Monitor ClamAV logs - Windows


Henry Jesus Lastimosa Jr.

Nov 7, 2022, 6:23:18 PM
to Wazuh mailing list
Hi, 

Installed ClamAV (Windows) and trying to monitor ClamAV scans on Windows.
I set agent.conf to monitor the log files, but it is not reflecting in Wazuh.

agent.conf 

    <localfile>
        <location>C:\Program Files\ClamAV\*.log</location>
        <log_format>syslog</log_format>
    </localfile>



Anyone encountered this?

Christian Borla

Nov 7, 2022, 6:46:58 PM
to Wazuh mailing list
Hi! 
I hope you are doing fine!
The configuration looks good. Did you check the archive.json file?
On the manager side, collected events arrive at the manager and, before being processed by Wazuh decoders and rules, raw events/logs can be written to an archive.json file.
That file is /var/ossec/logs/archives/archives.json. To enable it, edit /var/ossec/etc/ossec.conf on the manager side and add <logall_json>yes</logall_json>:

    <ossec_config>
      <global>
         <alerts_log>yes</alerts_log>
         <logall>yes</logall>
         <logall_json>yes</logall_json>
      </global>
    </ossec_config>


Then, restart the manager.
If you find some ClamAV events in archive.json, that means your localfile configuration is working. Events should be processed and trigger ClamAV alerts.
Wazuh already includes a ClamAV ruleset. Also, you could check whether those rules fit your events, or maybe it will be necessary to create new decoders and rules.
Let me know if that helps.
Regards.

Henry Jesus Lastimosa Jr.

Nov 7, 2022, 8:46:43 PM
to Wazuh mailing list
Thank you for pointing me in the right direction. The archive.json is showing the alerts. Moving on to creating new decoders / rules. Do we have any template for decoders and rules?


Regards, 
Henry

Christian Borla

Nov 8, 2022, 7:09:11 AM
to Henry Jesus Lastimosa Jr., Wazuh mailing list
Hi Henry!
In the Wazuh alert generating process, collected data/logs arrive from agents and those events land in the archives.json file (if creating the archive.json file is enabled), then events are processed by decoders and rules, firing alerts if they match.
Alert generating flow looks like:

Collecting data/logs -> archives.json -> decoding/rules -> alerts.json

The idea is to analyse some events/logs in archive.json and create decoders and rules for them. You can find the custom rules and decoders documentation here. Also, Wazuh includes a tool to test each log, /var/ossec/bin/wazuh-logtest.
This is an example log, where you can see how the decoder and the rules match and capture different fields.

```
Type one log per line

Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

**Phase 1: Completed pre-decoding.
        full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100''
        timestamp: 'Dec 25 20:45:02'
        hostname: 'MyHost'
        program_name: 'example'

**Phase 2: Completed decoding.
        name: 'example'
        dstuser: 'admin'
        srcip: '192.168.1.100'

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'User logged'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
```

Also, if you want, I can help you create some rules; share some example logs (from the archive.json file).
Be aware that enabling the archive.json file could increase disk consumption.
Let me know if that works.
Regards.


Henry Jesus Lastimosa Jr.

Nov 10, 2022, 7:28:42 PM
to Wazuh mailing list
Got it, I tested with logtest and it does not seem to return a decoder, so I'd have to match it with a custom decoder and appropriate regex?

Thank you! 

Christian Borla

Nov 11, 2022, 4:38:28 PM
to Wazuh mailing list
Hi Henry!
That is the idea. I can help you create a decoder and rules.
Share the log example, just change the sensitive information.
Regards.
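A starting point for the custom decoder and rules the thread ends on, added here as an illustration; it is not code from the thread or from Wazuh's own ruleset. It assumes clamscan report lines of the form `<path>: <signature> FOUND` plus the `Infected files: N` summary line, and uses `type="pcre2"`, which needs Wazuh 4.3 or later; the field names, rule ids and sample path are made up.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (manager side) -->
<!-- Matches clamscan detection lines such as this constructed sample:
     C:\Users\henry\Downloads\eicar.com: Win.Test.EICAR_HDB-1 FOUND
     Windows paths contain spaces and a drive colon, so the path is
     captured greedily with PCRE2 and the signature name, which never
     contains whitespace, anchors the split. No "$" is used so a
     trailing CR from a Windows log file does not break the match. -->
<decoder name="clamscan-windows">
  <prematch type="pcre2">: \S+ FOUND</prematch>
  <regex type="pcre2">^(.+): (\S+) FOUND</regex>
  <order>clamav.file, clamav.signature</order>
</decoder>

<!-- Matches the scan summary line, e.g. "Infected files: 1" -->
<decoder name="clamscan-windows-summary">
  <prematch type="pcre2">^Infected files: \d+</prematch>
  <regex type="pcre2">^Infected files: (\d+)</regex>
  <order>clamav.infected</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (manager side) -->
<group name="clamav,local,">
  <!-- Custom rule ids must be 100000 or higher. -->
  <rule id="100200" level="12">
    <decoded_as>clamscan-windows</decoded_as>
    <description>ClamAV (Windows): $(clamav.signature) found in $(clamav.file)</description>
    <group>virus,</group>
  </rule>

  <!-- Low-level informational alert so every completed scan is visible. -->
  <rule id="100201" level="3">
    <decoded_as>clamscan-windows-summary</decoded_as>
    <description>ClamAV (Windows): scan finished, $(clamav.infected) infected file(s)</description>
  </rule>
</group>
```

After adding the two fragments to the files named in the comments and restarting the manager, piping a sample line into /var/ossec/bin/wazuh-logtest should show the decoder name and captured fields in Phase 2 and rule 100200 or 100201 in Phase 3.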