Problem with postgres monitoring


T Mukaev

Feb 9, 2023, 11:19:16 PM
to Wazuh mailing list
Hello everyone, I have Wazuh version 4.3.10 and one of the agents has PostgreSQL installed.
I want to see the events of my database on the dashboards. I configured it from the agent side and I see that the events get into archives.json.
But the decoder does not process them. I tried changing the decoder from:

<decoder name="postgresql_log">
<prematch>^[\d\d\d\d-\d\d-\d\d \S+ \w+] </prematch>
<regex offset="after_prematch">^\S+ (\w+): </regex>
<order>status</order>
</decoder>

to:
<decoder name="postgresql_log">
<prematch>^\d\d\d\d-\d\d-\d\d \S+ \w+ </prematch>
<regex offset="after_prematch">^\S+ (\w+): </regex>
<order>status</order>
</decoder>

but it did not help. I'm bad at regular expressions, so it's hard for me to figure out what it doesn't like.

my log format example:

2023-02-09 17:05:17.257 +06 [6233] root@root FATAL: role "root" does not exist

I tried to solve it myself but it doesn't work :((

T Mukaev

Feb 10, 2023, 12:34:47 AM
to Wazuh mailing list
Full log:
Feb 9 17:01:17 srv-name postgres[2992]: [760-1] 2023-02-09 17:01:17.462 +06 [2992] postgres@db_name LOG: AUDIT: SESSION,740,1,MISC,SHOW,,,SHOW TRANSACTION ISOLATION LEVEL,<not logged>

Friday, February 10, 2023 at 10:19:16 UTC+6, T Mukaev:

Cedrick Foko

Feb 10, 2023, 4:57:58 AM
to Wazuh mailing list
Hi Mukaev
Thank you for using Wazuh!

Your decoder cannot work with your logs because your prematch value is incorrect.

Please find attached an example file with a decoder working fine with your full log.

Note that this decoder will work on logtest but alerts will not be triggered and displayed on the dashboard until you create a rule to work with your decoder.

I hope you find this helpful. Don't hesitate to ask if you have any other question.

postgres_decoder.xml

T Mukaev

Feb 10, 2023, 5:17:58 AM
to Wazuh mailing list

I put the new decoders in local_decoders. They work with single-digit days of the month (e.g. Feb 3, Feb 4) and don't work with two-digit days of the month (e.g. Feb 12, Feb 10).
Please tell me what the reason is? Thanks a lot.
Friday, February 10, 2023 at 15:57:58 UTC+6, Cedrick Foko:
Screenshot 2023-02-10 at 16.14.00.png

Cedrick Foko

Feb 10, 2023, 6:39:13 AM
to Wazuh mailing list
Hi Mukaev.
It seems the logs with two-digit days of the month are decoded differently. You can notice that you get the program_name in the predecoding phase.
We then need a new decoder that takes the program_name into account instead of the prematch.

Find attached a new file with a decoder using program_name.
Note: keep the two files so that your logs will use one or the other.

I hope this helps. Let me know if you have any other question.

postgres_decoder2.xml

T Mukaev

Feb 10, 2023, 8:18:56 AM
to Wazuh mailing list
Good afternoon again :)
I want some advice to make sure I'm doing the right thing.

In order not to change all the rules, I wrote decoders like this:

<decoder name="postgresql_log">
  <prematch type="pcre2">^\w+ \d+ \d+:\d+:\d+ \S+ postgres\[\d+\]: \[\d+\-\d+\] \d\d\d\d-\d\d-\d\d \d+:\d+:\d+.\d+ \S+ \[\d+\] \S+ </prematch>
  <regex offset="after_prematch">^(\w+): </regex>
  <order>status</order>
</decoder>

<decoder name="postgresql_log">
  <program_name>^postgres</program_name>
</decoder>

<decoder name="postgres_fields">
  <parent>postgresql_log</parent>
  <regex>\S*@\S* (\w*)</regex>
  <order>status</order>
</decoder>


How correct would that be?

many thanks for the help :)
Friday, February 10, 2023 at 17:39:13 UTC+6, Cedrick Foko:
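An added check, not part of the thread and not Wazuh's own code: a small Python emulation of how the three decoders in the last post divide the work between the two log shapes discussed above. The syslog predecoder stand-in is an assumption (it accepts only the fixed-width "Mon DD HH:MM:SS host prog[pid]: " header, so a single-digit day written with one space is handed to the decoders whole, with no program_name), the sample lines are constructed in the same shape as the posted one, and the OS_Regex patterns are translated to Python regexes on the assumption that \S, \w and \d behave the same for these cases. It shows which decoder catches each line and what ends up in the status field.

```python
import re

# Constructed sample lines (same shape as the "Full log" posted above, not copied
# from a real server): a single-digit day with one space as posted, a two-digit
# day, and a single-digit day padded with two spaces as syslog normally writes it.
SAMPLE_SINGLE_DIGIT_DAY = (
    "Feb 9 17:01:17 srv-name postgres[2992]: [760-1] 2023-02-09 17:01:17.462 +06 "
    "[2992] postgres@db_name LOG: AUDIT: SESSION,740,1,MISC,SHOW,,,"
    "SHOW TRANSACTION ISOLATION LEVEL,<not logged>"
)
SAMPLE_TWO_DIGIT_DAY = (
    "Feb 10 09:12:03 srv-name postgres[6233]: [12-1] 2023-02-10 09:12:03.257 +06 "
    "[6233] root@root FATAL: role \"root\" does not exist"
)
SAMPLE_PADDED_DAY = SAMPLE_SINGLE_DIGIT_DAY.replace("Feb 9 ", "Feb  9 ", 1)

# Assumption: the syslog predecoder only recognises the fixed-width header
# "Mon DD HH:MM:SS host prog[pid]: " (single-digit days are space-padded).
# A line that does not fit is handed to the decoders whole, with no program_name.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<message>.*)$",
    re.S,
)


def predecode(line):
    """Return (program_name, text handed to the decoders)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group("program"), m.group("message")


# The three decoders from the last post, translated to Python regexes. The first
# prematch is already PCRE2 (the unescaped '.' before the milliseconds is
# escaped here); the other two are OS_Regex, approximated with Python's re.
PREMATCH_WHOLE_LINE = re.compile(
    r"^\w+ \d+ \d+:\d+:\d+ \S+ postgres\[\d+\]: \[\d+-\d+\] "
    r"\d\d\d\d-\d\d-\d\d \d+:\d+:\d+\.\d+ \S+ \[\d+\] \S+ "
)
STATUS_AFTER_PREMATCH = re.compile(r"^(\w+): ")         # <regex offset="after_prematch">
STATUS_AFTER_USER_AT_DB = re.compile(r"\S*@\S* (\w*)")  # postgres_fields child decoder


def decode(line):
    """Run the decoder chain the way the post's three decoders divide the work.

    Returns a dict with the path taken and the extracted status, or None when
    neither postgresql_log decoder matches (so no rule would ever fire)."""
    program, text = predecode(line)

    # Decoder 1: prematch against whatever text the decoders receive. It begins
    # with the syslog header, so it can only match when predecoding failed and
    # the line arrived whole. (The postgres_fields child would also run here,
    # since it shares the parent name, and would extract the same word.)
    m = PREMATCH_WHOLE_LINE.match(text)
    if m:
        s = STATUS_AFTER_PREMATCH.match(text[m.end():])
        return {"path": "prematch", "program_name": program,
                "status": s.group(1) if s else None}

    # Decoder 2: program_name match; the postgres_fields child then pulls the
    # word after "user@database " out of the message.
    if program is not None and program.startswith("postgres"):
        s = STATUS_AFTER_USER_AT_DB.search(text)
        return {"path": "program_name", "program_name": program,
                "status": s.group(1) if s else None}

    return None


def run_all():
    """Decode every constructed sample; handy for eyeballing the two paths."""
    samples = {
        "single-digit day, one space": SAMPLE_SINGLE_DIGIT_DAY,
        "two-digit day": SAMPLE_TWO_DIGIT_DAY,
        "single-digit day, padded": SAMPLE_PADDED_DAY,
    }
    return {name: decode(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

The same three lines can be fed to /var/ossec/bin/wazuh-logtest on the manager to confirm the real predecoder and OS_Regex agree with this approximation. Cedrick's note above still applies: until a rule with `<decoded_as>postgresql_log</decoded_as>` (or an existing rule that already uses that decoder) matches, the decoded status never reaches the dashboard.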