Monitoring network devices with Wazuh
181 views
Skip to first unread message
Nikolay Grudov
Apr 19, 2024, 4:52:52 AM4/19/24
to Wazuh | Mailing List
Hi all,
I followed this blog post Monitoring network devices with Wazuh but the decoders are not working correctly. You need to delete one interval between two /d+ in all decoders to make it work properly.
I followed this blog post Monitoring network devices with Wazuh but the decoders are not working correctly. You need to delete one interval between two /d+ in all decoders to make it work properly.
<decoder name="mikrotik">
<prematch>^RouterOS7.1-logs: </prematch>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik dhcp-client on (\S+) (.*?) address (\d+.\d+.\d+.\d+)</regex>
<order>logtimestamp, interface, action, ip_address</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik router (\S+)</regex>
<order>logtimestamp, action</order>
</decoder>
<prematch>^RouterOS7.1-logs: </prematch>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik dhcp-client on (\S+) (.*?) address (\d+.\d+.\d+.\d+)</regex>
<order>logtimestamp, interface, action, ip_address</order>
</decoder>
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+\d+:\d+:\d+) MikroTik router (\S+)</regex>
<order>logtimestamp, action</order>
</decoder>
Hope this helps.
Julian Bustamante Narvaez
Apr 19, 2024, 1:33:12 PM4/19/24
to Wazuh | Mailing List
Hi , i hope you are well, could you send me the full_log in order to test with wazuh-logtest.
Thanks
Regards
Nikolay Grudov
Apr 22, 2024, 6:57:23 AM4/22/24
to Wazuh | Mailing List, Julian Bustamante Narvaez
RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox
Best regards,
From: 'Julian Bustamante Narvaez' via Wazuh | Mailing List <wa...@googlegroups.com>
Sent: Friday, April 19, 2024 20:33
To: Wazuh | Mailing List <wa...@googlegroups.com>
Subject: Re: Monitoring network devices with Wazuh
Sent: Friday, April 19, 2024 20:33
To: Wazuh | Mailing List <wa...@googlegroups.com>
Subject: Re: Monitoring network devices with Wazuh
CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognize the sender and know the content is safe.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/mjkeTSX-BC8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/06cdcc46-f383-4882-8c00-9d33dcf34563n%40googlegroups.com.
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/mjkeTSX-BC8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/06cdcc46-f383-4882-8c00-9d33dcf34563n%40googlegroups.com.
Message has been deleted
Message has been deleted
Julian Bustamante Narvaez
Apr 22, 2024, 3:06:36 PM4/22/24
to Wazuh | Mailing List
Thanks a lot, you are rigth, I will tell it to the correct team for update the documentation.
However , for your log you add modify other things in your regex like this
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox
However , for your log you add modify other things in your regex like this
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<parent>mikrotik</parent>
<regex type="pcre2">\S+ (\w+ \d+:\d+:\d+) Mikrotik Router user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
output:
ulian-A15-FA506QM:/home/thejbte# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.9.0
Type one log per line
ulian-A15-FA506QM:/home/thejbte# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.9.0
Type one log per line
RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox
**Phase 1: Completed pre-decoding.
full event: 'RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox'
**Phase 2: Completed decoding.
name: 'mikrotik'
action: 'logged in'
ip_address: '192.168.10.182'
logged_user: 'admin'
logtimestamp: '22 09:23:07'
protocol: 'winbox'
full event: 'RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox'
**Phase 2: Completed decoding.
name: 'mikrotik'
action: 'logged in'
ip_address: '192.168.10.182'
logged_user: 'admin'
logtimestamp: '22 09:23:07'
protocol: 'winbox'
Best regards
Nikolay Grudov
May 4, 2024, 9:50:43 AM5/4/24
to Wazuh | Mailing List
Still not OK :)
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
With this log it is not working due to double space before 1 digit day:
RouterOS7.1-logs: 2024-05-02T13:21:36.833657800Z {ip=192.168.10.1} <24>May 2 16:21:36
MikroTik Router user admin logged in from 192.168.10.182 via winbox
Should be
<decoder name="mikrotik1">
<parent>mikrotik</parent>
<parent>mikrotik</parent>
<regex type="pcre2">\S+\s+(\w+ \d+:\d+:\d+) MikroTik Router user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
<order>logtimestamp, logged_user, action, ip_address, protocol</order>
</decoder>
Best regards!
Julian Bustamante Narvaez
May 4, 2024, 12:46:00 PM5/4/24
to Wazuh | Mailing List
Hi,
as your log is different(with space double) is normal that it doesn't work, What i send is only a basic decoder, you need to deep in the documentation https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html , in order to make a better decoder.
The team in charge will make an appropriate decoder to https://wazuh.com/blog/monitoring-network-devices/ blog.
The better decoder for you is changing all spaces by \s+ in the regex.
RouterOS7.1-logs: 2024-04-22T06:23:08.879433900Z {ip=192.168.10.1} <24>Apr 22 09:23:07 Mikrotik Router user admin logged in from 192.168.10.182 via winbox
\S+\s+(\w+\s+\d+:\d+:\d+)\s+Mikrotik\s+Router\s+user\s+(\S+)\s+(.*?)\s+from\s+(\d+.\d+.\d+.\d+)\s+via\s+(\w+)
Regards
Reply all
Reply to author
Forward
0 new messages