nextcloud alerts

Daniel Kingsley

Sep 12, 2022, 8:12:10 AM
to Wazuh mailing list
I have several Nextcloud instances which successfully send alerts to the dashboard. However, I have created two new instances and added the same config to the local ossec.conf; the logs get parsed and show in the stats, but no alerts are generated for Nextcloud.

Any ideas on how to find the issue?

Damian Nicastro

Sep 12, 2022, 12:10:46 PM
to Wazuh mailing list
Hello tacticalnetdefence:

I hope you are fine.
Please, let me know the following details to help you further:
1) Your wazuh version:
For versions from 4.2.0 onwards:
# /var/ossec/bin/wazuh-control info
For versions older than 4.2.0:
# cat /var/ossec/etc/ossec-init.conf 

2) The configuration block that you are using to get the logs of Nextcloud. Are you using Wazuh agents, or are you sending the logs directly to the Wazuh manager?

3) The logs in the Wazuh manager and in the agent (if you are using it):
# less /var/ossec/logs/ossec.log | grep -iE 'WARN|ERROR'

4) You can also enable the archives.json file temporarily to confirm if the Nextcloud events from these instances are reaching the Wazuh manager:
# vi /var/ossec/etc/ossec.conf
...
<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
...
# systemctl restart wazuh-manager

Then you can check in this file if you have Nextcloud events like this:
# less /var/ossec/logs/archives/archives.json | grep -i nextcloud | grep '"srcip":"instance_ip"'

I hope this helps.
Thanks

Daniel Kingsley

Sep 13, 2022, 3:00:25 AM
to Wazuh mailing list
/var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.7"
WAZUH_REVISION="40320"
WAZUH_TYPE="server"

I'm using the agent on each instance with the following:

<localfile>
    <location>/var/log/nextcloud/audit.log</location>
    <log_format>json</log_format>
    <label key="@source">NextCloud</label>
</localfile>

For less /var/ossec/logs/ossec.log | grep -iE 'WARN|ERROR':

In the server, just a few of these lines relating to the agents that lack the data:
2022/09/13 00:04:07 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '016' OS. Skipping it.

In the agent, just a warning relating to the rootchecks, as I haven't downloaded them yet:

rootcheck: ERROR: No rootcheck_files file: 'etc/shared/rootkit_files.txt'

Will check the output of archives.json and post that too.

Daniel Kingsley

Sep 13, 2022, 3:11:31 AM
to Wazuh mailing list
less /var/ossec/logs/archives/archives.json | grep -i nextcloud | grep '"instance_ip"'

Example:

{"timestamp":"2022-09-13T05:20:02.755+0100","rule":{"level":2,"description":"NextCloud INFO message.","id":"88208","firedtimes":9,"mail":false,"groups":["json","nextcloud"]},"agent":{"id":"017","name":"xxxx","ip":"192.168..x.x."},"manager":{"name":"wazuh"},"id":"1663042802.218606907","full_log":"{\"reqId\":\"ZTVmExNLx4qvoPpQJOk3\",\"level\":1,\"time\":\"2022-09-13T05:20:02+01:00\",\"remoteAddr\":\"\",\"user\":\"--\",\"app\":\"admin_audit\",\"method\":\"\",\"url\":\"--\",\"message\":\"Console command executed: preview:pre-generate\",\"userAgent\":\"--\",\"version\":\"24.0.5.1\",\"data\":{\"app\":\"admin_audit\"},\"@source\":\"NextCloud\"}","decoder":{"name":"json"},"data":{"url":"--","reqId":"ZTVmExNLx4qvoPpQJOk3","level":"1","time":"2022-09-13T05:20:02+01:00","user":"--","app":"admin_audit","message":"Console command executed: preview:pre-generate","userAgent":"--","version":"24.0.5.1","data":{"app":"admin_audit"},"@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}

Example:

"Login attempt: \\\"user\\\"\",\"userAgent\":\"dav\",\"version\":\"24.0.5.1\",\"data\":{\"app\":\"admin_audit\"},\"@source\":\"NextCloud\"}","decoder":{"name":"json"},"data":{"url":"/remote.php/dav/files/user/","reqId":"E8v1B9UqrfO3dZLaPACh","level":"1","time":"2022-09-13T05:12:19+01:00","remoteAddr":"x.x.x.x","user":"--","app":"admin_audit","method":"PROPFIND","message":"Login attempt: \"user\"","userAgent":"dav","version":"24.0.5.1","data":{"app":"admin_audit"},"@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}
All seems good, but no events fired.

Damian Nicastro

Sep 13, 2022, 8:20:23 AM
to Wazuh mailing list
Hello tacticalnetdefence:

I hope you are fine.
The configuration seems to be OK.
The events in the archives show that the Nextcloud events are coming into the analysisd module of Wazuh and are being processed.
From what we see here, these events trigger rules with a level lower than 3. That means they will not be written to the /var/ossec/logs/alerts/alerts.json file, and therefore they won't fire alerts in the Wazuh dashboard:
...,"rule":{"level":2,"description":"NextCloud INFO message.","id":"88208","firedtimes":9,"mail":false...

You can find all the default Nextcloud rules in the following XML file:

If you need more information about Wazuh rules syntax, please check:

You can also modify this default config, putting a lower number to trigger alerts, like this:
# vi /var/ossec/etc/ossec.conf
...
<alerts>
    <log_alert_level>3</log_alert_level>   <<< modify this value here
    <email_alert_level>12</email_alert_level>
</alerts>

...
# systemctl restart wazuh-manager

I hope this helps.
Thanks
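As an added example (not code from this thread or from Wazuh itself), the script below applies the level check described in the reply above to archives.json-style lines and reports, per agent, which NextCloud events would reach alerts.json at a given log_alert_level; the sample lines, the agent names and the level-5 rule id "100002" are constructed for illustration.

```python
import json

# Constructed archives.json-style lines, modelled on the events quoted in this
# thread. Agent names and the level-5 rule "100002" are made up for illustration.
ARCHIVES_LINES = [
    '{"timestamp":"2022-09-13T05:20:02.755+0100","rule":{"level":2,"description":"NextCloud INFO message.","id":"88208","groups":["json","nextcloud"]},"agent":{"id":"017","name":"nc-new-1"},"data":{"app":"admin_audit","message":"Console command executed: preview:pre-generate","@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}',
    '{"timestamp":"2022-09-13T05:12:19.000+0100","rule":{"level":2,"description":"NextCloud INFO message.","id":"88208","groups":["json","nextcloud"]},"agent":{"id":"018","name":"nc-new-2"},"data":{"app":"admin_audit","message":"Login attempt: \\"user\\"","@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}',
    '{"timestamp":"2022-09-13T05:30:00.000+0100","rule":{"level":5,"description":"Constructed custom rule","id":"100002","groups":["json","nextcloud"]},"agent":{"id":"003","name":"nc-old-1"},"data":{"app":"admin_audit","message":"Login failed: \\"user\\"","@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}',
    "not json at all",  # a damaged line: skipped rather than aborting the run
]

def parse_events(lines):
    """Decode archives.json lines, keeping only events labelled @source=NextCloud."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("data", {}).get("@source") == "NextCloud":
            events.append(ev)
    return events

def reaches_alerts(event, log_alert_level):
    """analysisd writes an event to alerts.json only when rule.level >= log_alert_level."""
    return int(event["rule"]["level"]) >= log_alert_level

def summarize(lines, log_alert_level):
    """Per agent id: events seen, events that reach alerts.json, highest rule level seen."""
    summary = {}
    for ev in parse_events(lines):
        s = summary.setdefault(ev["agent"]["id"], {"events": 0, "alerts": 0, "max_level": 0})
        s["events"] += 1
        s["max_level"] = max(s["max_level"], int(ev["rule"]["level"]))
        s["alerts"] += reaches_alerts(ev, log_alert_level)
    return summary

def silent_agents(lines, log_alert_level):
    """Agents whose NextCloud events are all below the threshold: parsed, but never alerted."""
    return sorted(a for a, s in summarize(lines, log_alert_level).items() if s["alerts"] == 0)

if __name__ == "__main__":
    for level in (3, 1):  # the default from the reply above, then the lowered value
        print(f"log_alert_level={level}: silent agents {silent_agents(ARCHIVES_LINES, level)}")
```

On a real manager, feed it the lines of /var/ossec/logs/archives/archives.json instead of ARCHIVES_LINES; an agent listed as silent at the configured level is parsed correctly but cannot show up in the dashboard.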

Daniel Kingsley

Sep 13, 2022, 5:47:07 PM
to Wazuh mailing list
OK, that makes sense, but the rule levels are the same on the ones that do show events, AFAIK.

I will double-check that, of course, and modify the alert level as necessary.

Many thanks.

Daniel Kingsley

Sep 13, 2022, 5:55:59 PM
to Wazuh mailing list
Yes, sure enough, I had already modified my alert log level to 1, so I still have no answers :-(

<alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>
</alerts>

Daniel Kingsley

Sep 13, 2022, 6:19:34 PM
to Wazuh mailing list
Checked the alerts.json file and I get the alert in there:

{"timestamp":"2022-09-13T23:15:42.948+0100","rule":{"level":2,"description":"NextCloud INFO message.","id":"88208","firedtimes":14,"mail":false,"groups":["json","nextcloud"]},"agent":{"id":"018","name":"host","ip":"x.x.x.x"},"manager":{"name":"wazuh"},"id":"1663107342.2525990016","decoder":{"name":"json"},"data":{"url":"/remote.php/dav/files/user/Templates/","reqId":"SEOh8ZMgzQNKfjIdWa6N","level":"1","time":"2022-09-13T23:15:42+01:00","remoteAddr":"x.x.x.x","user":"--","app":"admin_audit","method":"PROPFIND","message":"Login attempt: \"user\"","userAgent":"dav","version":"24.0.4.1","data":{"app":"admin_audit"},"@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}

Damian Nicastro

Sep 14, 2022, 9:14:54 AM
to Wazuh mailing list
Hi tacticalnetdefence:

I hope you are fine.
If you receive the corresponding alerts in the "/var/ossec/logs/alerts/alerts.json" file, the problem could be in Filebeat, because it is down or not reading the mentioned file, or some problem in the Wazuh-indexer.
First, check that Filebeat is up and running and is connecting correctly to the wazuh-indexer server:
# systemctl status filebeat -l
# filebeat test output

Also check that Filebeat is reading the alerts.json file. You should see the filebeat service listed there:
# lsof /var/ossec/logs/alerts/alerts.json

If all this is OK, check in the Wazuh dashboard whether you are receiving new events. Your shards might be exhausted, or the disk space could have reached the watermark. By default, wazuh-indexer goes into read-only mode when the disk occupation reaches 85%:
Check disk space:
# df -h
Check shards occupation:

Check also the logs of Filebeat and wazuh-indexer:
# journalctl -u filebeat --no-pager | grep -iE 'WARN|ERROR'
or
# less /var/log/filebeat/filebeat  | grep -iE 'WARN|ERROR'
And
# less /var/log/wazuh-indexer/<cluster_name>.log | grep -iE 'WARN|ERROR'

I hope this helps.
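As an added example (not code from this thread or from Wazuh), the script below turns the disk-space step of the reply above into a check: it parses `df -P` output and flags any filesystem at or above the 85% watermark at which wazuh-indexer switches to read-only. The sample df output is constructed, and the paths passed to live_check (/var/lib/wazuh-indexer as the indexer data directory) are an assumption.

```python
import subprocess

WATERMARK = 85  # wazuh-indexer goes read-only at this disk occupation, per the reply above

def over_watermark(df_output, watermark=WATERMARK):
    """Return [(mount_point, used_pct)] for every filesystem at or above the watermark.

    df_output is the text of `df -P`; the header line is skipped and malformed lines ignored.
    """
    hits = []
    for line in df_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue
        used = int(fields[4].rstrip("%"))
        if used >= watermark:
            hits.append((fields[5], used))
    return hits

def live_check(paths=("/var/lib/wazuh-indexer", "/var/ossec/logs")):
    """Run df -P on the given paths (assumed indexer data and manager log locations)."""
    out = subprocess.run(["df", "-P", *paths], capture_output=True, text=True, check=True).stdout
    return over_watermark(out)

# Constructed df -P output so the example runs offline; the root volume is over the line.
SAMPLE_DF = """Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 51200000 45056000 6144000 88% /
/dev/sdb1 204800000 81920000 122880000 40% /var/lib/wazuh-indexer
"""

if __name__ == "__main__":
    for mount, used in over_watermark(SAMPLE_DF):
        print(f"{mount} is at {used}%: wazuh-indexer may have switched to read-only")
```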