Custom decoder not showing up in Kibana


Daniel D'Angeli

May 13, 2021, 11:51:18 AM
to Wazuh mailing list
Hi,

I'm trying to use a custom decoder to parse specific fields from a log, and everything works correctly using the test scripts (both ossec-logtest and wazuh-logtest).

However, when I go into Kibana and check the decoder name used, I keep seeing the default one, which in this case is windows_eventchannel.

Any tips?

Regards,
Daniel

Rafael Antonio Rodriguez Otero

May 13, 2021, 2:16:48 PM
to Daniel D'Angeli, Wazuh mailing list
Hello.

Could you show the log you want to treat? Also tell me which version of Wazuh you are using.


Christian Borla

May 13, 2021, 2:52:49 PM
to Daniel D'Angeli, Wazuh mailing list
Hi Daniel

Did you include a new rule to your new decoder?
Decoders parse different fields from a log, but rules are in charge of enriching the alert, for example adding a level or a name to each alert.
Once your decoder is working, you can create a new rule to complete the process. You can customize a new rule or modify a default one.

It's possible to create a customized rule as a child of a default one; for example, the main rule for windows_eventchannel is:

Default rule:

  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

An example of customized rule:

  <rule id="100000" level="6">
    <if_sid>60000</if_sid>                               <!-- previous rule triggered -->
    <field name="win.system.channel">^TestRule$</field>  <!-- win.system.channel field must include "TestRule" -->
    <options>no_full_log</options>
    <description>New test rule.</description>
  </rule>

If the event was decoded as windows_eventchannel and the field win.system.providerName contains some text, rule id 60000 will trigger.
After that, if the field win.system.channel contains exactly the text TestRule and the event was previously processed by rule 60000, the custom rule 100000 will trigger, and the name of the alert will be "New test rule.", as set in the custom rule.
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#adding-new-decoders-and-rules


Another important point is to disable the default decoder to keep yours working.
It's necessary to make a copy of the default decoder file into /var/ossec/etc/decoders before modifying it, customize your decoder, and exclude the original by adding a <decoder_exclude> option to the ossec.conf file, as the following link mentions:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder

I am glad to help you.
Let me know if you need help with rules and how it goes.
Regards.


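To make the rule chaining described in the reply above concrete, here is an added Python example (not code from the thread and not Wazuh's own rule engine) that replays the two rules from the post over the Windows TerminalServices-Gateway event quoted later in the thread. It assumes a simplified rule evaluation: `<decoded_as>` must equal the decoder name, `<if_sid>` requires the parent rule to have fired, and `<field>` is a regex over the dotted field names the JSON decoder produces; Wazuh's `\.` ("any character") is translated to Python's `.`. Rule 100001 is a hypothetical addition that matches the 302/303 eventIDs the original poster cares about.

```python
import json
import re

# Constructed sample: the TerminalServices-Gateway event quoted in the thread, with the
# Italian message text dropped. It is what the agent forwards, before any decoder runs.
SAMPLE_LOG = (
    '{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-Gateway",'
    '"eventID":"302","channel":"Microsoft-Windows-TerminalServices-Gateway/Operational",'
    '"computer":"xxx.DYNARTIS.local","severityValue":"INFORMATION"},'
    '"eventInfo":{"username":"DYNARTIS\\\\username","ipAddress":"0.0.0.0",'
    '"resource":"0.0.0.0","connectionProtocol":"HTTP","errorCode":"0"}}}'
)

# Rules 60000 and 100000 from the post, plus a hypothetical rule 100001 (not from the
# thread) that matches the 302/303 eventIDs. Field names are the dotted names the JSON
# decoder produces (win.system.eventID, ...).
RULES = [
    {"id": 60000, "level": 0, "decoded_as": "windows_eventchannel",
     "field": ("win.system.providerName", r"\.+"), "description": "Group of windows rules"},
    {"id": 100000, "level": 6, "if_sid": 60000,
     "field": ("win.system.channel", r"^TestRule$"), "description": "New test rule."},
    {"id": 100001, "level": 5, "if_sid": 60000,  # hypothetical, not from the thread
     "field": ("win.system.eventID", r"^30[23]$"),
     "description": "TS Gateway user connected or disconnected"},
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names, as the JSON decoder does."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = str(value)
    return out


def wazuh_regex(pattern):
    """Rough translation of Wazuh's OS_Regex syntax to Python re: in OS_Regex '\\.'
    means 'any character', so '\\.+' is 'one or more characters'. Anchors are the same."""
    return re.compile(pattern.replace(r"\.", "."))


def evaluate(log_line, decoder_name, rules=RULES):
    """Return the ids of the rules that fire, in order, for a log decoded by decoder_name."""
    fields = flatten(json.loads(log_line))
    fired = []
    for rule in rules:
        # <decoded_as>: the rule only applies to events produced by that decoder.
        if rule.get("decoded_as") and rule["decoded_as"] != decoder_name:
            continue
        # <if_sid>: the parent rule must already have matched this event.
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue
        # <field name=...>: the decoded field must exist and match the pattern.
        name, pattern = rule["field"]
        if name not in fields or not wazuh_regex(pattern).search(fields[name]):
            continue
        fired.append(rule["id"])
    return fired


def alert_for(log_line, decoder_name, rules=RULES):
    """The alert a reader would see in Kibana: the last (most specific) rule that fired,
    or None when nothing matched. A level-0 rule matches but produces no alert."""
    fired = evaluate(log_line, decoder_name, rules)
    if not fired:
        return None
    rule = next(r for r in rules if r["id"] == fired[-1])
    if rule["level"] == 0:
        return None
    return {"rule_id": rule["id"], "level": rule["level"], "description": rule["description"]}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, "windows_eventchannel"))   # [60000, 100001]
    print(alert_for(SAMPLE_LOG, "windows_eventchannel"))
    # A custom decoder name that no rule names in <decoded_as>: nothing fires.
    print(evaluate(SAMPLE_LOG, "my_tsgateway_decoder"))  # []
```

The last call is the point of the reply: a custom decoder whose name appears in no rule's `<decoded_as>` leaves every child rule unmatched, so the event can only ever be reported under whatever default rule chain still applies.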

Daniel D'Angeli

May 14, 2021, 3:58:25 AM
to Wazuh mailing list
Hi, thanks for the quick response!

First of all, I would like to point out that all of this is part of the archives and not alerts, so rules are not involved.

The log is the following; it's just one line, and what I need to extract are the username, the client IP, the remote IP (the one to which the client is connecting) and the eventID, to check whether it is a login or a logout (in this case either 302 / 303).
The desired fields are highlighted.

{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-Gateway","providerGuid":"{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}","eventID":"302","version":"0","level":"4","task":"3","opcode":"30","keywords":"0x4000000001000000","systemTime":"2021-05-14T07:46:16.665511100Z","eventRecordID":"625616","processID":"2420","threadID":"4032","channel":"Microsoft-Windows-TerminalServices-Gateway/Operational","computer":"xxx.DYNARTIS.local","severityValue":"INFORMATION","message":"\"L'utente \"DYNARTIS\\username\", nel computer client \"0.0.0.0\", si è connesso alla risorsa \"0.0.0.0\". Protocollo di connessione utilizzato: \"HTTP\".\""},"eventInfo":{"username":"DYNARTIS\\\\username","ipAddress":"0.0.0.0","resource":"0.0.0.0","connectionProtocol":"HTTP","errorCode":"0"}}}

Using ./ossec-logtest and ./wazuh-logtest it correctly parses the fields, as you can see in the following image:

[attached image: Immagine 2021-05-14 095311.jpg]

However, the same log in Kibana appears to be using the default decoder named "windows_eventchannel", which has some fields that are wrongly named for my purposes.

[attached image: Screenshot 2021-05-14 at 09-57-56 Discover - Elastic.png]

Regards,
Daniel

Daniel D'Angeli

May 17, 2021, 5:27:41 AM
to Wazuh mailing list
Hi,

Does anyone know how to solve this, please?

Thanks,
Daniel

Christian Borla

May 27, 2021, 3:06:32 PM
to Wazuh mailing list
Hi Daniel
You can perform changes in any decoder file as follows.
For example, if you want to change something in the decoder file 0380-windows_decoders.xml, do the following:

1. Copy the decoder file /var/ossec/ruleset/decoders/0380-windows_decoders.xml from the default folder to the user folder /var/ossec/etc/decoders in order to keep the changes.

2. Exclude the original decoder file ruleset/decoders/0380-windows_decoders.xml from the OSSEC loading list. To do this, use the tag <decoder_exclude> in the ossec.conf file. The specified decoder file will not be loaded from the default decoder folder, and the decoder file saved in the user folder will be loaded instead.

ossec.conf file:

    <ruleset>

      <!-- Default ruleset -->
      <decoder_dir>ruleset/decoders</decoder_dir>
      <rule_dir>ruleset/rules</rule_dir>
      <rule_exclude>0215-policy_rules.xml</rule_exclude>
      <list>etc/lists/audit-keys</list>

      <!-- User-defined ruleset -->
      <decoder_dir>etc/decoders</decoder_dir>
      <rule_dir>etc/rules</rule_dir>
      <decoder_exclude>ruleset/decoders/0380-windows_decoders.xml</decoder_exclude>
    </ruleset>

3. Add your changes into the file /var/ossec/etc/decoders/0310-ssh_decoders.xml.      

4. Restart the Wazuh service.


If it doesn't work, provide me your custom decoder so I can analyze and test it.
Let me know how it goes.

Regards.
Christian.
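As an added example, not code from the thread and not part of Wazuh: a Python script that carries out steps 1 and 2 of the procedure above against a constructed directory tree laid out like /var/ossec, then checks that both halves of the override are in place (the user copy exists and the `<decoder_exclude>` points at the original). It assumes the exclude line can be inserted by plain text before the first `</ruleset>`, and it does not perform step 3 (your own edits) or step 4 (restarting the manager).

```python
import os
import shutil
import tempfile

# The <ruleset> block as quoted in the thread, before the exclude is added. Constructed
# file content for the demo; a real ossec.conf holds many more sections than this.
RULESET_BLOCK = """<ossec_config>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>
</ossec_config>
"""


def override_decoder_file(ossec_dir, filename):
    """Steps 1 and 2: copy ruleset/decoders/<filename> into etc/decoders and add
    <decoder_exclude>ruleset/decoders/<filename></decoder_exclude> to etc/ossec.conf.
    Returns the path written into the exclude tag."""
    src = os.path.join(ossec_dir, "ruleset", "decoders", filename)
    dst_dir = os.path.join(ossec_dir, "etc", "decoders")
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, filename)
    if not os.path.exists(dst):          # never clobber an existing user copy
        shutil.copy2(src, dst)

    rel = f"ruleset/decoders/{filename}"  # relative to the install dir, as in the thread
    exclude = f"<decoder_exclude>{rel}</decoder_exclude>"
    conf = os.path.join(ossec_dir, "etc", "ossec.conf")
    with open(conf) as fh:
        text = fh.read()
    if exclude not in text:
        # ossec.conf may contain several top-level <ossec_config> blocks, which is not
        # well-formed XML, so insert by text before the first </ruleset> instead of parsing.
        text = text.replace("</ruleset>", f"  {exclude}\n  </ruleset>", 1)
        with open(conf, "w") as fh:
            fh.write(text)
    return rel


def check_override(ossec_dir, filename):
    """Return the problems found; an empty list means the override is in place."""
    problems = []
    if not os.path.isfile(os.path.join(ossec_dir, "etc", "decoders", filename)):
        problems.append("no user copy in etc/decoders")
    with open(os.path.join(ossec_dir, "etc", "ossec.conf")) as fh:
        text = fh.read()
    if f"<decoder_exclude>ruleset/decoders/{filename}</decoder_exclude>" not in text:
        problems.append("<decoder_exclude> missing from ossec.conf")
    return problems


def demo(filename="0380-windows_decoders.xml"):
    """Run the procedure against a throw-away tree shaped like /var/ossec."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "ruleset", "decoders"))
        os.makedirs(os.path.join(base, "etc"))
        with open(os.path.join(base, "ruleset", "decoders", filename), "w") as fh:
            fh.write('<decoder name="windows_eventchannel"></decoder>\n')  # placeholder body
        with open(os.path.join(base, "etc", "ossec.conf"), "w") as fh:
            fh.write(RULESET_BLOCK)
        before = check_override(base, filename)
        override_decoder_file(base, filename)
        after = check_override(base, filename)
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)  # two problems
    print("after:", after)    # []
```

Running `check_override("/var/ossec", "0380-windows_decoders.xml")` on a real manager is a quick way to confirm both halves of the override before restarting and re-running wazuh-logtest.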