Windows Application, System and Sophos network traffic logs not appearing


M.Ali

Oct 21, 2019, 10:30:12 AM
to Wazuh mailing list
Hi everybody,

I deployed WAZUH.ovf on a virtual server with all available decoders and rules and added some nodes with Windows, Ubuntu and a Sophos firewall, but the Windows and Ubuntu application and system logs are not appearing anywhere, and the Sophos firewall traffic logs are also missing.

I am new to Wazuh; please guide me through the process step by step.

Thanks in advance.

Regards
M. Ali
   

Juan Pablo Saez

Oct 22, 2019, 8:38:40 AM
to Wazuh mailing list
Hello M. Ali,

After deploying the Wazuh manager on a virtual server:
  • Firstly, you should install the Wazuh agent on the nodes that you want to monitor. Here you can download the Wazuh agent for all the supported platforms.
  • Only registered agents can report to the Wazuh manager. That's why, after the agent installation, you should register each agent against the manager. Here you have the available registration methods.
    • You need to add the manager IP to the agent's /var/ossec/etc/ossec.conf if it is a Linux agent, or C:\Program Files (x86)\ossec-agent\ossec.conf for a Windows agent.
    • You should also run /var/ossec/bin/agent-auth -m MANAGER_IP (this is just one of the multiple registration methods).
  • If your agents are correctly registered they should start sending events to the manager, which will evaluate these events and generate alerts based on rules.
    • You can check whether your agents are connected to the manager using the /var/ossec/bin/agent_control binary on the manager side, e.g.:
      root@vagrant /home/vagrant $ agent_control -l

      Wazuh agent_control. List of available agents:
         ID: 000, Name: vagrant (server), IP: 127.0.0.1, Active/Local
         ID: 006, Name: WIN10, IP: 192.168.75.141, Active
         ID: 005, Name: SERV2k16, IP: 192.168.75.133, Active
         ID: 007, Name: workerCentos, IP: 192.168.33.32, Active
    • Your agents should appear Active to be able to send events to the manager.
Please, let me know if you have correctly installed and registered your agents. Then we can keep tuning your Wazuh configuration to monitor the firewall and other software.

Greetings, JP Sáez

M.Ali

Oct 22, 2019, 10:26:20 AM
to Wazuh mailing list
Hi Juan Pablo Saez, 

Thanks for the above details. I did all of the above and am receiving logs from all nodes.
But the problem is that I want to implement rules which can create an alert if an IP tries to scan my server's ports or any other VA tool tries to scan the system. That is for the servers.

And for the Sophos firewall

I want to create a table or count list which shows me network traffic, e.g. IP 192.168.x.x accessed IP 192.X.X.X at port 1111.

Right now I am not able to view these things. The rules deployed with Wazuh are only showing me the security events.

Juan Pablo Saez

Oct 22, 2019, 11:08:41 AM
to Wazuh mailing list
Hello again M.Ali,

  • You have two options to monitor the Sophos firewall:
    • If the firewall node has the Wazuh agent installed, you should monitor the logs by placing <localfile> stanzas in the agent ossec.conf file (Linux systems: /var/ossec/etc/ossec.conf; Windows systems: C:\Program Files (x86)\ossec-agent\ossec.conf), e.g.:
        <localfile>
          <log_format>syslog</log_format>
          <location>/path/to/sophos/log.log</location>
        </localfile>
      ---------------------------------------------------------------------------------------
      This way the log collection module will ingest logs from the specified path.
    • If the firewall node doesn't have the Wazuh agent installed, you should forward the logs from the node to the Wazuh manager using the Syslog protocol. You should enable log forwarding from Sophos to the Wazuh manager IP and set the following block to receive the logs on the manager side:
      <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>udp</protocol>
        <allowed-ips>10.0.0.0/24</allowed-ips> <!-- here you should place the firewall node ip -->
        <local_ip>10.0.0.1</local_ip>
      </remote>
Let's first configure the firewall log ingest and alerting. Then we can continue with more tuning to suit Wazuh to your needs.

I hope it helps. Greetings, 
JP Sáez

M.Ali

Nov 23, 2019, 5:22:14 AM
to Wazuh mailing list
Really sorry for the late reply.

I did the above steps but the Sophos firewall is not appearing as an agent in the agent list.

When I try to add it as a new agent with its IP, its status appears as never connected.

Juan Pablo Saez

Nov 26, 2019, 5:52:16 AM
to Wazuh mailing list
Hello again M.Ali,

I did the above steps but the Sophos firewall is not appearing as an agent in the agent list.

  • If your Sophos logs are placed in an endpoint and you installed the Wazuh agent there, the first step should be pairing the agent with the manager. If this is your environment, please, review our registration process documentation and after correctly registering the agent, add the <localfile> block option as I explained above. 
  • If you are forwarding the Sophos events through Syslog protocol, you will see no related agent in the list as this is an agentless configuration.

Let me know which configuration you are using and some more details on your environment so I can provide further guidance. Greetings,

JP Sáez

M.Ali

Nov 26, 2019, 6:47:49 AM
to Wazuh mailing list
I am trying it with the agentless approach; logs are being received on the Wazuh server but I don't know how to manage them from there or how to create alerts for them.

I already shared my details and the issue I am facing in the agentless configuration here: https://groups.google.com/forum/#!topic/wazuh/zuagRgIZqDM

Please help me with this or suggest a workaround so I can create alerts for the firewall.

Juan Pablo Saez

Nov 26, 2019, 8:55:24 AM
to Wazuh mailing list
Hi again M.Ali,

My mate Eva will keep providing you guidance in the other thread.

I think that you're already sending Sophos events to the manager via Syslog properly. In that case, you just need to use appropriate decoders and rules. To me, it seems like you want to put agentless in the recipe when it is not necessary.


Greetings, JP Sáez

M.Ali

Nov 30, 2019, 3:44:24 AM
to Wazuh mailing list
Thanks JP Sáez,

If it is not necessary, then can you please help me with the decoders? I tried by myself but it is not working.

Log files are attached; please help me with decoders and basic rules,

so I can show Sophos logs to my manager.

Thank you very much in advance.

regards,
Ali
Admin.csv
Authentication.csv
Email - Copy.csv
Firewall.csv
IPS.csv
System.csv

Juan Pablo Saez

Dec 2, 2019, 6:11:44 AM
to Wazuh mailing list

Hello M.Ali,

Count on me to create these custom decoders and rules. The problem is that I can't use the files attached to your message above as they are in CSV format. I need the original events. You can get these events by enabling the logall option in the ossec.conf manager configuration file:

<logall>yes</logall>

After enabling the logall option you can find the events in the /var/ossec/logs/archives/archives.log file. Please, send me several examples (admin, authentication, firewall, ips) from the archives.log file so I can create the right decoders and rules.

Greetings, JP Sáez

M.Ali

Dec 10, 2019, 9:19:40 AM
to Wazuh mailing list
hi JP Sáez,

sorry for the late response.

Sir, our organization policy does not allow us to share logs, but somehow I have managed to get some sample logs, attached in a file.

Can you please help with these logs?


thanks in advance.

Regards,
M.Ali


syslog firewall logs

Juan Pablo Saez

Dec 11, 2019, 9:55:09 AM
to Wazuh mailing list
Hi again M.Ali,

Let me work on these decoders and rules, I'll let you know when I finish.

Greetings, JP Sáez

Juan Pablo Saez

Dec 12, 2019, 5:40:23 AM
to Wazuh mailing list

Hey M.Ali,

I have written some custom decoders for your events so you can extract the most relevant fields. Here you have the steps to use them in your environment:

  • You should create a new file inside /var/ossec/etc/decoders. While you can include these custom decoders in the /var/ossec/etc/decoders/local_decoder.xml file I think it’s better to place them in a separate file.

1. Creating the new custom decoders file
# touch /var/ossec/etc/decoders/custom_firewall_decoders.xml

----------------------------------------------------------------------------------------------------------------------
<decoder name="firewall-custom">
 <prematch>^device="\S+" date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d</prematch>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex>^device="(\S+)" date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) </regex>
 <order>device, date, time</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">timezone="(\S+)" device_name="(\S+)" device_id=(\S+) log_id=(\S+) log_type="(\S+)" </regex>
 <order>timezone, device_name, device_id, log_id, log_type</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">log_component="(\.+)" log_subtype="(\S+)" status="(\S+)" priority=(\S+) </regex>
 <order>log_component, log_subtype, status, priority</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">log_component="(\S+)" </regex>
 <order>log_component</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">duration=(\S+) </regex>
 <order>duration</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">fw_rule_id=(\S+) </regex>
 <order>fw_rule_id</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">policy_type=(\S+) </regex>
 <order>policy_type</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">user_name="(\S*)"</regex>
 <order>user_name</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">src_mac=(\S+) </regex>
 <order>src_mac</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">src_ip=(\S+) </regex>
 <order>src_ip</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">dst_ip=(\S+) </regex>
 <order>dst_ip</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">protocol="(\S+)" </regex>
 <order>protocol</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">src_port=(\S+) </regex>
 <order>src_port</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">dst_port=(\S+) </regex>
 <order>dst_port</order>
</decoder>

<decoder name="firewall-custom1">
 <parent>firewall-custom</parent>
 <regex offset="after_regex">message="(\.*)"</regex>
 <order>message</order>
</decoder>

---------------------------------------------------------------------------------------------------------------------------

2. Let's adjust the permissions and owner for the custom decoder file
# chown ossec:ossec /var/ossec/etc/decoders/custom_firewall_decoders.xml
# chmod 660 /var/ossec/etc/decoders/custom_firewall_decoders.xml

  • Now the Wazuh manager should be able to decode your firewall events. Rules are needed to create alerts over the decoded events:

I have created the rule below that groups your firewall events. You should place it in your /var/ossec/etc/rules/local_rules.xml file:

<rule id="222000" level="3">
      <decoded_as>firewall-custom</decoded_as>
      <description>Syslog firewall messages grouped</description>
</rule>

  • To apply the changes you should restart the Wazuh manager.

In the example below, you can check the decoders and rule working. It was tested using the ossec-logtest binary:

device="SFW" date=2019-12-03 time=14:08:21 timezone="PKT" device_name="XG210" device_id=C230 log_id=062009517502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Notice user_name="admin" src_ip=192.168.8.83 VIRTUAL_HOST_NAME='U_to_i' message="Virtual Host 'U_to_i' settings were changed by 'admin' from '192.168.8.83' using 'GUI'"

**Phase 1: Completed pre-decoding.
       full event: 'device="SFW" date=2019-12-03 time=14:08:21 timezone="PKT" device_name="XG210" device_id=C230 log_id=062009517502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Notice user_name="admin" src_ip=192.168.8.83 VIRTUAL_HOST_NAME='U_to_i' message="Virtual Host 'U_to_i' settings were changed by 'admin' from '192.168.8.83' using 'GUI'"'
       timestamp: '(null)'
       hostname: 'nanoPill'
       program_name: '(null)'
       log: 'device="SFW" date=2019-12-03 time=14:08:21 timezone="PKT" device_name="XG210" device_id=C230 log_id=062009517502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Notice user_name="admin" src_ip=192.168.8.83 VIRTUAL_HOST_NAME='U_to_i' message="Virtual Host 'U_to_i' settings were changed by 'admin' from '192.168.8.83' using 'GUI'"'

**Phase 2: Completed decoding.
       decoder: 'firewall-custom'
       device: 'SFW'
       date: '2019-12-03'
       time: '14:08:21'
       timezone: 'PKT'
       device_name: 'XG210'
       device_id: 'C230'
       log_id: '062009517502'
       log_type: 'Event'
       log_component: 'GUI'
       log_subtype: 'Admin'
       status: 'Successful'
       priority: 'Notice'
       user_name: 'admin'
       src_ip: '192.168.8.83'
       message: 'Virtual Host 'U_to_i' settings were changed by 'admin' from '192.168.8.83' using 'GUI''

**Phase 3: Completed filtering (rules).
       Rule id: '222000'
       Level: '3'
       Description: 'Syslog firewall messages grouped.'
**Alert to be generated.

I hope it helps. You can count on me if you think there are missing fields in the decoders I wrote or if you need help writing useful rules.

Greetings, JP Sáez

M.Ali

Dec 17, 2019, 4:38:28 AM
to Wazuh mailing list
Thanks for the help. I really appreciate the effort you put for this. Thank you very much.

I am facing some problems. The decoders were implemented successfully and are displaying firewall traffic logs in the Discover tab.

But when I try to test these decoders with the ossec-logtest command using a traffic log, phase 2 and phase 3 are not completed successfully.

Do these decoders also work for admin logs and other firewall logs?

Again thanks for help.

Regards,
M. Ali    

Juan Pablo Saez

Dec 23, 2019, 4:01:09 AM
to Wazuh mailing list

Hello again M.Ali,

Sorry for the late reply, I was AFK for some days.


But when I try to test these decoders with the ossec-logtest command using a traffic log, phase 2 and phase 3 are not completed successfully.

I think that the event format could be the issue here. When using ossec-logtest you should avoid entering the Syslog event's source hostname and IP piece. So, for the following event log:

Full example log

2019 Dec 03 00:00:00 wazuhmanager->192.168.8.251 device="SFW" date=2019-12-02 time=23:52:32 timezone="PKT" device_name="XG210" device_id=C230 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=46 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port8" src_mac=00:00:00:00:00:00 src_ip=192.168.8.83 src_country_code=R1 dst_ip=192.168.13.11 dst_country_code=R1 protocol="TCP" src_port=63382 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="LAN" dstzone="LB" dir_disp="" connevent="Start" connid="373049056" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0

You should discard the timestamp, hostname and IP piece "2019 Dec 03 00:00:00 wazuhmanager->192.168.8.251" and enter the remainder:

device="SFW" date=2019-12-02 time=23:52:32 timezone="PKT" device_name="XG210" device_id=C230 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=46 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port8" src_mac=00:00:00:00:00:00 src_ip=192.168.8.83 src_country_code=R1 dst_ip=192.168.13.11 dst_country_code=R1 protocol="TCP" src_port=63382 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="LAN" dstzone="LB" dir_disp="" connevent="Start" connid="373049056" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0

ossec-logtest example

Full event example

2019 Dec 03 00:00:00 wazuhmanager->192.168.8.251 device="SFW" date=2019-12-02 time=23:52:32 timezone="PKT" device_name="XG210" device_id=C230 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=46 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port8" src_mac=00:00:00:00:00:00 src_ip=192.168.8.83 src_country_code=R1 dst_ip=192.168.13.11 dst_country_code=R1 protocol="TCP" src_port=63382 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="LAN" dstzone="LB" dir_disp="" connevent="Start" connid="373049056" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0

**Phase 2: Completed decoding.
       No decoder matched.


Event without Syslog timestamp, hostname and IP:

device="SFW" date=2019-12-02 time=23:52:32 timezone="PKT" device_name="XG210" device_id=C230 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=46 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port8" src_mac=00:00:00:00:00:00 src_ip=192.168.8.83 src_country_code=R1 dst_ip=192.168.13.11 dst_country_code=R1 protocol="TCP" src_port=63382 dst_port=443 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="LAN" dstzone="LB" dir_disp="" connevent="Start" connid="373049056" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0

**Phase 2: Completed decoding.
       decoder: 'firewall-custom'
       device: 'SFW'
       date: '2019-12-02'
       time: '23:52:32'
       timezone: 'PKT'
       device_name: 'XG210'
       device_id: 'C230'
       log_id: '010101600001'
       log_type: 'Firewall'
       log_component: 'Firewall Rule'
       log_subtype: 'Allowed'
       status: 'Allow'
       priority: 'Information'
       duration: '0'
       fw_rule_id: '46'
       policy_type: '1'
       user_name: ''
       src_mac: '00:00:00:00:00:00'
       src_ip: '192.168.8.83'
       dst_ip: '192.168.13.11'
       protocol: 'TCP'
       src_port: '63382'
       dst_port: '443'
       message: ''

**Phase 3: Completed filtering (rules).
       Rule id: '222000'
       Level: '3'
       Description: 'Syslog firewall messages grouped'
**Alert to be generated.

Wazuh automatically strips the timestamp, hostname and IP information after receiving the event but it doesn't happen with ossec-logtest where you should remove it prior to entering the event.


Do these decoders also work for admin logs and other firewall logs?

It should decode the most relevant fields for admin logs and other ones. Anyway, if you find logs that aren't properly generating alerts let me know and give me some examples so we can work on decoders/rules to suit your use case. Please, let me know how it goes. 

Greetings, JP Sáez
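As an added example (not code from the thread or from Wazuh), the Python below re-implements what the custom decoders above extract, applies the ossec-logtest pitfall from this reply (the manager prefix in archives.log must be stripped before the prematch can fire), and builds the "source IP accessed destination IP at port" count list and a batch port-scan check asked for earlier in the thread. The prefix layout, the trimmed sample events and the scan threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Sophos XG events are key=value pairs; a value may be double-quoted (and then
# contain spaces or single quotes), single-quoted, bare, or empty (tran_src_ip=).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))')

# archives.log keeps each received syslog event behind a
# '<timestamp> <manager host>-><sender ip> ' prefix (layout assumed from the
# thread's example). The manager strips it before decoding; ossec-logtest does
# not, so the '^device="' prematch never fires unless you remove it by hand.
MANAGER_PREFIX_RE = re.compile(r'^\d{4} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d \S+->\S+ ')

# The fields the thread's custom decoders extract (union of their <order> lists).
DECODER_FIELDS = frozenset((
    'device', 'date', 'time', 'timezone', 'device_name', 'device_id', 'log_id',
    'log_type', 'log_component', 'log_subtype', 'status', 'priority', 'duration',
    'fw_rule_id', 'policy_type', 'user_name', 'src_mac', 'src_ip', 'dst_ip',
    'protocol', 'src_port', 'dst_port', 'message'))

def strip_manager_prefix(line):
    """Return the event exactly as it must be typed into ossec-logtest."""
    return MANAGER_PREFIX_RE.sub('', line.strip(), count=1)

def decode(line):
    """Emulate the decoders: extracted fields, or None when the prematch fails."""
    raw = strip_manager_prefix(line)
    if not raw.startswith('device="'):          # same gate as the <prematch>
        return None
    return {key: dq or sq or bare               # empty values stay ''
            for key, dq, sq, bare in KV_RE.findall(raw) if key in DECODER_FIELDS}

def connection_table(events):
    """The 'IP a accessed IP b at port p' count list asked for in the thread."""
    fw = [e for e in events if e and e.get('log_type') == 'Firewall']
    return Counter((e['src_ip'], e['dst_ip'], e['dst_port']) for e in fw)

def port_scan_suspects(events, min_ports=5):
    """Batch analogue of a frequency rule: (src, dst) pairs where src touched
    at least min_ports distinct destination ports. The threshold is assumed."""
    ports = defaultdict(set)
    for e in events:
        if e and e.get('log_type') == 'Firewall':
            ports[(e['src_ip'], e['dst_ip'])].add(e['dst_port'])
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)

# Constructed samples modelled on the thread's events, with the field set trimmed.
ADMIN_EVENT = (
    '2019 Dec 03 00:00:00 wazuhmanager->192.168.8.251 device="SFW" date=2019-12-03 '
    'time=14:08:21 timezone="PKT" log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Successful" priority=Notice user_name="admin" '
    "src_ip=192.168.8.83 VIRTUAL_HOST_NAME='U_to_i' message=\"Virtual Host 'U_to_i' "
    "settings were changed by 'admin' from '192.168.8.83' using 'GUI'\"")

def fw_event(src, dst, port):
    """A trimmed 'Firewall Rule' event for a TCP connection src -> dst:port."""
    return ('device="SFW" date=2019-12-02 time=23:52:32 timezone="PKT" '
            'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
            f'status="Allow" priority=Information user_name="" src_ip={src} '
            f'dst_ip={dst} protocol="TCP" src_port=63382 dst_port={port} '
            'tran_src_ip= tran_src_port=0 message=""')

SAMPLE = [ADMIN_EVENT, fw_event('192.168.8.83', '192.168.13.11', 443)] + [
    fw_event('192.168.8.50', '192.168.13.11', p) for p in (21, 22, 23, 80, 443, 3389)]
```

Fields such as VIRTUAL_HOST_NAME or tran_src_ip are deliberately dropped, mirroring the decoders, which only extract what their <order> lists name.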

Carlos López

May 17, 2020, 10:43:19 PM
to Wazuh mailing list
Hello Juan Pablo,

I am trying to make my first Sophos decoder, but I have already tried several things without success. Do you think you could help me, please?

I used exactly the one from here and the example log, but phase 2 still does not work.

Juan Pablo Saez

May 18, 2020, 4:29:38 AM
to Wazuh mailing list
Hello Carlos,

I am trying to make my first Sophos decoder, but I have already tried several things without success. Do you think you could help me, please?
I used exactly the one from here and the example log, but phase 2 still does not work.

Sure, count on it. I have just verified in my environment that the decoders and rules from here, together with the test log, work.
  • Could you paste some example logs here so I can see the syntax of your Sophos logs? Sometimes there are small changes in the format that break the decoders.
  • Where have you saved the example decoders and rules in your environment? I recommend the files `local_decoders.xml` and `local_rules.xml` respectively.
Regards,
JP