"\n\t}\n\t## User Account Created\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;created_by&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;User account created);.*name:\\s(?&lt;user_name&gt;\\w+);\\semail:\\s(?&lt;email_address&gt;[a-zA-Z0-9_.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})));\\sroles:\\s(?&lt;user_role&gt;\\w.+)\" }\n\t\tadd_tag =&gt; \"account_created\"\n\t}\n\t## User Account Changes\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;edited_by&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;User account edited);.*name:\\s(?&lt;user_name&gt;\\w+);\\sold_name:\\s(?&lt;old_name&gt;\\w+);\\semail:\\s(?&lt;email_address&gt;[a-zA-Z0-9_.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})));\\sold_email:\\s(?&lt;old_email_address&gt;[a-zA-Z0-9_.+=:-]+@[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})));\\sroles:\\s(?&lt;user_role&gt;\\w.+);\\sold_roles:\\s(?&lt;old_role&gt;\\w.+)\" } \n\t\tadd_tag =&gt; \"account_edited\"\n\t}\n\t## User account deletion\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;deleted_by&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;User account 
deleted);\\sID:\\s(?&lt;deleted_user_id&gt;\\d+)\" }\n\t\tadd_tag =&gt; \"account_deleted\"\n\t}\n\t## File Uploads\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Media file added);\\sID:\\s(?&lt;file_id&gt;\\d+);\\sname:\\s(?&lt;file_name&gt;\\w+);\\stype:\\s(?&lt;file_type&gt;\\w.+)\" }\n\t\tadd_tag =&gt; \"file_added\"\n\t}\n\t## File Deletion\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Post deleted).*Post\\sid:\\s(?&lt;file_id&gt;\\d+)\" }\n\t\tadd_tag =&gt; \"file_deleted\"\n\t}\n\t## Theme Activations\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Theme.*):\\s(?&lt;theme_name&gt;\\w.+)\" }\n\t\tadd_tag =&gt; \"theme_changes\"\n\t}\n\t## Widget management\n\tgrok {\n\t\tmatch =&gt; { \"message\" =&gt; \"(?&lt;event_time&gt;%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\\s%{TIME})\\s\\w+\\s%{HOSTNAME:host_name}\\s.*\\s:\\s(?&lt;log_level&gt;\\w+):\\s(?&lt;user_name&gt;\\w+),\\s%{IPORHOST:src_ip};\\s(?&lt;msg&gt;Widget.*)\" }\n\t\tadd_tag =&gt; \"widget_changes\"\n\t}\n}\noutput {\n   elasticsearch {\n     hosts =&gt; [\"192.168.57.30:9200\"]\n     index =&gt; \"wordpress-%{+YYYY.MM.dd}\"\n   }\n  #stdout { codec =&gt; rubydebug }\n}\n<\/code><\/pre>\n\n\n\n<p>Feel free to adjust the grok patterns to suit your needs. 
You can utilize the Kibana Grok Debugger (<strong>Kibana &gt; Dev Tools &gt; Grok Debugger<\/strong>) or the <a aria-label=\"Herokuapp Grok Debugger (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/grokdebug.herokuapp.com\/\" target=\"_blank\" class=\"rank-math-link\">Herokuapp Grok Debugger<\/a> to create your grok patterns. Note that a grok filter that does not match adds the <code>_grokparsefailure<\/code> tag to the event; since each event matches only one of the filters above, every event will carry that tag unless you set <code>tag_on_failure =&gt; []<\/code> on each filter or guard the filters with conditionals on the tags already added.<\/p>\n\n\n\n<p>If you need to debug Logstash grok filters to confirm that they actually parse your logs into the required fields, see the link below.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" class=\"rank-math-link\" href=\"https:\/\/kifarunix.com\/how-to-debug-logstash-grok-filters\/\" target=\"_blank\">How to Debug Logstash Grok Filters<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"test-logstash-configuration\">Test Logstash Configuration<\/h4>\n\n\n\n<p>Once you are done with the configuration, run the command below to verify it before you start Logstash.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash -t<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>\nSending Logstash logs to \/var\/log\/logstash which is now configured via log4j2.properties\n[2020-11-13T19:58:51,616][INFO ][org.reflections.Reflections] Reflections took 76 ms to scan 1 urls, producing 21 keys and 41 values \nConfiguration OK\n[2020-11-13T19:58:54,815][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. 
