Wazuh custom decoder for redhat ldap audit logs


Irakli Shavgulidze

Mar 14, 2023, 10:23:24 AM
to Wazuh mailing list
Hello, I have such log entries from redhat idm server ldap audit log file, which is being parsed by wazuh agent: 

__________________________
time: 20230207103518
dn: uid=john.walker,cn=users,cn=accounts,dc=acme, dc=com
result: 0
changetype: modify
replace: employeeType
employeeType: Hr
-
replace: modifiersname
modifiersname: uid=smith.wesson,cn=users,cn=accounts,dc=acme, dc=com
-
replace: modifytimestamp
modifytimestamp: 20230207103518Z
-
replace: entryusn
entryusn: 25095017
__________________________

I need to create a custom decoder that will be able to decode these logs not line by line, but as one log entry with multiple lines, and then use the values time, modifytimestamp, dn, changetype, modifiersname, entryusn in alert rules.
Is it possible, and how can I do this?

Christian Borla

Mar 14, 2023, 11:08:04 AM
to Wazuh mailing list
Hi Irakli Shavgulidze
I hope you are doing fine.

To create a decoder for this kind of event, it will be necessary to collect them in a single line; there is an option in the localfile configuration to collect events from multiple lines.

This is a localfile configuration example:

<localfile>
    <log_format>multi-line-regex</log_format>
    <location>/oracle/oradata/TESTWSL/oraarch/adump/*</location>
    <multiline_regex match="start" replace="no-replace">^\w+ \w+ \d+ \d+:\d+:\d+ \d+ \W\d+:\d+</multiline_regex>
</localfile>


The idea is to start doing some tests with these options; when you find the event in the /var/ossec/logs/archives/archives.json file in a single line, a decoder can be created to extract each field.

If archives.json doesn't exist, set the following config in ossec.conf on the manager side and restart the manager:

<ossec_config>
  <global>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>


After restarting the manager, every received event will be included in the archives.json file.

To create a custom decoder you can follow this documentation.

For example:

<decoder name="redhat-ldap-audit-logs">
        <program_name>redhat-ldap-audit-logs</program_name>
</decoder>

<decoder name="redhat-ldap-audit-logs-child">
        <parent>redhat-ldap-audit-logs</parent>
        <regex>time: (\d+)</regex>
        <order>time</order>
</decoder>

<decoder name="redhat-ldap-audit-logs-child">
        <parent>redhat-ldap-audit-logs</parent>
        <regex>result: (\d+)</regex>
        <order>result</order>
</decoder>

<decoder name="redhat-ldap-audit-logs-child">
        <parent>redhat-ldap-audit-logs</parent>
        <regex>changetype: (\w+)</regex>
        <order>changetype</order>
</decoder>

And finally, to make it easier to find/process the event, I would include a header in the localfile for the collected data.

<localfile>
    <log_format>multi-line-regex</log_format>
    <location>/oracle/oradata/TESTWSL/oraarch/adump/*</location>
    <multiline_regex match="start" replace="no-replace">^\w+ \w+ \d+ \d+:\d+:\d+ \d+ \W\d+:\d+</multiline_regex>
    <out_format>$(timestamp) $(hostname)  redhat-ldap-audit-logs: $(log)</out_format>
</localfile>

This way the program name will match redhat-ldap-audit-logs and be processed by the first decoder.
Let me know if this information is useful.
Regards.

Irakli Shavgulidze

Mar 15, 2023, 3:51:59 AM
to Wazuh mailing list
Hi Christian, 
Do you mean the agent's local ossec config for localfile? (I can send this config via Groups, from the Manager.)
As I have checked, I need to define match="start" via regex; in my case it is time.
Do I need to define match="end", if all new events start with time?

Best regards,
Irakli

Christian Borla

Mar 15, 2023, 10:29:48 AM
to Wazuh mailing list
Hi Irakli Shavgulidze

It's possible to configure a localfile collection on the agent or on the manager too; I think in this case it will be on the agent side.
I made it work with the following configuration.

  <localfile>
    <location>C:\Users\test.txt</location>
    <log_format>multi-line-regex</log_format>
    <multiline_regex replace="wspace">^time:</multiline_regex>
  </localfile>

The output in archives.json:

{"timestamp":"2023-03-15T11:21:53.560-0300","agent":{"id":"001","name":"DESKTOP","ip":"2803:9800:9882:5E87:5E87:5E87:5E87:5E87"},"manager":{"name":"VBox"},"id":"1678890113.4445400","full_log":"time: 20230207103518 dn: uid=john.walker,cn=users,cn=accounts,dc=acme, dc=com result: 0 changetype: modify replace: employeeType employeeType: Hr - replace: modifiersname modifiersname: uid=smith.wesson,cn=users,cn=accounts,dc=acme, dc=com - replace: modifytimestamp modifytimestamp: 20230207103518Z - replace: entryusn entryusn: 25095017 ","decoder":{},"location":"C:\\Users\\test.txt"}

I couldn't make it work with the <out_format>$(timestamp) $(hostname) redhat-ldap-audit-logs: $(log)</out_format> option, so the first decoder should change and look for a specific word or sentence in the log.

Let me know if that works for you.
Regards.

Irakli Shavgulidze

Mar 16, 2023, 3:55:29 AM
to Wazuh mailing list
Hello Christian,
I did it via agent group configs on the manager and added the agents to this group, with the following configuration:

<agent_config>
  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>$PATH-TO-LOG/audit</location>
    <multiline_regex match="start" replace="no-replace">^time: \d{14}$</multiline_regex>
    <out_format>$(timestamp) $(hostname) ldap-audit-logs: $(log)</out_format>
  </localfile>
</agent_config>


It worked for me.
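One way to check the event boundary regex, the effect of the replace attribute and the field extraction offline, before pushing the agent group configuration and hunting through archives.json. This is an added example, not code from the thread, from Wazuh or from Red Hat IdM: it emulates what multi-line-regex with match="start" does to the audit file and then pulls the fields the thread wants (time, dn, result, changetype, modifiersname, modifytimestamp, entryusn) out of the joined event. Wazuh decoders use their own OSRegex syntax, so the Python patterns here are equivalents to sketch the `<regex>` values from, not values to paste in. The second audit entry, the hostname and the syslog-style timestamp used for the header are constructed; the out_format header format is an assumption about what the agent emits.

```python
import re

# Constructed sample audit file: the entry from the thread plus a second,
# shorter entry, so the splitter has to find two event boundaries.
SAMPLE_AUDIT = """\
time: 20230207103518
dn: uid=john.walker,cn=users,cn=accounts,dc=acme, dc=com
result: 0
changetype: modify
replace: employeeType
employeeType: Hr
-
replace: modifiersname
modifiersname: uid=smith.wesson,cn=users,cn=accounts,dc=acme, dc=com
-
replace: modifytimestamp
modifytimestamp: 20230207103518Z
-
replace: entryusn
entryusn: 25095017
time: 20230207110000
dn: uid=jane.doe,cn=users,cn=accounts,dc=acme, dc=com
result: 32
changetype: delete
"""

# Same boundary rule as <multiline_regex match="start">^time: \d{14}$</multiline_regex>
START_RE = re.compile(r"^time: \d{14}$")

# How the original line breaks are joined, mirroring the replace attribute.
JOINERS = {"no-replace": "\n", "wspace": " ", "tab": "\t", "none": ""}


def collect_multiline(text, start_re=START_RE, replace="no-replace"):
    """Group raw lines into events the way match="start" does: a line matching
    start_re opens a new event and every following line belongs to it until the
    next match. Simplification: lines before the first match form their own
    event instead of being held back."""
    joiner = JOINERS[replace]
    events, current = [], []
    for line in text.splitlines():
        if start_re.match(line) and current:
            events.append(joiner.join(current))
            current = []
        current.append(line)
    if current:
        events.append(joiner.join(current))
    return events


# One pattern per field, written to work whether the event keeps its newlines
# (no-replace) or had them turned into spaces (wspace). Values that contain a
# space (the DNs, "dc=acme, dc=com") are delimited by the next key, not by
# whitespace. "\b" stops "time:" from matching inside "modifytimestamp:".
FIELD_PATTERNS = {
    "time": re.compile(r"\btime: (\d{14})"),
    "dn": re.compile(r"\bdn: (.+?)\s+result:"),
    "result": re.compile(r"\bresult: (\d+)"),
    "changetype": re.compile(r"\bchangetype: (\w+)"),
    "modifiersname": re.compile(r"\bmodifiersname: (.+?)\s+-"),
    "modifytimestamp": re.compile(r"\bmodifytimestamp: (\d{14}Z)"),
    "entryusn": re.compile(r"\bentryusn: (\d+)"),
}


def decode_event(event):
    """Extract the fields a decoder chain would expose; missing fields are None,
    which is what you get for a delete entry that has no modifiersname block."""
    return {name: (m.group(1) if (m := pat.search(event)) else None)
            for name, pat in FIELD_PATTERNS.items()}


def add_header(event, timestamp="Mar 16 09:00:00", hostname="idm01"):
    """Mimic <out_format>$(timestamp) $(hostname) ldap-audit-logs: $(log)</out_format>.
    The fixed 'ldap-audit-logs' token is what a parent decoder can key on with
    <program_name>. Timestamp format and hostname are constructed assumptions."""
    return f"{timestamp} {hostname} ldap-audit-logs: {event}"


# Splits the constructed header back into its parts; program_name is the field
# the parent decoder in the thread matches on.
HEADER_RE = re.compile(
    r"^(?P<timestamp>.+?) (?P<hostname>\S+) (?P<program_name>[\w-]+): (?P<log>.*)$", re.S)


def parse_header(line):
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for ev in collect_multiline(SAMPLE_AUDIT, replace="wspace"):
        print(parse_header(add_header(ev))["program_name"], decode_event(ev))
```

Once the agent configuration is in place, the real check is on the manager: feed one joined line from archives.json to `/var/ossec/bin/wazuh-logtest` and confirm each child decoder fills the field named in its `<order>`.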