How to add a log file to the monitoring?

[Leandro Maciel]

Hello,

I have some Linux servers which are administered by a third-party company that saves its sudo log on a file called /var/log/sudo.log.

Since We will need to install wazuh on those servers I'm running some tests and trying to make the Wazuh Agent read the /var/log/sudo.log, but it is not working.

The sudo log is a multi-line log, each event is composed by two lines like the ones below:

Oct  3 15:11:21 2017 : usuario : TTY=pts/1 ; PWD=/home/usuario USER=root ;
    COMMAND=/bin/echo teste arquivo de log

In the file /var/ossec/etc/ossec.conf in the machine where I'm testing I added the following lines in the <ossec_config> section

  <localfile>
    <log_format>multi-line:2</log_format>
    <location>/var/log/sudo.log</location>
  </localfile>

I can see in the agent log that the file I added was analyzed

2017/10/03 14:56:19 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/sudo.log'

But I am not seeing this information on Kibana and I don't know what is wrong or if I missed a step in the configuration.

What are the steps to add a custom log file in the wazuh agent.

Thanks!

[Leandro Maciel]

Well,

If I understood correctly, the problem is that the log line isn't matching anything in the rules or decoder.

Since the sudo logfile does not have the hostname and program name fields, how can I create a decoder or edit the sudo decoder to match it based in the filename?

For example, if it matchs the filename sudo.log it will understand the the program name is 'sudo' and match the rest of the line as it was a normal sudo line from /var/log/secure.

This is the only difference between the event logged in a different file and in the /var/log/secure.

[Santiago Bassett]

Hi Leandro,

I think our decoders are expected single-line logs for sudo. What OS are you monitoring? I tested both in Debian and CentOS and they both do generate single-line sudo log messages, see below:

On Debian (/var/log/auth.log):

Oct  3 23:09:20 ag-debian sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ps aux

On CentOS (/var/log/secure):

Oct  3 23:08:20 demo sudo:    root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ps aux

A good test would be to enable the "logall" option (on the manager), in order to log all incoming events into /var/ossec/logs/archives/archives.log. This way you will be able to know if the second line (in your example) is being appended to the first line or not. 

If it is appended properly then the existing decoders should work fine. You can test them with /var/ossec/bin/ossec-logtest tool. 

I hope it helps,

Santiago.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4277520e-1393-45b2-8e9b-08ec8adb6a25%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Leandro Maciel]

Hello Santiago,

The problem is that the sudo is configured to save logs on a external file (/var/log/sudo.log) and when sudo has the logfile paramenter configured in sudoers, the logged event does not have the hostname and program name fields so the line is different from what it would be in the /var/log/secure.

In the /var/log/secure I will have the event logged as below:

Oct  4 09:26:55 hostname sudo: usuario : TTY=pts/0 ; PWD=/home/usuario ; USER=root ; COMMAND=/bin/su -

Which the wazuh-agent can read without problem.

But on the external file configured for logging sudo events, the same event will be logged as follow:

Oct  4 09:26:55 : usuario : TTY=pts/0 ; PWD=/home/usuario ; USER=root ; COMMAND=/bin/su -

The difference is that I don't have the hostname nor the program name field and this way the wazuh-agent can't decode the file, I already managed to make sudo save the full log on a single line, but it still isn't getting decoded.

How can I solve this problem? I think that I will need to create a custom decoder, but how? The documentation that I found till now does not have examples on how to do that, since I will have to match by the file name, not a field.

Is it possible?

[alberto....@wazuh.com]

Hello Leandro

   It's probably that you have an not updated ruleset. Please find in the following link decoders for your logs:

https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0320-sudo_decoders.xml#L20

The log of this decoder is a little bit different but you probably can change your sudoers configuration in order to include the HOST. 

Hope it helps, please let us know if it works. 

Best regards, 

Alberto R. 

[Leandro Maciel]

Hello,

That's probably the reason

I'm using the last stable version of wazuh (2.1.1), my ruleset version is 2.1.0 and I checked this version in github and the sudo decoder is the same as mine, the decoder which will work with the sudoers log file has the ruleset version of 3.0.0-alpha

If I run /var/ossec/bin/update_ruleset.py and it says that I already have the latest version of ruleset.

I will copy the decoder file for the sudoers and put in my decoders directory to see if it will works.

Thanks!