vmware-esxi logs issue


Neha Gautam

Apr 3, 2024, 6:20:16 AM
to Wazuh | Mailing List
Hello everyone,
I have a log file from a VMware ESXi host which has thousands or even more logs. But the problem is, how can I know for which logs I have to create decoders and rules in Wazuh, as there are different logs with different patterns?
Do I have to manually review all the logs from the file and create decoders and rules for the logs I want?
Or is there any other way?
Please answer.

Christian Borla

Apr 3, 2024, 10:47:46 AM
to Wazuh | Mailing List

Hello Neha Gautam,
I hope you are well.
Currently Wazuh has a set of decoders and rules for VMware; you should see whether any of them apply to the log set you want to include. They can also serve as a guide for you.

They can be found on the manager side at the following paths:
  • /var/ossec/ruleset/decoders/0360-vmware_decoders.xml
  • /var/ossec/ruleset/ruleset/rules/0235-vmware_rules.xml
You can test them using the wazuh-logtest tool.
In case they do not match, you will have to create your own decoders and rules; for this it is advisable to separate the events into groups by event type.
I hope this is helpful.
Regards.

Neha Gautam

Apr 3, 2024, 1:33:24 PM
to Wazuh | Mailing List
Hi Christian Borla,
Yeah, the logs are not matching because the logs are from Syslog Watcher and there is no such decoder or rules. But the problem is, how do I classify those millions of logs?
I mean, suppose I have millions of logs; for each of those logs I don't need to write specific decoders and rules, correct? So how could I first classify the logs into categories (and for those categories I can create decoders and rules)?
Is there any specific tool to classify those logs, or do I have to do this task manually? This is what I am asking.

Christian Borla

Apr 3, 2024, 2:30:00 PM
to Wazuh | Mailing List
Hello Neha Gautam,
You are correct, there is no tool to automatically sort and create decoders from a set of events; it is a manual job, where the content team sorts and extracts the important fields from each set of events.
To create regular expressions for decoders, the tool https://regex101.com/ is useful.
You can help yourself with some AI to classify the events, in addition to doing it manually.
It is important that you get the log set to analyze from the archives.json file; that way you make sure that the format is as it arrives at the Wazuh manager.
Another option is to hire professional support to create the ruleset. You can also create an issue requesting support (one issue already exists) for this type of event, and if Wazuh considers it important for its roadmap, maybe it will be included in a coming release.
I hope it helps.
Regards.
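The classification step discussed above, as an added example (my code, not Wazuh's and not from either participant): it reads events from an archives.json-shaped input, masks the variable fields in each raw `full_log` (timestamps, IPs, UUIDs, hex and decimal numbers) and counts how many events share each resulting template. The most populous templates are the event types worth a decoder and rule first; the example line under each template is what you paste into regex101 or wazuh-logtest. Assumptions: archives.json carries the raw event in a `full_log` field, one JSON object per line; the ESXi messages in `SAMPLE_ARCHIVES` are constructed for illustration, and the last line is deliberately truncated to show how a half-written line is skipped.

```python
"""Group raw ESXi syslog events from archives.json by message template.

Each archives.json line is one JSON object whose "full_log" holds the raw event.
Variable parts are masked so that events differing only in those values land in
the same bucket; bucket sizes show which event types deserve decoders first.
"""
import json
import re

# Constructed sample in the shape of archives.json (one JSON object per line).
# The ESXi messages are made up; the final line is intentionally truncated, as
# happens when the file is copied while the manager is still writing it.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2024-04-03T06:20:16.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:20:15Z esxi01 Hostd: info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 120 : User root@10.0.0.5 logged in as VMware-client/8.0.0"}
{"timestamp":"2024-04-03T06:21:03.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:21:02Z esxi01 Hostd: info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 121 : User root@10.0.0.7 logged in as VMware-client/8.0.0"}
{"timestamp":"2024-04-03T06:22:41.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:22:40Z esxi01 vmkernel: cpu3:2098456)WARNING: NMP: nmp_DeviceRequestFastDeviceProbe:237: NMP device \"naa.600508b1001c\" state in doubt; requested fast path state update..."}
{"timestamp":"2024-04-03T06:22:41.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:22:41Z esxi01 vmkernel: cpu5:2098460)WARNING: NMP: nmp_DeviceRequestFastDeviceProbe:237: NMP device \"naa.600508b1001c\" state in doubt; requested fast path state update..."}
{"timestamp":"2024-04-03T06:22:42.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:22:42Z esxi01 vmkernel: cpu1:2098451)WARNING: NMP: nmp_DeviceRequestFastDeviceProbe:237: NMP device \"naa.600508b1001c\" state in doubt; requested fast path state update..."}
{"timestamp":"2024-04-03T06:25:12.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:25:11Z esxi01 Hostd: info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 122 : User root@10.0.0.5 logged out (login time: Wednesday, 03 April, 2024 06:20:15, number of API invocations: 0, user agent: VMware-client/8.0.0)"}
{"timestamp":"2024-04-03T06:30:00.000+0000","location":"esxi-syslog","full_log":"2024-04-03T06:29:59Z esxi01 Hostd: inf
'''

# Order matters: composite tokens (timestamps, IPs, UUIDs, hex) are masked before
# the bare-digit mask, otherwise "10.0.0.5" would degrade to "<N>.<N>.<N>.<N>".
MASKS = [
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"), "<TS>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),
    (re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I), "<UUID>"),
    (re.compile(r"\b0x[0-9a-f]+\b", re.I), "<HEX>"),
    (re.compile(r"\d+"), "<N>"),
]


def template_of(line: str) -> str:
    """Replace variable fields with placeholders; the constant text left is the template."""
    for rx, placeholder in MASKS:
        line = rx.sub(placeholder, line)
    return line


def load_full_logs(archives_text: str):
    """Yield raw events from archives.json text, skipping blank and truncated lines."""
    for raw in archives_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partially written line: the manager was mid-write, drop it
        log = event.get("full_log")
        if log:
            yield log


def bucket_events(lines):
    """Return [(template, {"count": n, "example": first raw line}), ...], most frequent first."""
    groups = {}
    for line in lines:
        tpl = template_of(line)
        entry = groups.setdefault(tpl, {"count": 0, "example": line})
        entry["count"] += 1
    return sorted(groups.items(), key=lambda kv: -kv[1]["count"])


def analyze(archives_text: str = SAMPLE_ARCHIVES):
    """Bucket every decodable event in the given archives.json text."""
    return bucket_events(load_full_logs(archives_text))


if __name__ == "__main__":
    # Against a real file: analyze(open("/var/ossec/logs/archives/archives.json").read())
    for tpl, info in analyze():
        print(f"{info['count']:6d}  {tpl}")
        print(f"        e.g. {info['example']}")
```

On the sample this yields three buckets: the vmkernel NMP warning (3 events), the Hostd login (2) and the Hostd logout (1). Usernames are intentionally not masked, because whether `root` and `admin` logins belong to one decoder or two is exactly the judgement call the manual step exists for; add a mask only once you have decided a field is a value rather than part of the event type.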

Neha Gautam

Apr 4, 2024, 1:03:39 AM
to Wazuh | Mailing List
Hi Christian Borla,

Firstly, thanks for explaining this much. I got what you told me. Now my last question is:
- I am done with collecting and ingesting logs in the Wazuh server.
- I am done with creating decoders and rules.
- And I am done with getting alerts on the Wazuh dashboard.

Now, what to do with the alerts? Do I have to analyze each alert I am getting, or is there any specific tool for it?
I searched on this before and got to know some tools like ELK, TheHive, Cortex etc. But these tools are not analyzing alerts; instead they are presenting the same alerts in a different interface after applying some filters to those alerts.
So please help me out with this also.
Thank you

Christian Borla

Apr 4, 2024, 2:35:05 PM
to Wazuh | Mailing List
Hi Neha Gautam

When it comes to handling alerts, it's crucial to have a systematic approach in place. Here's a suggested workflow:
  • Alert Triage: The first step is to triage the alerts. Not every alert will be malicious or require immediate attention. Some alerts might be false positives or benign events.
  • Prioritization: Prioritize the alerts based on their severity and potential impact on your organization. High-priority alerts, such as indications of a breach or a critical vulnerability, should be addressed promptly.
  • Analysis: For each alert, conduct a thorough analysis to determine whether it's malicious or not. This may involve examining the context, investigating related events, and utilizing threat intelligence sources.
  • Manual Investigation: Depending on the complexity of the alert, manual investigation may be necessary. This could involve analyzing logs, network traffic, system configurations, and other relevant data sources.
  • Response: Once an alert is confirmed as malicious or suspicious, take appropriate action to contain or mitigate the threat. This could involve isolating affected systems, blocking malicious IP addresses, or deploying patches to vulnerable systems (see Wazuh active response).
Regarding specific tools for analyzing alerts, while tools like ELK, theHive, and Cortex are excellent for visualization and collaboration, they primarily serve as platforms for managing and organizing alerts rather than analyzing them directly. However, you can integrate these tools with other security solutions or scripts to perform automated analysis and response actions.

Ultimately, the effectiveness of your alert analysis and response process will depend on a combination of tools, human expertise, and well-defined procedures. Regular review and refinement of your processes will also be essential to stay ahead of emerging threats and adapt to changes in your environment.

I hope it helps.
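The triage and prioritization steps of the workflow above, as an added example (my code, not Wazuh's and not from either participant): it reads alerts in the shape the manager writes to alerts.json, drops informational noise below a minimum rule level, suppresses allow-listed sources (a documented vulnerability scanner, for instance), and collapses repeats of the same rule on the same agent from the same source into one incident, ranked by severity and then volume. Assumptions: alerts carry `rule.level`, `rule.id`, `rule.description`, `agent.name`, `timestamp` and optionally `data.srcip`; rule 100002 is an assumed custom rule id; the hosts, IPs and timestamps in `SAMPLE_ALERTS` are constructed.

```python
"""Triage Wazuh alerts from alerts.json into a ranked incident queue.

One JSON object per line, as the manager writes alerts.json. Noise below a
minimum level and alerts from allow-listed sources are dropped; what remains is
aggregated per (rule id, agent, source IP) and sorted by level, then count.
"""
import json

# Constructed sample in the shape of alerts.json. 5710/5712/5501 are stock Wazuh
# sshd/PAM rule ids; 100002 is an assumed custom (local) rule; hosts/IPs are made up.
SAMPLE_ALERTS = r'''
{"timestamp":"2024-04-04T10:00:01.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.9","srcuser":"oracle"}}
{"timestamp":"2024-04-04T10:00:04.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.9","srcuser":"test"}}
{"timestamp":"2024-04-04T10:00:07.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.9","srcuser":"admin"}}
{"timestamp":"2024-04-04T10:00:08.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system.","groups":["syslog","sshd","authentication_failures"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"203.0.113.9"}}
{"timestamp":"2024-04-04T10:02:30.000+0000","rule":{"level":12,"id":"100002","description":"ESXi: root login from outside the management network","groups":["esxi","authentication_success"]},"agent":{"id":"000","name":"wazuh-manager"},"data":{"srcip":"198.51.100.20","dstuser":"root"}}
{"timestamp":"2024-04-04T10:05:00.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user","groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"},"data":{"srcip":"10.0.0.50","srcuser":"guest"}}
{"timestamp":"2024-04-04T10:06:00.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened.","groups":["pam","syslog","authentication_success"]},"agent":{"id":"001","name":"web01"},"data":{"dstuser":"deploy"}}
'''


def load_alerts(text: str):
    """Yield alert dicts from alerts.json text, one per non-empty line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            yield json.loads(raw)


def triage(alerts, min_level: int = 5, allowlist=frozenset()):
    """Return incidents ranked by (level desc, count desc, first seen asc).

    Each incident aggregates every alert with the same rule id, agent and source IP,
    so a burst of failed logins shows up once with its count, not as N rows.
    """
    incidents = {}
    for a in alerts:
        level = a["rule"]["level"]
        srcip = a.get("data", {}).get("srcip")
        if level < min_level:
            continue  # informational noise: stays in the archive, not in the queue
        if srcip in allowlist:
            continue  # known scanner/admin host: documented exception, rule stays enabled
        key = (a["rule"]["id"], a["agent"]["name"], srcip)
        inc = incidents.get(key)
        if inc is None:
            inc = incidents[key] = {
                "rule_id": a["rule"]["id"],
                "level": level,
                "description": a["rule"]["description"],
                "agent": a["agent"]["name"],
                "srcip": srcip,
                "count": 0,
                "first_seen": a["timestamp"],
                "last_seen": a["timestamp"],
            }
        inc["count"] += 1
        inc["last_seen"] = a["timestamp"]
    return sorted(incidents.values(), key=lambda i: (-i["level"], -i["count"], i["first_seen"]))


def triage_sample(allowlist=frozenset({"10.0.0.50"})):
    """Run the triage over the constructed sample; 10.0.0.50 plays the allow-listed scanner."""
    return triage(load_alerts(SAMPLE_ALERTS), min_level=5, allowlist=allowlist)


if __name__ == "__main__":
    # Against a real file: triage(load_alerts(open("/var/ossec/logs/alerts/alerts.json").read()), ...)
    for inc in triage_sample():
        print(f"L{inc['level']:>2} x{inc['count']:<3} {inc['rule_id']:>6} {inc['agent']:<14} "
              f"{inc['srcip'] or '-':<15} {inc['description']}")
```

On the sample the queue comes out as the ESXi root login (level 12), the sshd brute-force correlation (level 10) and one row for the three non-existent-user attempts from 203.0.113.9 (level 5, count 3); the scanner's attempt and the PAM session-open event never reach the analyst. The allow-list is deliberately a filter on the output, not a change to the ruleset, so the suppressed events remain in alerts.json for the investigation step.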

Neha Gautam

Apr 5, 2024, 12:54:53 AM
to Wazuh | Mailing List
Hello Christian Borla,
Thank you, thank you so much for such a nice workflow. Now I am crystal clear about the things which I want to perform; now I will do a little research of my own to complete my project.
Regards.

Christian Borla

Apr 5, 2024, 9:27:08 AM
to Wazuh | Mailing List
You are welcome!
Regards