syslog decoder problem
403 views
Skip to first unread message
Hal Mirsky
Sep 23, 2021, 3:35:23 PM9/23/21
to Wazuh mailing list
Hello,
I am trying to create a decoder and rules to process syslog output from a QNAP NAS device. Using wzuh-logtest, I see that a test event is decoded and that my rule would fire. However, after restarting Wazuh, no alerts are generated. I see syslog entries in archive.log from the NAS.
I am running Wazuh 4.1.5 under Cent OS 8.2
ossec.conf has this for syslog:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>192.168.10.18</allowed-ips>
<local_ip>192.168.10.150</local_ip>
</remote>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>192.168.10.18</allowed-ips>
<local_ip>192.168.10.150</local_ip>
</remote>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
The decoder is:
<decoder name="qnap-syslog">
<prematch>^NAS1-></prematch>
<type>syslog</type>
</decoder>
<decoder name="qnap-syslog">
<parent>qnap-syslog</parent>
<!-- <program_name>qlogd</program_name> -->
<regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
<order>loginname,sourceip,sharename</order>
</decoder>
<prematch>^NAS1-></prematch>
<type>syslog</type>
</decoder>
<decoder name="qnap-syslog">
<parent>qnap-syslog</parent>
<!-- <program_name>qlogd</program_name> -->
<regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
<order>loginname,sourceip,sharename</order>
</decoder>
I've tried with and without program_name element
Here's a sample syslog event from the NAS (IPs redacted):
2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read
Sample output from wazuh-logtest:
2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read
**Phase 1: Completed pre-decoding.
full event: '2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read'
timestamp: '2021 Sep 23 12:25:28'
**Phase 2: Completed decoding.
name: 'qnap-syslog'
loginname: 'ASEGINC\badusername'
sharename: 'IT'
sourceip: 'XXX.XXX.XX.XXX'
**Phase 3: Completed filtering (rules).
id: '100542'
level: '12'
description: 'Unexpected access to IT share'
groups: '['local', 'syslog']'
firedtimes: '2'
mail: 'True'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
full event: '2021 Sep 23 12:25:28 NAS1->XXX.XXX.XX.XXX Sep 23 12:25:28 NAS1 qlogd[11249]: conn log: Users: ASEGINC\badusername, Source IP: XXX.XXX.XX.XXX, Computer name: XXX.XXX.XX.XXX, Connection type: SAMBA, Accessed resources: IT/Backups/ServerLogs/20210329-dc2.zip, Action: Read'
timestamp: '2021 Sep 23 12:25:28'
**Phase 2: Completed decoding.
name: 'qnap-syslog'
loginname: 'ASEGINC\badusername'
sharename: 'IT'
sourceip: 'XXX.XXX.XX.XXX'
**Phase 3: Completed filtering (rules).
id: '100542'
level: '12'
description: 'Unexpected access to IT share'
groups: '['local', 'syslog']'
firedtimes: '2'
mail: 'True'
**Alert to be generated.
Any suggestions would be appreciated!
Jose Cruz Lopez
Sep 24, 2021, 2:11:19 AM9/24/21
to Wazuh mailing list
Hello!
Seems that your problem may come from the decoder. At first sight, there are two issues:
- Your two decoders have the same name, as you do a prematch, your sibling decoder needs to have a different name to be differentiated from the other decoder.
- In Syslog decoders the field program_name is mandatory. So in this case, your original idea of using the program_name was correct!
If after these changes it stills not working, please also share your rules and I will made additional research with this.
Thank you very much!
Best regards.
Reply all
Reply to author
Forward
0 new messages