Custom decoder for SAP audit logs


Dmitriy Sharov

Mar 13, 2024, 10:31:01 AM
to Wazuh | Mailing List
Hello Dear Team, hope you are doing well.

I am trying to create a custom decoder for SAP audit logs. These logs are a fixed length of 200 characters and have no delimiter between them. I attach an example of 5 SAP audit events below:

2AUW20240311174217002249200028D1        SAPSYS                          RSDSBUFF                                0001RSDSBUFF&                                                                           2AUW20240311174217002249200028D1        SAPSYS                          RSDS_BP_FREEWP                          0001RSDS_BP_FREEWP&                                                                     2AUW20240311174219002249200028D1        SAPSYS                          RSDSENQ                                 0001RSDSENQ&                                                                            2AUW20240311174219002249200028D1        SAPSYS                          RS_UPDATE_STATUS                        0001RS_UPDATE_STATUS&                                                                   2AUW20240311174219002249200028D1        SAPSYS                          RSSHM_CCMS_COLLECTOR                    0001RSSHM_CCMS_COLLECTOR&                                                               
I created a custom decoder for this log:

<decoder name="sap">
  <prematch type="pcre2">([23])([A-Z][A-Z][A-Z0-9])(\d\d\d\d\d\d\d\d)(\d\d\d\d\d\d)</prematch>
</decoder>

<decoder name="sap">
  <parent>sap</parent>
  <regex type="pcre2">([23])([A-Z][A-Z][A-Z0-9])(\d\d\d\d\d\d\d\d)(\d\d\d\d\d\d)</regex>
  <order>id,message_id,date,time</order>
</decoder>

<decoder name="sap">
  <parent>sap</parent>
  <regex type="pcre2">(\w\w)(.{5})(.{2})(.{3})(.)(.)(.{8})(.{12})(.{20})(.{40})(.{3})(.)(.{64})(.{20})</regex>
  <order>term1,os_process_id,term2,work_process_number,sap_process,WP,term3,user,transaction,app,client,term4,message,terminal_name</order>
</decoder>

And a simple rule:

<rule id="104001" level="3">
  <decoded_as>sap</decoded_as>
  <description>SAP events.</description>
</rule>


If I test on a single event, it works fine:

**Phase 1: Completed pre-decoding.

                full event: '2AUW20240311174217002249200028D1        SAPSYS                          RSDSBUFF                                0001RSDSBUFF&                                                                           '

 

**Phase 2: Completed decoding.

                name: 'sap'

                WP: '7'

                app: '                  RSDSBUFF              '

                client: '   '

                date: '20240311'

                dstuser: '49200028D1  '

                id: '2'

                message: '              0001RSDSBUFF&                                     '

                message_id: 'AUW'

                os_process_id: 'UW202'

                sap_process: '1'

                term1: '2A'

                term2: '40'

                term3: '42170022'

                term4: ' '

                terminal_name: '                    '

                time: '174217'

                transaction: '      SAPSYS        '

                work_process_number: '311'

 

**Phase 3: Completed filtering (rules).

                id: '104001'

                level: '3'

                description: 'SAP events.'

                groups: '["SAP"]'

                firedtimes: '1'

                mail: 'false'

**Alert to be generated.


But if I try to test multiple original logs, it doesn't work correctly:

**Phase 1: Completed pre-decoding.

                full event: '2AUW20240311174217002249200028D1        SAPSYS                          RSDSBUFF                                0001RSDSBUFF&                                                                           2AUW20240311174217002249200028D1        SAPSYS                          RSDS_BP_FREEWP                          0001RSDS_BP_FREEWP&                                                                     2AUW20240311174219002249200028D1        SAPSYS                          RSDSENQ                                 0001RSDSENQ&                                                                            2AUW20240311174219002249200028D1        SAPSYS                          RS_UPDATE_STATUS                        0001RS_UPDATE_STATUS&                                                                   2AUW20240311174219002249200028D1        SAPSYS                          RSSHM_CCMS_COLLECTOR                    0001RSSHM_CCMS_COLLECTOR&                                                               '

 

**Phase 2: Completed decoding.

                name: 'sap'

                WP: '7'

                app: '                  RSDSBUFF              '

                client: '   '

                date: '20240311'

                dstuser: '49200028D1  '

                id: '2'

                message: '              0001RSDSBUFF&                                     '

                message_id: 'AUW'

                os_process_id: 'UW202'

                sap_process: '1'

                term1: '2A'

                term2: '40'

                term3: '42170022'

                term4: ' '

                terminal_name: '                    '

                time: '174217'

                transaction: '      SAPSYS        '

                work_process_number: '311'

 

**Phase 3: Completed filtering (rules).

                id: '104001'

                level: '3'

                description: 'SAP events.'

                groups: '["SAP"]'

                firedtimes: '1'

                mail: 'false'

**Alert to be generated.


I tested the regular expression at regex101.com, and if you select the "global" (/g) option there, everything works as it should (see Screenshot1).

Could you please tell me if it is possible to set /g (global) option in Wazuh decoders? Or maybe there is some other way in which the regular expression in Wazuh will not stop when the first result is found, but will look for all matches.

Thank you.

(Attachment: Screenshot1.jpg)

Dario Menten

Mar 14, 2024, 8:34:59 AM
to Wazuh | Mailing List

Hello Dmitriy,
Thank you for posting in the community.

First of all, I would like to advise you to use this as a prematch:

\d[A-Z]{3}[0-9]{26}\w\d\s+

It is less general and will help you identify the beginning of the line.
On the other hand, unfortunately, Wazuh does not provide support for one-line logs, I mean logs without a classic start (^) or end of line ($).
My recommendation here is to try to configure SAP to write logs in another format, CEF or JSON; if the application can write JSON you will not need to create your own decoder, since Wazuh can decode JSON by default.
As a final recommendation, if the application cannot do that, you can create a script to transform the logs into a multi-line log and then have the agent read this new multi-line log. It is a little more complicated, but I think it can do the trick without issues.

I hope this helps.
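An added example of the conversion script the reply recommends (not code from the thread or from Wazuh): it cuts the delimiter-free 200-character stream into one record per line, checks each record against the header pattern suggested above, and emits JSON lines that Wazuh's built-in JSON decoder can read. The field names follow the first decoder in the question, and the sample records are constructed from its header, not taken from the original file.

```python
import json
import re
import sys

RECORD_LEN = 200  # fixed record width stated in the question

# Record header as suggested in the reply: id digit, 3-char message id,
# 26 digits (date, time, counters), then \w\d and blank padding.
RECORD_START = re.compile(r"\d[A-Z]{3}[0-9]{26}\w\d\s+")

# Leading fields in the order the question's first decoder extracts them.
PREFIX = re.compile(r"^(\d)([A-Z]{3})(\d{8})(\d{6})")


def split_records(blob: str, record_len: int = RECORD_LEN) -> list[str]:
    """Cut a delimiter-free stream into fixed-width records; a trailing partial
    record or a chunk without the SAP header is rejected rather than silently
    handed to the decoder as a valid event."""
    data = blob.rstrip("\r\n")
    if len(data) % record_len:
        raise ValueError(f"length {len(data)} is not a multiple of {record_len}")
    records = [data[i:i + record_len] for i in range(0, len(data), record_len)]
    bad = [i for i, rec in enumerate(records) if not RECORD_START.match(rec)]
    if bad:
        raise ValueError(f"record(s) {bad} lack the expected SAP audit header")
    return records


def parse_record(record: str) -> dict:
    """Return the header fields plus the trimmed raw record."""
    m = PREFIX.match(record)  # guaranteed by split_records' header check
    return {"id": m.group(1), "message_id": m.group(2),
            "date": m.group(3), "time": m.group(4), "raw": record.rstrip()}


def convert(blob: str) -> list[str]:
    """One JSON line per record, ready for Wazuh's built-in JSON decoder."""
    return [json.dumps(parse_record(rec)) for rec in split_records(blob)]


# Constructed sample: two records built from the header seen in the thread,
# padded to the 200-character width (not the original file contents).
SAMPLE = (
    "2AUW20240311174217002249200028D1        SAPSYS    RSDSBUFF".ljust(RECORD_LEN)
    + "2AUW20240311174219002249200028D1        SAPSYS    RSDSENQ".ljust(RECORD_LEN)
)

if __name__ == "__main__":
    # Usage: python sap_split.py < audit.blob >> sap_audit.jsonl
    sys.stdout.write("\n".join(convert(sys.stdin.read())) + "\n")
```

Point the agent's localfile entry at the generated .jsonl file with the json log format so each line is decoded on its own.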
