A couple (newbie) Wazuh custom decoder questions


Jamie Navarro

Mar 16, 2023, 1:17:30 PM
to Wazuh mailing list

I have a NetGate pfSense firewall/router, but I don't think I can install the Wazuh agent on it. So I turned on its built-in Syslog option.

Here are some lines from the log. (I think this is the format that it is sending):
Mar 16 09:12:40 dhcpd[7416]: Wrote 0 class decls to leases file.
Mar 16 09:12:40 dhcpd[7416]: Wrote 21 leases to leases file.
Mar 16 09:12:40 dhcpd[7416]: DHCPACK on 10.10.10.65 to 84:98:66:ca:f5:e3 (Galaxy-Tab-A) via mvneta0.4091
Mar 16 09:22:41 dhcpd[7416]: reuse_lease: lease age 8124 (secs) under 25% threshold, reply with unaltered, existing lease for 10.10.10.69
Mar 16 09:22:41 dhcpd[7416]: DHCPREQUEST for 10.10.10.69 from 02:ec:36:d6:3e:bb via mvneta0.4091
Mar 16 09:22:41 dhcpd[7416]: DHCPACK on 10.10.10.69 to 02:ec:36:d6:3e:bb via mvneta0.4091
Mar 16 09:31:13 dhcpd[7416]: DHCPREQUEST for 10.10.10.80 from 28:29:86:16:af:52 via mvneta0.4091
Mar 16 09:31:13 dhcpd[7416]: DHCPACK on 10.10.10.80 to 28:29:86:16:af:52 via mvneta0.4091

(I'm saying that 'I think this is the format' because I set up a simple Syslog server on a test Windows PC to receive the pfSense logs and that is how they're being recorded.)

Now, when I temporarily turned on the logall option in Wazuh, this is a sample line from archives.log:
2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091

As you can see it's not the same - Wazuh seems to be prepending data? I did not know it does this - I do not remember seeing anything about that in the documentation.
So my first question then is when writing decoders, do I need to base them off of what the 'raw' logs are coming in as, or do I base them off of the Wazuh-modified logs that I see in archives.log?


Next, I've been trying to write a decoder based on the assumption that I'm supposed to write the decoder based off of the 'raw' log. But I haven't gotten very far. Here's what I've got so far in my /var/ossec/etc/decoders/local_decoder.xml:

<decoder name="dork">
    <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\sdhcpd\p\d+\p:</prematch>
</decoder>



However, when I run wazuh-logtest:

Starting wazuh-logtest v4.3.10
Type one log per line

Mar 16 05:36:14 dhcpd[7416]: DHCPACK on 10.10.10.80 to 28:29:86:16:af:52 via mvneta0.4091

**Phase 1: Completed pre-decoding.
        full event: 'Mar 16 05:36:14 dhcpd[7416]: DHCPACK on 10.10.10.80 to 28:29:86:16:af:52 via mvneta0.4091'
        timestamp: 'Mar 16 05:36:14'
        hostname: 'dhcpd[7416]:'

**Phase 2: Completed decoding.
        No decoder matched.


Is Wazuh pre-decoding from some other file other than mine maybe? I don't know where the 'timestamp' and 'hostname' are coming from, because as you can see I don't have those in my local_decoder.xml file. Next, it's my understanding that at this point Phase 2 should have given me something, right? However, it's saying 'No decoder matched'.

Please excuse my ignorance on Wazuh, pre-decoding, decoding, and regular expressions - I'm super new to all of this. But I was wondering if maybe someone could clarify my first question and then maybe point out what I'm doing wrong in my local_decoder.xml file?

What I ultimately want to do is extract the IP address and MAC address and build an alert from all of the log lines that contain 'DHCPACK', and pass the IP and MAC address to that alert.

Thank you,
Jamie


Roman Luna

Mar 16, 2023, 5:30:00 PM
to Wazuh mailing list
Hi,

You should use the sample logs that are taken from the archives.json, with this, you can then create a custom decoder. You have two logtest which provide similar information.

Using the following log:

2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091

I get this result, which already matches a decoder and rule:
Starting wazuh-logtest v4.3.10
Type one log per line

2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091

**Phase 1: Completed pre-decoding.
        full event: '2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091'
        timestamp: '2023 Mar 13 22:19:43'

**Phase 2: Completed decoding.
        name: 'FreePBX'

**Phase 3: Completed filtering (rules).
        id: '70000'
        level: '0'
        description: ' FreePBX parent '
        groups: '['freepbx']'
        firedtimes: '1'
        mail: 'False'

Let me know which logs are not being parsed ok.

Regards.

Jamie Navarro

Mar 16, 2023, 6:45:30 PM
to Wazuh mailing list
Hi Roman,

Thank you for the reply. OK, so if you're saying I should be using the one from the archives.log file:
2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091

Then I do get the same result as you do:

**Phase 1: Completed pre-decoding.
        full event: '2023 Mar 13 22:19:43 ubuntusrvwazuhtest1->10.10.10.253 Mar 13 15:19:43 dhcpd[7416]: DHCPACK on 10.10.10.77 to 56:8d:3d:8f:0c:90 via mvneta0.4091'
        timestamp: '2023 Mar 13 22:19:43'

**Phase 2: Completed decoding.
        name: 'FreePBX'

**Phase 3: Completed filtering (rules).
        id: '70000'
        level: '0'
        description: ' FreePBX parent '
        groups: '['freepbx']'
        firedtimes: '1'
        mail: 'False'

This presents another problem for me - this isn't a FreePBX log - it's a pfSense log (completely different). I'm trying to write my own decoder because I want to extract the IP address and the MAC address from it.

Even with the little section that I have entered in my local_decoder.xml file:

<decoder name="dork">
    <prematch>^\w\w\w\s\d\d\s\d\d:\d\d:\d\d\sdhcpd\p\d+\p:</prematch>
</decoder>

The logtest still shows it as FreePBX. :( There must be a way to make it see my decoder instead of the existing FreePBX decoder, right?

Thanks,
Jamie
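As an added example (not code from this thread or from the Wazuh ruleset), here is a decoder and rule pair that does what the last post asks for: it extracts the lease IP and client MAC from the dhcpd DHCPACK lines and raises an alert carrying both. It assumes the manager is parsing the bare syslog line (the text after `->10.10.10.253 ` in archives.log, which is the `full_log` the manager actually decodes), so the prematch is left unanchored and does not depend on how pre-decoding splits the `dhcpd[7416]:` header; the decoder names, the rule id 100100 and the field names srcip and mac are my own choices.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Parent decoder. The prematch has no leading ^ so it is searched anywhere
     in the message: it matches whether or not pre-decoding consumed
     "dhcpd[7416]:" as the hostname (as in the first post's logtest run). -->
<decoder name="pfsense-dhcpd">
  <prematch>DHCPACK on </prematch>
</decoder>

<!-- Child decoder: capture the acknowledged lease IP and the client MAC.
     \S+ is the Wazuh regex class for a run of non-space characters.
     srcip is a standard Wazuh field; mac is a dynamic field (my naming). -->
<decoder name="pfsense-dhcpd-ack">
  <parent>pfsense-dhcpd</parent>
  <regex>DHCPACK on (\S+) to (\S+) </regex>
  <order>srcip, mac</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<!-- Fires only when the child decoder populated the mac field, and copies
     both extracted values into the alert description. -->
<group name="pfsense,dhcp,">
  <rule id="100100" level="3">
    <decoded_as>pfsense-dhcpd</decoded_as>
    <field name="mac">\S+</field>
    <description>pfSense dhcpd: lease $(srcip) acknowledged for client $(mac)</description>
  </rule>
</group>
```

After restarting the manager, feed `wazuh-logtest` the line starting at `Mar 13 15:19:43 dhcpd[7416]:` (not the archives.log line with the `2023 Mar 13 ... ->10.10.10.253` prefix, which is what pulled in the FreePBX decoder); Phase 2 should then list the srcip and mac fields and Phase 3 rule 100100.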