manually insert a log into Wazuh Manager directly from the command line


Mohammad Shafiuddin Russel

Oct 19, 2023, 4:10:25 AM
to Wazuh mailing list
Dear Wazuh Forum Moderators and Members,

I am reaching out to the Wazuh community seeking assistance with a specific query related to Wazuh Manager.

I'm currently exploring ways to manually insert a log into Wazuh Manager directly from the command line. While I have been able to configure Wazuh for log collection, I have come across situations where I need to insert logs manually for testing and validation purposes. I believe that this capability is crucial for various testing scenarios, and it would be immensely helpful if I could gain a better understanding of how to achieve this.



I look forward to your valuable input on this matter.

Sincerely,
Shafiuddin Russel

Olusegun Adenrele Oyebo

Oct 19, 2023, 7:14:58 AM
to Wazuh | Mailing List
Hello Mohammad,

Thank you for using Wazuh.

If I can get you correctly, you want to perform a logtest directly on the Wazuh manager and check what decoders match them, check what fields the decoders identify and also check what alerts match the event logs? If that is what you want to achieve, you can perform the Wazuh logtest using the command line tool and from the dashboard.

To perform the logtest using the command line tool from the Wazuh manager server:
  • Run /var/ossec/bin/wazuh-logtest and paste the log you want to run the test on e.g. Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928
  • You should see an output like below:
**Phase 1: Completed pre-decoding.
   full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
   timestamp: 'Oct 15 21:07:00'
   hostname: 'linux-agent'
   program_name: 'sshd'

**Phase 2: Completed decoding.
   name: 'sshd'
   parent: 'sshd'
   srcip: '18.18.18.18'
   srcport: '48928'
   srcuser: 'blimey'

**Phase 3: Completed filtering (rules).
   id: '5710'
   level: '5'
   description: 'sshd: Attempt to login using a non-existent user'
   groups: '["syslog","sshd","authentication_failed","invalid_login"]'
   firedtimes: '1'
   gdpr: '["IV_35.7.d","IV_32.2"]'
   gpg13: '["7.1"]'
   hipaa: '["164.312.b"]'
   mail: 'false'
   mitre.id: '["T1110.001","T1021.004","T1078"]'
   mitre.tactic: '["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"]'
   mitre.technique: '["Password Guessing","SSH","Valid Accounts"]'
   nist_800_53: '["AU.14","AC.7","AU.6"]'
   pci_dss: '["10.2.4","10.2.5","10.6.1"]'
   tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

Depending on the logs you inputted, you could see an output different from the above.

To perform the logtest from the Wazuh dashboard:
  • Go to Tools > Ruleset test in the Wazuh dashboard and paste the logs you want to test.
There are situations where the default and out-of-the-box decoders and rules might not give you what you want and you might need to create your own custom decoders and rules. Kindly use the below documentation which will guide you in the creation:
I hope this was helpful. Do not hesitate to reach out again if you still need any other thing.

Best regards.
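The command-line procedure above can also be scripted for repeatable testing of custom rules. The following is an added example, not code from this thread or from the Wazuh project; it assumes that /var/ossec/bin/wazuh-logtest reads one log line per line from stdin and keeps the `key: 'value'` output layout shown above, and it embeds a constructed copy of the sshd output so the parsing can be exercised on a machine without a manager.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): feed a log line to
# /var/ossec/bin/wazuh-logtest via stdin and check which rule fired.
# Print the value of one "key: 'value'" line from wazuh-logtest output on stdin.
logtest_field() {
  sed -n "s/^[[:space:]]*$1: '\(.*\)'\$/\1/p" | head -n 1
}

# Succeed only if the output on stdin shows rule $1 firing at level $2.
# With no matching rule there is no Phase 3 "id:" line, so this fails.
logtest_expect() {
  out=$(cat)
  got_id=$(printf '%s\n' "$out" | logtest_field id)
  got_level=$(printf '%s\n' "$out" | logtest_field level)
  [ "$got_id" = "$1" ] && [ "$got_level" = "$2" ]
}

# Run one raw log line through the manager's tool (needs a Wazuh manager).
run_logtest() {
  printf '%s\n' "$1" | /var/ossec/bin/wazuh-logtest
}

# check_line '<log line>' <expected rule id> <expected level>
check_line() {
  run_logtest "$1" | logtest_expect "$2" "$3"
}

# Constructed sample output, copied from the sshd example in the thread, so
# the parsing and the expectation can be exercised without a manager.
sample_output() {
cat <<'EOF'
**Phase 1: Completed pre-decoding.
   full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'

**Phase 2: Completed decoding.
   name: 'sshd'
   srcip: '18.18.18.18'

**Phase 3: Completed filtering (rules).
   id: '5710'
   level: '5'
   description: 'sshd: Attempt to login using a non-existent user'
   groups: '["syslog","sshd","authentication_failed","invalid_login"]'
**Alert to be generated.
EOF
}

# Offline self-check; on a manager, call check_line with a real log line instead.
sample_output | logtest_expect 5710 5 && echo "sample: rule 5710 at level 5 OK"
```

On a manager, `check_line 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928' 5710 5` returns non-zero as soon as a rule change stops rule 5710 from firing at level 5.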