Sending Nessus logs to wazuh


Syrine ZOUARI

Apr 3, 2024, 6:18:25 AM
to Wazuh | Mailing List
Hello guys,
I'm trying to send logs from Nessus using this file: /opt/nessus/var/nessus/logs/backend.log
I focused on these lines:
[26/Jan/2024:11:48:30 -0500] [info] [http] [username=Syrine, request_id=mug/1706287709:0:490] user: Syrine successful login from ip: 127.0.0.1
[26/Jan/2024:11:50:42 -0500] [info] [http] [username=Syrine, schedule_id=5, request_id=mug/1706287842:0:525] Started scan 'OOUC' as '37bc4c77-014d-4211-d076-4633a2f13727e467b8d0eb470b68'

So I started by configuring the Wazuh agent by adding these lines to the ossec.conf file:
<localfile>
  <log_format>syslog</log_format>
  <location>/opt/nessus/var/nessus/logs/backend.log</location>
</localfile>
Then I added these decoders in the Wazuh manager:
<decoder name="backendlog">
  <prematch type="pcre2">^[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\]</prematch>
</decoder>

<decoder name="backendlog_test">
  <parent>backendlog</parent>
  <regex type="pcre2" offset="after_parent">\[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \[info\] \[http\] \[username=[A-Za-z]+, request_id=[A-Za-z\/\d:]+\] user: [A-Za-z]+ successful login from ip: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}</regex>
  <order>full_log,fecha_accion,hora_accion,user_id,ip</order>
</decoder>

<decoder name="nessus_log">
  <prematch type="pcre2">^[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\]</prematch>
</decoder>

<decoder name="nessus_log">
  <parent>nessus_log</parent>
  <regex type="pcre2" offset="after_parent">\[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] \[info\] \[http\] \[username=[A-Za-z]+, schedule_id=\d+, request_id=[A-Za-z\/\d:]+\] Started scan '[A-Za-z0-9]+' as '[A-Za-z0-9-]+'</regex>
  <order>full_log,fecha_accion,hora_accion,scan_name,scan_id</order>
</decoder>

And these rules:
<group name="Nessus">
  <rule id="120003" level="3">
    <decoded_as>backendlog_test</decoded_as>
    <srcip>192.168.230.128</srcip>
    <description>Nessus user successful login</description>
  </rule>

  <rule id="120004" level="3">
    <decoded_as>nessus_log</decoded_as>
    <srcip>192.168.230.128</srcip>
    <description>Nessus scan started</description>
  </rule>
</group>
However, after starting to test the configuration, I received nothing in return. Any idea?

Dario Menten

Apr 5, 2024, 9:54:29 AM
to Wazuh | Mailing List

Hello Syrine,
Thank you for posting in the community.

It seems the regular expression for the prematch is not correct (check it here); please try this:

^\[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\+-\-]\d{4}\] \[[a-z]*\] \[[a-z]*\]

Remember you can make use of standard fields like srcuser instead of user_id; this can help you in the future with log correlation.
I leave you here some documentation about decoders and rules:

I hope this information could be helpful.
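An added example, not from the thread or from Wazuh itself: a Python script that runs the prematch as posted and the corrected one from the reply over the two log lines quoted in the question (Python's re module reads these patterns the same way PCRE2 does here), then shows the child-pattern field extraction using the standard srcuser/srcip names suggested above. The decoder names nessus_login and nessus_scan_started and the named capture groups are assumptions made for this script, not part of either post.

```python
import re
import warnings
# Two backend.log lines copied from the question (constructed sample input for this script).
LOGIN_LINE = ("[26/Jan/2024:11:48:30 -0500] [info] [http] [username=Syrine, "
              "request_id=mug/1706287709:0:490] user: Syrine successful login from ip: 127.0.0.1")
SCAN_LINE = ("[26/Jan/2024:11:50:42 -0500] [info] [http] [username=Syrine, schedule_id=5, "
             "request_id=mug/1706287842:0:525] Started scan 'OOUC' as "
             "'37bc4c77-014d-4211-d076-4633a2f13727e467b8d0eb470b68'")

# Prematch exactly as posted: the first "[" is unescaped, so "[\d{2}\/[A-Za-z]" is read as one
# character class and the timestamp bracket is never matched literally.
with warnings.catch_warnings():
    warnings.simplefilter("ignore")  # Python flags the "[" nested in the class; PCRE2 reads it the same way
    PREMATCH_POSTED = re.compile(r"^[\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\]")

# Corrected prematch from the reply, with named groups added (assumption) so the timestamp is kept.
# "[+-]" accepts "-0500" as in the question; the posted "\+" only accepted positive offsets.
PREMATCH_FIXED = re.compile(
    r"^\[(?P<timestamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"\[(?P<level>[a-z]*)\] \[(?P<component>[a-z]*)\]")

# Child patterns, applied only to the text after the prematch (offset="after_parent"),
# using standard Wazuh field names (srcuser, srcip) as the reply suggests.
LOGIN_RE = re.compile(
    r"\[username=(?P<srcuser>[^,\]]+), request_id=[^\]]+\] user: \S+ successful login "
    r"from ip: (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")
SCAN_RE = re.compile(
    r"\[username=(?P<srcuser>[^,\]]+), schedule_id=(?P<schedule_id>\d+), request_id=[^\]]+\] "
    r"Started scan '(?P<scan_name>[^']+)' as '(?P<scan_id>[^']+)'")
CHILDREN = (("nessus_login", LOGIN_RE), ("nessus_scan_started", SCAN_RE))  # hypothetical names


def decode(line):
    """Return the fields a decoder chain built on the fixed prematch would extract, or None."""
    parent = PREMATCH_FIXED.match(line)
    if parent is None:
        return None
    fields = {"decoder": "nessus_log", **parent.groupdict()}
    rest = line[parent.end():]
    for name, child in CHILDREN:
        m = child.search(rest)
        if m:
            fields["decoder"] = name
            fields.update(m.groupdict())
            break
    return fields


if __name__ == "__main__":
    for line in (LOGIN_LINE, SCAN_LINE):
        print("posted prematch matches:", bool(PREMATCH_POSTED.match(line)))  # False for both
        print(decode(line))
```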
