Custom Decoder Issue


zaffar abbas

Sep 2, 2023, 11:29:50 AM
to Wazuh | Mailing List
Hi Team,

I have been engaged in designing custom decoders for the following event type:

Jun 12 13:43:24 X.X.X.X 66822: wan50-rt1-new: Jun 12 13:43:23: %DOMAIN-4-MC_SHUTDOWN: Reason=Minimum Requirement Not Met. Details:Instance=0: VRF=default: Min Requirement Mask=1

Upon testing this event via the wazuh-logtest utility, Wazuh is able to identify the initial timestamp and the host's IP address (X.X.X.X); however, the number after the IP address (66822) is being considered by Wazuh as the program_name and no other information is parsed. I cannot use this exact number as the program name in my decoder since it changes with every event.

Could someone kindly help me design a custom decoder for this event?

Your early response will be highly appreciated!

Thanks,
Syed

Daniel Sappa

Sep 3, 2023, 12:10:09 PM
to Wazuh | Mailing List
Hi zaffar abbas!

I'll try to test it ASAP.
I think I understand what you want to explain; however, it would be useful if you could share the rule.

zaffar abbas

Sep 3, 2023, 12:23:46 PM
to Wazuh | Mailing List
Thanks a lot for your response Daniel!

Apologies! Could you please clarify which rule you are asking for? If it is the custom decoder I was trying to design, I removed it, as it was not helpful in parsing useful information from the event.

I look forward to your help in designing a custom decoder for this.

Regards,
Syed.

Daniel Sappa

Sep 4, 2023, 9:28:18 AM
to Wazuh | Mailing List
It would be useful if you could recover the decoder so that I can evaluate the behavior.

Daniel Sappa

Sep 14, 2023, 2:36:05 PM
to Wazuh | Mailing List
Hi zaffar abbas,

Were you able to complete the task?
If not, I can tell you that this happens because of the log format to be analyzed; it is necessary to build a custom decoder.
Can I help you with this?

zaffar abbas

Sep 14, 2023, 3:06:25 PM
to Daniel Sappa, Wazuh | Mailing List
Dear Daniel,

I am glad to hear from you. Apologies for not being able to return to this conversation. I am still stuck with that decoder. It would be great if I could get help from you.

Regards,
Syed


Daniel Sappa

Sep 15, 2023, 1:17:33 PM
to Wazuh | Mailing List
Have you been able to test the log in the following way?

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.6.0
Type one log per line


Jun 12 13:43:24 X.X.X.X 66822: wan50-rt1-new: Jun 12 13:43:23: %DOMAIN-4-MC_SHUTDOWN: Reason=Minimum Requirement Not Met. Details:Instance=0: VRF=default: Min Requirement Mask=1

**Phase 1: Completed pre-decoding.
full event: 'Jun 12 13:43:24 X.X.X.X 66822: wan50-rt1-new: Jun 12 13:43:23: %DOMAIN-4-MC_SHUTDOWN: Reason=Minimum Requirement Not Met. Details:Instance=0: VRF=default: Min Requirement Mask=1'
timestamp: 'Jun 12 13:43:24'
hostname: 'X.X.X.X'
program_name: '66822'

**Phase 2: Completed decoding.
No decoder matched.

zaffar abbas

Sep 15, 2023, 1:19:17 PM
to Daniel Sappa, Wazuh | Mailing List
Yes, the results were the same as yours.

Daniel Sappa

Sep 15, 2023, 1:43:27 PM
to Wazuh | Mailing List

Ok, as I mentioned before, it is necessary to create a custom decoder:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Here you can follow the example described, but specifically what you have to do is:

1. Make a valid regex statement that allows us to separate the log into the log fields that interest us.
    For this there are a few sites available, e.g. https://regex101.com/

2. Create a rule that relates to this decoder and allows an alert to be triggered.

Take a look at this and tell me your questions.
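As an added illustration of the two steps above (this is example code, not something posted in this thread or taken from Wazuh's own ruleset): a decoder pair plus a rule for the sample event. The decoder and rule names, the rule id and level, and the non-standard field names (reason, instance, vrf, min_requirement_mask) are choices made for this example; the device name and message type are taken from the event itself.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->

<!-- Parent decoder: only recognises the message type. The log text handed
     to decoders starts right after the pre-decoded program_name ("66822: "),
     so it begins with the device name, "wan50-rt1-new:". -->
<decoder name="domain-mc-shutdown">
  <prematch>^\S+: \w+ \d+ \d+:\d+:\d+: %DOMAIN-\d-MC_SHUTDOWN: </prematch>
</decoder>

<!-- Child decoder: extracts the fields. In Wazuh's regex syntax "\." is any
     character, "\S" is a non-space character, "\d" is a digit, and a plain "."
     is a literal dot. Each "+" run stops where the following pattern element
     matches, so "(\S+):" captures up to (not including) the colon. -->
<decoder name="domain-mc-shutdown-fields">
  <parent>domain-mc-shutdown</parent>
  <regex>^(\S+): \w+ \d+ \d+:\d+:\d+: %(\S+): Reason=(\.+). Details:Instance=(\d+): VRF=(\S+): Min Requirement Mask=(\d+)$</regex>
  <!-- system_name and id are standard Wazuh fields; the remaining names are
       dynamic fields chosen for this example. -->
  <order>system_name, id, reason, instance, vrf, min_requirement_mask</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->

<group name="local,network,domain,">
  <!-- Rule id and level are placeholders (custom ids belong in 100000-120000).
       $(field) expands a decoded field inside the description. decoded_as
       refers to the parent decoder's name. -->
  <rule id="100200" level="8">
    <decoded_as>domain-mc-shutdown</decoded_as>
    <field name="id">^DOMAIN-\d-MC_SHUTDOWN$</field>
    <description>$(system_name): MC_SHUTDOWN ($(id)) reason: $(reason), VRF $(vrf), mask $(min_requirement_mask)</description>
  </rule>
</group>
```

After restarting wazuh-manager, pasting the sample line into /var/ossec/bin/wazuh-logtest should show the decoded fields in Phase 2 and the rule in Phase 3.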

Daniel Sappa

Sep 15, 2023, 2:08:59 PM
to Wazuh | Mailing List
There are a few things to consider for plain text logs when building a decoder.

* Is the log a structured log or an unstructured one?
* If it is a structured log, are the fields ordered?
* Does the log source app allow you to define the log format?

Daniel Sappa

Sep 15, 2023, 4:28:16 PM
to Wazuh | Mailing List

Can you tell me where this log comes from?

Besides, can you share a few more lines with more real data, if possible?

I am following this trouble.