Extract log fields above from existing decoder.


Vinícius

Oct 1, 2023, 10:41:51 AM
to Wazuh | Mailing List
Hello guys, could you help me?

I need to remove some fields from a specific log on my ASA firewall; however, in Wazuh's default decoder, only 3 fields have already been removed (cisco.facility, cisco.mnemonic, cisco.severity).

This is my log, and I need to remove from it, for example, the source IP: OUTSIDE-BGP:IP/port

2023-09-24T07:38:55-03:00 FW-ASA : %ASA-6-302016: Teardown UDP connection 142067707 for OUTSIDE-BGP:999.999.999.999/51952 to identity:888.888.888.888/500 duration 0:02 :24 bytes 752

The default decoder on Wazuh is this: <decoder name="cisco-ios">

For example, I made a new decoder, with the cisco-ios as parent, with regex in an attempt to remove the desired field. But I still have no success.
(attachment: Screenshot_5.png)

Daniel Sappa

Oct 1, 2023, 7:09:07 PM
to Wazuh | Mailing List
Hi Vinicius!

First of all, here is the guide to creating Sibling Decoders, although I assume that you have already taken it into account.

On the other hand, it would be useful if you could share the decoder that you have created so that I can test it and help you with this.

Greetings

Vinícius

Oct 3, 2023, 1:44:33 PM
to Wazuh | Mailing List
Exactly, I carried out tests with Sibling decoders.

Indicating prematch or just regex, I can't extract the IP field.

example:
<decoder name="cisco-ios-teardown">
  <parent>cisco-ios</parent>
  <prematch>Teardown UDP connection \d+ for OUTSIDE-BGP</prematch>
  <regex>:(\.+)/</regex>
  <order>extra_data</order>
</decoder>

I already tested with <decoder name="cisco-ios">, no success.

Daniel Sappa

Oct 4, 2023, 3:43:34 PM
to Wazuh | Mailing List
Due to decoder priority, the original decoder "cisco-ios-default" in /var/ossec/ruleset/decoders/0065-cisco-ios_decoders.xml matches before any decoder defined in /var/ossec/etc/decoders/local_decoders.xml.

To do this you need to change an existing decoder; follow this example:

* first, disable 0065-cisco-ios_decoders.xml
* next, copy the original /var/ossec/ruleset/decoders/0065-cisco-ios_decoders.xml and modify it, adding a new decoder just before cisco-ios-default

In this way it is analyzed first:
(attachment: 2023-10-04_16-41.png)

Here is the decoder:

<decoder name="cisco-ios-teardown">
  <parent>cisco-ios</parent>
  <prematch>%ASA-6\S+:</prematch>
  <regex>%(\w+)-(\d)-(\w+): Teardown UDP connection \d+ for OUTSIDE-BGP:(\d+.\d+.\d+.\d+)/(\d+) to identity:(\d+.\d+.\d+.\d+)/(\d+) duration \d+:\d+ :\d+ bytes \d+</regex>
  <order>cisco.facility-2, cisco.severity, cisco.mnemonic, ip1, port1, ip2, port2</order>
</decoder>

I hope this helps you.
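As an added illustration of the priority issue Daniel describes (not code from the thread or from Wazuh), here is a small Python model of sibling-decoder selection. It uses Python's re rather than Wazuh's own regex dialect, so the patterns are translated, and the catch-all "cisco-ios-default" stand-in is constructed rather than copied from the ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ASA teardown line from the thread, with its dummy IPs.
LOG = ("2023-09-24T07:38:55-03:00 FW-ASA : %ASA-6-302016: Teardown UDP connection "
       "142067707 for OUTSIDE-BGP:999.999.999.999/51952 to identity:888.888.888.888/500 "
       "duration 0:02 :24 bytes 752")

@dataclass
class Decoder:
    """Simplified model of a Wazuh child decoder (Python re, not Wazuh's engine)."""
    name: str
    prematch: str
    regex: str = ""
    order: tuple = ()

    def decode(self, log):
        # A child is selected as soon as its prematch hits, even if the regex
        # then fails to extract anything; that is what makes ordering matter.
        if not re.search(self.prematch, log):
            return None
        m = re.search(self.regex, log) if self.regex else None
        return dict(zip(self.order, m.groups())) if m else {}

def first_match(children, log):
    """Sibling decoders are evaluated in load order; the first prematch hit wins."""
    for d in children:
        fields = d.decode(log)
        if fields is not None:
            return d.name, fields
    return None, {}

# Translation of the decoder Daniel posted (Wazuh's "\d+.\d+" literal dots become "\.").
TEARDOWN = Decoder(
    "cisco-ios-teardown", r"%ASA-6\S+:",
    r"%(\w+)-(\d)-(\w+): Teardown UDP connection \d+ for OUTSIDE-BGP:"
    r"(\d+\.\d+\.\d+\.\d+)/(\d+) to identity:(\d+\.\d+\.\d+\.\d+)/(\d+)",
    ("cisco.facility-2", "cisco.severity", "cisco.mnemonic", "ip1", "port1", "ip2", "port2"))
# Constructed stand-in for the shipped catch-all child; the real prematch is broader.
DEFAULT = Decoder("cisco-ios-default", r"%\w+-\d-\w+:", r"%(\w+)-(\d)-(\w+):",
                  ("cisco.facility", "cisco.severity", "cisco.mnemonic"))

# local_decoders.xml loads after the ruleset file, so the catch-all still wins...
name_local, fields_local = first_match([DEFAULT, TEARDOWN], LOG)
# ...whereas placing the new decoder before cisco-ios-default in the copied file works.
name_fixed, fields_fixed = first_match([TEARDOWN, DEFAULT], LOG)
```

The same check against a live manager is what `wazuh-logtest` does; this model only reproduces the load-order rule, not the rest of the engine.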

Vinícius

Oct 4, 2023, 6:59:44 PM
to Wazuh | Mailing List
Hello Daniel, thank you for your help. Exactly as you said.

Deny the native decoder in ossec.conf and upload a custom decoder file with the original content, adding the custom decoders above 'cisco-ios-default'.
Thanks!