URGENT: Alerts Not Generating When Log Has Multi Timestamp


Experimantal Guest

Mar 29, 2024, 5:28:30 AM
to Wazuh | Mailing List
Hello Wazuh Team,

I created a decoder for the below log:
2024 Mar 07 00:03:48 WARNING->10.0.0.104 2024 Mar 06 15:47:07  WARNING 100002235 DDOS ATTACK RECORD: sip="103.253.47.168" , dip="10.0.0.102", dport="443", zone="Untrust", srv="VSMOBAPPS", protocol="SSL", atktype="SSL_HANDSHAKE", action="detect", counts=1

When I use '/var/ossec/bin/wazuh-logtest', my decoder decodes the log successfully. Also, when I store the log in a <localfile> file, alerts are generated in the Dashboard.

But there are no alerts generated when the log remains in the 'archives.log' file.

Is it because there are 2 timestamps (different) in the log? Please help.

Marcel Kemp

Apr 2, 2024, 8:29:50 AM
to Wazuh | Mailing List

Hi Experimantal Guest,

If you have already generated a working decoder for that log, checked it using wazuh-logtest, and matched step 3 of the rule (which would generate the alert), then it should still work once the log is collected by the manager and analysed.

To verify where the problem might be, I recommend you check the log inside the archives.log and test that log in wazuh-logtest; if everything is set correctly, it should work.

In case it doesn't work, check which step is wrong and modify the decoder/rule according to your needs.

If there are 2 timestamps, it shouldn't be a problem as long as the decoder parses those fields correctly.

I hope this is useful.
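An added illustration, not code from either post or from Wazuh itself: a Python emulation of the way a Wazuh decoder works (a prematch on the record marker, then field extraction), run on the line quoted in the question. It assumes the leading "2024 Mar 07 00:03:48 WARNING->10.0.0.104" is an outer wrapper around the device's own timestamped message, and checks that the wrapped and unwrapped forms decode to the same rule-relevant fields, which is what the reply above asks you to confirm.

```python
import re
from typing import Optional

# Constructed sample: the line quoted in the question, and the same message
# without the leading "<timestamp> <host>-><location> " wrapper.
ARCHIVED = ('2024 Mar 07 00:03:48 WARNING->10.0.0.104 2024 Mar 06 15:47:07  WARNING '
            '100002235 DDOS ATTACK RECORD: sip="103.253.47.168" , dip="10.0.0.102", '
            'dport="443", zone="Untrust", srv="VSMOBAPPS", protocol="SSL", '
            'atktype="SSL_HANDSHAKE", action="detect", counts=1')
DEVICE_ONLY = ARCHIVED.split('10.0.0.104 ', 1)[1]

TS = r'\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}'
# Assumed outer wrapper; it may or may not be present depending on where the
# line was read from, so it is stripped before the prematch, never relied on.
PREFIX = re.compile(rf'^(?P<archive_ts>{TS}) (?P<host>\S+)->(?P<location>\S+) ')
# Prematch: the device's own timestamp, severity and event id, then the literal
# marker that identifies this record type. Anchoring here, not on the first
# timestamp, is what makes two timestamps harmless.
HEADER = re.compile(rf'^(?P<device_ts>{TS})\s+(?P<severity>\w+) (?P<event_id>\d+) '
                    r'DDOS ATTACK RECORD: (?P<body>.*)$')
# Field extraction: key=value pairs, quoted or bare, tolerating the stray
# space before the comma after sip="...".
KV = re.compile(r'(\w+)=("?)([^",]*)\2')


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields, or None when the prematch fails (no alert possible)."""
    fields = {}
    m = PREFIX.match(line)
    if m:                                # strip the wrapper, keep its fields for reference
        fields.update(m.groupdict())
        line = line[m.end():]
    h = HEADER.match(line)
    if h is None:
        return None
    fields.update({k: v for k, v in h.groupdict().items() if k != 'body'})
    for key, _quote, value in KV.findall(h.group('body')):
        fields[key] = value
    if 'counts' in fields:
        fields['counts'] = int(fields['counts'])
    return fields


def device_fields(line: str) -> Optional[dict]:
    """The fields a rule would match on: everything except the outer wrapper."""
    decoded = decode(line)
    if decoded is None:
        return None
    return {k: v for k, v in decoded.items() if k not in ('archive_ts', 'host', 'location')}


if __name__ == '__main__':
    # False here would mean the decoder anchored on the wrapper or the wrong timestamp.
    print(device_fields(ARCHIVED) == device_fields(DEVICE_ONLY))
```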