Imperva logs monitoring


Alvaro Victoriano

Feb 2, 2020, 4:54:29 PM
to Wazuh mailing list
Hello Wazuh team,

I have seen the Imperva rules and decoders in Wazuh. I just would like to ask which kind of Imperva logs those rules and decoders are for. I am receiving the logs via an SFTP server where an agent is installed, and I have configured:

  <localfile>
    <log_format>imperva</log_format>
    <location>path to imperva/*.log</location>
  </localfile>

This is a sample of the Imperva logs I am receiving:

5300_7c7c7c7cwhatever.log

accountId:123
configId:5300
checksum:123
format:CEF
startTime:123
endTime:123
|==|
CEF:0|Incapsula|SIEMintegration|1|1|Bot Access Control|4| fileId=9999999 sourceServiceName=
siteid=6$


Thanks

Alvaro Victoriano

Feb 2, 2020, 4:56:39 PM
to Wazuh mailing list
  <localfile>
    <log_format>imperva/syslog</log_format>
    <location>path to imperva/*.log</location>
  </localfile>

Nothing is working.

Daniel Melgarejo

Feb 3, 2020, 10:33:44 AM
to Wazuh mailing list
Hello Alvaro,

Effectively, Wazuh has Imperva rules and decoders but I think that the decoder only works when the log is similar to this one:

Aug  9 00:02:03 host1 Imperva: act=None dst=10.10.10.11 dpt=443 src=54.54.54.11 spt=34248 proto=TCP event#=4699905322851714444 eventType=http,eventSev=Medium,rt=Aug 08 2016 22:22:02 cat=Alert cs1=Suspicious Response Code cs1Label=Policy cs2=MQ-PAYMENT-API

The logs you are receiving are different. You will have to create a new decoder and rules to decode those logs.

If your logs do not have the initial Timestamp, you can use a decoder and rule similar to this one:

<decoder name="imperva-event-siem">
    <prematch>accountId</prematch>
    <regex>^accountId:(\d+) configId:(\d+) checksum:(\d+) format:(\S+) startTime:(\d+) endTime:(\d+)</regex>
    <order>accountid,configid,checksum,format,starttime,endtime</order>
</decoder>

<rule id="100002" level="7">
    <decoded_as>imperva-event-siem</decoded_as>
    <description>Imperva: Multiple logs</description>
</rule>

And if they have the Timestamp, you could use these:

<decoder name="imperva-event-siem">
    <parent>imperva</parent>
    <regex>^accountId:(\d+) configId:(\d+) checksum:(\d+) format:(\S+) startTime:(\d+) endTime:(\d+)</regex>
    <order>accountid,configid,checksum,format,starttime,endtime</order>
</decoder>

<rule id="100002" level="7">
    <decoded_as>imperva-event-siem</decoded_as>
    <description>Imperva: Multiple logs</description>
</rule>

You can create more rules. You can find more information in the documentation: https://documentation.wazuh.com/3.9/user-manual/ruleset/custom.html#adding-new-decoders-and-rules


Another point to consider is that 'imperva' is not a valid option to use in <log_format>. You can find the valid options in the documentation: https://documentation.wazuh.com/3.11/user-manual/reference/ossec-conf/localfile.html#log-format

I recommend you use the 'multi-line' option because you have a log that is separated into different lines:

<log_format>multi-line: 9</log_format>

In other words:

<localfile>
    <log_format>multi-line: 9</log_format>
    <location>path to imperva/*.log</location>
</localfile>


I hope you find this information useful.

Best regards,
Daniel

Alvaro Victoriano

Feb 3, 2020, 4:08:50 PM
to Wazuh mailing list
Hello Daniel,

Thank you so much for your help, the information was very helpful.



Daniel Melgarejo

Feb 4, 2020, 1:53:55 AM
to Wazuh mailing list
Hello Alvaro,

I am glad that the information was helpful.

Please do not hesitate to contact us to share more questions.

Regards,
Daniel

Alvaro Victoriano

Feb 4, 2020, 2:05:05 PM
to Wazuh mailing list
Hello Daniel,

When I do the test with ossec-logtest linearly it works, but when I do it multi-line it doesn't work.
I would like to share again what I have, because the events don't appear in the Wazuh app:

/var/ossec/etc/decoders/local_decoder.xml

<decoder name="imperva-event-siem">
    <prematch>accountId</prematch>
    <regex>^accountId:(\d+) configId:(\d+) checksum:(\w+) format:(\S+) startTime:(\d+) endTime:(\d+)</regex>
    <order>accountid,configid,checksum,format,starttime,endtime</order>
</decoder>

/var/ossec/etc/rules/local_rules.xml

<group name="imperva,">
<rule id="100011" level="7" overwrite="yes">
    <decoded_as>imperva-event-siem</decoded_as>
    <description>Imperva: Multiple logs</description>
</rule>
</group>

/var/ossec/etc/ossec.conf

<localfile>
    <log_format>multi-line: 9</log_format>
    <location>path_to_imperva/*.log</location>
</localfile>



In the logs, there is a standard number of first lines that does not change (6) to define the event, as you can see:

accountId:213
configId:5300
checksum:fffffffffffff
format:CEF
startTime:456
endTime:789
|==|
CEF:0|Incapsula|SIEMintegration|1|1|Bot Access Control|4| fileId=21200000000

The number of CEF lines always varies: in some logs there are 30 lines of CEF and in others only 1. For now I would like to pass the first level by analyzing the first 6 lines so they appear in the Wazuh app. Could you help me with this please, because I need to monitor the Panda logs, which are the same as Imperva, CEF and LEEF.

Thanks.


Daniel Melgarejo

Feb 5, 2020, 3:29:58 AM
to Wazuh mailing list
Hi Alvaro,

I did an experiment modifying <log_format>:

<log_format>multi-line: 6</log_format>

Then, I created some logs with the same 6 first lines and added 3, 6 and 9 more lines.

When I executed the following command, I saw this:

# tail -f /var/ossec/logs/archives/archives.log

Output adding 3 lines:
2020 Feb 05 09:15:00 host->/var/ossec/logs/example.log accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

Output adding 6 lines:
2020 Feb 05 09:15:26 host->/var/ossec/logs/example.log 1 line 2 line 3 line 4 line 5 line 6 line
2020 Feb 05 09:15:26 host->/var/ossec/logs/example.log accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

Output adding 9 lines:
2020 Feb 05 09:16:20 host->/var/ossec/logs/example.log 1 line 2 line 3 line 4 line 5 line 6 line
2020 Feb 05 09:16:20 host->/var/ossec/logs/example.log accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

It seems that the log is being separated automatically. It is divided every 6 lines.

Rules are generated correctly:

** Alert 1580890500.32423: - local,syslog,sshd,
2020 Feb 05 09:15:00 host->/var/ossec/logs/example.log
Rule: 100002 (level 7) -> 'Imperva: Multiple logs'
accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

** Alert 1580890526.32665: - local,syslog,sshd,
2020 Feb 05 09:15:26 host->/var/ossec/logs/example.log
Rule: 100002 (level 7) -> 'Imperva: Multiple logs'
accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

** Alert 1580890580.32907: - local,syslog,sshd,
2020 Feb 05 09:16:20 host->/var/ossec/logs/example.log
Rule: 100002 (level 7) -> 'Imperva: Multiple logs'
accountId:213 configId:5300 checksum:fffffffffffff format:CEF startTime:456 endTime:789

Can you try to use <log_format>multi-line: 6</log_format>?

Best Regards,
Daniel
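As an added illustration (not code from the thread, from Wazuh, or from Imperva), the following Python parses the file layout Alvaro describes above (six fixed header lines, the `|==|` separator, then a variable number of CEF lines) and models what `multi-line: 6` hands to the analysis engine, reproducing Daniel's observation that only the header block decodes while the remaining lines are grouped six at a time whatever they contain. The sample file, its values and the `example.test` hostname are constructed; the decoder regex is the one posted in the thread.

```python
import re

# Constructed sample in the layout from the thread: six fixed "key:value"
# header lines, a "|==|" separator, then a variable number of CEF lines.
SAMPLE_LOG = """accountId:213
configId:5300
checksum:fffffffffffff
format:CEF
startTime:456
endTime:789
|==|
CEF:0|Incapsula|SIEMintegration|1|1|Bot Access Control|4| fileId=21200000000 sourceServiceName=example.test siteid=6
CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileId=21200000001 siteid=6 act=REQ_BLOCKED
"""

SEPARATOR = "|==|"
# Seven pipe-delimited CEF header fields, then the free-form extension.
CEF_HEADER = re.compile(r"^CEF:(\d+)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*)$")
# Extension values may contain spaces, so a value runs until the next " key=".
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# The regex from the decoder posted in the thread, applied to a joined chunk.
DECODER_RE = re.compile(r"^accountId:(\d+) configId:(\d+) checksum:(\w+) format:(\S+) startTime:(\d+) endTime:(\d+)")
CEF_KEYS = ("version", "vendor", "product", "product_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Parse one CEF line into its header fields plus the extension dict."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        return None
    event = dict(zip(CEF_KEYS, m.groups()[:7]))
    event["severity"] = int(event["severity"])
    event["extension"] = dict(CEF_EXT.findall(m.group(8).strip()))
    return event

def parse_imperva_file(text):
    """Split a file on the separator: header dict plus parsed CEF events."""
    head, _, body = text.partition(SEPARATOR + "\n")
    header = dict(line.partition(":")[::2] for line in head.splitlines() if line)
    events = [ev for ev in map(parse_cef, body.splitlines()) if ev]
    return header, events

def wazuh_multiline_chunks(text, n):
    """Model <log_format>multi-line: n</log_format>: every n physical lines joined
    with spaces, whatever they contain; a trailing partial group stays pending."""
    lines = text.splitlines()
    return [" ".join(lines[i:i + n]) for i in range(0, len(lines) - n + 1, n)]

def chunks_matching_decoder(text, n):
    """Return only the joined chunks that the posted decoder regex accepts."""
    return [c for c in wazuh_multiline_chunks(text, n) if DECODER_RE.match(c)]
```

With `n=6` only the header chunk matches the decoder, so the CEF events never reach a rule; splitting on `|==|` as `parse_imperva_file` does is what a second decoder for the CEF lines would need to reproduce.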

Alvaro Victoriano

Feb 14, 2020, 12:40:09 PM
to Wazuh mailing list
Hello Daniel,

Thank you so much for your help, everything is working fine now after so many tries.

Daniel Melgarejo

Feb 17, 2020, 3:00:05 AM
to Wazuh mailing list
Hello Alvaro,

I am glad that everything is working fine.


Please do not hesitate to contact us to share more questions.

Regards,
Daniel
