Paloalto global protect log filter - error with field value


Andrew

Feb 27, 2023, 5:42:56 PM
to Wazuh mailing list
Trying to create a rule for Palo Alto GlobalProtect logs using the status=failure and stage=login fields extracted by the decoder. But whenever I use the status field in a rule, it gives an error when restarting the service. Can someone help me identify the issue?

$ sudo service wazuh-manager restart
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.

/var/ossec/logs/ossec.conf
2023/02/27 14:05:09 wazuh-analysisd: ERROR: Failure to read rule 64553. Field 'status' is static.
2023/02/27 14:05:09 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/0700-paloalto_rules.xml'.

ruleset/rules/0700-paloalto_rules.xml
  <rule id="64500" level="0">
    <decoded_as>paloalto</decoded_as>
    <description>Palo Alto $(type) event.</description>
  </rule>
...
  <rule id="64550" level="0">
    <if_sid>64500</if_sid>
    <field name="type">^GLOBALPROTECT$</field>
    <field name="stage" type="pcre2">(?i)^.+$</field>
    <description>Palo Alto $(type) stage: $(stage) event.</description>
  </rule>
...
  <rule id="64553" level="3">
    <if_sid>64550</if_sid>
    <field name="stage">login</field>
    <field name="status">failure</field>      <--adding this line will give error
    <description>$(generated_time) - $(source_user) $(error_code) </description>
  </rule>

/var/ossec/bin/wazuh-logtest
...
**Phase 2: Completed decoding.
        name: 'paloalto'
        parent: 'paloalto'
        action_flags: '0x8000000000000000'
        client_os: 'Mac'
        client_os_version: '"Apple Mac OS X 12.6.1"'
        client_version: '5.2.12'
        content_type: '0'
        device_group_hierarchy_level_1: '0'
        device_group_hierarchy_level_2: '0'
        device_group_hierarchy_level_3: '0'
        device_group_hierarchy_level_4: '0'
        device_name: 'my firewall'
        error: 'Existing user session found'
        error_code: '33'
        event_id: 'gateway-register'
        generated_time: '2023/02/27 09:39:45'
        high_res_timestamp: '2023-02-27T09:39:46.456-08:00'
        host_id: 'a0:78:57:5f:a8:d3'
        login_duration: '0'
        machine_name: 'testmachine'
        portal: 'GP-Gateway'
        private_ip: '0.0.0.0'
        private_ipv6: '0.0.0.0'
        public_ip: 'redacted'
        public_ipv6: '0.0.0.0'
        receive_time: '2023/02/27 09:39:45'
        repeat_count: '1'
        sequence_number: '7167734460594249941'
        serial_number: 'redacted'
        source_region: 'CA'
        source_user: 'redacted'
        stage: 'login'
        status: 'failure'

        type: 'GLOBALPROTECT'
        virtual_system: 'vsys1'
        virtual_system_id: '0'

Francisco Tuduri

Feb 27, 2023, 7:36:05 PM
to Wazuh mailing list
Hello Andrew!

There are certain fields that are called static and cannot be used on the <field> label. Here is a list of those fields.

You can try using directly the status option of the ruleset syntax, like this:

<status>failure</status>

If this doesn't solve your problem please share the sample log that you are using (obfuscating any sensitive data) so that we can try it locally.

On a separate note, it looks like you are adding custom rules on the same files as the standard rules. Keep in mind that changes to any rule file inside the /var/ossec/ruleset/rules folder will be lost in the update process. To prevent that please follow these guidelines: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Regards!

Andrew

Feb 28, 2023, 12:38:49 PM
to Wazuh mailing list
  <rule id="64553" level="3">
    <if_sid>64550</if_sid>
    <field name="stage">login</field>
    <status>failure</status>
    <description>$(generated_time) - GlobalProtect Login failure for $(source_user) Reason: $(error) </description>
  </rule>

Looks like <status>failure</status> worked! No more errors restarting the service, and logtest properly "alerts" based on this rule.
So I guess, if a decoded field's name happens to be the same as one of the XML labels (status in this case), it is considered "static" and I have to use it as an XML label.

Thank you so much for this and for letting me know that /var/ossec/ruleset/rules will be lost during an upgrade. I'll follow the guideline to move all my custom rules.

Francisco Tuduri

Feb 28, 2023, 2:53:19 PM
to Wazuh mailing list
Great to hear it is working!

About the static fields, it is only a limited number of fields that are considered static: user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status, system_name. So yes, if you see one of these fields is being decoded and want to use it in a rule you must use the corresponding xml option.

Regards!
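As an added example (not part of the thread and not Wazuh's own tooling), here is a small Python script that applies the rule from the replies above: it scans a rules fragment for <field name="..."> entries whose name is one of the static fields Francisco lists and rewrites each into the matching XML option (for example <field name="status"> becomes <status>). The sample rules are the ones posted in this thread, wrapped in a <group> element so the fragment parses as XML; the static-field list is taken from the reply above; the function names and the output layout are this example's own assumptions.

```python
"""Lint and rewrite Wazuh rule fragments that use static fields via <field name=...>.

wazuh-analysisd refuses to load a rule that matches a static field with
<field name="X">; such fields must be matched with their own XML option
(<X>value</X>) instead. The functions below locate and rewrite those usages.
"""
import xml.etree.ElementTree as ET

# Static fields as listed in the thread. Each one has an XML rule option of
# the same name, which is what the rewrite uses as the replacement tag.
STATIC_FIELDS = {
    "user", "srcip", "dstip", "srcport", "dstport", "protocol", "action",
    "id", "url", "data", "extra_data", "status", "system_name",
}

# Constructed sample: the rules from the thread, wrapped in a <group> so the
# fragment has a single root element. Rule 64553 contains the failing line.
SAMPLE_RULES = """<group name="paloalto,">
  <rule id="64500" level="0">
    <decoded_as>paloalto</decoded_as>
    <description>Palo Alto $(type) event.</description>
  </rule>
  <rule id="64550" level="0">
    <if_sid>64500</if_sid>
    <field name="type">^GLOBALPROTECT$</field>
    <field name="stage" type="pcre2">(?i)^.+$</field>
    <description>Palo Alto $(type) stage: $(stage) event.</description>
  </rule>
  <rule id="64553" level="3">
    <if_sid>64550</if_sid>
    <field name="stage">login</field>
    <field name="status">failure</field>
    <description>$(generated_time) - $(source_user) $(error_code)</description>
  </rule>
</group>
"""


def find_static_field_usages(xml_text):
    """Return (rule_id, field_name) pairs for every <field name=...> that names a static field."""
    root = ET.fromstring(xml_text)
    hits = []
    for rule in root.iter("rule"):
        for field in rule.findall("field"):
            name = field.get("name", "")
            if name in STATIC_FIELDS:
                hits.append((rule.get("id"), name))
    return hits


def rewrite_static_fields(xml_text):
    """Replace each offending <field name="X">v</field> with <X>v</X>, keeping its position in the rule."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        # Snapshot the children so removing/inserting does not disturb iteration.
        for idx, child in enumerate(list(rule)):
            if child.tag != "field" or child.get("name") not in STATIC_FIELDS:
                continue
            replacement = ET.Element(child.get("name"))
            replacement.text = child.text
            # Any attribute other than name (e.g. type) is carried over unchanged.
            for attr, val in child.attrib.items():
                if attr != "name":
                    replacement.set(attr, val)
            rule.remove(child)
            rule.insert(idx, replacement)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for rule_id, name in find_static_field_usages(SAMPLE_RULES):
        print(f"rule {rule_id}: field '{name}' is static; use <{name}>...</{name}> instead")
    print(rewrite_static_fields(SAMPLE_RULES))
```

Run it against a copy of your rules file (as the guideline linked above suggests, custom rules belong in /var/ossec/etc/rules/local_rules.xml rather than the shipped ruleset directory) and paste the rewritten rule back; the lint pass is also a cheap check to run before restarting wazuh-manager, since the error only surfaces at service start.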