Exiting Logstash\n<\/code><\/pre>\n\n\n\n<p>Well, if you get&nbsp;<strong>Configuration OK<\/strong>&nbsp;then you are good to go.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"running-logstash\"> Running Logstash<\/h4>\n\n\n\n<p>Now, start and enable Logstash to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now logstash<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status logstash<\/code><\/pre>\n\n\n\n<p>Verify that the Beats port is listening;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ss -antlp | grep :5044<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>LISTEN 0 128 *:5044 *:* users:((\"java\",pid=3273,fd=99))<\/code><\/pre>\n\n\n\n<p>Open the port on the firewall to allow remote Beats to connect to it. The Beats input in the Logstash configuration above is not configured with TLS, so where possible restrict the rule to the address of the WordPress server rather than opening the port to any host;<\/p>\n\n\n\n<p>On RHEL based derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-port=5044\/tcp --permanent<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --reload<\/code><\/pre>\n\n\n\n<p>On Debian based derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 5044\/tcp<\/code><\/pre>\n\n\n\n<p>On IPtables;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>iptables -A INPUT -p tcp --dport 5044 -j ACCEPT<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-and-setup-filebeat\">Install and Setup Filebeat<\/h4>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-filebeat-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install and Configure Filebeat on CentOS 8<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-filebeat-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install Filebeat on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a 
aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-filebeat-7-on-ubuntu-18-04-debian-9-8\/\" target=\"_blank\" class=\"rank-math-link\">Install and Configure Filebeat 7 on Ubuntu 18.04\/Debian 9.8<\/a><\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"configure-filebeat\">Configure Filebeat<\/h5>\n\n\n\n<p>Assuming Filebeat is already installed and running on the WordPress server, you can configure it to read the WordPress user activity logs as follows. In this setup, the plugin has been configured to write WordPress user activity logs to the local file <strong>\/var\/log\/wordpress\/kifarunix-demo.com.log<\/strong>.<\/p>\n\n\n\n<p>Open the Filebeat configuration for editing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/filebeat\/filebeat.yml<\/code><\/pre>\n\n\n\n<p>Enable the Filebeat <code>log<\/code> input type and configure it to read the WordPress user activity log file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code># ============================== Filebeat inputs ===============================\n\nfilebeat.inputs:\n- type: log\n<strong>  enabled: true<\/strong>\n  paths:\n<strong>    - \/var\/log\/wordpress\/kifarunix-demo.com.log<\/strong>\n...<\/code><\/pre>\n\n\n\n<p>Configure Filebeat to send logs to Logstash instead of Elasticsearch.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n# ================================== Outputs ===================================\n\n# Configure what output to use when sending the data collected by the beat.\n\n<strong># ---------------------------- Elasticsearch Output ----------------------------\n#output.elasticsearch:\n  # Array of hosts to connect to.\n  #hosts: [\"localhost:9200\"]<\/strong>\n...\n<strong># ------------------------------ Logstash Output -------------------------------\noutput.logstash:\n  # The Logstash hosts\n  hosts: [\"192.168.57.30:5044\"]<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the 
configuration file.<\/p>\n\n\n\n<p>Ensure that you can reach the Logstash port, 5044\/tcp, from the WordPress server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>telnet 192.168.57.30 5044<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.57.30...\nConnected to 192.168.57.30.\nEscape character is '^]'.<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"verify-filebeat-configuration\">Verify Filebeat Configuration<\/h5>\n\n\n\n<p>Run Filebeat in the foreground with logging to standard error (<code>-e<\/code>) to check that it connects to Logstash successfully before you start it as a service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>filebeat -e<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n2020-11-13T17:36:08.735Z\tINFO\tlog\/input.go:157\tConfigured paths: [\/var\/log\/wordpress\/kifarunix-demo.com.log]\n2020-11-13T17:36:08.736Z\tINFO\t[crawler]\tbeater\/crawler.go:141\tStarting input (ID: 13913356589683053536)\n2020-11-13T17:36:08.737Z\tINFO\t[crawler]\tbeater\/crawler.go:108\tLoading and starting Inputs completed. 
