Paloalto global protect log filter - error with field value
395 views
Skip to first unread message
Andrew
Feb 27, 2023, 5:42:56 PM2/27/23
to Wazuh mailing list
Trying to create a rule for paloalto global protect logs using status=failure and stage=login field extracted from decoder. But whenever I use status field in a rule, it gives error when restarting the service. can someone help me identify the issue?
$ sudo service wazuh-manager restart
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.
/var/ossec/logs/ossec.conf
2023/02/27 14:05:09 wazuh-analysisd: ERROR: Failure to read rule 64553. Field 'status' is static.
2023/02/27 14:05:09 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/0700-paloalto_rules.xml'.
2023/02/27 14:05:09 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/0700-paloalto_rules.xml'.
ruleset/rules/0700-paloalto_rules.xml
<rule id="64500" level="0">
<decoded_as>paloalto</decoded_as>
<description>Palo Alto $(type) event.</description>
</rule>
<decoded_as>paloalto</decoded_as>
<description>Palo Alto $(type) event.</description>
</rule>
...
<rule id="64550" level="0">
<if_sid>64500</if_sid>
<field name="type">^GLOBALPROTECT$</field>
<field name="stage" type="pcre2">(?i)^.+$</field>
<description>Palo Alto $(type) stage: $(stage) event.</description>
</rule>
<if_sid>64500</if_sid>
<field name="type">^GLOBALPROTECT$</field>
<field name="stage" type="pcre2">(?i)^.+$</field>
<description>Palo Alto $(type) stage: $(stage) event.</description>
</rule>
...
<rule id="64553" level="3">
<if_sid>64550</if_sid>
<field name="stage">login</field>
<if_sid>64550</if_sid>
<field name="stage">login</field>
<field name="status">failure</field> <--adding this line will give error
<description>$(generated_time) - $(source_user) $(error_code) </description>
</rule>
/var/ossec/bin/wazuh-logtest<description>$(generated_time) - $(source_user) $(error_code) </description>
</rule>
...
**Phase 2: Completed decoding.
name: 'paloalto'
parent: 'paloalto'
action_flags: '0x8000000000000000'
client_os: 'Mac'
client_os_version: '"Apple Mac OS X 12.6.1"'
client_version: '5.2.12'
content_type: '0'
device_group_hierarchy_level_1: '0'
device_group_hierarchy_level_2: '0'
device_group_hierarchy_level_3: '0'
device_group_hierarchy_level_4: '0'
device_name: 'my firewall'
error: 'Existing user session found'
error_code: '33'
event_id: 'gateway-register'
generated_time: '2023/02/27 09:39:45'
high_res_timestamp: '2023-02-27T09:39:46.456-08:00'
host_id: 'a0:78:57:5f:a8:d3'
login_duration: '0'
machine_name: 'testmachine'
portal: 'GP-Gateway'
private_ip: '0.0.0.0'
private_ipv6: '0.0.0.0'
public_ip: 'redacted'
public_ipv6: '0.0.0.0'
receive_time: '2023/02/27 09:39:45'
repeat_count: '1'
sequence_number: '7167734460594249941'
serial_number: 'redacted'
source_region: 'CA'
source_user: 'redacted'
stage: 'login'
status: 'failure'
type: 'GLOBALPROTECT'
virtual_system: 'vsys1'
virtual_system_id: '0'
parent: 'paloalto'
action_flags: '0x8000000000000000'
client_os: 'Mac'
client_os_version: '"Apple Mac OS X 12.6.1"'
client_version: '5.2.12'
content_type: '0'
device_group_hierarchy_level_1: '0'
device_group_hierarchy_level_2: '0'
device_group_hierarchy_level_3: '0'
device_group_hierarchy_level_4: '0'
device_name: 'my firewall'
error: 'Existing user session found'
error_code: '33'
event_id: 'gateway-register'
generated_time: '2023/02/27 09:39:45'
high_res_timestamp: '2023-02-27T09:39:46.456-08:00'
host_id: 'a0:78:57:5f:a8:d3'
login_duration: '0'
machine_name: 'testmachine'
portal: 'GP-Gateway'
private_ip: '0.0.0.0'
private_ipv6: '0.0.0.0'
public_ip: 'redacted'
public_ipv6: '0.0.0.0'
receive_time: '2023/02/27 09:39:45'
repeat_count: '1'
sequence_number: '7167734460594249941'
serial_number: 'redacted'
source_region: 'CA'
source_user: 'redacted'
stage: 'login'
status: 'failure'
type: 'GLOBALPROTECT'
virtual_system: 'vsys1'
virtual_system_id: '0'
Francisco Tuduri
Feb 27, 2023, 7:36:05 PM2/27/23
to Wazuh mailing list
Hello Andrew!
There are certain fields that are called static and cannot be used on the <field> label. Here is a list of those fields.
You can try using directly the status option of the ruleset syntax, like this:
<status>failure</status>
If this doesn't solve your problem please share the sample log that you are using (obfuscating any sensitive data) so that we can try it locally.
On a separate note, it looks like you are adding custom rules on the same files as the standard rules. Keep in mind that changes to any rule file inside the /var/ossec/ruleset/rules folder will be lost in the update process. To prevent that please follow these guidelines: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
Regards!
There are certain fields that are called static and cannot be used on the <field> label. Here is a list of those fields.
You can try using directly the status option of the ruleset syntax, like this:
<status>failure</status>
If this doesn't solve your problem please share the sample log that you are using (obfuscating any sensitive data) so that we can try it locally.
On a separate note, it looks like you are adding custom rules on the same files as the standard rules. Keep in mind that changes to any rule file inside the /var/ossec/ruleset/rules folder will be lost in the update process. To prevent that please follow these guidelines: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
Regards!
Message has been deleted
Andrew
Feb 28, 2023, 12:38:49 PM2/28/23
to Wazuh mailing list
<rule id="64553" level="3">
<if_sid>64550</if_sid>
<field name="stage">login</field>
<if_sid>64550</if_sid>
<field name="stage">login</field>
<description>$(generated_time) - GlobalProtect Login failure for $(source_user) Reason: $(error) </description>
</rule>
Looks like <status>failure</status> worked! no more errors restarting the service, and logtest properly "alerts" based on this rule.
So I guess, if decoded field's name happens to be same as one of the xml labels (status in this case), it is considered "static" and I have to use that as xml label.
thank you so much for this and letting me know /var/ossec/ruleset/rules will be lost during upgrade. I'll follow the guideline to move all my custom rules.
Francisco Tuduri
Feb 28, 2023, 2:53:19 PM2/28/23
to Wazuh mailing list
Great to hear it is working!
About the static fields, it is only a limited number of fields that are considered static: user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status, system_name. So yes, if you see one of these fields is being decoded and want to use it in a rule you must use the corresponding xml option.
Regards!
Reply all
Reply to author
Forward
0 new messages