Re: full_log decoder


Eduardo Leon Aldazoro

Mar 6, 2023, 9:02:56 AM
to Wazuh mailing list
Hi, thanks for using Wazuh!

A general solution would be to add a decoder that adds everything after a "=" sign to a variable and then create rules that fit your needs.
You can find more on how to do it on decoders in our documentation here.

Can you please answer the following questions to try to find a more specific answer:

- Do all related logs have the same keys, or do they change?
- Does the format of the values always remain the same, or does it change?
- Are these logs from a specific service?

Will wait for your answer

Best Regards,
On Monday, March 6, 2023 at 8:52:47 AM UTC-3 Alert SMS wrote:
Hello,

I'm new here and very happy with wazuh.
I configured a master and 2 workers, so far I have 3500 agents and everything seems to be going well.

However, I have an atypical situation regarding full_log decoding

I have the following log and I want to use absolutely all the fields in it.

type=SYSCALL msg=audit(1678101598.199:881873): arch=c000003e syscall=59 success=yes exit=0 a0=556766b4fe10 a1=556766c3da40 a2=556766b54e40 a3=8 items=2 ppid=1243421 pid=1254978 auid=367007056 uid=367007056 gid=367000513 euid=367007056 suid=367007056 fsuid=367007056 egid=367000513 sgid=367000513 fsgid=367000513 tty=pts40 ses=13410 comm="ping" exe="/usr/bin/ping" key="auditcmd"␝ARCH=x86_64 SYSCALL=execve AUID="user.test" UID="user.test" GID=646F6D61696E207573657273 EUID="user.test" SUID="user.test" FSUID="user.test" EGID=646F6D61696E207573657273 SGID=646F6D61696E207573657273 FSGID=646F6D61696E207573657273 type=BPRM_FCAPS msg=audit(1678101598.199:881873): fver=2 fp=0000000000002000 fi=0 fe=1 old_pp=0 old_pi=0 old_pe=0 old_pa=0 pp=0000000000002000 pi=0 pe=0000000000002000 pa=0 frootid=0 type=EXECVE msg=audit(1678101598.199:881873): argc=2 a0="ping" a1="10.10.20.123" type=CWD msg=audit(1678101598.199:881873): cwd="/home/user.test" type=PATH msg=audit(1678101598.199:881873): item=0 name="/usr/bin/ping" inode=4195170 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000002000 cap_fi=0 cap_fe=1 cap_fver=2 cap_frootid=0␝OUID="root" OGID="root" type=PATH msg=audit(1678101598.199:881873): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=4203695 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0␝OUID="root" OGID="root" type=PROCTITLE msg=audit(1678101598.199:881873): proctitle=70696E670031302E3133312E3235342E313233


Is there any decoder that can extract all fields, absolutely all?

I don't know regex at all and it's very difficult for me.

Can someone help me ?

Thanks in advance
Eduardo Leon Aldazoro

Mar 7, 2023, 7:24:02 AM
to Wazuh mailing list
Hi,

Sure, I will create a custom rule example for the first keys of the log, following the same steps as explained in our guide here.

First we create a new decoder in /var/ossec/etc/decoders/local_decoders.xml

<decoder name="full_log_decoding_example">
  <program_name>^full_log_decoding_example</program_name>
</decoder>

<!-- Child decoder: the parent name must match the decoder above exactly.
     In Wazuh regex, \w is a word character, \d a digit, and literal
     parentheses are escaped as \( and \). Each (...) group is stored in
     the field named at the same position in <order>. -->
<decoder name="first_key_example">
  <parent>full_log_decoding_example</parent>
  <regex>^type=(\w+) msg=audit\((\d+.\d+:\d+)\):</regex>
  <order>type,msg</order>
</decoder>

Then we create a custom rule in /var/ossec/etc/rules/local_rules.xml

<!-- Rules in local_rules.xml must sit inside a <group> element. -->
<group name="local,">
  <rule id="100010" level="0">
    <program_name>full_log_decoding_example</program_name>
    <description>Type msg</description>
  </rule>
</group>
 
I recommend checking this guide to learn how to use regex to get all the info from logs.
For example:
- \w : Matches any word character
- \d : Matches any digit character

It's important to confirm that the formats are constant before creating a decoder, so that it always matches the received log.

Hope this helps.

Best Regards,

On Tuesday, March 7, 2023 at 4:40:39 AM UTC-3 Alert SMS wrote:
I want all fields to be dynamic, everything that comes to me from /var/log/audit.log from the agents.
I use the same key; it doesn't change.

Can you give me a step by step example on the log above?
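Added example, not Wazuh code and not from anyone in this thread: a small Python parser for the audit key=value format quoted above. It shows what a decoder has to cope with before any regex is written: several type= records joined on one line, the ␝ (U+241D) enrichment separator, quoted values, and hex-encoded string values such as GID and proctitle. The sample line is a constructed, shortened copy of the one in the thread; the set of string-valued keys is an assumption based on common auditd fields.

```python
import re

# Constructed sample: a shortened version of the audit line quoted in the thread.
# U+241D (the "␝" shown in the thread) marks where auditd appended its
# human-readable enrichment (uppercase keys) to the raw record.
SAMPLE = (
    'type=SYSCALL msg=audit(1678101598.199:881873): arch=c000003e syscall=59 '
    'success=yes exit=0 uid=367007056 gid=367000513 comm="ping" exe="/usr/bin/ping" '
    'key="auditcmd"\u241dARCH=x86_64 SYSCALL=execve UID="user.test" '
    'GID=646F6D61696E207573657273 '
    'type=EXECVE msg=audit(1678101598.199:881873): argc=2 a0="ping" a1="10.10.20.123" '
    'type=PATH msg=audit(1678101598.199:881873): item=0 name="/usr/bin/ping" '
    'ouid=0 ogid=0 cap_frootid=0\u241dOUID="root" OGID="root" '
    'type=PROCTITLE msg=audit(1678101598.199:881873): '
    'proctitle=70696E670031302E3133312E3235342E313233'
)

# key=value: the value is either a double-quoted string or a run of characters
# up to the next space or enrichment separator (hex, numbers, audit(...) stamps).
KV = re.compile(r'(\w+)=("[^"]*"|[^\s\u241d]+)')
HEX = re.compile(r'^[0-9A-F]+$')
# Assumed set of string-valued audit fields; auditd hex-encodes these when they
# contain spaces or control characters. Enrichment keys (uppercase) follow the same rule.
STRING_KEYS = {'proctitle', 'comm', 'exe', 'key', 'cwd', 'name'}


def decode_value(key: str, value: str) -> str:
    """Strip quotes, decode hex-encoded strings, and drop the ':' after msg=audit(...)."""
    if value.startswith('"'):
        return value[1:-1]
    if key == 'msg':
        return value.rstrip(':')
    if (key in STRING_KEYS or key.isupper()) and HEX.match(value):
        text = bytes.fromhex(value).decode('utf-8', errors='replace')
        return text.replace('\x00', ' ')  # proctitle separates argv entries with NUL
    return value


def parse_audit_line(line: str) -> list[dict]:
    """Return one dict per 'type=' record, in the order they appear on the line."""
    records = []
    for key, raw in KV.findall(line):
        if key == 'type' or not records:
            records.append({})
        records[-1][key] = decode_value(key, raw)
    return records


if __name__ == '__main__':
    for rec in parse_audit_line(SAMPLE):
        print(rec['type'], {k: v for k, v in rec.items() if k != 'type'})
```

Wazuh decoders still have to be written in the regex syntax shown in the reply above; the parser only makes the field layout visible so you know which keys each child decoder must capture.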