Enabled inputs: 1\n2020-11-13T17:36:08.738Z\tINFO\tcfgfile\/reload.go:164\tConfig reloader started\n2020-11-13T17:36:08.739Z\tINFO\tcfgfile\/reload.go:224\tLoading of config files completed.\n2020-11-13T17:36:08.738Z\tINFO\tlog\/harvester.go:302\tHarvester started for file: \/var\/log\/wordpress\/kifarunix-demo.com.log\n2020-11-13T17:36:11.648Z\tINFO\t[add_cloud_metadata]\tadd_cloud_metadata\/add_cloud_metadata.go:89\tadd_cloud_metadata: hosting provider type not detected.\n2020-11-13T17:36:12.649Z\tINFO\t[publisher_pipeline_output]\tpipeline\/output.go:143\tConnecting to backoff(async(tcp:\/\/192.168.57.30:5044))\n2020-11-13T17:36:12.651Z\tINFO\t[publisher]\tpipeline\/retry.go:219\tretryer: send unwait signal to consumer\n2020-11-13T17:36:12.654Z\tINFO\t[publisher]\tpipeline\/retry.go:223\t  done\n<strong>2020-11-13T17:36:12.653Z\tINFO\t[publisher_pipeline_output]\tpipeline\/output.go:151\tConnection to backoff(async(tcp:\/\/192.168.57.30:5044)) established<\/strong>\n<\/code><\/pre>\n\n\n\n<p>If you see a line such as <strong>Connection to backoff(async(tcp:\/\/192.168.57.30:5044)) established<\/strong>, then all is fine. Stop the foreground instance with Ctrl+C before starting the service.<\/p>\n\n\n\n<p>Proceed to start and enable Filebeat to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now filebeat<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"monitoring-word-press-user-activity-logs-on-elk-stack-1\">Monitoring WordPress User Activity Logs on ELK Stack<\/h3>\n\n\n\n<p>Next, verify that Elasticsearch is receiving data from Logstash and create a Kibana index pattern so that you can visualize user activity.<\/p>\n\n\n\n<p>You can check this guide on how to create a Kibana index;<\/p>\n\n\n\n<p><a aria-label=\"Create Kibana Index to Visualize Event Data (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-filebeat-7-on-ubuntu-18-04-debian-9-8\/#verify-elasticsearch-data-reception\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Create Kibana Index to 
Visualize Event Data<\/a><\/p>\n\n\n\n<p>Next, perform some WordPress site activities and you should be able to see events populated on Kibana;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1895\" height=\"769\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/wordpress-logs-kibana.png\" alt=\"Visualize WordPress User Activity Logs on ELK Stack\" class=\"wp-image-7233\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/wordpress-logs-kibana.png?v=1605291986 1895w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/wordpress-logs-kibana-768x312.png?v=1605291986 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/wordpress-logs-kibana-1536x623.png?v=1605291986 1536w\" sizes=\"(max-width: 1895px) 100vw, 1895px\" \/><\/figure>\n\n\n\n<p>Based on the extracted fields, you can create visualization dashboards. Below are sample dashboards;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1895\" height=\"439\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/user-authentications.png\" alt=\"\" class=\"wp-image-7234\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/user-authentications.png?v=1605297851 1895w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/user-authentications-768x178.png?v=1605297851 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/user-authentications-1536x356.png?v=1605297851 1536w\" sizes=\"(max-width: 1895px) 100vw, 1895px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1904\" height=\"516\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/account-activity.png\" alt=\"\" class=\"wp-image-7235\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/account-activity.png?v=1605297870 1904w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/account-activity-768x208.png?v=1605297870 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/account-activity-1536x416.png?v=1605297870 1536w\" sizes=\"(max-width: 1904px) 100vw, 1904px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1881\" height=\"330\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/posts-pages-activity.png\" alt=\"\" class=\"wp-image-7238\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/posts-pages-activity.png?v=1605298265 1881w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/posts-pages-activity-768x135.png?v=1605298265 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2020\/11\/posts-pages-activity-1536x269.png?v=1605298265 1536w\" sizes=\"(max-width: 1881px) 100vw, 1881px\" \/><\/figure>\n\n\n\n<p>Those are just sample dashboards of WordPress user activity that we built in this guide from the logs generated by the Sucuri plugin. 
You can do more, :).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/restrict-access-to-wordpress-login-page-to-specific-ips-with-libmodsecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-fix-wordpress-could-not-establish-a-secure-connection-to-wordpress-org\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">How to fix WordPress could not establish a secure connection to WordPress.org<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/process-and-visualize-modsecurity-logs-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Process and Visualize ModSecurity Logs on ELK Stack<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/deploy-a-single-node-elastic-stack-cluster-on-docker-containers\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Deploy a Single Node Elastic Stack Cluster on Docker Containers<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/create-kibana-visualization-dashboards-for-modsecurity-logs\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Create Kibana Visualization Dashboards for ModSecurity Logs<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to visualize WordPress user activity logs on ELK stack. 
WordPress do not provide an easy way to have<\/p>\n","protected":false},"author":3,"featured_media":16073,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[910,121,72],"tags":[1852,2865,2871,2866,2867,2869,2868,2870],"class_list":["post-7222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-elastic-stack","category-howtos","category-monitoring","tag-elk-stack","tag-monitor-wordpress-logs-with-elk","tag-monitor-wordpress-logs-with-elk-stack","tag-visualize-wordpress-logs-with-elk","tag-wordpress-elk-stack","tag-wordpress-logging","tag-wordpress-logs","tag-wordpress-logs-to-file","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7222"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=7222"}],"version-history":[{"count":11,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7222\/revisions"}],"predecessor-version":[{"id":21528,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/7222\/revisions\/21528"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16073"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=7222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=7222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=7222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}