5. Visualizing web access alerts
13.10.2025
My first accomplishment so far with my Wazuh SIEM has been to see where the IPs of automatic exploits are being run from. So I made a dashboard and filtered for any WebAccess attempts to my webserver. If I understand correctly, Wazuh already has an automated filter that takes logs from my Apache web-access log (I added the <localfile> entry to the agent ossec.conf file that points to my /var/www/html directory). Wazuh then decodes those logs, filters using its decoding rules, and creates an alert.
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/luke.yt-access.log</location>
</localfile>
I had left Wazuh running since this morning, and was then able to generate a global map of access attempts.
Now I know IP Geolocation is rarely accurate, but it still paints an interesting picture.
Since my homelab is Japanese themed, I dug deeper into the attempted exploit from Japan. Zooming into Japan I found the full log:
43.132.196.160 - - [13/Oct/2025:16:27:19 +0000] "GET /search/s.php?i=1&id=APOX8NWOV42320 HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
It looks like an automatic probe sending a GET request for a seemingly random PHP script on my webserver. It may be trying to exploit a known pattern in common web apps that create scripts in their search directory using the same or a similar naming convention.
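As an added example (not code from the original post or from Wazuh), here is a small Python parser for Apache combined-format lines like the one above. It applies the kind of test a detection rule would apply to this request, a 404 for a .php script the server never hosted, and counts such probes per source IP. The log line from the post is used as-is; the other lines and the 203.0.113.7 / 198.51.100.20 addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, the layout the Wazuh apache decoder consumes.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# First line is the one from the post; the rest are constructed sample data.
SAMPLE_LINES = [
    '43.132.196.160 - - [13/Oct/2025:16:27:19 +0000] "GET /search/s.php?i=1&id=APOX8NWOV42320 HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"',
    '43.132.196.160 - - [13/Oct/2025:16:27:20 +0000] "GET /search/s.php?i=2 HTTP/1.1" 404 491 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Oct/2025:16:30:02 +0000] "GET /admin/login.php HTTP/1.1" 404 488 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [13/Oct/2025:16:31:45 +0000] "GET /index.html HTTP/1.1" 200 5124 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]


def parse_line(line):
    """Decode one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # %z accepts the "+0000" offset Apache writes.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_script_probe(rec):
    """A 404 for a .php path means the client asked for a script this server
    never had: the request is scanning for an application, not using one."""
    if rec is None:
        return False
    script = rec["path"].split("?", 1)[0]  # drop the query string
    return rec["status"] == 404 and script.endswith(".php")


def probe_summary(lines):
    """Count script probes per source IP, skipping lines that do not decode."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_script_probe(rec):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in probe_summary(SAMPLE_LINES).most_common():
        print(f"{ip}: {n} probe(s) for missing PHP scripts")
```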
I tried digging more into where this address is located physically. It looks like there's a mismatch with how my SIEM is grabbing geolocation data. According to WHOIS the IP is coming from Hong Kong, but it was physically registered in Singapore. Looking up the physical address points to a random large building that houses several unnamed businesses.
No matter where these access attempts are coming from, this is interesting. My inconspicuous website with nothing of interest is constantly being probed, poked, and prodded by IP addresses all around the world.
The internet is truly a dangerous place.