Can the syslog cef output/mapping be viewed or edited?


Robert H

Aug 23, 2017, 6:35:05 PM
to Wazuh mailing list
Hi Wazuh,
We are outputting Manager alert data via syslog in CEF format. We are seeing it in ArcSight, our SIEM; however, the fields do not seem to be populating as we would like. Can we view and/or modify the CEF mappings somehow?

Our manager has this syslog config.

<syslog_output>
  <server>127.0.0.1</server>
  <level>3</level>
  <format>cef</format>
</syslog_output>

For example, I have been testing with file integrity checking and Windows logon events. For file integrity checks, Pedro provided this screenshot in another post.

In our test environment, I have generated an integrity checksum changed alert. However, we cannot see the diff information of what changed in the file. Can we view and/or change the mapping of (in the above example) the syscheck.diff to be mapped to another standardized field in our SIEM?

Regards,
Robert

Jesus Linares

Aug 26, 2017, 2:00:13 PM
to Wazuh mailing list
Hi Robert,

Could you share the raw log in CEF format that you are receiving in ArcSight? We will need to improve the CEF format to get all the syscheck fields.

Thanks.
Regards.

Luis Arriaga

Aug 28, 2017, 2:31:58 PM
to Wazuh mailing list
Hi Jesus,

Robert and I are working together on this project. I have an example here of a CEF message that was generated after a syscheck on a particular file whose contents were modified. Our largest concern is mainly with the cs2 field. When a CEF message is generated for an Agent rule trigger, the cs2 Location field seems to be formatted in a cs2=(<shost>) <src>-><cat> type of format, when we would typically expect shost=<shost> src=<src> cat=<cat> in ArcSight. If the rule trigger is on the Manager, the cs2 field looks like so: <shost>-><cat>. The exact field names may not be technically correct, but essentially the cs2 field needs to be split up into its own separate fields. The cat field in the sample message below seems like it should be split up too.

We are contemplating updating some of the code in ossec/src/os_csyslogd/alert.c to make these changes, then reinstalling a manager with this updated package. Could you please suggest any possible solutions you may be aware of?


Aug 25 16:26:59 192.168.212.171 Aug 25 16:26:54 CEF:0|Wazuh Inc.|Wazuh|v2.1.0|550|Integrity checksum changed.|7|dvc=ossec-manager cs2=(OSSEC-WIN) x.x.x.x->syscheck cs2Label=Location cat=ossec,syscheck,pci_dss_11.5, fname=C:/testdir/test_doc.txt msg=Integrity checksum changed for: 'C:/testdir/test_doc.txt' cs1Label=OldMD5 cs1='6f5cf05b54960687fddf71331396e0f7' cs2Label=NewMDG cs2='f814893777bcc2295fff05f00e508da6' oldFileHash='d0659542c0e682b24f98c9709e79b36c7bcc578b' fhash='c4d871ad13ad00fde9a7bb7ff7ed2543aec54241' fileHash='c4d871ad13ad00fde9a7bb7ff7ed2543aec54241'

Cheers,

Luis Arriaga
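
A SIEM-side way to obtain the separate fields Luis describes without patching alert.c, as an added example that is not code from this thread or from Wazuh: it parses the sample CEF line quoted above, keeps the duplicated cs2/cs2Label keys visible rather than silently overwriting one with the other, splits the combined Location value into separate fields, and splits the comma-separated cat list. The output field names shost, src and location are this example's own choice, not ArcSight's or Wazuh's.

```python
import re

# Constructed sample: the CEF line quoted above (syslog prefix dropped, IP already
# masked as x.x.x.x). Note that cs2 and cs2Label each appear twice in it.
SAMPLE = (
    "CEF:0|Wazuh Inc.|Wazuh|v2.1.0|550|Integrity checksum changed.|7|"
    "dvc=ossec-manager cs2=(OSSEC-WIN) x.x.x.x->syscheck cs2Label=Location "
    "cat=ossec,syscheck,pci_dss_11.5, fname=C:/testdir/test_doc.txt "
    "msg=Integrity checksum changed for: 'C:/testdir/test_doc.txt' "
    "cs1Label=OldMD5 cs1='6f5cf05b54960687fddf71331396e0f7' "
    "cs2Label=NewMDG cs2='f814893777bcc2295fff05f00e508da6'"
)
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9]+)=")  # start of each key=value pair
LOC_RE = re.compile(r"^(?:\((?P<shost>[^)]*)\)\s+)?(?P<src>.+?)->(?P<location>.+)$")

def parse_cef(line):
    """Return (header dict, extension dict). Each extension key maps to a list
    so a repeated key such as cs2 stays visible instead of being overwritten."""
    parts = line[line.index("CEF:") + 4:].split("|", 7)
    header = dict(zip(HEADER, parts[:7]))
    ext, body = {}, parts[7]
    hits = list(KEY_RE.finditer(body))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        ext.setdefault(m.group(1), []).append(body[m.end():end].strip())
    return header, ext

def split_location(value):
    """Break Wazuh's combined Location value into its own fields (names are
    this example's choice). Agent alerts: '(<shost>) <src>-><location>';
    manager alerts: '<shost>-><location>'."""
    m = LOC_RE.match(value)
    if not m:
        return {"location": value}  # unexpected shape: keep it whole
    if m.group("shost") is None:  # manager form: the part before '->' is the host
        return {"shost": m.group("src"), "location": m.group("location")}
    return m.groupdict()

def normalize(line):
    """Flatten one alert for a SIEM: resolve csN/csNLabel pairs, split Location,
    split the comma-separated cat list, and report which keys collided."""
    header, ext = parse_cef(line)
    out = {k: v[0] for k, v in ext.items()}  # first occurrence wins
    for n in range(1, 7):  # CEF allows custom strings cs1..cs6
        for label, value in zip(ext.get(f"cs{n}Label", []), ext.get(f"cs{n}", [])):
            out.update(split_location(value) if label == "Location" else {label: value.strip("'")})
    if "cat" in out:
        out["cat"] = [c for c in out["cat"].split(",") if c]
    collisions = {k: len(v) for k, v in ext.items() if len(v) > 1}
    return header, out, collisions
```

The returned collisions dict is the useful diagnostic here: for the sample it reports cs2 and cs2Label twice each, which is why a plain key/value parser in the SIEM ends up with either the Location or the NewMD5 value, never both.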

Pedro Sanchez

Sep 3, 2017, 8:30:12 AM
to Wazuh mailing list
Hi Luis,

Currently, we don't have any other way to modify the CEF syslog output format apart from modifying the source code as you mention. Maybe, in the future, we can create templates to easily adapt the format to your desired output.
As you said, the related source code file is https://github.com/wazuh/wazuh/blob/master/src/os_csyslogd/alert.c#L123; maybe you can add a new CEF family format, that way we can keep the current format (just in case some users are using it) and add a new one to match ArcSight's expected input.

Please feel free to open an issue with the new field format you apply. I think we can review it and help you with the C development, and if everything looks right, we can even merge it.

Thanks,
Pedro.

Ignacio Lobo Navarrete (External)

Feb 19, 2019, 10:03:24 AM
to Wazuh mailing list
Hello!

We have the same problems with the Wazuh integration.

Any updates with the problems related to the parser?

Regards

Chema Martinez

Mar 1, 2019, 12:23:07 PM
to Ignacio Lobo Navarrete (External), Wazuh mailing list
Hi Ignacio,

Sorry for the late response.

Could you be more specific about your use case with the Syslog parser? We are aware we have to improve it and merge a particular PR that fixes the use case of this thread (https://github.com/wazuh/wazuh/pull/422). We will try to achieve these goals asap.

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
