General Query | no_full_log


John Carry

Mar 3, 2023, 2:44:08 AM
to Wazuh mailing list
Hello Wazuh Team,
Hopefully you are doing well. I just want to know the logic and the purpose behind using the field and value <options>no_full_log</options>. As per the official documentation, the main purpose is not to show the full log, so please answer my queries below regarding this field and value:

1) Does it mean that the actual raw payload received from the log source will not be shown, and only limited information or a sub-part of the entire log is shown?
2) What's the logic or purpose behind using <options>no_full_log</options>? I am assuming it is to keep performance intact and avoid overloading due to large-sized raw payloads.



Juan Carlos Tello

Mar 3, 2023, 7:53:10 AM
to John Carry, Wazuh mailing list
Hello John,

This is so that the original event is not duplicated in the full_log field, and only information extracted in decoding or added by Wazuh's enrichment is included in the logged alert.

The purpose of this is to reduce the storage consumed, especially in cases where an implicit decoder such as the JSON decoder or the Windows Event Channel decoder automatically stores all values from an event in their respective fields.

For example, take the event:
{"type":"scan_info","scan_id":75459013,"cis":{"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","hostname":"ubuntu","timestamp":"2017-12-21T03:16:54.431-08:00","score":76}}

This will trigger rule 87422 which uses the no_full_log option, so the resulting event in /var/ossec/log/alerts/alerts.json is:
{"timestamp":"2017-12-21T03:16:54.431-08:00","rule":{"level":5,"description":"CIS-CAT Report overview: Score less than 80% (76)","id":"87422","firedtimes":1,"mail":false,"groups":["ciscat"],"pci_dss":["2.2"],"nist_800_53":["CM.1"]},"agent":{"id":"007","name":"smith"},"manager":{"name":"wazuh-manager"},"id":"1677847155.6027","decoder":{"name":"json"},"data":{"type":"scan_info","scan_id":"75459013","cis":{"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","hostname":"ubuntu","timestamp":"2017-12-21T03:16:54.431-08:00","score":"76"}},"location":"/var/log/messages"}

Which on Wazuh dashboard will look like:
[attached screenshot: image.png]

Note how all the information from the original event is available under decoder.data, and if it didn't have the no_full_log option the alert would also include the original event, such as:
{"timestamp":"2017-12-21T03:16:54.431-08:00","rule":{"level":5,"description":"CIS-CAT Report overview: Score less than 80% (76)","id":"87422","firedtimes":1,"mail":false,"groups":["ciscat"],"pci_dss":["2.2"],"nist_800_53":["CM.1"]},"agent":{"id":"007","name":"smith"},"manager":{"name":"wazuh-manager"},"id":"1677847155.6027","full_log":"{\"type\":\"scan_info\",\"scan_id\":75459013,\"cis\":{\"benchmark\":\"CIS Ubuntu Linux 16.04 LTS Benchmark\",\"hostname\":\"ubuntu\",\"timestamp\":\"2017-12-21T03:16:54.431-08:00\",\"score\":76}}","decoder":{"name":"json"},"data":{"type":"scan_info","scan_id":"75459013","cis":{"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","hostname":"ubuntu","timestamp":"2017-12-21T03:16:54.431-08:00","score":"76"}},"location":"/var/log/messages"}

This in turn, when indexed, is seen as:
[attached screenshot: image.png]

This will also reduce the probability of larger events reaching the maximum document size to be indexed on the Wazuh Indexer.

Let me know if this helps solve your query or if you have any other questions we can help with.
Best regards,
Juan C. Tello
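The following is an added example, not code from the thread or from the Wazuh project. It takes the rule 87422 alert shown above as it is logged without the no_full_log option, checks that the full_log string is a redundant copy of what the JSON decoder already placed under data (allowing for the decoder storing numbers as strings, as seen with scan_id and score), shows what the logged document looks like once full_log is omitted, and reports the bytes saved per alert. ASSUMED_MAX_DOC_BYTES is an illustrative assumption, not the real indexer limit.

```python
import json
from typing import Any

# Constructed sample: the alert from the thread as logged WITHOUT the
# no_full_log option (rule 87422), so full_log still carries the raw event.
ALERT_WITH_FULL_LOG = {
    "timestamp": "2017-12-21T03:16:54.431-08:00",
    "rule": {"level": 5,
             "description": "CIS-CAT Report overview: Score less than 80% (76)",
             "id": "87422", "firedtimes": 1, "mail": False,
             "groups": ["ciscat"], "pci_dss": ["2.2"], "nist_800_53": ["CM.1"]},
    "agent": {"id": "007", "name": "smith"},
    "manager": {"name": "wazuh-manager"},
    "id": "1677847155.6027",
    "full_log": ('{"type":"scan_info","scan_id":75459013,"cis":{"benchmark":'
                 '"CIS Ubuntu Linux 16.04 LTS Benchmark","hostname":"ubuntu",'
                 '"timestamp":"2017-12-21T03:16:54.431-08:00","score":76}}'),
    "decoder": {"name": "json"},
    "data": {"type": "scan_info", "scan_id": "75459013",
             "cis": {"benchmark": "CIS Ubuntu Linux 16.04 LTS Benchmark",
                     "hostname": "ubuntu",
                     "timestamp": "2017-12-21T03:16:54.431-08:00",
                     "score": "76"}},
    "location": "/var/log/messages",
}


def _stringify_leaves(obj: Any) -> Any:
    """Coerce every scalar to str so the decoder's string-typed data fields
    (scan_id "75459013") compare equal to the raw event's numeric values."""
    if isinstance(obj, dict):
        return {k: _stringify_leaves(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_stringify_leaves(v) for v in obj]
    if isinstance(obj, bool):          # bool before str(): JSON true/false
        return str(obj).lower()
    return str(obj)


def full_log_is_redundant(alert: dict) -> bool:
    """True when full_log is only a re-serialisation of what the decoder
    already stored under data, i.e. omitting it loses no information."""
    raw = alert.get("full_log")
    if raw is None:
        return False
    try:
        event = json.loads(raw)
    except ValueError:
        # Plain-text event: full_log may be the only copy of the message,
        # so no_full_log would actually drop information here.
        return False
    return _stringify_leaves(event) == _stringify_leaves(alert.get("data"))


def apply_no_full_log(alert: dict) -> dict:
    """Mimic the effect of the no_full_log rule option on the logged alert:
    the same document with the full_log field omitted."""
    return {k: v for k, v in alert.items() if k != "full_log"}


def serialized_size(alert: dict) -> int:
    """Bytes the alert occupies as one compact alerts.json line."""
    return len(json.dumps(alert, separators=(",", ":")).encode("utf-8"))


def size_report(alert: dict) -> dict:
    """Per-alert storage with and without full_log, and the difference."""
    before = serialized_size(alert)
    after = serialized_size(apply_no_full_log(alert))
    return {"bytes_with_full_log": before,
            "bytes_without_full_log": after,
            "bytes_saved": before - after}


# Assumed value for illustration only; the real maximum document size is
# a property of your indexer deployment, not of this script.
ASSUMED_MAX_DOC_BYTES = 100 * 1024 * 1024


def fits_index_limit(alert: dict, limit: int = ASSUMED_MAX_DOC_BYTES) -> bool:
    """Would this alert, as serialised, stay under the document size limit?"""
    return serialized_size(alert) <= limit


if __name__ == "__main__":
    print("full_log redundant:", full_log_is_redundant(ALERT_WITH_FULL_LOG))
    print(json.dumps(size_report(ALERT_WITH_FULL_LOG), indent=2))
    print(json.dumps(apply_no_full_log(ALERT_WITH_FULL_LOG),
                     separators=(",", ":")))
```

The redundancy check is the practical test for whether no_full_log is safe on a given rule: for decoders that map every event field into data it returns True and the option only removes a duplicate; for a rule that matches plain-text events it returns False, because there full_log is the only place the original line survives.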
