Binary decoder


Tomas Beinaravičius

Mar 23, 2021, 7:22:17 AM
to Wazuh mailing list
Hey,

I'm looking into a way to parse binary log files, think of anything proprietary that has the possibility to be converted to any known format, for example a MacOS plist, which can be converted to JSON.

So my question is: what is the easiest way to run a command before sending the log to the decoder, knowing that the log is incremental?

Kindest,

tomas

Chema Martinez

Mar 24, 2021, 1:52:09 PM
to Wazuh mailing list
Hi Tomas,

Regarding your purpose, you can create a script to convert the binary file into a readable format such as JSON. 

That script can be launched by the Wazuh agent through the Command module. To do this, in your Wazuh agent you can configure it as follows:

<wodle name="command">
    <disabled>no</disabled>
    <tag>convert-binary</tag>
    <command>/bin/bash script.sh</command>
    <interval>1m</interval>
    <ignore_output>yes</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
</wodle>

The goal of the script is to generate the output file that will be read by the Logcollector module. However, you have to take into account a couple of facts:
  • Use the JSON log format when reading JSON events from a log file.
  • If the log file doesn't exist when the agent starts to run, you have to use a wildcard in the location field. That way, the module will start to monitor the log file when it is created.
A valid configuration, keeping in mind the previous points, would look like this:

<localfile>
    <log_format>json</log_format>
    <location>/path/to/converted-logs/*.json</location>
</localfile>

Joining both modules, the Wazuh agent should be able to monitor the logs from the binary files. Finally, you would have to create custom rules and decoders on the manager side to be able to process those events and fire alerts based on the information they contain.

Best regards,
Chema.
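A converter script of the kind described above, as an added example that is not part of this thread or of Wazuh itself: it assumes the binary log is a plist whose top level is an array of event dictionaries that only grows by appending, and it keeps a small state file (a constructed path) so that each run launched by the command wodle writes only the events not yet emitted to the JSON-lines file that logcollector monitors. The sample plist and its paths are constructed for the demo.

```python
import json
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path


def convert_new_records(plist_path, out_path, state_path):
    """Append records added since the last run as one JSON object per line.

    The state file holds how many records were already emitted; if the plist
    shrank (rotated or truncated), the counter resets so nothing is lost.
    Returns the number of records written.
    """
    with open(plist_path, "rb") as fh:
        records = plistlib.load(fh)  # assumed layout: array of dicts
    state = Path(state_path)
    done = int(state.read_text()) if state.exists() else 0
    if done > len(records):
        done = 0
    new = records[done:]
    with open(out_path, "a", encoding="utf-8") as out:
        for rec in new:
            # datetime/bytes values are not JSON-native; stringify them
            out.write(json.dumps(rec, default=str) + "\n")
    state.write_text(str(len(records)))
    return len(new)


def write_sample_plist(path, count):
    """Write a constructed binary plist with `count` event dictionaries."""
    events = [{"ts": datetime(2021, 3, 23, 7, 22, i), "event": "login",
               "user": f"user{i}", "seq": i} for i in range(count)]
    with open(path, "wb") as fh:
        plistlib.dump(events, fh, fmt=plistlib.FMT_BINARY)


def demo():
    """Two runs against a growing log: 3 records first, then 2 more."""
    work = Path(tempfile.mkdtemp())
    plist, out, state = work / "log.plist", work / "log.json", work / ".state"
    write_sample_plist(plist, 3)
    first = convert_new_records(plist, out, state)
    write_sample_plist(plist, 5)  # the log grew by two events
    second = convert_new_records(plist, out, state)
    return first, second, len(out.read_text().splitlines())


if __name__ == "__main__":
    print(demo())  # (3, 2, 5)
```

In the wodle configuration above, the <command> element would point at this script instead of script.sh, and the <location> of the <localfile> block at the directory where it writes its JSON output.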