Help for creating a custom decoder for pfBlockerNG logs (dnsbl.log exactly)

walid

Sep 29, 2023, 8:59:04 AM9/29/23
to Wazuh | Mailing List
Dear Users,
I recently started collecting external logs provided by pfBlockerNG package (available and installed in pfSense) in Wazuh.

Unfortunately, I'm having some problems processing these logs using decoders/rules.

This is an example of one line from dnsbl.log received by Wazuh in /var/log/syslog:

Sep 28 15:01:53 pfSense - DNSBL-Full,Sep 28 14:55:43,abcxyz.com,x.x.x.x,-|GET / HTTP/1.1|Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0,DNSBL,DNSBL_UT1, abcxyz.com  ,UT1_drogue,+

Could you please help me to extract relevant fields from the logs using regex?

Watching the log line mentioned above, the relevant fields are:
Event time:   Sep 28 14:55:43
domain_name:  abcxyz.com
SRC IP: x.x.x.x
...
blacklist_domain: UT1_drogue

Thank you in advance,
Walid

Javier Bejar

Oct 2, 2023, 5:44:59 AM10/2/23
to Wazuh | Mailing List
Hi Walid,

Sorry for the late response.

Add the following regex and order sections to your custom decoder:
<regex type="pcre2">^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) pfSense - .+,.+,(\S+),(\S+),.+,.+,.+,(.+),.+$</regex>
<order>event.time, domain_name, src.ip, blacklist_domain</order>

Note this expression will work as long as the number and order of comma-separated fields remain the same.

For more details about the regex see:
regex101 example

For more details about decoder syntax see:
- Decoder syntax documentation

I hope this helps,
Javier Bejar
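
The following is an added check harness, not part of Javier's reply or of Wazuh itself: it applies the regex above to the sample line from the question with Python's re module (assumed to behave like Wazuh's PCRE2 engine for these constructs), maps the capture groups to the names in the order line, and shows what happens to blacklist_domain when one extra comma-separated field is appended, which is the caveat in the reply.

```python
import re
from typing import Optional

# Javier's decoder regex from the reply above, applied here with Python's re
# module (Wazuh uses PCRE2; the constructs used behave the same in both engines).
DNSBL_REGEX = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) pfSense - .+,.+,(\S+),(\S+),.+,.+,.+,(.+),.+$"
)
# Same names, same order as the <order> line of the decoder.
ORDER = ["event.time", "domain_name", "src.ip", "blacklist_domain"]

# Sample line copied from the original question (IP already masked by the poster).
SAMPLE = (
    "Sep 28 15:01:53 pfSense - DNSBL-Full,Sep 28 14:55:43,abcxyz.com,x.x.x.x,"
    "-|GET / HTTP/1.1|Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) "
    "Gecko/20100101 Firefox/115.0,DNSBL,DNSBL_UT1, abcxyz.com  ,UT1_drogue,+"
)


def decode_dnsbl(line: str) -> Optional[dict]:
    """Map the regex capture groups to field names the way <order> does.

    Returns None when the line does not match, which is what the decoder
    would do as well (the event falls through to other decoders)."""
    m = DNSBL_REGEX.match(line)
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


def field_count(line: str) -> int:
    """Count comma-separated fields after the 'pfSense - ' header.

    The regex assumes this stays at 10 for a DNSBL-Full line; a change in
    pfBlockerNG's log format would silently shift the extracted fields."""
    _, _, payload = line.partition(" pfSense - ")
    return payload.count(",") + 1


if __name__ == "__main__":
    print(field_count(SAMPLE), decode_dnsbl(SAMPLE))
    # Constructed variant with one extra trailing field: the line still matches,
    # but blacklist_domain now picks up the wrong column ("+").
    print(decode_dnsbl(SAMPLE + ",extra"))
```

Note that the first group captures the syslog header timestamp (15:01:53), not the second column of the DNSBL record (14:55:43) that the question labels as the event time.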

walid

Oct 18, 2023, 3:20:02 PM10/18/23
to Wazuh | Mailing List
Thank you for your help.