ossec-logtest and kibana outputs are different

[Pierre Gremaud]

I'm trying to decode syslog messages sent by pfsence

The log received in archives.log is the following :

2020 Jan 05 22:02:05 LAN-HIDS->192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1

The alert shown in kibana is the following :

I created a custom decoder in local_decoder.xml

<decoder name="pfsense">

     <prematch>\.+ php-fpm</prematch>

</decoder>

 

<decoder name="pfsense-auth-error">

  <parent>pfsense</parent>

  <regex>^(\d+.\d+.\d+.\d+) \.+ webConfigurator authentication error \.+ user '(\w+)' from: (\d+.\d+.\d+.\d+)</regex>

  <order>srcip, user, dstip</order>

</decoder>

I created a custom rule in local_rules.xml

<group name="local, windows, syslog, ">

  <!--

  Pfsense authentication error

  -->

  <rule id="100040" level="6">

<if_sid>2501</if_sid>

<decoded_as>pfsense</decoded_as>

<description>Pfsense authentication error</description>

<options>no_full_log</options>

</rule>

</group> 

The output from ossec-test is the following :

**Phase 1: Completed pre-decoding.

       full event: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1'

       timestamp: '(null)'

       hostname: 'LAN-HIDS'

       program_name: '(null)'

       log: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1'

**Phase 2: Completed decoding.

       decoder: 'pfsense'

       srcip: '192.168.85.40'

       dstuser: 'admin'

       dstip: '192.168.85.1'

**Phase 3: Completed filtering (rules).

       Rule id: '100040'

       Level: '6'

       Description: 'Pfsense authentication error'

**Alert to be generated.

The alert generated in kibana still shows rule id 2501 and not 100040

Any suggestions ?

[dan (ddp)]

On Mon, Jan 6, 2020 at 6:09 AM Pierre Gremaud <pgre...@gmail.com> wrote:
>
> I'm trying to decode syslog messages sent by pfsence
>
> The log received in archives.log is the following :
>
> 2020 Jan 05 22:02:05 LAN-HIDS->192.168.85.40 Jan 5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1
>

So stripping the archives header from the log file, the log message
you need to test against is:

Jan 5 21:02:05 php-fpm[338]: /index.php: webConfigurator
authentication error for user 'admin' from: 192.168.85.1

Later in your message you're testing against:

192.168.85.40 Jan 5 21:02:05 php-fpm[338]: /index.php:
webConfigurator authentication error for user 'admin' from:
192.168.85.1

So when the message comes into OSSEC it looks like the first one
(starting with Jan), but you're developing based on the second
(starting with the IP address).

Your decoders should look more like:

<decoder name="pfsense">
<program_name>php-fpm</program_name>

</decoder>

<decoder name="pfsense-auth-error">
<parent>pfsense</parent>

<regex>webConfigurator authentication error \.+ user '(\w+)' from:

(\d+.\d+.\d+.\d+)</regex>

<order>user, dstip</order>
</decoder>

>
> The alert shown in kibana is the following :
>
>

> Any suggestions ?
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/5aca1f7e-0367-46cc-8067-fd881a495008%40googlegroups.com.