Sophos central logs not showing in wazuh security events


Siddhesh Mestry

Mar 30, 2024, 5:44:54 AM
to Wazuh | Mailing List
Dear Wazuh team

I am new to Wazuh and installed it last week. I am trying to ingest the Sophos Central logs into Wazuh via API integration using the Sophos script for SIEM integration, but the logs are seen in result.txt and not in alerts.json or alerts.log. Kindly help resolve this soon.


Waiting for your detailed steps on configuring Sophos Central to Wazuh.

Md. Nazmur Sakib

Mar 31, 2024, 10:59:24 PM
to Wazuh | Mailing List

Hi Siddhesh Mestry,


Good Day!


Can you enable the archive log following the steps below and check whether the Sophos logs are properly forwarded to the Wazuh manager?


Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.


Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.


Look for any logs inside the archive log that are relevant to the allowed log. Use grep parameters related to the log.


grep Keyword /var/ossec/logs/archives/archives.log


Next, you can test those logs using logtest to find out whether the logs are decoded by decoders and matched by rules.


Check this document to get help with the logtest tool.

https://documentation.wazuh.com/current/user-manual/ruleset/testing.html



If you see that your logs are not decoded by any decoder or do not trigger any rules, write custom decoders and rules for your logs:

https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html


Let me know if you need further assistance.

Siddhesh Mestry

Apr 2, 2024, 4:44:11 AM
to Wazuh | Mailing List
Dear Md. Nazmur Sakib,

Thanks for your response.

Having gone through the steps you provided, I enabled the logall option in ossec.conf and monitored archives.log, but I am still not getting the Sophos Central logs in it.
I also tested the log from result.txt in logtest, and there the log is decoded properly.

Md. Nazmur Sakib

Apr 9, 2024, 3:21:48 AM
to Wazuh | Mailing List
Hi Siddhesh Mestry,

Sorry for the late response. I was on my holiday.

If you are still facing the issue, can you share some sample logs so that I can test them in my lab and guide you accordingly?

Siddhesh Mestry

Apr 13, 2024, 7:40:33 AM
to Wazuh | Mailing List
Dear Team,

I am still facing the issue with the Sophos Central logs; below is the log received in result.txt.
Kindly help resolve this issue.

{"javaUUID": "14f16db6-3876-d428-e943-5f0085563412", "actionable": false, "customer_id": "694e9382-9099-4205-a200-e496dc566f47", "severity": "medium", "event_service_event_id": "411fd66b-8367-4d82-9e34-f50058654321", "description": "Kolkata_to_warli-1 - IPSec Connection Kolkata_to_warli-1 between 115.242.14.4 and 150.242.151.195 for Child Kolkata_to_worli-1 terminated. (Remote: 115.242.14.4)", "type": "Event::Firewall::FirewallVPNTunnelDown", "data": {"created_at": 1713006547146, "endpoint_id": "1f5effe6-5383-466c-84a3-f75b612074cb", "endpoint_java_id": "1f5effe6-5383-466c-84a3-f75b612074cb", "endpoint_platform": "unknown", "endpoint_type": "utm", "event_service_id": {"type": 3, "data": "QR/Wa4NnTYKeNPUAWGVDIQ=="}, "inserted_at": 1713006547146}, "id": "411fd66b-8367-4d82-9e34-f50058654321", "datastream": "alert", "rt": "2024-04-13T11:09:07.160Z", "end": "2024-04-13T11:09:07.141Z", "dhost": "kolkata-office", "name": "Kolkata_to_warli-1 - IPSec Connection Kolkata_to_warli-1 between 115.242.14.4 and 150.242.151.195 for Child Kolkata_to_warli-1 terminated. (Remote: 115.242.14.4)"}

Md. Nazmur Sakib

Apr 15, 2024, 8:09:45 AM
to Wazuh | Mailing List

Hi Siddhesh Mestry,


Hope you are doing well today.

With your log and using JSON format, I was able to reproduce this error.



Can you share the configuration you are using to monitor the result.txt file?


2024-04-15T17:56:59.083+0600    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event 

{"type":"mapper_parsing_exception","reason":"failed to parse field [data.data] of type [keyword] Preview of field's value: '{endpoint_type=utm, event_service_id={data=QR/Wa4NnTYKeNPUAWGVDIQ==, type=3}, endpoint_platform=unknown, created_at=1713006547146.000000, endpoint_id=1f5effe6-5383-466c-84a3-f75b612074cb, endpoint_java_id=1f5effe6-5383-466c-84a3-f75b612074cb, inserted_at=1713006547146.000000}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:136"}}



With your logs, I was able to generate this error in the Filebeat log.


If you take a look at the log, it says failed to parse field [data.data] of type [keyword] [...] "reason":"Can't get text on a START_OBJECT", which means that, at some point, one of the indexed events contained a field named data.data mapped as an object, but at a later point in time a different event contained a field named data.data mapped as a keyword (a type of string).

This can happen in scenarios such as the following:

Multiple sources of information, some of them with an object and others with a string, decode a particular field as data.data.

One way you can solve this is to understand which events include a field that is decoded as object under data.data and modify the decoder so it is stored under a different field (maybe data.data_object).

You can learn more about conflicts here: https://medium.com/@rkaur05/handling-conflicts-of-elastic-search-1efc593358d2


Let me know if you need any further information on this.
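The mapping conflict described in this thread (the Sophos event's top-level "data" object landing at data.data while another source already indexed data.data as a keyword) can be checked for, and worked around, before the file ever reaches the Wazuh logcollector. The following script is an added example and is not code from the thread, from Wazuh or from Sophos. It assumes that Wazuh's JSON decoder places event fields under the alert's data.* namespace, that the Sophos SIEM script writes one JSON event per line to result.txt, and that renaming the nested object to data_object (the field name suggested in the reply above) is acceptable for your rules; the sample lines are constructed, with the identifiers from the posted event replaced by placeholders, and the second line is an invented event in which "data" is a plain string.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Sophos Central SIEM output.
# The first mirrors the event posted in the thread (identifiers replaced
# with placeholders); the second is an invented event where "data" is a
# string, which is the combination that produces the mapper_parsing_exception.
SAMPLE_RESULT_LINES = [
    '{"id": "EVENT-ID-PLACEHOLDER", "severity": "medium", '
    '"type": "Event::Firewall::FirewallVPNTunnelDown", '
    '"data": {"created_at": 1713006547146, "endpoint_type": "utm", '
    '"event_service_id": {"type": 3, "data": "BASE64-PLACEHOLDER"}}, '
    '"datastream": "alert", "dhost": "kolkata-office"}',
    '{"id": "EVENT-ID-PLACEHOLDER-2", "severity": "low", '
    '"type": "Event::Endpoint::Example", "data": "free text detail"}',
]


def json_type(value):
    """Map a JSON value to the mapping type the index would infer for it."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "keyword"
    if value is None:
        return "null"
    return "array"


def walk(obj, prefix):
    """Yield (dotted path, type) for every field, nested objects included.

    The prefix models the alert namespace the JSON decoder writes to
    (assumed to be 'data'), so a top-level 'data' key becomes 'data.data'.
    """
    for key, value in obj.items():
        path = f"{prefix}.{key}"
        yield path, json_type(value)
        if isinstance(value, dict):
            yield from walk(value, path)


def find_type_conflicts(lines, root="data"):
    """Return {path: sorted types} for every path seen with more than one type.

    A path that appears both as 'object' and as 'keyword' is exactly the
    condition behind 'Can't get text on a START_OBJECT' in the Filebeat log.
    """
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for path, typ in walk(json.loads(line), root):
            seen[path].add(typ)
    return {path: sorted(types) for path, types in seen.items() if len(types) > 1}


def rename_key(event, old, new):
    """Move event[old] to event[new] only when it is an object; strings stay put."""
    if isinstance(event.get(old), dict):
        event[new] = event.pop(old)
    return event


def preprocess(lines, old="data", new="data_object"):
    """Rewrite result.txt lines so the nested object no longer collides.

    Output is one compact JSON object per line, ready for the logcollector.
    """
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = rename_key(json.loads(line), old, new)
        out.append(json.dumps(event, separators=(",", ":")))
    return out


if __name__ == "__main__":
    print("conflicts before:", find_type_conflicts(SAMPLE_RESULT_LINES))
    fixed = preprocess(SAMPLE_RESULT_LINES)
    print("conflicts after:", find_type_conflicts(fixed))
    for line in fixed:
        print(line)
```

Run find_type_conflicts over a day's worth of result.txt lines (and over lines from any other JSON source feeding the same index) to confirm data.data is the only colliding path before changing anything; if the conflict is with events already in the index rather than between Sophos events, the rename on the Sophos side removes the collision for new events, but documents already indexed with the other type are unaffected.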
