samba fileserver log are not visible in wazuh

[Giacomazzi Gabriele Antonio]

Hi everyone,

i recently installed a wazuh agent in my samba fileserver.

It seems like no log is captured and thus not shown in the wazuh dashboard.

Maybe it's a rule problem?  Because i found the decoder, but i can't find any rule for samba fileserver.

Thanks in advance for the help.

Regards,

Gabriele

[Pedro Nicolás Gomez]

Hi, 

You can check if logs reach the manager by enabling temporarily logall_json in wazuh-manager

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

To enable logall, go to the manager ossec.conf file and change:
<logall_json>no</logall_json>    

to:
<logall_json>yes</logall_json>    

Restart the manager-

All logs received in the manager will be stored in the file /var/ossec/log/archives/archives.json.

If the log is received by the manager but no alert was generated, you should create custom rules and decoders.

Here I share information about custom rules and decoders.

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html

The wazuh_logtest tool can help with the whole process:

https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html

If the manager does not receive the events, we must verify if the samba server is writing the logs in a file, and then if the agent has the correct logcollector configuration to collect the logs.

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html

I hope it helps.

Best regards,

Pedro Nicolas.

[Giacomazzi Gabriele Antonio]

Hi, sorry for the delayed answer.

I managed to make the wazuh agent monitor the log that i wanted.

Now i need some help to write a regex and maybe adjust the log format for samba (if anyone can help me with that too).

--BEGIN LOG--

2024 Jun 24 09:15:13 (SambaFileServer) any->/var/log/samba/log.smbd [2024/06/24 11:15:12.594672,  2] ../../source3/smbd/close.c:830(close_normal_file)
2024 Jun 24 09:15:13 (SambaFileServer) any->/var/log/samba/log.smbd   user.test closed file testDir/testDir/testDir/testFile (numopen=15) NT_STATUS_OK

--END LOG--

This is a portion of the logs that i need wazuh to monitor and send some alerts.

I appreciate anyone who wants to help me get over this problem.

Best regards,

Gabriele

[Pedro Nicolás Gomez]

Hi,

Could you share the complete log as wazuh-manager receives it? this is by enabling the logall_json, in the previous comment I explain how to configure it.

It should look like the following example log:

{"timestamp":"2024-06-11T10:06:00.083-0300","agent":{"id":"000","name":"nico-VirtualBox"},"manager":{"name":"nico-VirtualBox"},"id":"1718111160.77271","full_log":"2024-01-01 01:23:45,678 [main] INFO com.sample.server.sample.sampletext.SampleController - getSampleList#127.0.0.1#username=sample #Request: [sampleString=1, sampleCode=1, sampleType=1]  ","predecoder":{"timestamp":"2024-01-01 01:23:45,678"},"decoder":{},"location":"/home/nico/log-test/test"}