VMware Decoders/Rules


Alan Garner

May 9, 2023, 2:36:52 PM
to Wazuh mailing list
Hello, 

I am seeking assistance in getting vSphere/ESXi logs into Wazuh alerts.  I have a single-node cluster using the OVA installation option.  I have my ESX and vCenter logs showing up in /var/log/messages but am unable to figure out how to see them anywhere in the web UI.

Attached is my REDACTED ossec.conf file for your review.  This is the only file I have modified in the system other than changing the system networking information after OVA deployment.

Thoughts?
ossec.conf

Marcelo Hamra

May 10, 2023, 11:21:57 AM
to Wazuh mailing list
Hi Alan,
Thanks for using Wazuh.

Let me review your ossec.conf file and do some investigation, and I'll get back to you.

Marcelo Hamra

May 10, 2023, 12:12:02 PM
to Wazuh mailing list
Hi Alan,
ESX syslogs can be received by the Wazuh manager by configuring remote syslog, as can be seen in your ossec.conf file.

In this post, you can find a lot of helpful information about how to configure VMware monitoring and how to check the configuration.

Please first confirm that messages are being received OK by the manager, using the tests from the suggested post.

Best regards!

Alan Garner

May 11, 2023, 10:14:30 AM
to Wazuh mailing list
Marcelo, 

Thanks for the reply.  I followed that specific post before posting myself.   Yes, I can see the ESX logs are successfully making it into the alerts.json file but still nothing in the dashboard or security events.

[wazuh-user@wazuh-server ~]$ sudo grep '<REDACTED> ' /var/ossec/logs/archives/archives.json

{"timestamp":"2023-05-11T13:36:11.504+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1683812171.287664022","full_log":"May 11 09:36:10 <REDACTED>  vpxd[3732] Event [6736048] [1-1] [2023-05-11T13:36:10.500955Z] [vim.event.EventEx] [info] [] [ICI-Datacenter] [6736047] [Hot migrating <REDACTED>  from <REDACTED> , NBLVOLB in ICI-Datacenter to <REDACTED>, NBLVOLB in ICI-Datacenter with encryption]","predecoder":{"program_name":"vpxd","timestamp":"May 11 09:36:10","hostname":"<REDACTED> "},"decoder":{},"location":"/var/log/messages"}
{"timestamp":"2023-05-11T13:36:11.504+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1683812171.287664022","full_log":"May 11 09:36:11 <REDACTED>  vpxd[3732] Event [6736049] [1-1] [2023-05-11T13:36:11.079607Z] [vim.event.VmEmigratingEvent] [info] [] [ICI-Datacenter] [6736047] [Migrating <REDACTED>  off host <REDACTED>  in ICI-Datacenter]","predecoder":{"program_name":"vpxd","timestamp":"May 11 09:36:11","hostname":"<REDACTED> "},"decoder":{},"location":"/var/log/messages"}
{"timestamp":"2023-05-11T13:37:27.597+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1683812247.314484853","full_log":"May 11 09:37:25 <REDACTED>  vpxd[3732] Event [6736060] [1-1] [2023-05-11T13:37:25.966797Z] [vim.event.DrsVmMigratedEvent] [info] [] [ICI-Datacenter] [6736047] [DRS migrated <REDACTED>  from <REDACTED>  to <REDACTED> in cluster ICI-Cluster in ICI-Datacenter]","predecoder":{"program_name":"vpxd","timestamp":"May 11 09:37:25","hostname":"<REDACTED> "},"decoder":{},"location":"/var/log/messages"}

One thing I noticed is that it shows a predecoder but the entry for decoder is blank.  I also am not seeing any rule parsing for these events like I do for sudo events:

{"timestamp":"2023-05-11T13:53:45.004+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":3,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1683813225.403469439","full_log":"May 11 13:53:43 wazuh-server sudo: wazuh-user : TTY=pts/0 ; PWD=/home/wazuh-user ; USER=root ; COMMAND=/bin/grep 172.16.1.170 /var/ossec/logs/archives/archives.json","predecoder":{"program_name":"sudo","timestamp":"May 11 13:53:43","hostname":"wazuh-server"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"wazuh-user","dstuser":"root","tty":"pts/0","pwd":"/home/wazuh-user","command":"/bin/grep 172.16.1.170 /var/ossec/logs/archives/archives.json"},"location":"/var/log/secure"}

Marcelo Hamra

May 15, 2023, 8:48:57 AM
to Wazuh mailing list
Hi Alan,
Please confirm whether the same log entries appear in alerts.json (note that you ran grep on the archives.json file).

Alan Garner

May 15, 2023, 12:43:14 PM
to Wazuh mailing list
Ah! My bad!  (I swear I'm not an end user lol!!) OK, so grepping against the correct file does NOT produce any output.  

Syslog is receiving the remote logs from vCenter, as can be seen in /var/log/messages, but they are NOT making it into alerts.json.  What's next?



Marcelo Hamra

May 15, 2023, 4:03:53 PM
to Wazuh mailing list
Let me do some internal research, but in the meantime, please send me a couple of lines of the syslog received from VMware.

Please modify any information that you need to obfuscate. I want to check what is happening with the decoder.

Alan Garner

May 17, 2023, 10:48:42 AM
to Wazuh mailing list
Sure, 

Here are the last 10 lines from /var/log/messages.

May 17 10:39:42 <REDACTED>  vmcad t@140143742662400: VMCACheckAccessKrb: Authenticated user <REDACTED>
May 17 10:40:00 <REDACTED>  updatemgr 2023-05-17T10:40:00:971Z 'Activation' 140659872032512 INFO  [activationValidator, 368] Leave Validate. Succeeded for integrity.VcIntegrity.retrieveHostIPAddresses on target: Integrity.VcIntegrity
May 17 10:40:00 <REDACTED>  updatemgr 2023-05-17T10:40:00:971Z 'VcIntegrity' 140659872032512 INFO  [vcIntegrity, 1536] Getting IP Address from host name: <REDACTED> .
May 17 10:40:20 <REDACTED>  updatemgr 2023-05-17T10:40:20:970Z 'Activation' 140659874428672 INFO  [activationValidator, 368] Leave Validate. Succeeded for integrity.VcIntegrity.retrieveHostIPAddresses on target: Integrity.VcIntegrity
May 17 10:40:20 <REDACTED>  updatemgr 2023-05-17T10:40:20:970Z 'VcIntegrity' 140659874428672 INFO  [vcIntegrity, 1536] Getting IP Address from host name: <REDACTED> .
May 17 10:40:35 <REDACTED>  vpxd[3732] Event [6773665] [1-1] [2023-05-17T14:39:52.97034Z] [vim.event.UserLoginSessionEvent] [info] [root] [ICI-Datacenter] [6773665] [User <REDACTED> logged in as Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)]
May 17 10:40:40 <REDACTED>  updatemgr 2023-05-17T10:40:40:970Z 'Activation' 140659866973952 INFO  [activationValidator, 368] Leave Validate. Succeeded for integrity.VcIntegrity.retrieveHostIPAddresses on target: Integrity.VcIntegrity
May 17 10:40:40 <REDACTED>  updatemgr 2023-05-17T10:40:40:970Z 'VcIntegrity' 140659866973952 INFO  [vcIntegrity, 1536] Getting IP Address from host name: <REDACTED>.
May 17 10:40:41 <REDACTED>  vpxd[3732] Event [6773666] [1-1] [2023-05-17T14:40:41.981853Z] [vim.event.UserLogoutSessionEvent] [info] [<REDACTED>] [] [6773666] [User <REDACTED> logged out (login time: Wednesday, 17 May, 2023 02:05:42 PM, number of API invocations: 2, user agent: Java/1.8.0_212)]
May 17 10:40:42 <REDACTED>  vmcad t@140143742662400: VMCACheckAccessKrb: Authenticated user <REDACTED> 

Marcelo Hamra

May 17, 2023, 2:07:23 PM
to Wazuh mailing list
Hi Alan,
Please let me know what your Wazuh version is. You can find your Wazuh version by running the following command:

# /var/ossec/bin/wazuh-control info 

I've run the wazuh-logtest tool on Wazuh version 4.4.2 with the first line of your /var/log/messages to test your log format, and no decoder could decode the string.

If you like, you can also try to use that tool to test the first line. We may have to set up a custom decoder if no decoder can decode the log. Here's the link in the documentation for wazuh-logtest 

Alan Garner

May 17, 2023, 2:33:55 PM
to Wazuh mailing list
Control Info output:
WAZUH_VERSION="v4.4.1"
WAZUH_REVISION="40406"
WAZUH_TYPE="server"

I tried that tool previously and it doesn't match any decoders.  

Marcelo Hamra

May 18, 2023, 2:02:34 PM
to Wazuh mailing list
Hi Alan,
You can find the preconfigured decoders of Wazuh 4.4.1 for VMware in this link

In the 0360-vmware_decoders.xml file, there are two parent decoders, "vmware" and "vmware-syslog," but none match the lines you've sent. You must create custom decoders and rules to get events from these logs, or find a way for the events reported by VMware to match the default decoders and rules.

These are some helpful documentation links to create custom rules and decoders:


Let me know if you need further assistance.

EXPLANATION OF THE DEFAULT VMWARE DECODERS WITH YOUR EXAMPLES 
The decoder "vmware" doesn't match any line you've sent because it expects an event that starts with the "[" character.

The decoder "vmware-syslog" matches the events whose program name is vmware. None of the lines you've sent has vmware as the program name. 

Using the first line you've sent with minor modifications as input to wazuh-logtest, the program name isn't recognized. Logtest shows
**Phase 1: Completed pre-decoding.
        full event: 'May 17 10:39:42 localhost  vmcad t@140143742662400: VMCACheckAccessKrb: Authenticated user user_xxx'
        timestamp: 'May 17 10:39:42'
        hostname: 'localhost'


Using the same event and adding a [12345] to the program name (the process id), the program_name is recognized. Logtest shows:

**Phase 1: Completed pre-decoding.
        full event: 'May 17 10:39:42 localhost vmcad[12345] t@140143742662400: VMCACheckAccessKrb: Authenticated user user_xxx'
        timestamp: 'May 17 10:39:42'
        hostname: 'localhost'
        program_name: 'vmcad'


The same event, but with the program_name vmcad modified to vmware-vmcad, is recognized by the vmware-syslog decoder. Logtest shows:
**Phase 1: Completed pre-decoding.
        full event: 'May 17 10:39:42 localhost vmware-vmcad[12345] t@140143742662400: VMCACheckAccessKrb: Authenticated user user_xxx'
        timestamp: 'May 17 10:39:42'
        hostname: 'localhost'
        program_name: 'vmware-vmcad'

**Phase 2: Completed decoding.
        name: 'vmware-syslog'

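A custom decoder and rule pair for the vpxd event lines quoted earlier in the thread, added here as an illustration (it is not from the thread, nor part of the stock Wazuh ruleset). It targets the vpxd lines rather than the vmcad ones because, as the archives.json output shows, vpxd[3732] carries a pid in brackets so the predecoder already sets program_name; the field names under vmware.* and the rule ids 100100/100101 are assumptions.

```xml
<!-- Part 1: /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Parent decoder: only runs when the predecoder already set program_name
     to vpxd, which works for these lines because "vpxd[3732]" carries a pid. -->
<decoder name="vpxd-event">
  <program_name>^vpxd$</program_name>
  <prematch>^Event </prematch>
</decoder>

<!-- Child decoder: PCRE2 regex over the text that follows "Event ".
     Bracketed fields, in order:
     [eventId] [1-1] [isoTime] [eventType] [severity] [user] [datacenter] [chainId] [message]
     user and datacenter can be empty ("[]"), so both are matched with [^\]]* -->
<decoder name="vpxd-event-fields">
  <parent>vpxd-event</parent>
  <regex type="pcre2" offset="after_prematch">^\[(\d+)\] \[[^\]]*\] \[[^\]]*\] \[(vim\.event\.\w+)\] \[(\w+)\] \[([^\]]*)\] \[([^\]]*)\] \[\d+\] \[(.*)\]</regex>
  <order>vmware.event_id, vmware.event_type, vmware.severity, vmware.user, vmware.datacenter, vmware.message</order>
</decoder>

<!-- Part 2: /var/ossec/etc/rules/local_rules.xml (ids 100100/100101 are hypothetical, in the custom range) -->
<group name="vmware,vcenter,">
  <!-- Base rule: every decoded vpxd event becomes a low-level alert -->
  <rule id="100100" level="3">
    <decoded_as>vpxd-event</decoded_as>
    <description>vCenter vpxd event $(vmware.event_type): $(vmware.message)</description>
  </rule>

  <!-- Logins to vCenter get a higher level and the authentication group -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="vmware.event_type">^vim.event.UserLoginSessionEvent$</field>
    <description>vCenter user login: $(vmware.user) - $(vmware.message)</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Paste one of the vpxd lines into /var/ossec/bin/wazuh-logtest to confirm the decoder extracts the fields and rule 100100 or 100101 fires, then restart wazuh-manager for the alert to reach alerts.json and the dashboard.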

Marcelo Hamra

May 19, 2023, 11:00:35 AM
to Wazuh mailing list
Hi Alan,
A new article recently published on the Wazuh blog may be helpful; follow this link: Monitoring VMware ESXi with Wazuh


Ricardo

May 19, 2023, 3:41:12 PM
to Wazuh mailing list
Hi, I'm sending logs from vCenter to Wazuh. Do you have any solution for this scenario? I followed the tutorial but it doesn't work.

I analyzed the regular expressions from the tutorial and noticed that the logs that I'm receiving are slightly different.

For example:
The tutorial has the regex "Event (\d+) : (\S+) on (\S+) in (\S+) has powered on" and I am receiving the message: [VMNAME on HOSTNAME in DATACENTERNAME is powered on]