Parsing logs apache


Cyprien Chapelle

Feb 15, 2022, 5:16:51 AM
to Wazuh mailing list
Hello,
I have a problem with Apache log parsing.
Indeed, I collect with Wazuh the logs of two websites hosted at OVH.

For one of the websites there is no problem, the parsing works perfectly.

On the other hand, for the other, it depends on the logs...

Here is an example of logs that are correctly parsed:

x.x.x.x www.site-web.com - [14/Feb/2022:12:14:30 +0100] "GET / HTTP/1.1" 200 32310 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0"  
x.x.x.x www.site-web.com - [14/Feb/2022:12:18:57 +0100] "GET / HTTP/1.1" 301 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"  
x.x.x.x www.site-web.com - [14/Feb/2022:12:18:58 +0100] "GET / HTTP/1.1" 200 32309 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"


And an example of logs that are not properly parsed:

x.x.x.x www.site-web.com - [14/Feb/2022:12:18:58 +0100] "POST /wp-cron.php?doing_wp_cron=1644837538.6799080371856689453125 HTTP/1.1" 200 25 "http:// www.site-web.com  /wp-cron.php?doing_wp_cron=1644837538.6799080371856689453125" "WordPress/5.9; https:// www.site-web.com  " 
x.x.x.x www.site-web.com - [14/Feb/2022:12:31:04 +0100] "POST /wp-cron.php?doing_wp_cron=1644838264.4029200077056884765625 HTTP/1.1" 200 25 "https:// www.site-web.com  /wp-cron.php?doing_wp_cron=1644838264.4029200077056884765625" "WordPress/5.9; https:// www.site-web.com  "

As soon as the mention "WordPress" appears, I have the impression that it does not work: it displays to me, in `alerts.log`, an alert whose output consists of ALL the logs containing "WordPress".

My config:

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/sites-web/*.log</location>
  </localfile>


NB: x.x.x.x is a public IP address

Ariel Ivan Ojeda

Feb 15, 2022, 3:11:36 PM
to Wazuh mailing list
Hi Cyprien, I will be more than happy to help you with this. Below you can see how Wazuh parses (decodes) each log type you provided as an example:

**Phase 1: Completed pre-decoding.
	full event: 'x.x.x.x www.site-web.com - [14/Feb/2022:12:14:30 +0100] "GET / HTTP/1.1" 200 32310 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0" '

**Phase 2: Completed decoding.
	name: 'web-accesslog'
	parent: 'web-accesslog'
	id: '200'
	protocol: 'GET'
	srcip: 'www.site-web.com'
	url: '/'

**Phase 3: Completed filtering (rules).
	id: '31108'
	level: '0'
	description: 'Ignored URLs (simple queries).'
	groups: '['web', 'accesslog']'
	firedtimes: '1'
	mail: 'False'

**Phase 1: Completed pre-decoding.
	full event: 'x.x.x.x www.site-web.com - [14/Feb/2022:12:18:58 +0100] "POST /wp-cron.php?doing_wp_cron=1644837538.6799080371856689453125 HTTP/1.1" 200 25 "http:// www.site-web.com /wp-cron.php?doing_wp_cron=1644837538.6799080371856689453125" "WordPress/5.9; https:// www.site-web.com " '

**Phase 2: Completed decoding.
	name: 'web-accesslog'
	parent: 'web-accesslog'
	id: '200'
	protocol: 'POST'
	srcip: 'www.site-web.com'
	url: '/wp-cron.php?doing_wp_cron=1644837538.6799080371856689453125'

**Phase 3: Completed filtering (rules).
	id: '31530'
	level: '3'
	description: 'POST request received.'
	groups: '['web', 'appsec', 'attack']'
	firedtimes: '1'
	mail: 'False'

**Alert to be generated.

As you can see in the evidence above, both are being parsed (decoded) by the web-accesslog decoder, but the first one is captured later by rule ID 31108, which has a level value of 0, so it will not trigger an alert. On the other hand, the second log is matched by rule ID 31530, which has a level value of 3, which is why it is generating an alert. Both are working as intended. Just to be clear, none of the alerts are related to "WordPress" appearing in the log; it is only related to the level of the rule that is matching the event log.
You can find the parent decoder and child decoders being used here:
If you need Wazuh to parse (decode) more information from the second type of logs, you could write a custom decoder that matches their format. You can find information on how to do this here:

I hope this helps you, if not please let me know. Have a great day!

Ariel

Cyprien Chapelle

Feb 16, 2022, 3:45:32 AM
to Wazuh mailing list

Hi !

Thank you very much for your explanation. However, I think you misunderstood my problem. It's my fault, I wasn't clear enough.
Here's the alert I'm having trouble with:
alerts.log

** Alert 1644999760.65791: - web,appsec,attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Feb 16 08:22:40 wazuh-manager->/var/log/sites-web.log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Src IP: www.site-web.com
x.x.x.x www.site-web.com - [15/Feb/2022:19:46:44 +0100] "POST /wp-cron.php?doing_wp_cron=1604.73450 HTTP/1.1" 200 25 "https://www.site-web.com  /wp-cron.php?doing_wp_cron=1604.73450" "WordPress/5.9; https://www.site-web.com  " srcip2: x.x.x.x
  x.x.x.x    www.site-web.com   - [15/Feb/2022:18:53:24 +0100] "POST /wp-cron.php?doing_wp_cron=1644960.9517090125 HTTP/1.1" 200 25 "https://www.site-web.com  /wp-cron.php?doing_wp_cron=164494704.5158203125" "WordPress/5.9; https://www.site-web.com"
  x.x.x.x    www.site-web.com   - [15/Feb/2022:18:50:31 +0100] "POST /wp-cron.php?doing_wp_cron=1644431.1962618750 HTTP/1.1" 200 25 "http://www.site-web.com  /wp-cron.php?doing_wp_cron=1644947431.1962421750" "WordPress/5.9; https://www.site-web.com  "
  x.x.x.x    www.site-web.com   - [15/Feb/2022:17:53:05 +0100] "POST /wp-cron.php?doing_wp_cron=1644985.8333179125 HTTP/1.1" 200 25 "https://www.site-web.com  /wp-cron.php?doing_wp_cron=164494385.8311328125" "WordPress/5.9; https://www.site-web.com  "
  x.x.x.x    www.site-web.com   - [15/Feb/2022:18:25:07 +0100] "POST /wp-cron.php?doing_wp_cron=1644990.8320350500 HTTP/1.1" 200 25 "https://www.site-web.com  /wp-cron.php?doing_wp_cron=164494907.8325625000" "WordPress/5.9; https://www.site-web.com  "
  x.x.x.x    www.site-web.com   - [15/Feb/2022:18:33:57 +0100] "POST /wp-cron.php?doing_wp_cron=1644947.8326634050 HTTP/1.1" 200 25 "http://www.site-web.com  /wp-cron.php?doing_wp_cron=1644946437.8361914050" "WordPress/5.9; https://www.site-web.com  "
  x.x.x.x    www.site-web.com   - [15/Feb/2022:17:00:12 +0100] "POST /wp-cron.php?doing_wp_cron=164494.50539085475 HTTP/1.1" 200 25 "http://www.site-web.com  /wp-cron.php?doing_wp_cron=1644940812.5053942685" "WordPress/5.9; https://www.site-web.com  "
  x.x.x.x    www.site-web.com   - [15/Feb/2022:16:59:06 +0100] "POST /wp-cron.php?doing_wp_cron=164496.43686004500 HTTP/1.1" 200 25 "https://www.site-web.com  /wp-cron.php?doing_wp_cron=164494746.4368600500" "WordPress/5.9; https://www.site-web.com  "

I wanted to know if it was normal for the following logs to go into the same alert, because it creates a very large "fulllog" domain in Kibana, which is not practical to exploit. You see what I mean?



NB: Besides, do you know what this type of attack corresponds to? Why WordPress? My site was not developed by WordPress.


Best regards.

Ariel Ivan Ojeda

Feb 17, 2022, 10:24:59 AM
to Wazuh mailing list
Hi Cyprien,

It is normal for this type of rule to include all those logs in the alert: since it is a composite rule, the alert is triggered when rule 31530 is matched 8 times within a 20-second timeframe. You can see both default rules included with the Wazuh installation below:

  <rule id="31530" level="3">
    <if_sid>31100</if_sid>
    <match>] "POST </match>
    <options>no_log</options>
    <description>POST request received.</description>
  </rule>
  <rule id="31533" level="10" timeframe="20" frequency="8">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip />
    <description>High amount of POST requests in a small period of time (likely bot).</description>
    <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
So, when generating the alert, all 8 logs are included.
You can overwrite rule 31533 with a local copy that has the no_full_log option; this causes the rule not to include the full logs related to the alert.
You can find information on how to do this here:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

You can see an example below of what you would need to add to overwrite the rule:

  <rule id="31533" level="10" timeframe="20" frequency="8" overwrite="yes">
    <if_matched_sid>31530</if_matched_sid>
    <same_source_ip />
    <description>High amount of POST requests in a small period of time (likely bot).</description>
    <options>no_full_log</options>
    <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

About your question on the WordPress message, this is included by your Apache server, not by Wazuh, so I cannot tell you why.


Have a great day!

Ariel
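The following is an added worked example, not code from this thread and not Wazuh's decoder or ruleset. It models the two things discussed above: the decoding step from Ariel's first reply (pulling method, status and URL out of the OVH-style Apache line with a regex of this example's own) and the composite rule from the second reply (rule 31533 firing once rule 31530 has matched 8 times from the same source within 20 seconds, with and without `no_full_log`). Two points the thread's evidence raises are made explicit: the window is measured on the manager's clock at ingestion, not on the timestamp inside the line, which is consistent with the alert above bundling lines whose log times are hours apart; and the grouping key here is the client address in the first field, an assumption, whereas the logtest output above shows Wazuh's `srcip` holding the vhost name. The sample lines, the client address 203.0.113.10, and the field names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-style Apache line with the vhost in the second field, as in the
# thread's logs. This regex is the example's own, not Wazuh's web-accesslog decoder.
LOG_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<vhost>\S+)\s+(?P<user>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<proto>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)


def decode(line):
    """Decoding stand-in: return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["log_time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    ev["full_log"] = line.strip()
    return ev


def rule_31530(ev):
    """Level-3 rule stand-in: the ruleset's <match>] "POST </match> applied to the raw line."""
    return '] "POST ' in ev["full_log"]


class Rule31533:
    """Composite-rule stand-in: `frequency` matches of 31530 from one source within `timeframe` seconds."""

    def __init__(self, frequency=8, timeframe=20, no_full_log=False):
        self.frequency, self.timeframe, self.no_full_log = frequency, timeframe, no_full_log
        self.windows = defaultdict(deque)  # grouping key -> (ingested_at, event) still inside the window

    def feed(self, ev, ingested_at):
        # Keyed on the client address (an assumption; Wazuh's srcip held the vhost in the thread)
        # and measured on ingested_at, the manager's clock, not the timestamp inside the line.
        win = self.windows[ev["client"]]
        win.append((ingested_at, ev))
        while win and win[0][0] < ingested_at - self.timeframe:
            win.popleft()
        if len(win) < self.frequency:
            return None
        alert = {
            "rule": 31533, "level": 10, "srcip": ev["client"], "matched": len(win),
            "description": "High amount of POST requests in a small period of time (likely bot).",
        }
        if not self.no_full_log:  # this is the part <options>no_full_log</options> drops
            alert["full_log"] = "\n".join(e["full_log"] for _, e in win)
        win.clear()
        return alert


def run(lines, no_full_log=False, start=1644999760.0, step=0.5):
    """Feed lines in file order, `step` seconds apart on the manager clock; return the alerts fired."""
    rule = Rule31533(no_full_log=no_full_log)
    alerts = []
    for i, line in enumerate(lines):
        ev = decode(line)
        if ev is None or not rule_31530(ev):
            continue
        alert = rule.feed(ev, start + i * step)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample modelled on the thread: one GET, then nine wp-cron POSTs whose
# log timestamps are an hour apart but which a bulk read ingests within a few seconds.
SAMPLE = [
    '203.0.113.10 www.site-web.com - [15/Feb/2022:12:14:30 +0100] "GET / HTTP/1.1" 200 32310 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.10 www.site-web.com - [15/Feb/2022:{h:02d}:00:00 +0100] '
    f'"POST /wp-cron.php?doing_wp_cron=1644{h}.0 HTTP/1.1" 200 25 '
    f'"https://www.site-web.com /wp-cron.php" "WordPress/5.9; https://www.site-web.com"'
    for h in range(10, 19)
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a["rule"], a["matched"], "lines bundled; full_log present:", "full_log" in a)
    for a in run(SAMPLE, no_full_log=True):
        print(a["rule"], a["matched"], "lines bundled; full_log present:", "full_log" in a)
```

Running it shows one 31533 alert carrying all eight POST lines despite their log times spanning seven hours, and the same alert without the `full_log` field once `no_full_log` is set; the ninth POST starts a fresh count because the window is cleared when the rule fires.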