syslog decoder problem

Hal Mirsky

Sep 23, 2021, 3:35:23 PM
to Wazuh mailing list

Hello,

I am trying to create a decoder and rules to process syslog output from a QNAP NAS device. Using wazuh-logtest, I see that a test event is decoded and that my rule would fire. However, after restarting Wazuh, no alerts are generated. I see syslog entries in archive.log from the NAS.

I am running Wazuh 4.1.5 under CentOS 8.2

ossec.conf has this for syslog:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.10.18</allowed-ips>
    <local_ip>192.168.10.150</local_ip>
  </remote>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

The decoder is:

<decoder name="qnap-syslog">
   <prematch>^NAS1-></prematch>
   <type>syslog</type>
</decoder>

<decoder name="qnap-syslog">
   <parent>qnap-syslog</parent>
   <!-- <program_name>qlogd</program_name> -->

   <regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
   <order>loginname,sourceip,sharename</order>

</decoder>

I've tried with and without program_name element

Here's a sample syslog event from the NAS (IPs redacted):

2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read

Sample output from wazuh-logtest:

2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read

**Phase 1: Completed pre-decoding.
        full event: '2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read'
        timestamp: '2021 Sep 23 12:25:28'

**Phase 2: Completed decoding.
        name: 'qnap-syslog'
        loginname: 'ASEGINC\badusername'
        sharename: 'IT'
        sourceip: 'XXX.XXX.XX.XXX'

**Phase 3: Completed filtering (rules).
        id: '100542'
        level: '12'
        description: 'Unexpected access to IT share'
        groups: '['local', 'syslog']'
        firedtimes: '2'
        mail: 'True'
**Alert to be generated.

Any suggestions would be appreciated!

Jose Cruz Lopez

Sep 24, 2021, 2:11:19 AM
to Wazuh mailing list
Hello!

Seems that your problem may come from the decoder. At first sight, there are two issues:
- Your two decoders have the same name, as you do a prematch, your sibling decoder needs to have a different name to be differentiated from the other decoder.
- In Syslog decoders the field program_name is mandatory. So in this case, your original idea of using the program_name was correct!

If after these changes it still isn't working, please also share your rules and I will do additional research on this.
Thank you very much!
Best regards.
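The behaviour the two posts describe, as an added example that is not part of the thread and not Wazuh's own code: a small Python emulation of pre-decoding and decoder selection, run over two constructed inputs. One is the event as pasted from archive.log; the other is the bare syslog message the NAS actually sends (the tail of the posted line). The `2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX ` prefix is the framing Wazuh writes when it records an event in archives.log, not part of the datagram, so a decoder whose prematch is `^NAS1->` can only succeed on a pasted archive line, which is what the logtest output reflects. The rewritten decoder pair follows the reply (parent keyed on `program_name`, child with a distinct name); the child name `qnap-syslog-conn` and its `conn log: ` prematch are assumptions, the emulation only reproduces what the posted phase-1 output shows (timestamp consumed, no hostname or program name when the line starts with Wazuh's own timestamp), and the regex translation covers only the constructs the posted decoder uses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs. RAW is the syslog message as the NAS puts it on the wire (the
# tail of the posted line); ARCHIVE is the same event as Wazuh writes it to
# archives.log, prefixed with its "YYYY Mon DD HH:MM:SS hostname->location " framing.
RAW = ("Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\\badusername, "
       "Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, "
       "Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read")
ARCHIVE = "2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX " + RAW

# ORIGINAL_XML is the pair as posted (both named qnap-syslog, parent prematching on
# the framing); FIXED_XML follows the reply: parent keyed on program_name, child with
# its own name (qnap-syslog-conn is assumed) prematching on the message body.
ORIGINAL_XML = r"""
<decoder name="qnap-syslog">
  <prematch>^NAS1-></prematch>
  <type>syslog</type>
</decoder>
<decoder name="qnap-syslog">
  <parent>qnap-syslog</parent>
  <regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
  <order>loginname,sourceip,sharename</order>
</decoder>
"""
FIXED_XML = r"""
<decoder name="qnap-syslog">
  <program_name>qlogd</program_name>
</decoder>
<decoder name="qnap-syslog-conn">
  <parent>qnap-syslog</parent>
  <prematch>conn log: </prematch>
  <regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
  <order>loginname,sourceip,sharename</order>
</decoder>
"""

# BSD syslog header "Mon DD HH:MM:SS host prog[pid]: message", and Wazuh's own
# "YYYY Mon DD HH:MM:SS " timestamp, which the posted phase-1 output shows being
# consumed with no hostname or program_name extracted (all that is reproduced here).
SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
ARCHIVE_TS = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d (?P<log>.*)$")
ARCHIVE_FRAMING = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \S+->\S+ (?P<rest>.*)$")

def predecode(line):
    """Phase 1: split off the header; return program_name and the remaining log."""
    m = SYSLOG_HDR.match(line)
    if m:
        return {"program_name": m["prog"], "log": m["log"]}
    m = ARCHIVE_TS.match(line)
    return {"program_name": None, "log": m["log"] if m else line}

def strip_archive_framing(line):
    """Turn an archives.log line back into the event analysisd actually received."""
    m = ARCHIVE_FRAMING.match(line)
    return m["rest"] if m else line

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used here: \\. is any character and * is lazy
    (it stops as soon as the rest can match), which is why the posted regex yields
    sharename 'IT' rather than 'IT/Backups/ServerLogs'."""
    out, i = [], 0
    while i < len(pattern):
        c, nxt = pattern[i], pattern[i + 1:i + 2]
        if c == "\\" and nxt:
            out.append("." if nxt == "." else c + nxt)
        else:
            out.append("*?" if c == "*" else c if c in "()^$" else re.escape(c))
        i += 2 if c == "\\" and nxt else 1
    return "".join(out)

def load_decoders(xml_text):
    """Pick out the elements this emulation understands (the wrapper root is for parsing only)."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    return [{"name": d.get("name"), "parent": d.findtext("parent"),
             "program_name": d.findtext("program_name"), "prematch": d.findtext("prematch"),
             "regex": d.findtext("regex"),
             "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]}
            for d in root.findall("decoder")]

def _accepts(dec, pre):
    # program_name must equal the pre-decoded one; prematch must hit the log body.
    if dec["program_name"] and dec["program_name"] != pre["program_name"]:
        return False
    return not dec["prematch"] or bool(re.search(ossec_to_python(dec["prematch"]), pre["log"]))

def _fields(dec, log):
    # Apply the decoder's regex, mapping capture groups onto the <order> names.
    if not dec["regex"]:
        return {}
    m = re.search(ossec_to_python(dec["regex"]), log)
    return dict(zip(dec["order"], m.groups())) if m else None

def decode(decoders, line):
    """Phase 2: first parent that accepts the event, then the first child that parses it."""
    pre = predecode(line)
    for parent in (d for d in decoders if not d["parent"]):
        if not _accepts(parent, pre):
            continue
        fields = _fields(parent, pre["log"]) or {}
        for child in (d for d in decoders if d["parent"] == parent["name"]):
            got = _accepts(child, pre) and _fields(child, pre["log"])
            if got:
                return {"decoder": child["name"], **fields, **got}
        if fields:
            return {"decoder": parent["name"], **fields}
    return None
```

Calling `decode(load_decoders(ORIGINAL_XML), ARCHIVE)` reproduces the logtest result (loginname, sourceip, sharename 'IT'), while the same decoders return `None` for `RAW`, the form analysisd sees on port 514. The rewritten pair does the opposite: it decodes `RAW` and ignores the archive-framed line. The practical check is therefore to feed wazuh-logtest the event as received (`strip_archive_framing(ARCHIVE)` gives exactly `RAW`), never a line copied from archives.log with its framing still attached.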