IIS log not show on the dashboard


James Cao

Jul 3, 2023, 3:11:34 AM
to Wazuh mailing list
I configured web-accesslog-iis6 in 0380-windows_decoders.xml.

Default:
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\S+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>

After:

<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^(W3SVC\d+)</prematch>
  <regex>(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\w+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+) </regex>
  <order>date, sitename, srcip, action, url, query, port, username, dstip, httpver, agent, Referer, code</order>
</decoder>

I used logtest.

This is alerts.json.

But why doesn't it show any event on the dashboard?

Openime Oniagbi

Jul 3, 2023, 3:36:21 AM
to Wazuh mailing list
Hi James,

Thank you for using Wazuh.

To troubleshoot, could you please confirm that the agent and server are using the same Timezone? Sometimes, you might not see alerts because of differences in time between the agent and the server. Also, could you please expand your search time criteria and filter the Security events on your Wazuh dashboard for the alert ID?

Do this, and reply with a screenshot of your dashboard if it does not work so we can continue troubleshooting.

Regards,
Openime

James Cao

Jul 3, 2023, 3:47:08 AM
to Wazuh mailing list
Hi, I use the same timezone, and when I use the default web-accesslog-iis6 it shows on the dashboard like the picture.

But with my configured web-accesslog-iis6 no event shows on the dashboard, and when I search rule.id:31100 there are only default web-accesslog-iis6 events.

On Monday, July 3, 2023 at 3:36:21 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 3, 2023, 4:00:32 AM
to Wazuh mailing list
Do you mean when you use the default decoder, it shows up on the dashboard but your custom decoder does not show up on the dashboard?

James Cao

Jul 3, 2023, 4:03:28 AM
to Wazuh mailing list
Yes, this is my problem. I use the custom decoder and logtest can work, but it does not show up on the dashboard.

On Monday, July 3, 2023 at 4:00:32 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 3, 2023, 5:39:28 AM
to Wazuh mailing list
Okay. I understand.

Please post the full logtest text with your custom decoder.

James Cao

Jul 3, 2023, 5:47:51 AM
to Wazuh mailing list
2023-07-03 07:43:00 W3SVC4736 192.168.31.129 GET /FileUpload/LicFileload.aspx BColor=B 80 - 192.168.30.158 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 http://192.168.31.129/NewLogin.aspx?Lang=en&PageType= 200 0 0 15

**Phase 1: Completed pre-decoding.
        full event: '2023-07-03 07:43:00 W3SVC4736 192.168.31.129 GET /FileUpload/LicFileload.aspx BColor=B 80 - 192.168.30.158 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0 http://192.168.31.129/NewLogin.aspx?Lang=en&PageType= 200 0 0 15'

**Phase 2: Completed decoding.
        name: 'web-accesslog-iis'
        parent: 'windows-date-format'
        Referer: 'http://192.168.31.129/NewLogin.aspx?Lang=en&PageType='
        action: 'GET'
        agent: 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0'
        code: '200'
        date: '2023-07-03 07:43:00'
        dstip: '192.168.30.158'
        httpver: 'HTTP/1.1'
        port: '80'
        query: 'BColor=B'
        sitename: 'W3SVC4736'
        srcip: '192.168.31.129'
        url: '/FileUpload/LicFileload.aspx'
        username: '-'

**Phase 3: Completed filtering (rules).
        id: '31100'
        level: '3'
        description: 'Access log messages grouped.'
        groups: '['web', 'accesslog']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

IIS version 10
Agent version 4.4.4

On Monday, July 3, 2023 at 5:39:28 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 3, 2023, 5:54:26 AM
to Wazuh mailing list
Thank you. Did you modify the rule also? 31100?

If so, please let me see what it looks like now.

James Cao

Jul 3, 2023, 5:56:48 AM
to Wazuh mailing list
Hi, I only adjusted rule.level 2 > 3.

<rule id="31100" level="3">
  <category>web-log</category>
  <description>Access log messages grouped.</description>
</rule>

On Monday, July 3, 2023 at 5:54:26 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 3, 2023, 6:46:03 AM
to Wazuh mailing list
Okay. Everything you have looks perfect.

Did you restart the Wazuh manager after making the changes?

If you did, please simulate the events again and let me know if they appear in alerts.log and the Wazuh dashboard.

James Cao

Jul 3, 2023, 7:11:29 AM
to Openime Oniagbi, Wazuh mailing list
Yes, I restarted the Wazuh manager when I configured the decoder.

In the first message I already posted the alerts.json picture, and the Wazuh dashboard does not show any event.

'Openime Oniagbi' via Wazuh mailing list <wa...@googlegroups.com> wrote on Monday, July 3, 2023 at 18:46:

Openime Oniagbi

Jul 3, 2023, 7:34:47 AM
to Wazuh mailing list
Can you filter for the event ID on the dashboard and increase the time limit to the last 1 year?

Openime Oniagbi

Jul 3, 2023, 7:35:09 AM
to Wazuh mailing list
I'd appreciate it if you can show me the output.

Openime Oniagbi

Jul 3, 2023, 8:10:45 AM
to Wazuh mailing list
I understand James.

Please keep your messages under this thread. Don't reply via email.

I understand what you have said. The reason for my suggestion is that I want to expand the timeframe and search specifically for that alert. The log you showed me in your alerts.log shows a rule level of 7, which is different from the rule id of 3. That suggests to me that you might have edited the rules several times.

My goal now is for you to filter for the rule.id with the expanded timeframe and confirm that the alert is indeed not on the dashboard. Try to simulate the alert again, please.

By default, the Wazuh dashboard displays every alert in the alerts.log file, but sometimes you might need the proper filters to find the alert you are looking for. That is why I am suggesting that you run the simulation again, expand the timeframe, and filter for rule.id:31100 on the Wazuh dashboard.

Please show me the screenshot of your search.

James Cao

Jul 3, 2023, 9:49:28 AM
to Wazuh mailing list
I simulated the alert again.

Default is normal.

Custom does not show up on the dashboard; the latest log stays at 2023-07-03 13:27:40, but the alerts.json log time is 2023-07-03 13:42:40.
So we can see that the dashboard's latest log showed up after using the default decoder, and after using the custom decoder nothing shows up on the dashboard anymore.

On Monday, July 3, 2023 at 8:10:45 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 6, 2023, 3:45:25 AM
to Wazuh mailing list
Hi,

Sorry for the late response.

I just got feedback internally that some events will not appear under the agent tab. I think this might be the cause of the issue you are facing. Can you filter for the rule.id on the main security event dashboard?

Please ensure that no agent is selected and that there is no agent filter.

Let me know if this helps.

James Cao

Jul 6, 2023, 3:54:59 AM
to Wazuh mailing list
Hi, I used the Discover tab to search rule.id 31100 and all results are default decoder alerts; no custom decoder alerts show up on the dashboard.

On Thursday, July 6, 2023 at 3:45:25 PM UTC+8, Openime Oniagbi wrote:

Openime Oniagbi

Jul 6, 2023, 4:46:21 AM
to Wazuh mailing list
Okay. In that case, I'd need some time to simulate this behavior. I'll let you know what I find and the next steps.

Thank you for being so patient.

James Cao

Jul 6, 2023, 4:47:04 AM
to Wazuh mailing list
OK, thanks for your help.

On Thursday, July 6, 2023 at 4:46:21 PM UTC+8, Openime Oniagbi wrote:

James Cao

Jul 6, 2023, 6:11:46 AM
to Wazuh mailing list
Hi, I solved this problem, thank you.

On Thursday, July 6, 2023 at 4:46:21 PM UTC+8, Openime Oniagbi wrote:
Okay. In that case, I'd need some time to simulate this behavior. I'll let you know what I find and the next steps.

Openime Oniagbi

Jul 6, 2023, 6:32:14 AM
to Wazuh mailing list
Great. Can you share how you solved it?

James Cao

Jul 6, 2023, 10:29:49 PM
to Wazuh mailing list
Hi,

In Elasticsearch a field can be either an object or a value; it cannot be an object in some documents and a value in others.
Maybe, in other decoders, the port field is used as a JSON object and not as a string (like in your decoder), and thus Filebeat is having this issue. I've worked around this by renaming the port key to portNumber, and the conflict was solved.

On Thursday, July 6, 2023 at 6:32:14 PM UTC+8, Openime Oniagbi wrote:
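As an added illustration of the root cause James describes (example code, not from the thread or from Wazuh): the custom decoder's regex is applied to a log line like the one in the logtest above, and a small check over two constructed alert documents then shows the object-versus-value clash on data.port and that renaming the field clears it. The second decoder's alert shape is a hypothetical, constructed for the example.

```python
import re

# Added example, not from the thread or from Wazuh. IIS_REGEX is the thread's custom
# web-accesslog-iis6 <regex> rewritten in Python syntax; the alert documents are constructed.
IIS_REGEX = re.compile(
    r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\w+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+) "
)
ORDER = ["date", "sitename", "srcip", "action", "url", "query", "port", "username",
         "dstip", "httpver", "agent", "Referer", "code"]
SAMPLE_LINE = ("2023-07-03 07:43:00 W3SVC4736 192.168.31.129 GET /FileUpload/LicFileload.aspx "
               "BColor=B 80 - 192.168.30.158 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) "
               "http://192.168.31.129/NewLogin.aspx 200 0 0 15")


def decode_iis(line):
    """Map the capture groups onto the <order> names, like logtest's Phase 2 output."""
    m = IIS_REGEX.match(line)
    return dict(zip(ORDER, m.groups())) if m else None


def field_types(doc, prefix=""):
    """Flatten an alert document into {dotted.path: 'object' or 'value'}."""
    out = {}
    for key, val in doc.items():
        path = prefix + key
        if isinstance(val, dict):
            out[path] = "object"
            out.update(field_types(val, path + "."))
        else:
            out[path] = "value"
    return out


def mapping_conflicts(docs):
    """Paths that are an object in one document and a scalar in another. Indexing such a
    document fails with a mapping error, so the alert is in alerts.json but never indexed."""
    seen, conflicts = {}, set()
    for doc in docs:
        for path, kind in field_types(doc).items():
            if seen.setdefault(path, kind) != kind:
                conflicts.add(path)
    return sorted(conflicts)


def demo(port_field="port"):
    """Two constructed alerts: one from the IIS decoder (port as a string) and one from a
    hypothetical decoder that emits port as an object. Renaming via port_field clears the clash."""
    iis = {"rule": {"id": "31100"}, "data": decode_iis(SAMPLE_LINE)}
    iis["data"][port_field] = iis["data"].pop("port")
    other = {"rule": {"id": "99999"}, "data": {"port": {"number": "443", "proto": "tcp"}}}
    return mapping_conflicts([iis, other])
```

Running `demo()` reports `data.port` as the conflicting path, while `demo("portNumber")` reports none, which matches the rename James used.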

Openime Oniagbi

Jul 10, 2023, 5:09:55 AM
to Wazuh mailing list
Okay, thank you.