Sophos Xg logs in Wazuh


wesley staenle

Dec 6, 2021, 7:31:56 AM
to Wazuh mailing list
Good morning. In my case Wazuh is receiving the logs in /var/log/sophos-xg.log (rsyslog):

root@wazuh:/var/ossec/ruleset/rules# tail -f /var/log/sophos-xg.log | grep wesley
Dec 6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"

It even generates the events in alerts.json:

root@wazuh:/var/ossec/ruleset/rules# tail -f /var/ossec/logs/alerts/alerts.json | grep wesley
{"timestamp":"2021-12-06T08:49:02.427-0300","rule":{"level":3,"description":"Traffic Allowed: from 10.206.104.43 to 142.251.129.234","id":"70022","firedtimes":1950109,"mail":false,"groups":["sophos-fw"]},"agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1638791342.7204340536","full_log":"Dec  6 08:49:00 10.192.206.248 device=\"SFW\" date=2021-12-06 time=08:49:00 timezone=\"-03\" device_name=\"XG310\" device_id=C32078XQ9FK92ED log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=3 nat_rule_id=0 policy_type=2 user_name=\"wesleystaenle\" user_gp=\"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt\" iap=12 ips_policy_id=2 appfilter_policy_id=9 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"LAG_LAN\" in_display_interface=\"LAG_LAN\" out_interface=\"\" out_display_interface=\"\" src_mac=00:1A:30:4C:BC:00 dst_mac=00:E0:20:AC:B5:05 src_ip=10.206.104.43 src_country_code=R1 dst_ip=142.251.129.234 dst_country_code=USA protocol=\"TCP\" src_port=54973 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.192.206.248 tran_dst_port=3128 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2596541440\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0","predecoder":{"timestamp":"Dec  6 08:49:00","hostname":"10.192.206.248"},"decoder":{"name":"sophos-fw"},"data":{"protocol":"TCP","device":"SFW","date":"2021-12-06","time":"08:49:00","timezone":"-03","appfilter_policy_id":"9","application_risk":"0","appresolvedby":"Signature","connevent":"Start","connid":"2596541440","device_id":"C32078XQ9FK92ED","device_name":"XG310","dst_country_code":"USA","dst_ip":"142.251.129.234","dst_port":"443","dstzone":"WAN","dstzonetype":"WAN","duration":"0","fw_rule_id":"3","hb_health":"No Heartbeat","iap":"12","in_interface":"LAG_LAN","ips_policy_id":"2","log_component":"Firewall Rule","log_id":"010101600001","log_subtype":"Allowed","log_type":"Firewall","name":"XG310","policy_type":"2","priority":"Information","recv_bytes":"0","recv_pkts":"0","sent_bytes":"0","sent_pkts":"0","src_country_code":"R1","src_ip":"10.206.104.43","src_mac":"00:1A:30:4C:BC:00","src_port":"54973","srczone":"LAN","srczonetype":"LAN","sophos_fw_status_msg":"Allow","th":"No Heartbeat","tran_dst_ip":"10.192.206.248","tran_dst_port":"3128","tran_src_port":"0","user_gp":"OU=Seguranca-TI,OU=ADM,OU=Usuarios,OU=ZL,DC=tmkt,DC=servicos,DC=mkt","user_name":"wesleystaenle"},"location":"/var/log/sophos-xg.log"}


The problem is that I only see Firewall events. How could I view admin events? How do I customize a rule for admin events?

Christian Borla

Dec 6, 2021, 1:07:53 PM
to Wazuh mailing list
Hi wesley staenle.
I hope you are doing fine!

As you mentioned, Wazuh already supports some Sophos XG event logs. You can test how the decoder and rules process the events: on the manager side run /var/ossec/bin/wazuh-logtest and paste a sample log. The result for your sample log is:

Dec  6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"

**Phase 1: Completed pre-decoding.
full event: 'Dec  6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"'
timestamp: 'Dec  6 08:38:10'
hostname: '10.192.206.242'

**Phase 2: Completed decoding.
name: 'sophos-fw'
date: '2021-12-06'
device: 'SFW'
device_id: 'C4307BPTPBKHMB6'
device_name: 'XG450'
log_component: 'GUI'
log_id: '062009617507'
log_subtype: 'Admin'
log_type: 'Event'
message: 'User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism'
name: 'XG450'
priority: 'Information'
sophos_fw_status_msg: 'Successful'
src_ip: '10.206.104.43'
time: '08:38:10'
timezone: '-03'
user_name: 'wesleystaenle'

**Phase 3: Completed filtering (rules).
id: '70020'
level: '0'
description: 'Sophos XG210 Firewall event'
groups: '['sophos-fw']'
firedtimes: '1'
mail: 'False'

I have a doubt about your question and the sample log: that log looks like an Admin event, but the rule processes it as a Firewall event. Is that the change you want to fix?

As you can see, it triggers rule number 70020, the base rule, but there is no specific rule for your example log.

  <rule id="70020" level="0">
    <decoded_as>sophos-fw</decoded_as>
    <description>Sophos XG210 Firewall event</description>
  </rule>

So it's possible to create a new child rule that matches the new log:

  <rule id="100000" level="3">
    <if_sid>70020</if_sid>
    <field name="log_subtype">Admin</field>
    <description>User logged in successfully to Web Admin Console</description>
  </rule>

Add that custom rule to /var/ossec/etc/rules/local_rules.xml, restart the manager and test it with /var/ossec/bin/wazuh-logtest.

It will look like:

**Phase 3: Completed filtering (rules).
id: '100000'
level: '3'
description: 'User logged in successfully to Web Admin Console'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'

Let me know if that works!
Regards.

wesley staenle

Dec 6, 2021, 1:28:47 PM
to Wazuh mailing list
I want to view admin events on the firewall.

wesley staenle

Dec 6, 2021, 1:33:10 PM
to Wazuh mailing list
After adding this new rule to the file /var/ossec/etc/rules/local_rules.xml:

root@wazuh:/var/ossec/bin# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id = "100002" level = "3">
    <if_sid> 70020 </if_sid>
    <field name = "log_subtype"> Admin </field>
    <description> User has successfully logged into the Web Admin Console </description>
  </rule>

</group>

it displays the error:

restart >

2021/12/06 15:32:24 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/rules/local_rules.xml': XMLERR: Attribute 'id' has no value. (line 21).
2021/12/06 15:32:24 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.
wazuh-analysisd: Configuration error. Exiting

Christian Borla

Dec 6, 2021, 1:54:38 PM
to Wazuh mailing list
Hi wesley staenle,
I tested it with your example configuration, and the issue is the spaces between the 'labels' and '='.
The sent config is <rule id = "100002" level = "3">; it should be <rule id="100002" level="3">.
Same for <if_sid> and <field name. Use:

<rule id="100002" level="3">
  <if_sid>70020</if_sid>
  <field name="log_subtype">Admin</field>
  <description>User has successfully logged into the Web Admin Console</description>
</rule>

Let me know if that works.
Regards.
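Pulling together the decoder output shown in the first reply and the corrected rule 100002 above, here is an added Python example (not code from the thread and not Wazuh's decoder) that parses the Sophos XG key=value format the way the sophos-fw decoder's Phase 2 output suggests and applies the 70020/100002 rule chain. It assumes only the two quoted log lines; FW_LOG is a shortened, constructed variant of the firewall line that keeps the format quirks (the bare "N/A" token, an unquoted value containing a space, an empty unquoted value).

```python
import re
# Syslog header that Wazuh's pre-decoder strips: "Dec  6 08:38:10 10.192.206.242 "
_HEADER = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")
# key=value where the value is either "quoted" or a run of non-blank characters
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_sfw(line: str) -> tuple[dict[str, str], list[str]]:
    """Return (fields, leftovers). Leftovers are tokens that are not key=value:
    the stray 'N/A' after src_ip and the '(0x0000)' tail of ether_type=Unknown."""
    fields: dict[str, str] = {}
    leftovers: list[str] = []
    m = _HEADER.match(line)
    if m:
        fields["hostname"] = m.group(1)
        line = line[m.end():]
    pos = 0
    for m in _PAIR.finditer(line):
        leftovers.extend(line[pos:m.start()].split())
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    leftovers.extend(line[pos:].split())
    # The sophos-fw decoder exposes 'status' as 'sophos_fw_status_msg' (Phase 2 above)
    if "status" in fields:
        fields["sophos_fw_status_msg"] = fields.pop("status")
    return fields, leftovers


def classify(fields: dict[str, str]) -> tuple[str, int]:
    """Thread's rule chain: 70020 (level 0) for any sophos-fw event, 100002 (level 3)
    when log_subtype is Admin. 100002 keys only on log_subtype, so it fires for every
    GUI admin event; a <field name="sophos_fw_status_msg"> match would narrow it."""
    if fields.get("log_subtype") == "Admin":
        return "100002", 3
    return "70020", 0


# Sample input: the admin line quoted in the thread; FW_LOG is a shortened, constructed line.
ADMIN_LOG = (
    'Dec  6 08:38:10 10.192.206.242 device="SFW" date=2021-12-06 time=08:38:10 timezone="-03" device_name="XG450" '
    'device_id=C4307BPTPBKHMB6 log_id=062009617507 log_type="Event" log_component="GUI" log_subtype="Admin" '
    'status="Successful" priority=Information user_name="wesleystaenle" src_ip=10.206.104.43 N/A '
    'message="User wesleystaenle logged in successfully to Web Admin Console through Local authentication mechanism"'
)
FW_LOG = (
    'Dec  6 08:49:00 10.192.206.248 device="SFW" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id=3 ether_type=Unknown (0x0000) src_ip=10.206.104.43 '
    'dst_ip=142.251.129.234 protocol="TCP" dst_port=443 tran_src_ip= tran_src_port=0 message=""'
)
```

Feeding ADMIN_LOG through parse_sfw and classify reproduces the ('100002', 3) result the thread's logtest run shows, while FW_LOG stays on the base rule.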

wesley staenle

Dec 7, 2021, 6:17:31 AM
to Wazuh mailing list
Thank you very much! All OK. Can you indicate if it is possible to trigger an email with this event?

Christian Borla

Dec 7, 2021, 7:01:29 AM
to Wazuh mailing list
Hi wesley staenle,
You are welcome!! I'm glad to know that it was useful! :)

Regarding the email-triggering alert: yes, it's possible. Could you please open a new thread with that question?

For sure someone will have the answer ASAP!
Regards!

Tomas Turina

Dec 9, 2021, 1:39:45 PM
to Christian Borla, Wazuh mailing list
Hi Wesley,

Sure, you can get an email from this alert and from any alert you wish.

Here is the documentation you need to follow to configure this feature: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html

If you just want to receive alerts from this rule ID, I suggest you look at the example with the rule ID filter: https://documentation.wazuh.com/current/user-manual/manager/manual-email-report/index.html#email-based-on-rules-id

<email_alerts>
  <email_to>y...@example.com</email_to>
  <rule_id>100002</rule_id>
  <do_not_delay />
</email_alerts>

I hope this information helps you.

Best regards.

Tomás Turina.
