Prematch not working for custom syslog decoder


LuG

Mar 7, 2024, 10:53:00 AM3/7/24
to Wazuh | Mailing List
Hi, I have a WORKING configuration for a custom syslog decoder but would like to fine-tune it and I can't make it work with "prematch". I'm probably missing something and counting on experts to point me in the right direction.

The full log sent by an Aruba switch looks like this:
Feb 13 15:33:03 GSM-YUL-SW-STK2 intfd[766] Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down

It comes from a Syslog server which runs a Wazuh agent.

My current WORKING decoder looks like this:

<decoder name="arubaos">
    <program_name>intfd</program_name>
</decoder>

<decoder name="arubaos-fields">
    <parent>arubaos</parent>
    <regex>(\S+)\|(\d+)\|LOG_(\S+)\|(\S+)\|(\S+)\|(\.*)$</regex>
    <order>event_type,event_id,event_severity,daemon,module,event_message</order>
</decoder>

When testing with wazuh-logtest, it works as expected and extracts exactly what I want:

Starting wazuh-logtest v4.7.3
Type one log per line

Feb 13 15:33:03 GSM-YUL-SW-STK2 intfd[766] Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down

**Phase 1: Completed pre-decoding.
        full event: 'Feb 13 15:33:03 GSM-YUL-SW-STK2 intfd[766] Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down'
        timestamp: 'Feb 13 15:33:03'
        hostname: 'GSM-YUL-SW-STK2'
        program_name: 'intfd'

**Phase 2: Completed decoding.
        name: 'arubaos'
        daemon: 'UKWN'
        event_id: '404'
        event_message: 'Link status for interface 2/1/52 is down - Administratively down'
        event_severity: 'INFO'
        event_type: 'Event'
        module: '1'

**Phase 3: Completed filtering (rules).
        id: '101004'
        level: '3'
        description: 'Link status for interface 2/1/52 is down - Administratively down'
        groups: '['Aruba_Switch']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

So far so good!

Now, the problem:
I would like the parent decoder to be broader and just set my alerts on different fields extracted at "Phase 2".
For now I'm using "program_name" for the decoder, but because there could be a bunch of different "program_name", I would rather make a match according to the structure of the log, which is always the same for the Aruba logs.
I know I could use multiple "program_name" values for the decoder like "<program_name>^log-proxyd|^intfd|^lldpd|^lacpd|^hpe-sysmond|^-vtysh|^hpe-config</program_name>" and it works fine as well, but again, I don't want to list all possible processes (programs).

As shown above, the regex string "(\S+)\|(\d+)\|LOG_(\S+)\|(\S+)\|(\S+)\|(\.*)$" works perfectly to extract all fields and the logs are ALWAYS structured that way, so I would like to use that as the parent decoder.

I tried the following, but it doesn't work:

<decoder name="arubaos">
    <prematch>\S+\|\d+\|LOG_\S+\|\S+\|\S+\|\.*$</prematch>
</decoder>

Wazuh-logtest gives me:
**Phase 2: Completed decoding.
        No decoder matched.

I also tried other "prematch" strings, for example <prematch>LOG_</prematch>, because that is also present in all logs, but still no luck.
I think I almost tried all possible "prematch" combinations but can't make it work.
So I'm thinking I just can't use "prematch" for a syslog decoder, which is too bad, or I am missing something and hope someone here could help.

Thanks.

Luciano Gorza

Mar 8, 2024, 1:47:36 PM3/8/24
to Wazuh | Mailing List
Hi!
The decoders are divided into 2 lists of decoders: those that have a program name and those that do not.
So when a log comes in, it goes through the pre-decoder. If it manages to extract the program name, it uses the list of decoders that have a program name; if they do not have a program name, it goes through the other list of decoders.
Therefore, since the example log has a program name and the pre-decoder identifies it, the "program_name" tag must appear in the parent decoder.
If it has multiple program names, you can use os_regex or pcre2 and match them with a list of programs.
On the other hand, you can modify the log that is sent to add a header and thus achieve a better match. To do this, you can use the <out_format> option within <localfile> in the ossec.conf file of the endpoint that sends the logs. The documentation contains the fields you can use: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format.

I hope this information is helpful to you.
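As an added illustration (not code from the thread or from the Wazuh ruleset), the two approaches described above written out as decoder and agent configuration fragments. The program_name alternation and the field regex are the ones already shown in the thread; the `aruba: ` header value, the file path and the claim that a forwarded line which no longer starts with a syslog timestamp falls into the list of decoders without program_name are assumptions to confirm with wazuh-logtest.

```xml
<!-- Approach 1: the parent keeps a <program_name> (required, because the
     pre-decoder extracts one from the syslog header) and additionally
     <prematch>es on the fixed Aruba field structure, so a daemon with a
     listed name but a different message layout never reaches the child. -->
<decoder name="arubaos">
  <program_name>^intfd|^lldpd|^lacpd|^log-proxyd|^hpe-sysmond|^hpe-config</program_name>
  <prematch>^\S+\|\d+\|LOG_\S+\|\S+\|\S+\|</prematch>
</decoder>

<decoder name="arubaos-fields">
  <parent>arubaos</parent>
  <regex>^(\S+)\|(\d+)\|LOG_(\S+)\|(\S+)\|(\S+)\|(\.*)$</regex>
  <order>event_type,event_id,event_severity,daemon,module,event_message</order>
</decoder>

<!-- Approach 2 (assumed behaviour of <out_format>): the agent that reads the
     syslog server's file prepends a fixed header. The forwarded line then no
     longer begins with a syslog timestamp, the pre-decoder extracts no
     program_name, and the manager consults the decoders that have none. -->

<!-- ossec.conf on the forwarding agent (path is a placeholder) -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/aruba/switches.log</location>
  <out_format>aruba: $(log)</out_format>
</localfile>

<!-- local_decoder.xml on the manager: the parent is keyed on the header only.
     Because the original syslog header is now part of the log body, the child
     captures the switch hostname itself (custom field "switch") instead of
     relying on the pre-decoded hostname. -->
<decoder name="arubaos-hdr">
  <prematch>^aruba: </prematch>
</decoder>

<decoder name="arubaos-hdr-fields">
  <parent>arubaos-hdr</parent>
  <!-- month day time host process[pid] then the six pipe-separated fields -->
  <regex>^aruba: \S+ \d+ \S+ (\S+) \S+ (\S+)\|(\d+)\|LOG_(\S+)\|(\S+)\|(\S+)\|(\.*)$</regex>
  <order>switch,event_type,event_id,event_severity,daemon,module,event_message</order>
</decoder>
```

Rules can then key on data fields such as `event_severity` or `switch` rather than on the process name, which is what the original question was after.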

Lu G

Mar 12, 2024, 10:20:42 AM3/12/24
to Luciano Gorza, Wazuh | Mailing List
Hi Luciano,
Thanks very much for taking the time to reply.
Your explanation makes it clearer how the pre-decoder works, and it makes more sense to me now.
I will take some time to experiment with the "out_format" option, as you suggested, and I think I will be good to go with that.

I still have a question related to that though:
In my previous tests, I also tried to use "hostname" instead of "program_name", as it is correctly extracted by the pre-decoder, and which would be a perfect solution to create decoders and rules, but for some reason it didn't work either.
So is there a reason for that, and can we only use "program_name" and nothing else for this type of logs?

Thanks.


Luciano Gorza

Mar 13, 2024, 9:08:23 AM3/13/24
to Wazuh | Mailing List
Hi Lu G,
About your question regarding the hostname and the decoder, please note that there isn't a tag to filter by hostname. You can consult the decoder syntax in the documentation: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Additionally, when the pre-decoder encounters the program_name field, it will search for that value to find a parent decoder.
Here's an example where I analyzed the log you sent to understand which fields the pre-decoder identifies and which portion of the log it subsequently analyzes.

root@wazuh:/# /var/ossec/bin/wazuh-logtest-legacy
2024/03/13 12:49:15 wazuh-testrule: INFO: Started (pid: 2473).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

wazuh-testrule: Type one log per line.


Feb 13 15:33:03 GSM-YUL-SW-STK2 intfd[766] Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down

**Phase 1: Completed pre-decoding.
       full event: 'Feb 13 15:33:03 GSM-YUL-SW-STK2 intfd[766] Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down'
       timestamp: 'Feb 13 15:33:03'
       hostname: 'GSM-YUL-SW-STK2'
       program_name: 'intfd'
       log: 'Event|404|LOG_INFO|UKWN|1|Link status for interface 2/1/52 is down - Administratively down'


**Phase 2: Completed decoding.
       No decoder matched.