Decoders work, but only the first decoder parses data


Miroslav M

Oct 6, 2022, 3:27:29 PM10/6/22
to Wazuh mailing list
Hi, I have Zimbra email server, I collect audit file /opt/zimbra/log/audit.log. In the local_decoder.xml I have:

<decoder name="zimbra">
 <prematch>[\S+] [\S+;oip=\S+;\S+] security - cmd=Auth; account=\S+; protocol=\S+;</prematch>
</decoder>

<decoder name="zimbra-login-success-imap">
 <parent>zimbra</parent>
 <type>syslog</type>
 <regex>[\S+] [\S+;oip=(\S+);\S+;\S+;\S+] security - cmd=Auth; account=(\S+); protocol=(\S+);</regex>
 <order>srcip, user, protocol</order>
</decoder>


<decoder name="zimbra-smtp-failed">
 <parent>zimbra</parent>
 <type>syslog</type>
 <regex>[\S+] [\S+;oip=(\S+);\S+;soapId=\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+); error=</regex>
 <order>srcip, user, protocol</order>
</decoder>

and testing messages:
2022-10-06 20:26:58,267 INFO  [ImapSSLServer-4054] [ip=192.168.200.200;oip=1.1.1.1;via=192.168.200.200(nginx/1.20.0);ua=Zimbra/8.8.15_GA_4372;cid=13023;] security - cmd=Auth; account=in...@example.com; protocol=imap;

2022-10-06 20:29:20,050 WARN  [qtp1704064279-19323://localhost:8080/service/soap/BatchRequest] [name=no...@example.com;oip=1.1.1.1;ua=zclient/8.8.15_GA_4372;soapId=4bb5ef91;] security - cmd=Auth; account=no...@example.com; protocol=soap; error=authentication failed for [no...@example.com], invalid password;

For the first event Wazuh logtest shows:
**Phase 2: Completed decoding.
    name: 'zimbra'
    dstuser: 'in...@example.com'
    protocol: 'imap'
    srcip: '1.1.1.1'

For the second event Wazuh logtest shows only:
**Phase 2: Completed decoding.
    name: 'zimbra'

If I move the second decoder before the first one in local_decoder.xml, logtest correctly parses the second event, but not the first one :)

So I should construct decoders differently? But how?

Thanks,
Miro

Sebastian Dario Bustos

Oct 6, 2022, 6:20:32 PM10/6/22
to Wazuh mailing list
Hello Miro,
Thank you for using Wazuh!!!

<decoder name="zimbra">
 <prematch>[\S+] [\S+;oip=\S+;\S+] security - cmd=Auth; account=\S+; protocol=\S+;</prematch>
</decoder>

<decoder name="zimbra-fields">
 <parent>zimbra</parent>
 <regex>[\S+] [\S+;oip=(\S+);\S+;\S+;\S+] security - cmd=Auth; account=(\S+); protocol=(\S+);</regex>
 <order>srcip, user, protocol</order>
</decoder>

<decoder name="zimbra-fields">
 <parent>zimbra</parent>
 <regex>[\S+] [\S+;oip=(\S+);\S+;soapId=\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+); error=</regex>
 <order>srcip, user, protocol</order>
</decoder>


Let me know.
Regards.

Sebastian Dario Bustos

Oct 6, 2022, 7:33:58 PM10/6/22
to Wazuh mailing list
This is more a sibling decoder approach, here is the documentation for sibling decoders:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/sibling-decoders.html
In this way you can analyze and decode several log formats under the same decoder name; you can even atomize the decoder into each specific field to be decoded, with all the variants it may have.

Let me know.
Regards.

Miroslav Rudolf

Oct 7, 2022, 1:41:43 PM10/7/22
to wa...@googlegroups.com

Many thanks, works fine.

So I covered

<!-- Zimbra audit.log -->

<decoder name="zimbra">
 <prematch>[\S+] [\S+;oip=\S+;\S+] security - cmd=Auth; account=\S+; protocol=\S+;</prematch>
</decoder>

<!-- siblings for successful logon events for IMAP -->

<decoder name="zimbra-fields">
 <parent>zimbra</parent>
 <regex>[\S+] [\S+;oip=(\S+);\S+;\S+;\S+] security - cmd=Auth; account=(\S+); protocol=(\S+);</regex>
 <order>srcip, user, protocol</order>
</decoder>

<!-- siblings for successful logon events for WEB and SMTP -->

<decoder name="zimbra-fields">
 <parent>zimbra</parent>
 <regex>[\S+] [\S+;oip=(\S+);\S+;\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+);</regex>
 <order>srcip, user, protocol</order>
</decoder>

<!-- siblings for unsuccessful logon events for imap, web and smtp -->

<decoder name="zimbra-fields">
 <parent>zimbra</parent>
 <regex>[\S+] [\S+;oip=(\S+);\S+;soapId=\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+); error=</regex>
 <order>srcip, user, protocol</order>
</decoder>

And then older

<!-- Zimbra mailbox.log account lockout -->
<decoder name="zimbra-mailbox">
 <prematch>[\S+] [] misc - Access from IP \S+ suspended</prematch>
</decoder>

<decoder name="zimbra-mailbox-suspeded">
 <parent>zimbra-mailbox</parent>
 <type>syslog</type>
 <regex>[\S+] [] misc - Access from IP (\S+) (suspended)</regex>
 <order>srcip, action</order>
</decoder>



On 07. 10. 22 at 1:33, Sebastian Dario Bustos wrote:
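To check offline which sibling catches which audit.log line before loading a new local_decoder.xml, here is an added Python emulation of the sibling fall-through Sebastian describes, applied to the three zimbra-fields decoders from the final post. It is not Wazuh's engine and not code from this thread; it assumes an approximate mapping of OS_Regex atoms onto Python's re module, so confirm anything it reports with wazuh-logtest.

```python
import re

# Approximate OS_Regex -> Python re mapping (assumption: this emulates, but is
# not, the Wazuh engine; confirm anything it reports with wazuh-logtest).
_ATOMS = {"S": r"\S", "s": r"\s", "w": r"[A-Za-z0-9_]", "d": r"\d",
          "p": r"[^\w\s]", ".": r".", "\\": r"\\"}
_PASS = set("()+*^$|")  # metacharacters OS_Regex and re have in common

def os_regex_to_python(pattern):
    """Compile an OS_Regex pattern; every character not handled above is a literal."""
    out, i = [], 0
    while i < len(pattern):
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if pattern[i] == "\\" and nxt in _ATOMS:
            out.append(_ATOMS[nxt])
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in _PASS else re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

# Parent prematch and the three zimbra-fields siblings from the final post.
PREMATCH = r"[\S+] [\S+;oip=\S+;\S+] security - cmd=Auth; account=\S+; protocol=\S+;"
ORDER = ["srcip", "user", "protocol"]
SIBLINGS = [
    ("imap success", r"[\S+] [\S+;oip=(\S+);\S+;\S+;\S+] security - cmd=Auth; account=(\S+); protocol=(\S+);"),
    ("web/smtp success", r"[\S+] [\S+;oip=(\S+);\S+;\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+);"),
    ("auth failed", r"[\S+] [\S+;oip=(\S+);\S+;soapId=\S+;] security - cmd=Auth; account=(\S+); protocol=(\S+); error="),
]

def decode(line):
    """Sibling semantics: parent prematch first, then the first sibling regex that matches wins."""
    if not os_regex_to_python(PREMATCH).search(line):
        return None  # parent prematch failed: no zimbra decoder at all
    for idx, (label, rx) in enumerate(SIBLINGS):
        m = os_regex_to_python(rx).search(line)
        if m:
            return {"name": "zimbra", "sibling": idx, "label": label, "fields": dict(zip(ORDER, m.groups()))}
    return {"name": "zimbra", "sibling": None, "fields": {}}  # what logtest showed for the second event

# The two audit.log lines posted in the question.
IMAP_OK = ("2022-10-06 20:26:58,267 INFO  [ImapSSLServer-4054] [ip=192.168.200.200;oip=1.1.1.1;"
           "via=192.168.200.200(nginx/1.20.0);ua=Zimbra/8.8.15_GA_4372;cid=13023;] security - "
           "cmd=Auth; account=in...@example.com; protocol=imap;")
SOAP_FAIL = ("2022-10-06 20:29:20,050 WARN  [qtp1704064279-19323://localhost:8080/service/soap/BatchRequest] "
             "[name=no...@example.com;oip=1.1.1.1;ua=zclient/8.8.15_GA_4372;soapId=4bb5ef91;] security - "
             "cmd=Auth; account=no...@example.com; protocol=soap; error=authentication failed for "
             "[no...@example.com], invalid password;")
```

Calling decode(IMAP_OK) and decode(SOAP_FAIL) reproduces the fields logtest printed; note that for the failed SOAP login the emulation reports the "web/smtp success" sibling rather than the "auth failed" one, because that regex does not exclude lines carrying error=, so order siblings from most specific to least specific when the match matters for your rules.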