Wazuh / Symantec Integration


Yazid
2:57 AM (9 hours ago)
to Wazuh | Mailing List
Hello, 

I’m wondering if it’s possible to integrate Wazuh with Symantec. I configured Symantec to send logs to Wazuh, but Wazuh doesn’t seem to understand the log format.  

Thank you for your efforts and this amazing product!

Richmond Aribibia Fimie
4:11 AM (8 hours ago)
to Yazid, Wazuh | Mailing List
Hello Yazid, you need to temporarily enable archives on your Wazuh manager so we can verify that the logs are reaching it. To do this, edit /var/ossec/etc/ossec.conf and add the following:
<global>
  <logall>yes</logall>
</global>
Then restart Wazuh with:
systemctl restart wazuh-manager
After that, you’ll find the raw logs stored in /var/ossec/logs/archives/archives.log. Please share a few sample log lines from there — with those, we can help create or adapt the right decoders so Wazuh can properly parse and categorize the Symantec events.

Reference link
https://documentation.wazuh.com/current/cloud-service/archive-data/configuration.html

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/b927981d-a139-4424-b6e9-299cace09f7an%40googlegroups.com.

Yazid
7:03 AM (5 hours ago)
to Wazuh | Mailing List
Symantec has three types of syslog, and I tried them. Here is an example of each:
 
RFC 5424 with newline delimiter:
<14>1 2026-01-13T10:00:34.773Z localhost.localdomain SEDR - 8006 [origin ip="192.168.50.91"] {"user_name":"Svc.User","device_domain":"corp-zone.local","uuid":"7a9f1120-a063-21f0-b10a-000000ab912e","edr_enriched_data":{"category_name":"Generic Data to be sent to Symantec EDR","category_id":201,"rule_name":"eChangeDefaultFileAssoc","suspicion_score":50,"rule_description":"Change to default File Association handler detected"},"ref_uid":"AA1CBF2C-A716-49BB-C22F-8113ECC44A1D","device_name":"WKSTNENG0451","logging_device_name":"10.16.200.44","category_id":5,"user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1546","tactic_ids":[3,4],"technique_name":"Event Triggered Execution","tactic_uids":["TA0003","TA0004"]}],"logging_device_ip":"10.16.200.44","id":2,"device_time":1768296970197,"device_os_name":"Windows 10 Professional Edition","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8006,"message":"mighost.exe set registry value HKEY_USERS\\$OFFLINE_RW_92BC1F33(S-1-5-21-2849571123-431395611-1983873001-10421)\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.glb\\UserChoice\\: kZp21AX71cQ=","log_time":"2026-01-13T10:00:34.732Z","status_detail":"Generic Data to be sent to Symantec EDR","device_ip":"192.168.50.91","actor":{"uid":"BD6A1693-A050-F1F0-C2D7-284F30AB9E10","start_time":1768296938441,"file":{"signature_level_id":60,"path":"c:\\$windows.~bt\\sources\\mighost.exe","signature_value_ids":[3,5],"sha2":"174885c6416a060e9a9342ce20fce0cf2b2937092b38f9b742c82c578f11111a","normalized_path":"CSIDL_SYSTEM_DRIVE\\$windows.~bt\\sources\\mighost.exe","original_name":"MigHost.exe","name":"mighost.exe","modified":1635900482000,"md5":"ccd2a46cb60bcc3c39c89c178a8c3aa1","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\$WINDOWS.~BT\\Sources\\mighost.exe\" {47C9AD47-8A33-4C5F-A8B8-2F680D111BA4} /InitDoneEvent:MigHost.{47C9AD47-8A33-4C5F-A8B8-2F680D111BA4}.Event /ParentPID:19108 /LogDir:\"C:\\$WINDOWS.~BT\\Sources\\Panther\"","pid":31668,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_uid":"1a7182cb-d458-4a22-a454-54a55dac1122","device_ipv6":"fe80:0000:0000:0000:11cd:fe7d:e079:b123","reg_value_result":{"data":"qa3VA2W4cdM="},"severity_id":1,"reg_value":{"path":"HKEY_USERS\\$OFFLINE_RW_92BC1F33(S-1-5-21-2849571123-431395611-1983873001-10421)\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.glb\\UserChoice\\","data":"kZp21AX71cQ=","name":"Hash"}}



RFC 5424 with newline delimiter:
..s.=..Le006dbc22db34f13598be5e21e662","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\Windows\\system32\\RAServer.exe\" /offerraupdate","pid":11644,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8001,"user_name":"Svc.User","message":"svchost.exe launched c:\\windows\\system32\\raserver.exe","device_domain":"corp-zone.local","uuid":"6f8f9ce0-b052-11f0-dbce-000000ab7e86","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.SchtasksLaunch!g2"},"log_time":"2026-01-13T10:02:55.013Z","ref_uid":"7196FA63-15F4-4B15-9FAA-8884F32001AA","status_detail":"Generic Data to be sent to ATP","device_ip":"192.168.88.31","actor":{"uid":"26F28CEE-E631-F1F0-87F5-944348B19999","start_time":1767175907324,"file":{"signature_level_id":60,"path":"c:\\windows\\system32\\svchost.exe","signature_value_ids":[3,5],"sha2":"7fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23999999","normalized_path":"CSIDL_SYSTEM\\svchost.exe","original_name":"svchost.exe","name":"svchost.exe","modified":1715758724225,"md5":"8469cc568ad6821fd9d925542730aa11","signature_company_name":"Microsoft Windows Publisher"},"cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule","pid":1792,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_name":"WKSTNENG0200","device_uid":"a038a140-19b9-48b1-afa6-95fe98231111","logging_device_name":"10.16.200.44","category_id":5,"user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1053","tactic_ids":[2,3,4],"technique_name":"Scheduled Task/Job","tactic_uids":["TA0002","TA0003","TA0004"]}],"logging_device_ip":"10.16.200.44","severity_id":1,"id":1,"device_time":1768289701294}
<14>Jan 13 10:03:04 localhost.localdomain SEDR: {"process":{"uid":"A16F3108-B04F-F1F0-87F5-944348B12222","file":{"signature_level_id":60,"path":"c:\\windows\\system32\\raserver.exe","signature_value_ids":[3,5],"sha2":"460ea04d7985f61c7c20c6ee1ca1e4d53c42593ff6d5ea2a1ddbc7a15599999","normalized_path":"CSIDL_SYSTEM\\raserver.exe","original_name":"raserver.exe","name":"raserver.exe","modified":1713686252031,"md5":"16ae006dbc22db34f13598be5e211111","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\Windows\\system32\\RAServer.exe\" /offerraupdate","pid":8612,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8001,"user_name":"Svc.User","message":"svchost.exe launched c:\\windows\\system32\\raserver.exe","device_domain":"corp-zone.local","uuid":"6c1ffc70-b052-11f0-f919-000000ab7e85","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.SchtasksLaunch!g2"},"log_time":"2026-01-13T10:02:55.013Z","ref_uid":"AED
10:03:04.075391 ens18 In  IP (tos 0x0, ttl 63, id 16389, offset 0, flags [DF], proto TCP (6), length 2948)
    10.16.200.44.24524 > 10.16.201.200.514: Flags [.], cksum 0xe976 (incorrect -> 0xe5c5), seq 101360:104256, ack 1, win 15, options [nop,nop,TS val 3540480991 ecr 1039643213], length 2896
E...@.@.?..o



CEF:
Jan 13 10:03:54 localhost.localdomain CEF:0|Symantec|SEDR|4.12.0-73|8001|net.exe launched c:\windows\syswow64\net1.exe|1|act=1 cat=5 deviceExternalId=571c9cae-fe1c-4fee-be9a-4429fffa1111 dvchost=SARLAPDSI01160 rt=1768298623114 deviceCustomDate1=1768298623114 deviceCustomDate1Label=Logged Time cs5=Windows 11 Professional Edition cs5Label=Device OS Name suser=Svc.User symcSEDRLogName=epmp_events-fdr-2026-01-13/_doc symcSEDRUUID=529d4630-b062-11f0-cb5f-000000db8088 symcSEDRData={"process":{"uid":"4480CF04-EEF7-F1F0-9750-2851A8F02222","file":{"signature_level_id":60,"path":"c:\\windows\\syswow64\\net1.exe","signature_value_ids":[3,5],"sha2":"747136c32e9e7639b251719cfe503f1bd482335aecec7ae7cb8a91b0a911111","normalized_path":"CSIDL_SYSTEMX86\\net1.exe","original_name":"net1.exe","name":"net1.exe","modified":1711956138294,"md5":"a8d42e2bf18d54816819ea4db4480aa1","signature_company_name":"Microsoft Windows"},"cmd_line":"C:\\WINDOWS\\system32\\net1 user","pid":19660,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"type_id":8001,"device_domain":"corp-zone.local","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.NetUser!g1"},"ref_uid":"108D99A2-8F4E-44C9-8902-3A2147851111","status_detail":"Generic Data to be sent to ATP","actor":{"uid":"4480CEE6-EEF7-F1F0-9750-2851A8F03333","start_time":1768296526105,"file":{"signature_level_id":60,"path":"c:\\windows\\syswow64\\net.exe","signature_value_ids":[3,5],"sha2":"1cb12d8d687b36b58a25d18d8fd4c70cb06e2f048518cf0359fc5d51b711111","normalized_path":"CSIDL_SYSTEMX86\\net.exe","original_name":"net.exe","name":"net.exe","modified":1729077174381,"md5":"c1a1e4fab1261259b5b69a8143341afe","signature_company_name":"Microsoft Windows"},"cmd_line":"net user","pid":17360,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"logging_device_name":"10.16.200.44","user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1087","tactic_ids":[7],"technique_name":"Account Discovery","tactic_uids":["TA0007"]},{"technique_uid":"T1033","tactic_ids":[7],"technique_name":"System Owner/User Discovery","tactic_uids":["TA0007"]}],"logging_device_ip":"10.16.200.44","device_time":1768296526355}
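The three samples above are the whole decoding problem: two of them wrap the same JSON event in a syslog header (RFC 5424 with structured data, RFC 3164 with a "SEDR:" tag), the third carries it inside the symcSEDRData field of a CEF extension, and the second sample is visibly cut in the middle of its JSON with a stray fragment of another message in front of it. What follows is an added example, not part of the post and not Wazuh's decoder, that parses each framing and pulls out the fields a decoder would expose (user, device, UUID, severity, category, rule name, suspicion score, ATT&CK technique IDs) while rejecting lines that did not arrive whole. The SAMPLES are constructed lines abridged from the ones posted, and the function names are mine.

```python
"""Symantec EDR syslog -> the fields a Wazuh decoder exposes. Added example,
not Wazuh's or Symantec's code; SAMPLES are constructed and abridged."""
import json
import re

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(r'^<\d{1,3}>1 \S+ (?P<host>\S+) (?P<app>\S+) \S+ \S+ '
                        r'(?:-|\[.*?\]) (?P<msg>.*)$', re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
RFC3164_RE = re.compile(r'^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d '
                        r'(?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$', re.S)
# CEF in a BSD syslog line (PRI optional): Mmm dd hh:mm:ss HOST CEF:0|...
CEF_RE = re.compile(r'^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d '
                    r'(?P<host>\S+) (?P<cef>CEF:0\|.*)$', re.S)
_KEY_RE, _NEXT_KEY_RE = re.compile(r'([A-Za-z0-9_]+)='), re.compile(r'\s+[A-Za-z0-9_]+=')
_JSON = json.JSONDecoder()

def parse_cef_extension(ext):
    """'key=value key=value ...'; values may contain spaces. CEF escapes '=' in
    values as '\\=', but symcSEDRData is a raw JSON object, so it is consumed
    with raw_decode instead of being split at the next ' key=' lookalike."""
    fields, pos, n = {}, 0, len(ext)
    while pos < n:
        m = _KEY_RE.match(ext, pos)
        if not m:
            raise ValueError(f'malformed CEF extension at offset {pos}')
        key, pos = m.group(1), m.end()
        if pos < n and ext[pos] == '{':
            fields[key], pos = _JSON.raw_decode(ext, pos)
        else:
            nxt = _NEXT_KEY_RE.search(ext, pos)
            end = nxt.start() if nxt else n
            fields[key] = ext[pos:end].replace('\\=', '=').replace('\\\\', '\\')
            pos = end
        while pos < n and ext[pos] == ' ':
            pos += 1
    return fields

def parse_cef(cef):
    # CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension; a
    # literal pipe inside a header field is escaped as backslash-pipe.
    parts = re.split(r'(?<!\\)\|', cef, maxsplit=7)
    if len(parts) != 8 or parts[0] != 'CEF:0':
        raise ValueError('not a CEF:0 record')
    return dict(zip(('vendor', 'product', 'version', 'signature_id', 'name'), parts[1:6]),
                severity=int(parts[6]), extension=parse_cef_extension(parts[7]))

def parse_line(line):
    """Detect the framing; ValueError (json.JSONDecodeError is one) flags a
    message cut mid-JSON or a stray fragment that is not syslog at all."""
    line = line.rstrip('\r\n')
    if (m := RFC5424_RE.match(line)):
        rec = {'format': 'rfc5424', 'host': m['host'],
               'event': json.loads(m['msg'].lstrip('\ufeff'))}
    elif (m := RFC3164_RE.match(line)):
        rec = {'format': 'rfc3164', 'host': m['host'], 'event': json.loads(m['msg'])}
    elif (m := CEF_RE.match(line)):
        cef = parse_cef(m['cef'])
        rec = {'format': 'cef', 'host': m['host'], 'cef': cef,
               'event': cef['extension'].get('symcSEDRData', {})}
    else:
        raise ValueError('unrecognised syslog framing')
    if not isinstance(rec['event'], dict):
        raise ValueError('event payload is not a JSON object')
    return rec

def normalize(rec):
    """The fields the thread's decoder extracts; for CEF the header and the
    extension supply what Symantec leaves out of symcSEDRData."""
    ev, cef = rec['event'], rec.get('cef', {})
    ext, enr = cef.get('extension', {}), ev.get('edr_enriched_data') or {}
    return {'format': rec['format'],
            'user': ev.get('user_name') or ext.get('suser'),
            'device': ev.get('device_name') or ext.get('dvchost'),
            'uuid': ev.get('uuid') or ext.get('symcSEDRUUID'),
            'severity': ev.get('severity_id', cef.get('severity')),
            'category_id': ev.get('category_id', int(ext['cat']) if 'cat' in ext else None),
            'rule_name': enr.get('rule_name'),
            'suspicion_score': enr.get('suspicion_score'),
            'techniques': [a.get('technique_uid') for a in ev.get('attacks', [])]}

def parse_stream(lines):
    """Keep going past broken lines and report them; run over archives.log
    this is what exposes events that were truncated or fragmented in transit."""
    ok, bad = [], []
    for no, line in enumerate(lines, 1):
        try:
            ok.append(normalize(parse_line(line)))
        except ValueError as exc:
            bad.append((no, str(exc)[:40]))
    return ok, bad

# Constructed lines abridged from the post's samples; 3 and 4 imitate the
# message cut mid-JSON and the stray fragment seen in the second sample.
SAMPLES = [
    r'<14>1 2026-01-13T10:00:34.773Z localhost.localdomain SEDR - 8006 [origin ip="192.168.50.91"] '
    r'{"user_name":"Svc.User","uuid":"7a9f1120-a063-21f0-b10a-000000ab912e","device_name":"WKSTNENG0451",'
    r'"edr_enriched_data":{"category_id":201,"rule_name":"eChangeDefaultFileAssoc","suspicion_score":50},'
    r'"category_id":5,"attacks":[{"technique_uid":"T1546","tactic_uids":["TA0003","TA0004"]}],"severity_id":1}',
    r'<14>Jan 13 10:03:04 localhost.localdomain SEDR: {"process":{"cmd_line":"\"C:\\Windows\\system32\\RAServer.exe\" '
    r'/offerraupdate"},"user_name":"Svc.User","uuid":"6c1ffc70-b052-11f0-f919-000000ab7e85","device_name":"WKSTNENG0200",'
    r'"edr_enriched_data":{"category_id":201,"rule_name":"IF.SchtasksLaunch!g2"},"category_id":5,'
    r'"attacks":[{"technique_uid":"T1053","tactic_uids":["TA0002","TA0003","TA0004"]}],"severity_id":1}',
    r'<14>Jan 13 10:03:04 localhost.localdomain SEDR: {"process":{"uid":"A16F3108-B04F-F1F0-87F5-944348B12222","file":{"path":"c:\\wi',
    r'..s.=..Le006dbc22db34f13598be5e21e662","signature_company_name":"Microsoft Windows"},"pid":11644}',
    r'Jan 13 10:03:54 localhost.localdomain CEF:0|Symantec|SEDR|4.12.0-73|8001|net.exe launched c:\windows\syswow64\net1.exe|1|'
    r'act=1 cat=5 dvchost=SARLAPDSI01160 rt=1768298623114 cs5=Windows 11 Professional Edition cs5Label=Device OS Name '
    r'suser=Svc.User symcSEDRUUID=529d4630-b062-11f0-cb5f-000000db8088 symcSEDRData={"process":{"cmd_line":"C:\\WINDOWS\\system32\\net1 user",'
    r'"pid":19660},"type_id":8001,"edr_enriched_data":{"category_id":201,"rule_name":"IF.NetUser!g1"},'
    r'"attacks":[{"technique_uid":"T1087","tactic_uids":["TA0007"]},{"technique_uid":"T1033","tactic_uids":["TA0007"]}]}',
]
```

Feed it a slice of /var/ossec/logs/archives/archives.log instead of SAMPLES to see which lines the manager actually received whole. A line rejected with a JSON error partway through, like the third sample, was cut before it reached the file; no decoder can recover that, so the fix is on the sender or transport side, not in the decoder.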

Richmond Aribibia Fimie
9:52 AM (2 hours ago)
to Wazuh | Mailing List
Hello @yazid

Thank you for sharing the Symantec logs; that was very helpful. I've created a decoder based on the samples you provided, and it's working correctly with Wazuh. The decoder now parses the Symantec EDR logs in both RFC 5424 formats, extracting fields such as user, device, UUID, severity, category, rule details, suspicion score, and MITRE ATT&CK technique IDs.

With this in place, Wazuh can properly interpret and categorize your Symantec events.

Steps to add the custom Symantec decoder in Wazuh

  1. Create a custom decoder file. Go to the Wazuh manager decoders directory:
     cd /var/ossec/etc/decoders/
     and create a new file, for example:
     nano symantec-edr_decoders.xml
  2. Add the content of the created Symantec decoder.
  3. Restart the Wazuh manager to apply the changes:
     systemctl restart wazuh-manager

     [screenshot: 2026-01-13 15_48_45-Integrating Wazuh with Symantec Logs.png]

Attachment: symantec_edr.xml
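As an added illustration of the steps above (this is not the symantec_edr.xml attached to the reply, which the page does not reproduce), here is a minimal decoder pair and rule group of the kind those steps install, written for the RFC 3164 framing shown in the second sample, together with the remote block the manager needs to accept the feed at all. The decoder and rule names, the rule IDs, and the allowed sender address (taken from the tcpdump output earlier in the thread) are assumptions; check the result with wazuh-logtest before relying on it.

```xml
<!-- Added example, not the attached symantec_edr.xml. Assumed: the decoder and
     rule names, rule IDs 100500/100501, and the sender address from the capture. -->

<!-- 1. /var/ossec/etc/ossec.conf: accept the feed. The tcpdump in the thread
     shows TCP to port 514; remoted's syslog listener defaults to UDP. -->
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>10.16.200.44/32</allowed-ips>
</remote>

<!-- 2. /var/ossec/etc/decoders/symantec-edr_decoders.xml. After the header of
     "... localhost.localdomain SEDR: {...}" is pre-decoded as syslog, the
     program name is SEDR and the remaining log body is the JSON object. -->
<decoder name="symantec-edr">
  <program_name>^SEDR</program_name>
</decoder>

<decoder name="symantec-edr-json">
  <parent>symantec-edr</parent>
  <prematch>^{</prematch>
  <!-- every key becomes a dynamic field; nested keys get dotted names such as
       edr_enriched_data.rule_name and edr_enriched_data.suspicion_score -->
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<!-- 3. /var/ossec/etc/rules/symantec-edr_rules.xml: a base rule for every EDR
     event, and a higher level when the event carries a suspicion score. -->
<group name="symantec,edr,">
  <rule id="100500" level="3">
    <decoded_as>symantec-edr</decoded_as>
    <field name="type_id">\d+</field>
    <description>Symantec EDR event $(type_id) on $(device_name): $(message)</description>
  </rule>
  <rule id="100501" level="7">
    <if_sid>100500</if_sid>
    <field name="edr_enriched_data.suspicion_score">\d+</field>
    <description>Symantec EDR rule $(edr_enriched_data.rule_name) scored $(edr_enriched_data.suspicion_score) on $(device_name)</description>
  </rule>
</group>
```

Paste one raw line from archives.log into /var/ossec/bin/wazuh-logtest and confirm that the JSON keys show up as decoded fields and that rule 100500 fires before restarting the manager. For the RFC 5424 framing the version digit, MSGID and the [origin ip="..."] element sit between the host and the JSON; if the archived line still carries them, give a separate decoder a <prematch> anchored on that element and set offset="after_prematch" on its plugin_decoder so JSON_Decoder starts at the opening brace. Set <logall> back to no once the samples are captured: archives.log records every event the manager receives and grows quickly on a busy EDR feed.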