Full log collection; rules based on currently logged in user


Sebastian Silva

Feb 10, 2022, 8:00:36 AM
to Wazuh mailing list
Hello dear Wazuh team and Wazuh users,

I am running the Wazuh manager with several agents, a fairly standard setup, and would like to collect logs. I added several custom program logs as well as the Windows registry etc. to the ossec config file, and the manager shows changes; everything works fine.

My problem arises when wanting to view the full log. I would like to access collected logs from the manager and scroll through them entirely and not only view changes that triggered alerts. Is such a thing possible? I have thought about trying to force the agent to deliver the entire log via a rule but that did not help.

My second question is whether it is possible to discriminate based on the user that is currently logged in. Say User 1 cannot change a file without triggering an alarm (unless the file gets changed by one specific program), but the Admin, for example, can change whatever he likes.
 
I would really appreciate the help!

Cheers

S.Silva

Christian Borla

Feb 10, 2022, 12:16:54 PM
to Wazuh mailing list
Hi Sebastian Silva!
I hope you are doing fine.
Regarding your first question, to collect everything, I think it's possible, but it will have a CPU, storage and memory cost. Take a look at the following link: https://groups.google.com/u/1/g/wazuh/c/4m0WR7FVwfA

The idea is to create a custom decoder to collect every non-matching event; the problem is knowing what information to set in each <order> field, but as an example, we created a decoder for EventChannel events as follows.

Custom decoder: /var/ossec/etc/decoders/local_decoder.xml

<!-- Parent decoder: in Wazuh regex syntax "\." matches any character, so every event matches -->
<decoder name="allow_all">
    <prematch>\.</prematch>
</decoder>

<!-- Child decoder (same name, with <parent>): extracts fields from EventChannel events -->
<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex type="pcre2">(?i)(.*)(EventChannel)(.*)</regex>
  <!-- one field name per capture group, in order -->
  <order>data,action,extra_data</order>
</decoder>

You can try modifying the regex:

<!-- Child decoder that captures the whole event into a single "action" field -->
<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex type="pcre2">(.*)</regex>
  <order>action</order>
</decoder>

Also, it's necessary to create a custom rule to match our custom decoder, for example:

Custom Rule: /var/ossec/etc/rules/local_rules.xml

<group name="local,">
  <!-- Catch-all rule tied to the custom decoder; level 5 so that it generates an alert -->
  <rule id="100000" level="5">
    <decoded_as>allow_all</decoded_as>
    <regex type="pcre2">.*</regex>
    <description>Allow all logs not caught by inbuilt rules</description>
  </rule>
</group>

Regarding your second question, if you want to avoid alerts from specific users, you should identify the event and the field that contains the user, and create a child rule with level 0 to avoid that alert.

For example, if you know that the alert triggered is 200000 and you want to avoid this alert from any type of admin user:

<group name="local,">
  <!-- level 0 to avoid creating an alert -->
  <rule id="100500" level="0">
    <!-- this rule id is the rule we want to filter -->
    <if_sid>200000</if_sid>
    <!-- the decoded field that carries the user name -->
    <field name="user">admin|Admin|root</field>
    <description>filtering 200000 for admin users</description>
  </rule>
</group>

Let me know if this information is useful to you.
Regards.
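To make the parent/child mechanics discussed above concrete, here is an added example (not Wazuh code and not part of the original thread) that models the flow in Python: a catch-all decoder that also lifts a user name out of the line, a catch-all rule, and a level-0 child rule chained via if_sid that suppresses the alert for admin users. The rule evaluation and regex handling are a simplification written for this example with Python's re module, not Wazuh's OS_Regex/PCRE2 engines, and the log lines are constructed. It also shows the caveat from the answer: if the decoder does not populate the user field, the child rule cannot match and the alert still fires.

```python
"""Toy model of the Wazuh flow discussed in the thread (added example, not Wazuh code):
catch-all decoder -> catch-all rule (level 5) -> level-0 child rule via if_sid.
Regex matching uses Python's re module, which differs from Wazuh's OS_Regex/PCRE2."""
import re

# Constructed sample events; the last one carries no user token at all.
SAMPLE_EVENTS = [
    "Feb 10 08:00:36 host1 filechange: user=alice path=/etc/app/config.ini",
    "Feb 10 08:00:40 host1 filechange: user=Admin path=/etc/app/config.ini",
    "Feb 10 08:00:41 host1 filechange: user=root path=/etc/app/config.ini",
    "Feb 10 08:00:42 host1 filechange: path=/etc/app/config.ini",
]

# Decoder stand-in: captures the whole line as "action" (the thread's single-field
# variant) and, when present, a "user" field for the child rule to test.
USER_RE = re.compile(r"user=(\S+)")


def decode(event):
    """Return the decoded fields of one event (the names listed in <order>)."""
    fields = {"action": event}
    match = USER_RE.search(event)
    if match:
        fields["user"] = match.group(1)
    return fields


# Rules in the shape used in the thread: id, level, optional if_sid, optional field test.
# The field pattern is anchored so that e.g. "administrator" is not silently suppressed.
RULES = [
    {"id": 100000, "level": 5, "regex": r".*",
     "description": "Allow all logs not caught by inbuilt rules"},
    {"id": 100500, "level": 0, "if_sid": 100000,
     "field": ("user", r"^(admin|Admin|root)$"),
     "description": "filtering 100000 for admin users"},
]


def evaluate(event):
    """Return (rule_id, level) of the final matching rule for one event.

    A child rule (one with if_sid) is only considered when its parent matched;
    level 0 on the final rule means no alert is generated."""
    fields = decode(event)
    matched = None
    for rule in RULES:
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "regex" in rule and not re.search(rule["regex"], event):
            continue
        if "field" in rule:
            name, pattern = rule["field"]
            # No such decoded field -> the child rule cannot match.
            if name not in fields or not re.search(pattern, fields[name]):
                continue
        matched = rule
    return matched["id"], matched["level"]


def alerts(events):
    """Return (rule_id, event) pairs for events whose final rule has level > 0."""
    out = []
    for event in events:
        rule_id, level = evaluate(event)
        if level > 0:
            out.append((rule_id, event))
    return out


if __name__ == "__main__":
    for rule_id, event in alerts(SAMPLE_EVENTS):
        print(f"ALERT rule {rule_id}: {event}")
```

Running the block prints alerts for the alice event and for the event without a user field, while the Admin and root events are swallowed by rule 100500. The same check can be done against a real manager with wazuh-logtest, feeding it one line per case and confirming which rule id and level are reported.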