Alerts NextCloud not showing in Wazuh Dashboard


Valentin Nguyen
May 16, 2023, 9:04:26 AM
to Wazuh mailing list
Hi,
I'm using Wazuh version 4.4.1 with a Docker installation.
My NextCloud alerts are not displayed in the Wazuh Dashboard, but the alert is correctly generated in the Wazuh server's log file (alerts.log).
These are the NextCloud default rules and decoders (0630).


NextCloud Agent (ossec.conf):
<ossec_config>
  <localfile>
    <location>/var/www/html/nextcloud/data/audit.log</location>
    <log_format>json</log_format>
    <label key="@source">NextCloud</label>
  </localfile>
</ossec_config>


Wazuh server alerts (alerts.log):
Rule: 88211 (level 3) -> 'NextCloud authentication successful.'
{"reqId":"XXX","level":1,"time":"May 16, 2023 14:22:55","remoteAddr":"X.X.X.X","user":"XXX","app":"admin_audit","method":"POST","url":"/nextcloud/login","message":"Login successful: \"XXX\"","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"24.0.3.2","data":{"app":"admin_audit"},"@source":"NextCloud"}
reqId: XXX
level: 1
time: May 16, 2023 14:22:55
remoteAddr: X.X.X.X
user: XXX
app: admin_audit
method: POST
message: Login successful: "XXX"
userAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
version: 24.0.3.2
data.app: admin_audit
@source: NextCloud

Marcelo Hamra
May 16, 2023, 6:40:56 PM
to Wazuh mailing list
Hi Valentin,
I'll try to help you with your problem. Please share with me your decoder and rules configuration for Nextcloud.

Are Nextcloud's alerts the only ones not being shown in your dashboard?

Valentin Nguyen
May 17, 2023, 4:01:21 AM
to Wazuh mailing list
Hi Marcelo, thank you for your help.

I only have a problem with NextCloud alerts. Other alerts are showing up in my dashboard.


NextCloud generates two log files:
nextcloud.log --> errors or operation fails
audit.log --> Activity such as user logins and file activities

In my case, the alerts from the file "nextcloud.log" (when login failed) are generated in the alerts.log of the Wazuh server and are displayed on my dashboard.
The alerts from the file "audit.log" (when login successful) are generated in the alerts.log of the Wazuh server but are not displayed on my dashboard.

Nextcloud rules:

<group name="json,nextcloud,">

  <rule id="88200" level="0">
    <decoded_as>json</decoded_as>
    <field name="@source">NextCloud</field>
    <options>no_full_log</options>
    <description>NextCloud messages grouped.</description>
  </rule>

  <rule id="88201" level="0">
    <decoded_as>nextcloud</decoded_as>
    <options>no_full_log</options>
    <description>NextCloud messages grouped.</description>
  </rule>

  <rule id="88212" level="6">
    <if_sid>88200,88201</if_sid>
    <match>Login failed: </match>
    <options>no_full_log</options>
    <description>NextCloud authentication failed.</description>
    <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="88211" level="3">
    <if_sid>88200,88201</if_sid>
    <match>Login successful: </match>
    <options>no_full_log</options>
    <description>NextCloud authentication successful.</description>
    <group>authentication_success,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>


JSON decoders:

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>


NextCloud decoders:

<decoder name="nextcloud">
        <program_name>^NextCloud</program_name>
</decoder>
<decoder name="nextcloud-failed1">
        <parent>nextcloud</parent>
        <prematch>Login failed: user </prematch>
        <regex offset="after_prematch">^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)</regex>
        <order>user, srcip</order>
</decoder>
<decoder name="nextcloud-failed2">
        <parent>nextcloud</parent>
        <prematch>Login failed: </prematch>
        <regex offset="after_prematch">^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)</regex>
        <order>user, srcip</order>
</decoder>
<decoder name="nextcloud-malicious">
        <parent>nextcloud</parent>
        <prematch>Passed filename is not valid, might be malicious </prematch>
        <regex offset="after_prematch">;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)</regex>
        <order>srcip</order>
</decoder>

Marcelo Hamra
May 17, 2023, 11:35:43 AM
to Wazuh mailing list
Hi Valentin,
If you receive alerts in the "/var/ossec/logs/alerts/alerts.json" file, the problem could be in Filebeat, because it is down or not reading the mentioned file, or some issue in the Wazuh-indexer.

Please check that Filebeat is up and running and is connecting correctly to the Wazuh-indexer server:
# systemctl status filebeat -l
# filebeat test output

Also, could you check that Filebeat is reading the alerts.json file? You have to see the filebeat service listed there:
# lsof /var/ossec/logs/alerts/alerts.json

It looks strange that some alerts are being shown in the dashboard, but others are not...

Valentin Nguyen
May 22, 2023, 3:53:02 AM
to Wazuh mailing list

Hi Marcelo,
Yes, it's very strange...

Here is the output of the commands:

service filebeat status
 * filebeat is not running

filebeat test output
elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.16.0.2
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

lsof /var/ossec/logs/alerts/alerts.json
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
filebeat 793 root    8r   REG  252,1  2737129 2889688 /var/ossec/logs/alerts/alerts.json

And when I try to start Filebeat:
service filebeat start
2023-05-22T07:43:25.868Z        INFO    instance/beat.go:645    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2023-05-22T07:43:25.868Z        INFO    instance/beat.go:653    Beat ID: c2ed0715-9c6a-2577-ba32-29d2ccc11717
2023-05-22T07:43:25.869Z        INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c2ed0715-9c6a-2577-ba32-29d2ccc11717"}}}
2023-05-22T07:43:25.869Z        INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca57c475b16874a8", "libbeat": "7.10.2", "time": "2021-01-12T22:10:33.000Z", "version": "7.10.2"}}}
2023-05-22T07:43:25.869Z        INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.14.12"}}}
2023-05-22T07:43:25.870Z        INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-05-16T07:15:41Z","containerized":true,"name":"wazuh.manager","ip":["127.0.0.1/8","172.16.0.4/16"],"kernel_version":"4.18.0-372.19.1.el8_6.x86_64","mac":["02:42:ac:13:00:04"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.5 LTS (Focal Fossa)","major":20,"minor":4,"patch":5,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0}}}
2023-05-22T07:43:25.871Z        INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 60866, "ppid": 60865, "seccomp": {"mode":"filter","no_new_privs":false}, "start_time": "2023-05-22T07:43:25.760Z"}}}
2023-05-22T07:43:25.871Z        INFO    instance/beat.go:299    Setup Beat: filebeat; Version: 7.10.2
2023-05-22T07:43:25.872Z        INFO    eslegclient/connection.go:99    elasticsearch url: https://wazuh.indexer:9200
2023-05-22T07:43:25.873Z        INFO    [publisher]     pipeline/module.go:113  Beat name: wazuh.manager
2023-05-22T07:43:25.877Z        INFO    beater/filebeat.go:117  Enabled modules/filesets: wazuh (alerts),  ()
Config OK

Marcelo Hamra
May 22, 2023, 8:51:15 AM
to Wazuh mailing list
Hi Valentin,
Please use the wazuh-logtest utility with some lines of the audit.log file to verify that Nextcloud's decoders and rules are correctly processing the events. Could you post your results so we can see if all looks ok?

You can find the wazuh-logtest documentation in this link.

Please share with me what is your wazuh architecture. Do you have a single-node or multi-node deployment?
Message has been deleted

Marcelo Hamra
May 28, 2023, 10:45:36 AM
to Wazuh mailing list
Hi Valentin,
I'm posting your email to follow the conversation in this group.
------

Hi Marcelo,
I'm taking the liberty of contacting you because the messages get deleted all the time.

I have a single-node deployment and I followed the Wazuh documentation to install it.

Full log from audit.log:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.1
Type one log per line

{"reqId":"XXX","level":1,"time":"May 22, 2023 14:53:50","remoteAddr":"XXX","X":"X","app":"admin_audit","method":"POST","url":"/nextcloud/login","message":"Login successful: \"X\"","XAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"24.0.3.2","data":{"app":"admin_audit"}}

**Phase 1: Completed pre-decoding.
        full event: '{"reqId":"XXX","level":1,"time":"May 22, 2023 14:53:50","remoteAddr":"XXX","X":"X","app":"admin_audit","method":"POST","url":"/nextcloud/login","message":"Login successful: \"X\"","XAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"24.0.3.2","data":{"app":"admin_audit"}}'

**Phase 2: Completed decoding.
        name: 'json'
        app: 'admin_audit'
        data.app: 'admin_audit'
        level: '1'
        message: 'Login successful: "X"'
        method: 'POST'
        remoteAddr: 'XXX'
        reqId: 'XXX'
        time: 'May 22, 2023 14:53:50'
        url: '/nextcloud/login'
        X: 'X'
        XAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36'
        version: '24.0.3.2'
       

And full log from alerts.log:

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.1
Type one log per line

{"reqId":"X","level":1,"time":"May 16, 2023 16:37:56","remoteAddr":"XXX","X":"X","app":"admin_audit","method":"POST","url":"/nextcloud/login","message":"Login successful: \"X\"","XAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"24.0.3.2","data":{"app":"admin_audit"},"@source":"NextCloud"}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
        name: 'json'
        @source: 'NextCloud'
        app: 'admin_audit'
        data.app: 'admin_audit'
        level: '1'
        message: 'Login successful: "X"'
        method: 'POST'
        remoteAddr: 'XXX'
        reqId: 'X'
        time: 'May 16, 2023 16:37:56'
        url: '/nextcloud/login'
        X: 'X'
        XAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36'
        version: '24.0.3.2'

**Phase 3: Completed filtering (rules).
        id: '88211'
        level: '3'
        description: 'NextCloud authentication successful.'
        groups: '['json', 'nextcloud', 'authentication_success']'
        firedtimes: '1'
        gdpr: '['IV_32.2', 'IV_35.7.d']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AC.7', 'AU.14']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
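The two wazuh-logtest runs above differ in one field: the line taken from alerts.log carries `"@source":"NextCloud"` (the label the agent's `<localfile>` block adds before forwarding), while the raw audit.log line does not, so parent rule 88200 (`<field name="@source">NextCloud</field>`) never fires for it and no Phase 3 appears. As an added illustration that is not code from the thread or from Wazuh, this Python models that rule chain (88200 then 88211/88212, JSON branch only) on constructed sample events; the function names are assumptions.

```python
import json
import re

# Added illustration of the rule chain posted in this thread; it is NOT the
# Wazuh engine. Only the JSON branch (rule 88200) is modelled, not the
# syslog branch (rule 88201 via the "nextcloud" program_name decoder).

# Rule 88200: JSON-decoded event whose "@source" field matches "NextCloud"
# (Wazuh <field> is a regex match, so a substring test is used here).
PARENT_RULE = {"id": 88200, "field": "@source", "value": "NextCloud"}

# Child rules with <if_sid>88200</if_sid>; <match> is a substring test on
# the full log text, as in the rules file above.
CHILD_RULES = [
    {"id": 88212, "level": 6, "match": "Login failed: "},
    {"id": 88211, "level": 3, "match": "Login successful: "},
]


def decode_json(line: str):
    """Mimic the 'json' decoder: prematch ^{\\s*" then parse; None if no match."""
    if not re.match(r'^\{\s*"', line):
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def evaluate(line: str):
    """Return (rule_id, level) of the first child rule that fires, or None."""
    event = decode_json(line)
    if event is None:
        return None
    # Parent rule 88200 must match first (this is what the raw audit.log line lacks).
    if PARENT_RULE["value"] not in str(event.get(PARENT_RULE["field"], "")):
        return None
    for rule in CHILD_RULES:
        if rule["match"] in line:
            return rule["id"], rule["level"]
    return None


# Constructed sample events, modelled on the anonymised lines in the thread.
RAW_AUDIT = ('{"reqId":"X","level":1,"app":"admin_audit","method":"POST",'
             '"url":"/nextcloud/login","message":"Login successful: \\"X\\""}')
LABELLED = RAW_AUDIT[:-1] + ',"@source":"NextCloud"}'   # as seen in alerts.log
FAILED = LABELLED.replace("Login successful: ", "Login failed: ")

if __name__ == "__main__":
    for name, line in [("raw audit.log", RAW_AUDIT), ("labelled", LABELLED), ("failed", FAILED)]:
        print(name, "->", evaluate(line))
```

Feeding wazuh-logtest a raw audit.log line therefore tests the decoder but not rule 88200; to exercise the full chain, paste the line as it appears in alerts.json, label included.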

Marcelo Hamra
May 28, 2023, 11:04:36 AM
to Wazuh mailing list
Hi Valentin,
Let's go ahead and verify what happens with your events. Please try to find WARN or ERROR log messages using grep and post the output. You can also find Nextcloud login events using grep with field values.

You can find Filebeat log in /var/log/filebeat.