Wazuh and Checkpoint integration by S3


Oleh Pelyno

Jan 30, 2025, 4:59:07 AM
to Wazuh | Mailing List

Hello Team,

I've been able to send CheckPoint logs to an S3 bucket named checkpoint-logs-new in the logs folder. However, after adding a new S3 integration for these Check Point logs, it isn’t working as expected.

My existing CloudTrail integration is still functioning correctly, and I've confirmed that the necessary IAM permissions are correct.
Could you please help me troubleshoot why this new S3 integration for Check Point logs isn’t working? Below is the relevant ossec_config snippet:

<ossec_config>
  <!-- Other configuration elements -->

  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>5m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <!-- First S3 bucket configuration (CloudTrail) -->
    <bucket type="cloudtrail">
      <name>aws-cloudtrail-logs-********-******</name>
      <!-- Additional configurations -->
    </bucket>

    <!-- Second S3 bucket configuration (Check Point logs) -->
    <bucket type="custom">
      <name>checkpoint-logs-new</name>
      <!-- Additional configurations -->
    </bucket>

  </wodle>

  <!-- Other configuration elements -->
</ossec_config>

Oleh

Jan 30, 2025, 5:08:50 AM
to Wazuh | Mailing List
I also tried to get the logs via syslog; that isn't working either (log format syslog).



<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>**.***.**.**/32</allowed-ips>
  </remote>
</ossec_config>

root@ip-10-5-94-74:/home/ubuntu# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      296141/wazuh-remote

root@ip-10-5-94-74:/home/ubuntu# ss -natup | grep 514
tcp   LISTEN     0      128               0.0.0.0:514              0.0.0.0:*     users:(("wazuh-remoted",pid=296141,fd=4))

On Thursday, January 30, 2025 at 11:59:07 UTC+2, Oleh Pelyno wrote:

hasitha.u...@wazuh.com

Jan 30, 2025, 5:50:54 AM
to Wazuh | Mailing List
Hi Oleh,

I believe you need to create custom decoders and rules to extract and generate alerts on the Wazuh side.

If that is capable of forwarding logs using syslog, I suggest you follow these steps to verify.

Once you have configured it on the Check Point side, you can configure the Wazuh manager to receive the logs.
You can add this configuration to the Wazuh manager's ossec.conf file.


<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>**.***.**.**/32</allowed-ips>
</remote>

To get a proper idea of the remote configuration block, you can refer to this:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html#configuring-syslog-on-the-wazuh-server

Once it is configured, enable the archive logs on the Wazuh manager to verify that logs are reaching the manager.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    ...
    <logall>no</logall>
    <logall_json>yes</logall_json>
    ...
  </global>
  ...
</ossec_config>

Then restart the Wazuh manager to apply changes.
systemctl restart wazuh-manager

And then check the full log of your SEPM server, and share the output of this:
cat /var/ossec/logs/archives/archives.json | grep -i -E "<part_of_your_checkpoint_log>"

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

If you find Check Point-related logs in archives.json:

Once you confirm this, you can test your logs and apply any custom decoders and rules to extract the fields and generate alerts.
You can simply copy the sample log and paste it after executing the command below. This will give you an idea of whether it applies any decoders and rules.
/var/ossec/bin/wazuh-logtest

Please make sure you are testing logs using the full_log field from /var/ossec/logs/archives/archives.json.
We recommend creating custom rules and decoders based on archives.json because in these logs we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):
For example, if the log in archives.json looks like this:
{"timestamp":"2025-01-25T10:19:40.221+0100","agent":{"id":"000","name":"TESTWAZUH"},"manager":{"name":"TESTWAZUH"},"id":"1737796780.79261954","full_log":"1 2025-01-25T10:19:37+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A1 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:aa:fd:44:62:04:08:00 SRC=192.168.215.207 DST=255.255.255.255 LEN=770 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40144 DPT=1900 LEN=750 MARK=0 ","decoder":{},"location":"192.168.201.17"}

The log you need to test using wazuh-logtest is this:
1 2025-01-25T10:19:37+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A1 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:aa:fd:44:62:04:08:00 SRC=192.168.215.207 DST=255.255.255.255 LEN=770 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40144 DPT=1900 LEN=750 MARK=0 

Further, you can learn more about how to create custom decoders and rules by following these documents:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

If you need further assistance, please share some sample full logs from the archives.json file.

Regards,
Hasitha Upekshitha

Oleh

Jan 30, 2025, 8:05:57 AM
to Wazuh | Mailing List
Hello, could you please provide information on where I can find the decoder and rules for Check Point Harmony Email & Collaboration? Thank you.

On Thursday, January 30, 2025 at 12:50:54 UTC+2, hasitha.u...@wazuh.com wrote:

hasitha.u...@wazuh.com

Feb 6, 2025, 4:24:36 AM
to Wazuh | Mailing List
Hi Oleh,

Basically, the Wazuh default decoders and rules are located in the /var/ossec/ruleset/decoders and /var/ossec/ruleset/rules folders.

Before checking the decoder and rule files, I suggest you check whether logs are reaching the Wazuh manager by enabling archive logs.
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving
You can enable JSON-format archive logging by modifying your ossec.conf file on the Wazuh manager:
<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>
After making these changes, restart the Wazuh manager to apply them:
systemctl restart wazuh-manager

Once enabled, check if the relevant logs are present in the archive logs using grep:
cat /var/ossec/logs/archives/archives.json | grep "part of your log"

If you find relevant logs, please share the full_log field from the archives.json file.
For example, if you receive a log like this:
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}

Please share the full_log part:
Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'


Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Once you found the Check Point Harmony Email & Collaboration related logs copy the full_log part as I mentioned above.

Then test whether that log is matched by any decoders and rules using wazuh-logtest.

Once you confirm this, you can test your logs and apply any custom decoders and rules to extract the fields and generate alerts.
You can simply copy the sample log and paste it after executing the command below. This will give you an idea of whether it applies any decoders and rules.
/var/ossec/bin/wazuh-logtest

If the logs do not match any decoders and rules, you need to create custom decoders and rules.
If you need further assistance on creating custom decoders and rules, please share the sample logs so that we can assist you further. Let me know the update on this.

Regards,
Hasitha Upekshitha
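The workflow in both of Hasitha's replies is the same: enable logall_json, pull the full_log values out of archives.json, paste one into wazuh-logtest, and only then write a decoder for the fields you need. The script below is an added example, not code from the thread or from the Wazuh project. It reads archives.json line by line (skipping a half-written line the way a grep pipeline would not), returns only the full_log text that wazuh-logtest expects, and prototypes the field extraction that a custom decoder's <regex>/<order> would later perform on the ulogd sample quoted above. The sample archives content, the function names and the regex are all constructed for this example; Wazuh's own regex dialect (OS_Regex) differs from Python's, so the regex is only a check that the fields sit where you think they do before you write the XML.

```python
"""Pull full_log values out of a Wazuh archives.json and prototype the field
extraction that a custom decoder would perform (example code, not Wazuh's)."""
import json
import re
from typing import Iterator, List, Optional

# Constructed sample of /var/ossec/logs/archives/archives.json content, one
# JSON event per line. The first two full_log values are the ones quoted in
# the thread; the third line is deliberately truncated to show that a
# corrupted line is skipped instead of aborting the run.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2025-01-25T10:19:40.221+0100","agent":{"id":"000","name":"TESTWAZUH"},"manager":{"name":"TESTWAZUH"},"id":"1737796780.79261954","full_log":"1 2025-01-25T10:19:37+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A1 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:aa:fd:44:62:04:08:00 SRC=192.168.215.207 DST=255.255.255.255 LEN=770 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40144 DPT=1900 LEN=750 MARK=0 ","decoder":{},"location":"192.168.201.17"}
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon"},"decoder":{},"location":"/var/log/syslog"}
{"timestamp":"2025-01-25T10:19:41.000+0100","agent":{"id":"000"
'''


def iter_events(archives_text: str) -> Iterator[dict]:
    """Yield one parsed event per well-formed line; skip blank or corrupt lines
    (the manager may still be flushing the last line when you read the file)."""
    for line in archives_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_full_logs(archives_text: str, needle: str) -> List[str]:
    """Like `grep -i needle archives.json`, but match only inside full_log and
    return just that field, which is the text wazuh-logtest expects."""
    hits = []
    for event in iter_events(archives_text):
        full_log = event.get("full_log")
        if isinstance(full_log, str) and needle.lower() in full_log.lower():
            hits.append(full_log.strip())
    return hits


# Python equivalent of what a custom decoder would capture with
# <regex>...</regex> and <order>srcip, dstip, protocol, srcport, dstport</order>.
# Ports are optional because ICMP drops carry no SPT/DPT (hypothetical edge case).
FIELD_RE = re.compile(
    r"SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?PROTO=(?P<protocol>\w+)"
    r"(?: SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+))?"
)


def decode_firewall_drop(full_log: str) -> Optional[dict]:
    """Return the fields a DROP line carries, or None if the line is not a
    firewall drop (so a rule keyed on these fields would not fire)."""
    if "DROP:" not in full_log:
        return None
    match = FIELD_RE.search(full_log)
    if not match:
        return None
    fields = {k: v for k, v in match.groupdict().items() if v is not None}
    fields["action"] = "DROP"
    return fields


if __name__ == "__main__":
    # Usage: feed each full_log to /var/ossec/bin/wazuh-logtest by hand, and use
    # the decoded dict to confirm the regex before writing the XML decoder.
    for full_log in find_full_logs(SAMPLE_ARCHIVES, "DROP:"):
        print(full_log)
        print(decode_firewall_drop(full_log))
```

Running it prints the ulogd full_log (ready to paste into wazuh-logtest) and the dictionary of fields a decoder would expose to a rule; the dbus-daemon line is returned by find_full_logs when searched for, but decode_firewall_drop returns None for it because it is not a drop event.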