Does anyone have vCenter 7 logs going into Wazuh


Tom Powers

Oct 27, 2022, 5:35:30 PM10/27/22
to Wazuh mailing list
We are syslogging vCenter logs and ESXi logs into Wazuh, but the decoders aren't seeing it as vmware... it sees Hostd or Rhttpproxy.

Occasionally it will detect a message as vmkernel... but otherwise a message like this just comes up as Hostd and doesn't parse past the decoder phase.

{"timestamp":"2022-10-27T21:15:48.649+0000","agent":{"id":"000","name":"sd-wazuh"},"manager":{"name":"sd-wazuh"},"id":"1666905348.1896384294","full_log":"2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2","predecoder":{"program_name":"Hostd","timestamp":"2022-10-27T21:15:48.652Z SD-VMH"},"decoder":{},"location":" [01;31m [K10.0.0.237 [m [K"}

Rule test shows:


**Phase 1: Completed pre-decoding.
        full event: '{"timestamp":"2022-10-27T21:15:48.649+0000","agent":{"id":"000","name":"sd-wazuh"},"manager":{"name":"sd-wazuh"},"id":"1666905348.1896384294","full_log":"2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2","predecoder":{"program_name":"Hostd","timestamp":"2022-10-27T21:15:48.652Z SD-VMH"},"decoder":{},"location":"[01;31m[K10.0.0.237[m[K"}'

**Phase 2: Completed decoding.
        name: 'json'
        agent.id: '000'
        agent.name: 'sd-wazuh'
        full_log: '2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2'
        id: '1666905348.1896384294'
        location: '[01;31m[K10.0.0.237[m[K'
        manager.name: 'sd-wazuh'
        predecoder.program_name: 'Hostd'
        predecoder.timestamp: '2022-10-27T21:15:48.652Z SD-VMH'
        timestamp: '2022-10-27T21:15:48.649+0000'


Adebayo Kalejaiye

Oct 31, 2022, 8:53:20 AM10/31/22
to Wazuh mailing list
Dear Thomas,

Apologies for the late response. You will need to create a decoder for the log below and not the JSON log:

2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2

Kindly see below the custom decoder and rule based on your use case:
<decoder name="vcenter">
  <program_name>^Hostd</program_name>
</decoder>
<decoder name="vcenter">
  <parent>vcenter</parent>
  <regex>warning (\.+) from (\d+.\d+.\d+.\d+)</regex>
  <order>variable, srcip</order>
</decoder>


**Messages:
    WARNING: (7003): '96f8d8e9' token expires
    INFO: (7202): Session initialized with token '1cc72bb3'

**Phase 1: Completed pre-decoding.
    full event: '2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2'
    timestamp: '2022-10-27T21:15:48.652Z SD-VMH'
    program_name: 'Hostd'

**Phase 2: Completed decoding.
    name: 'vcenter'
    srcip: '10.252.1.2'
    variable: 'hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local'

While for the rules: 

<group name="vcenter,">
  <rule id="100011" level="3">
    <decoded_as>vcenter</decoded_as>
    <description>vcenter logs</description>
  </rule>
</group>

**Messages:
    WARNING: (7003): '96f8d8e9' token expires
    INFO: (7202): Session initialized with token '9ea9544f'

**Phase 1: Completed pre-decoding.
    full event: '2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local from 10.252.1.2'
    timestamp: '2022-10-27T21:15:48.652Z SD-VMH'
    program_name: 'Hostd'

**Phase 2: Completed decoding.
    name: 'vcenter'
    srcip: '10.252.1.2'
    variable: 'hostd[2100984] [Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user admini...@vsphere.local'

**Phase 3: Completed filtering (rules).
    id: '100011'
    level: '3'
    description: 'vcenter logs'
    groups: '["vcenter"]'
    firedtimes: '1'
    mail: 'false'
**Alert to be generated.

I hope this helps.

Best Regards,
Adebayo Kalejaiye
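To make the point of the answer concrete, here is an added Python model (not part of the thread, nor Wazuh's own code) of what the decoder above does: the JSON wrapper the first logtest was fed is claimed by the json decoder, while the raw syslog line is pre-decoded, matched on program_name ^Hostd and then run through the regex in Wazuh's OS_Regex dialect. The syslog pre-decoder pattern and the OS_Regex-to-Python translation are simplified assumptions covering only the tokens this decoder uses.

```python
import json
import re

# Constructed sample input: the Hostd line from the thread, both as the raw syslog
# line the decoder must see and as the JSON wrapper the first logtest was fed.
RAW_LINE = ("2022-10-27T21:15:48.652Z SD-VMHOST02.fake.name Hostd: warning hostd[2100984] "
            "[Originator@6876 sub=Default opID=esxui-afae-eab2] Rejected password for user "
            "admini...@vsphere.local from 10.252.1.2")
JSON_EVENT = json.dumps({"full_log": RAW_LINE, "predecoder": {"program_name": "Hostd"}})

# The decoder's pattern in Wazuh OS_Regex syntax: "\." is any character, "\d" a digit,
# and a bare "." matches itself (the reverse of Python's meaning).
WAZUH_REGEX = r"warning (\.+) from (\d+.\d+.\d+.\d+)"
FIELD_ORDER = ["variable", "srcip"]        # the decoder's <order>

def wazuh_to_python(pattern):
    """Translate the subset of OS_Regex used above into a Python regex (assumption)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append({".": ".", "d": r"\d"}.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(r"\." if pattern[i] == "." else pattern[i])
            i += 1
    return "".join(out)

# Simplified pre-decoder for the "<timestamp> <host> <program>: <message>" syslog shape.
SYSLOG_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+): (.*)$")
VCENTER_RE = re.compile(wazuh_to_python(WAZUH_REGEX))

def decode(event):
    """Mimic the decoder chain: JSON is taken by the json decoder; syslog lines
    whose program_name starts with 'Hostd' go through the vcenter regex."""
    if event.lstrip().startswith("{"):
        return {"decoder": "json", **json.loads(event)}
    m = SYSLOG_RE.match(event)
    if not m or not m.group(3).startswith("Hostd"):    # <program_name>^Hostd</program_name>
        return {"decoder": None}
    fields = {"decoder": "vcenter", "program_name": m.group(3)}
    r = VCENTER_RE.search(m.group(4))
    if r:
        fields.update(zip(FIELD_ORDER, r.groups()))
    return fields

def match_rule(fields):
    """Rule 100011: fire at level 3 for anything decoded as vcenter."""
    return (100011, 3) if fields.get("decoder") == "vcenter" else None
```

Feeding the JSON-wrapped event yields the json decoder and no srcip, exactly as in the first logtest, while the raw line yields srcip 10.252.1.2 and fires rule 100011.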