Custom rules don't work


blue mint

Apr 13, 2022, 6:50:23 AM
to Wazuh mailing list
Hi,

I'd like to customize the default Nextcloud rules located in "/var/ossec/ruleset/rules/0630-nextcloud_rules.xml". Here is what I did:

1- I disabled the default rule. I added the following to the 'ossec.conf' config file for all the Wazuh nodes (master and workers):
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <rule_exclude>0630-nextcloud_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

2- I copied the default rule to "/var/ossec/etc/rules/" and renamed it:
ll /var/ossec/etc/rules/
total 24
drwxrwx--- 2 root  ossec 4096 Apr 13 12:15 ./
drwxrwx--- 7 ossec ossec 4096 Apr 13 12:44 ../
-rw-rw---- 1 ossec ossec 1351 Apr 13 11:41 local_rules.xml
-rw-rw---- 1 ossec ossec 9603 Apr 13 12:15 nextcloud_rules.xml

3- I restarted the Wazuh master:
systemctl restart wazuh-manager.service

It seems that Wazuh stopped generating alerts. Actually, even my custom rules in "/var/ossec/etc/rules/local_rules.xml" are not taken into account.

What am I missing?

Thanks!

Christian Borla

Apr 13, 2022, 8:02:07 AM
to Wazuh mailing list
Hi blumint22
I hope you are doing fine!

I followed the steps that you shared and it looks like it works for me; the log messages show it can load the file.

1- I disabled the default rule. I added the following to the 'ossec.conf' configuration:


  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>

    <rule_exclude>0630-nextcloud_rules.xml</rule_exclude>

    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

2- I enabled the wazuh-analysisd debug log. I added the following configuration to /var/ossec/etc/local_internal_options.conf:

    # Analysisd (server or local)
    analysisd.debug=2

3- I restarted the Wazuh Manager, and checked /var/ossec/logs/ossec.log messages.

Excluding rule messages:

    2022/04/13 08:12:42 wazuh-analysisd[125411] rules-config.c:193 at Read_Rules(): DEBUG: Adding decoder dir: ruleset/decoders
    2022/04/13 08:12:42 wazuh-analysisd[125411] rules-config.c:223 at Read_Rules(): DEBUG: Adding rules dir: ruleset/rules
    2022/04/13 08:12:42 wazuh-analysisd[125411] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0215-policy_rules.xml
    2022/04/13 08:12:42 wazuh-analysisd[124455] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0630-nextcloud_rules.xml

The final rule message makes sense: Rules added: 158 / excluded: 2

    2022/04/13 08:12:42 wazuh-analysisd[124318] rules-config.c:331 at Read_Rules(): DEBUG: Reading rules folder: etc/rules
    2022/04/13 08:12:42 wazuh-analysisd[124318] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml

    2022/04/13 08:12:42 wazuh-analysisd[124318] rules-config.c:385 at Read_Rules(): DEBUG: Decoders added: 120 / excluded: 0
    2022/04/13 08:12:42 wazuh-analysisd[124318] rules-config.c:386 at Read_Rules(): DEBUG: Rules added: 158 / excluded: 2

4- Then I copied the default rule as it is, but I changed the name to nextcloud_rules.xml.

ls -l /var/ossec/etc/rules/
total 12
-rw-rw---- 1 wazuh wazuh  781 mar 28 17:06 local_rules.xml
-rw-r----- 1 root  root  5958 abr 13 08:16 nextcloud_rules.xml


5- I restarted the Wazuh Manager, and checked /var/ossec/logs/ossec.log messages.

Excluding rule messages:

    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:193 at Read_Rules(): DEBUG: Adding decoder dir: ruleset/decoders
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:223 at Read_Rules(): DEBUG: Adding rules dir: ruleset/rules
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0215-policy_rules.xml
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0630-nextcloud_rules.xml

Final rule message: Rules added: 159 / excluded: 2; it includes the new nextcloud_rules.xml

    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:331 at Read_Rules(): DEBUG: Reading rules folder: etc/rules
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/nextcloud_rules.xml

    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:385 at Read_Rules(): DEBUG: Decoders added: 120 / excluded: 0
    2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:386 at Read_Rules(): DEBUG: Rules added: 159 / excluded: 2

I wonder if it's a permission issue. Could you check the /var/ossec/ruleset/rules/ permissions and try to set the same on /var/ossec/etc/rules/?
Which Wazuh version do you have?

This is how my permissions look.

ll /var/ossec/etc/rules/
total 20
drwxrwx--- 2 root  wazuh 4096 abr 13 08:16 ./
drwxrwx--- 7 wazuh wazuh 4096 abr 13 08:18 ../
-rw-rw---- 1 wazuh wazuh  781 mar 28 17:06 local_rules.xml
-rw-r----- 1 root  root  5958 abr 13 08:16 nextcloud_rules.xml

Another possible test is to move a default rule file to the /var/ossec/etc/rules/ directory without any change, and check whether that rule is added successfully.
Please let me know the test result.
Regards.

blue mint

Apr 13, 2022, 8:50:42 AM
to Wazuh mailing list
Hi Christian,

Thanks for the quick answer! I hope that you're doing fine too!

I'm running Wazuh version 4.2.5-1 on Ubuntu 20.04

I followed exactly what you did and here is what I get from the "ossec.log":

2022/04/13 14:27:55 wazuh-analysisd[230799] rules-config.c:175 at Read_Rules(): DEBUG: Excluding rule: 0630-nextcloud_rules.xml
2022/04/13 14:27:55 wazuh-analysisd[230799] rules-config.c:316 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0485-nextcloud_decoders.xml
2022/04/13 14:27:55 wazuh-analysisd[230799] rules-config.c:369 at Read_Rules(): DEBUG: Adding rule: etc/rules/nextcloud_rules.xml
2022/04/13 14:27:56 wazuh-analysisd[230799] rules.c:258 at Rules_OP_ReadRules(): DEBUG: etc/rules/nextcloud_rules.xml is the rulefile
2022/04/13 14:28:02 wazuh-analysisd[230916] rules-config.c:175 at Read_Rules(): DEBUG: Excluding rule: 0630-nextcloud_rules.xml
2022/04/13 14:28:02 wazuh-analysisd[230916] rules-config.c:316 at Read_Rules(): DEBUG: Adding decoder: ruleset/decoders/0485-nextcloud_decoders.xml
2022/04/13 14:28:02 wazuh-analysisd[230916] rules-config.c:369 at Read_Rules(): DEBUG: Adding rule: etc/rules/nextcloud_rules.xml
2022/04/13 14:28:02 wazuh-analysisd[230916] analysisd.c:565 at main(): DEBUG: Reading decoder file ruleset/decoders/0485-nextcloud_decoders.xml.
2022/04/13 14:28:03 wazuh-analysisd[230916] analysisd.c:690 at main(): DEBUG: Reading rules file: 'etc/rules/nextcloud_rules.xml'
2022/04/13 14:28:03 wazuh-analysisd[230916] rules.c:258 at Rules_OP_ReadRules(): DEBUG: etc/rules/nextcloud_rules.xml is the rulefile

So it seems that the Nextcloud default rule is being excluded and the customized one is being successfully loaded. By the way, I changed nothing in the Nextcloud default rule. So "etc/rules/nextcloud_rules.xml" is an exact copy of "0630-nextcloud_rules.xml". When checking the "archives.json" log file, I can see the events coming. However, no alerts are being generated.

For the permissions, I don't have the "wazuh" user as you have, but rather "ossec". Here you are:
ll /var/ossec/etc/rules/
total 24
drwxrwx--- 2 root  ossec 4096 Apr 13 14:19 ./
drwxrwx--- 7 ossec ossec 4096 Apr 13 14:27 ../
-rw-rw---- 1 ossec ossec 1351 Apr 13 11:42 local_rules.xml
-rw-rw---- 1 ossec ossec 9603 Apr 13 14:19 nextcloud_rules.xml

What should I do next?

Regards

Christian Borla

Apr 13, 2022, 11:05:35 AM
to Wazuh mailing list
Hi blumint22
I hope you are doing fine!

I repeated the test but with a different rule file, because I looked for some common events in my alerts.json file to trigger after the changes.

I chose 0580-win-security_rules.xml and added the exception in ossec.conf:


  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <rule_exclude>0580-win-security_rules.xml</rule_exclude>


    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>


Then I copied the same file to /var/ossec/etc as win-security_rules.xml:

    ls -l /var/ossec/etc/rules/
    total 64
    -rw-rw---- 1 wazuh wazuh   781 mar 28 17:06 local_rules.xml
    -rw-r----- 1 root root 59642 abr 13 11:05 win-security_rules.xml

After restarting the Wazuh server, I found a permission error:

    2022/04/13 11:05:40 wazuh-analysisd[130320] analysisd.c:705 at main(): WARNING: analysisd/rules.c:254 at Rules_OP_ReadRules(): (1103): Could not open file 'etc/rules/win-security_rules.xml' due to [(13)-(Permission denied)].

So I changed the permissions, owner and group of win-security_rules.xml, and it fixed the problem.

    -rw-rw---- 1 wazuh wazuh 59642 abr 13 11:05 win-security_rules.xml

Your file permissions look good, but maybe you can check them. Did you find any "Could not open file" message?

Then I restarted the Wazuh server and found new alerts from rules included in the win-security_rules.xml file. An example:

    {"timestamp":"2022-04-13T11:39:56.428-0300","rule":{"level":3,"description":"Windows workstation logon success.","id":"60118",....

My test works in my environment; my doubt now is, why does it work for me? Could you test this procedure with another rule file? Look for some common alerts, and move that rule file to /ossec/etc/rules/.

Another option is following the documentation procedure to overwrite rules (link).

Also, we can check the events with the wazuh-logtest tool. Could you share some Nextcloud events from the archives.json file?
The documentation recommends that custom rule IDs should be between 100000 and 120000; maybe overwriting the IDs from nextcloud_rules.xml makes it work.

Let me know if it works.
Regards.
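
The checks this exchange walks through by hand (default file excluded, custom copy added, no "Could not open file" warning, file readable by the daemon user) as an added Python example; this is not code from the thread or from Wazuh. The message shapes and the ls -l lines are taken from the posts above; the extra "Could not open file" line aimed at nextcloud_rules.xml is constructed, and the daemon user and group are passed in as parameters because the thread shows both wazuh and ossec installations:

```python
"""Check, from ossec.log and file metadata, that a default Wazuh rule file was
replaced by a custom copy under etc/rules.

Added example for this thread, not Wazuh code. It parses the analysisd.debug=2
messages quoted in the thread ("Excluding rule", "Adding rule", "Could not open
file") and applies the ownership/mode test behind the permission error seen
there. The daemon user/group are parameters (thread shows 'wazuh' and 'ossec').
"""
import re
import stat

# Message shapes copied from the ossec.log excerpts posted in the thread.
EXCLUDED = re.compile(r"Excluding rule: (\S+)")
ADDED = re.compile(r"Adding rule: (\S+)")
OPEN_FAILED = re.compile(r"Could not open file '([^']+)' due to \[\((\d+)\)-\(([^)]+)\)\]")


def check_ossec_log(lines, default_file, custom_file):
    """Summarise one manager restart's worth of ossec.log lines.

    default_file is the basename given in <rule_exclude>; custom_file is the
    path analysisd prints for the copy, e.g. 'etc/rules/nextcloud_rules.xml'.
    """
    excluded, added, failed = set(), set(), {}
    for line in lines:
        if m := EXCLUDED.search(line):
            excluded.add(m.group(1))
        if m := ADDED.search(line):
            added.add(m.group(1))
        if m := OPEN_FAILED.search(line):
            failed[m.group(1)] = f"errno {m.group(2)} ({m.group(3)})"
    return {
        "default_excluded": default_file in excluded,
        "custom_added": custom_file in added,          # loader found the file...
        "custom_openable": custom_file not in failed,  # ...and could read it
        "open_failures": failed,
    }


def parse_ls_line(line):
    """Turn one 'ls -l' line into (mode_bits, owner, group, name).

    Only the nine rwx characters are read; setuid/sticky letters count as
    'set', which is enough for a read check.
    """
    perms, _links, owner, group, *_size_and_date, name = line.split()
    flags = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    mode = sum(flag for flag, ch in zip(flags, perms[1:10]) if ch != "-")
    return mode, owner, group, name


def readable_by_daemon(mode, owner, group, daemon_user, daemon_group):
    """Classic Unix read check for the unprivileged analysisd user.

    analysisd does not run as root, so a copy left root:root with mode 0640
    (the '-rw-r-----' listing in the thread) is found by the loader but
    cannot be opened. Names are compared because that is what ls prints.
    """
    if owner == daemon_user:
        return bool(mode & stat.S_IRUSR)
    if group == daemon_group:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Debug lines as posted in the thread for a successful swap.
SAMPLE_LOG = """\
2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0215-policy_rules.xml
2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:177 at Read_Rules(): DEBUG: Excluding rule: 0630-nextcloud_rules.xml
2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml
2022/04/13 08:20:39 wazuh-analysisd[125411] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/nextcloud_rules.xml
""".splitlines()

# Constructed variant: the thread's permission warning, retargeted at the Nextcloud copy.
SAMPLE_LOG_BROKEN = SAMPLE_LOG + [
    "2022/04/13 11:05:40 wazuh-analysisd[130320] analysisd.c:705 at main(): WARNING: "
    "analysisd/rules.c:254 at Rules_OP_ReadRules(): (1103): Could not open file "
    "'etc/rules/nextcloud_rules.xml' due to [(13)-(Permission denied)].",
]

if __name__ == "__main__":
    print(check_ossec_log(SAMPLE_LOG_BROKEN, "0630-nextcloud_rules.xml", "etc/rules/nextcloud_rules.xml"))
    mode, owner, group, name = parse_ls_line("-rw-r----- 1 root  root  5958 abr 13 08:16 nextcloud_rules.xml")
    print(name, "readable by wazuh:", readable_by_daemon(mode, owner, group, "wazuh", "wazuh"))
```

The point the thread makes is visible in the two results: "Adding rule" alone only proves the loader saw the file, while the "Could not open file" warning (or a root:root 0640 listing) means the daemon never read it. Run it against your own ossec.log after a restart with analysisd.debug=2 set.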

blue mint

Apr 13, 2022, 2:39:27 PM
to Wazuh mailing list
Hi Christian,

I double checked the "ossec.log" file for any permissions related errors but couldn't find any. So we can safely assume that the permissions are set correctly.

I repeated the same test but with a different rule file, just as what you did, and I chose "0095-sshd_rules.xml". So I excluded it in ossec.conf as you can see below:


    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <rule_exclude>0630-nextcloud_rules.xml</rule_exclude>
    <rule_exclude>0095-sshd_rules.xml</rule_exclude>

    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

And I copied the rule file, without changing anything, to /var/ossec/etc/rules/ and set the permissions appropriately as you see below:
ll /var/ossec/etc/rules/
total 40
drwxrwx--- 2 root  ossec  4096 Apr 13 19:55 ./
drwxrwx--- 7 ossec ossec  4096 Apr 13 20:19 ../
-rw-rw---- 1 ossec ossec  1359 Apr 13 19:55 local_rules.xml
-rw-rw---- 1 ossec ossec  6038 Apr 13 15:13 nextcloud_rules.xml
-rw-rw---- 1 ossec ossec 18203 Apr 13 19:49 sshd_rules.xml

and restarted the Wazuh manager. It seems that it's working as it should. When I try to ssh with a user that doesn't exist, I get security events in Kibana. So the SSH default rules work.

I also tried to overwrite one of the Nextcloud default rules in "local_rules.xml" following the same document you shared but it didn't work.

Here is one of the Nextcloud events I copied from the archives.json file:
{"timestamp":"2022-04-13T20:25:28.452+0200","agent":{"id":"001","name":"nextcloud","ip":"192.168.0.46"},"manager":{"name":"wazuh-worker-01"},"id":"1649874328.115121","cluster":{"name":"wazuh-cluster","node":"wazuh-worker-01"},"full_log":"{\"reqId\":\"rbQ93RGvSQTbv4YMXYLp\",\"level\":1,\"time\":\"2022-04-13T20:25:27+02:00\",\"remoteAddr\":\"10.100.100.25\",\"user\":\"john\",\"app\":\"admin_audit\",\"method\":\"GET\",\"url\":\"/nextcloud/remote.php/dav/files/john/myfiles/image.png\",\"message\":\"File accessed: \\\"/myfiles/image.png\\\"\",\"userAgent\":\"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)\",\"version\":\"22.2.3.1\",\"@source\":\"NextCloud\"}","decoder":{"name":"json"},"data":{"url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","reqId":"rbQ93RGvSQTbv4YMXYLp","level":"1","time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}

Using wazuh-logtest tool, I got this:

New session was created with token "82c989fc"
**Phase 1: Completed pre-decoding.
    full event: '{"timestamp":"2022-04-13T20:25:28.452+0200","agent":{"id":"001","name":"nextcloud","ip":"192.168.0.46"},"manager":{"name":"wazuh-worker-01"},"id":"1649874328.115121","cluster":{"name":"wazuh-cluster","node":"wazuh-worker-01"},"full_log":"{\"reqId\":\"rbQ93RGvSQTbv4YMXYLp\",\"level\":1,\"time\":\"2022-04-13T20:25:27+02:00\",\"remoteAddr\":\"10.100.100.25\",\"user\":\"john\",\"app\":\"admin_audit\",\"method\":\"GET\",\"url\":\"/nextcloud/remote.php/dav/files/john/myfiles/image.png\",\"message\":\"File accessed: \\\"/myfiles/image.png\\\"\",\"userAgent\":\"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)\",\"version\":\"22.2.3.1\",\"@source\":\"NextCloud\"}","decoder":{"name":"json"},"data":{"url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","reqId":"rbQ93RGvSQTbv4YMXYLp","level":"1","time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"},"location":"/var/log/nextcloud/audit.log"}'

**Phase 2: Completed decoding.
    name: 'json'
    agent.id: '001'
    agent.ip: '192.168.0.46'
    agent.name: 'nextcloud'
    cluster.name: 'wazuh-cluster'
    cluster.node: 'wazuh-worker-01'
    data.@source: 'NextCloud'
    data.app: 'admin_audit'
    data.level: '1'
    data.message: 'File accessed: "/myfiles/image.png"'
    data.method: 'GET'
    data.remoteAddr: '10.100.100.25'
    data.reqId: 'rbQ93RGvSQTbv4YMXYLp'
    data.time: '2022-04-13T20:25:27+02:00'
    data.url: '/nextcloud/remote.php/dav/files/john/myfiles/image.png'
    data.user: 'john'
    data.userAgent: 'Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)'
    data.version: '22.2.3.1'
    decoder.name: 'json'
    full_log: '{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}'
    id: '1649874328.115121'
    location: '/var/log/nextcloud/audit.log'
    manager.name: 'wazuh-worker-01'
    timestamp: '2022-04-13T20:25:28.452+0200'

I also suspected that it could be related to the reserved rule IDs. So I already changed them and tested, but unfortunately, no joy. Here is the rule file:
vi etc/rules/nextcloud_rules.xml

<group name="json,nextcloud,">

  <rule id="110000" level="0">
    <decoded_as>json</decoded_as>
    <field name="@source">NextCloud</field>
    <description>NextCloud messages grouped.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="110001" level="0">
    <decoded_as>nextcloud</decoded_as>
    <description>NextCloud messages grouped.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="110002" level="6">
    <if_sid>110000,110001</if_sid>
    <match>Login successful: </match>
    <description>NextCloud authentication successful.</description>
    <group>authentication_success,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="110003" level="6">
    <if_sid>110000,110001</if_sid>
    <match>Login failed: </match>
    <description>NextCloud authentication failed.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="110004" level="6">
    <if_sid>110000,110001</if_sid>
    <match>User created: </match>
    <description>NextCloud account created.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="110005" level="6">
    <if_sid>110000,110001</if_sid>
    <match>File accessed: </match>
    <description>NextCloud file accessed.</description>
    <group>pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <options>no_full_log</options>
  </rule>
</group>

I'm not sure what's special about the Nextcloud default rules.

Regards and thanks again for all your help.

Christian Borla

Apr 13, 2022, 3:52:54 PM
to Wazuh mailing list
Hi blumint22
Great, we can test it with the example log.
Maybe it could be an event issue. The event from archives.json includes some agent and decoder data; the NextCloud event is stored in the full_log section. Refactoring it to apply as JSON format looks like this:

{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}

1. I tested with the default rule included, and the logtest result was:

/var/ossec/bin/wazuh-logtest
Type one log per line

{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}

**Phase 1: Completed pre-decoding.


**Phase 2: Completed decoding.
    name: 'json'
    @source: 'NextCloud'
    app: 'admin_audit'
    level: '1'
    message: 'File accessed: "/myfiles/image.png"'
    method: 'GET'
    remoteAddr: '10.100.100.25'
    reqId: 'rbQ93RGvSQTbv4YMXYLp'
    time: '2022-04-13T20:25:27+02:00'
    url: '/nextcloud/remote.php/dav/files/john/myfiles/image.png'
    user: 'john'
    userAgent: 'Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)'
    version: '22.2.3.1'

**Phase 3: Completed filtering (rules).
    id: '88213'
    level: '3'
    description: 'NextCloud file accessed.'
    groups: '['json', 'nextcloud']'
    firedtimes: '1'
    gdpr: '['IV_32.2', 'IV_35.7.d']'
    hipaa: '['164.312.b']'
    mail: 'False'
    nist_800_53: '['AC.7', 'AU.14']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.


2. Then I repeated everything, excluding the file with <rule_exclude>0630-nextcloud_rules.xml</rule_exclude> and adding it as a custom rule in etc/rules/nextcloud_rules.xml.
ossec.log confirms that it's included.

2022/04/13 16:31:26 wazuh-analysisd[144438] rules-config.c:331 at Read_Rules(): DEBUG: Reading rules folder: etc/rules
2022/04/13 16:31:26 wazuh-analysisd[144438] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/local_rules.xml
2022/04/13 16:31:26 wazuh-analysisd[144438] rules-config.c:371 at Read_Rules(): DEBUG: Adding rule: etc/rules/nextcloud_rules.xml
2022/04/13 16:31:26 wazuh-analysisd[144438] rules-config.c:385 at Read_Rules(): DEBUG: Decoders added: 120 / excluded: 0
2022/04/13 16:31:26 wazuh-analysisd[144438] rules-config.c:386 at Read_Rules(): DEBUG: Rules added: 159 / excluded: 2

3. Running wazuh-logtest, it fails because I forgot to change the permissions:

/var/ossec/bin/wazuh-logtest
Type one log per line

{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}

** Wazuh-Logtest: WARNING: analysisd/rules.c:254 at Rules_OP_ReadRules(): (1103): Could not open file 'etc/rules/nextcloud_rules.xml' due to [(13)-(Permission denied)].

**Phase 1: Completed pre-decoding.
    full event: '{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}'


**Phase 2: Completed decoding.
    name: 'json'
    @source: 'NextCloud'
    app: 'admin_audit'
    level: '1'
    message: 'File accessed: "/myfiles/image.png"'
    method: 'GET'
    remoteAddr: '10.100.100.25'
    reqId: 'rbQ93RGvSQTbv4YMXYLp'
    time: '2022-04-13T20:25:27+02:00'
    url: '/nextcloud/remote.php/dav/files/john/myfiles/image.png'
    user: 'john'
    userAgent: 'Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)'
    version: '22.2.3.1'

4. I fixed the permission issue, and running wazuh-logtest the result was the same as with the default rules:

/var/ossec/bin/wazuh-logtest
Type one log per line

{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}

**Phase 1: Completed pre-decoding.


**Phase 2: Completed decoding.
    name: 'json'
    @source: 'NextCloud'
    app: 'admin_audit'
    level: '1'
    message: 'File accessed: "/myfiles/image.png"'
    method: 'GET'
    remoteAddr: '10.100.100.25'
    reqId: 'rbQ93RGvSQTbv4YMXYLp'
    time: '2022-04-13T20:25:27+02:00'
    url: '/nextcloud/remote.php/dav/files/john/myfiles/image.png'
    user: 'john'
    userAgent: 'Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)'
    version: '22.2.3.1'

**Phase 3: Completed filtering (rules).
    id: '88213'
    level: '3'
    description: 'NextCloud file accessed.'
    groups: '['json', 'nextcloud']'
    firedtimes: '1'
    gdpr: '['IV_32.2', 'IV_35.7.d']'
    hipaa: '['164.312.b']'
    mail: 'False'
    nist_800_53: '['AC.7', 'AU.14']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

The message "Alert to be generated" in the wazuh-logtest tool is important; that message confirms it will work and create an alert.
Could you try testing with wazuh-logtest and a clear NextCloud log, and share the result?
Please try to test it in both environments, I mean, running wazuh-logtest with the NextCloud rules by default, and after moving them to the /ossec/etc/rules/ directory.
Is rule ID 88213 the expected rule to match this event?

Let me know if that works.
Regards.

blue mint

Apr 14, 2022, 5:24:41 AM
to Wazuh mailing list
Hi Christian,

I hope you're doing fine today!

I finally found the issue. Prior to starting to work on moving the Nextcloud default rule file, I created some rules for Nextcloud to test in local_rules.xml. It seems that these test rules prevented the logs from being processed by the Nextcloud default rules. I completely forgot about them. Sorry about the trouble! :(

Is there a tool that I can use to see which decoders and rules are used when testing a log event? I checked all the options of wazuh-logtest but couldn't find any. I found on the Internet that the old version used to do something similar to that.

Regards

Christian Borla

Apr 18, 2022, 2:36:06 PM
to Wazuh mailing list

Hi blumint22
Great, it's working!
Regarding a tool to see which decoders and rules are used, wazuh-logtest has a verbose option [-v: Verbose (full) output/rule debugging].
In the **Phase 2 decoder section it's possible to identify the decoder name, in this case name: 'json'.
It also shows a **Rule debugging section that describes which rules match.

wazuh-logtest example:

/var/ossec/bin/wazuh-logtest -v

Type one log per line

{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"time":"2022-04-13T20:25:27+02:00","remoteAddr":"10.100.100.25","user":"john","app":"admin_audit","method":"GET","url":"/nextcloud/remote.php/dav/files/john/myfiles/image.png","message":"File accessed: \"/myfiles/image.png\"","userAgent":"Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)","version":"22.2.3.1","@source":"NextCloud"}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    @source: 'NextCloud'
    app: 'admin_audit'
    level: '1'
    message: 'File accessed: "/myfiles/image.png"'
    method: 'GET'
    remoteAddr: '10.100.100.25'
    reqId: 'rbQ93RGvSQTbv4YMXYLp'
    time: '2022-04-13T20:25:27+02:00'
    url: '/nextcloud/remote.php/dav/files/john/myfiles/image.png'
    user: 'john'
    userAgent: 'Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)'
    version: '22.2.3.1'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
        *Rule 1 matched
        *Trying child rules
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 650 - Active Response JSON Messages Grouped
    .
    .
    .
    Trying rule: 92501 - Cloudflare WAF rules
    Trying rule: 110000 - NextCloud messages grouped.
        *Rule 110000 matched
        *Trying child rules
    Trying rule: 110002 - NextCloud authentication successful.
    Trying rule: 110003 - NextCloud authentication failed.
    Trying rule: 110004 - NextCloud account created.
    Trying rule: 110005 - NextCloud file accessed.
        *Rule 110005 matched


**Phase 3: Completed filtering (rules).
    id: '110005'
    level: '6'
    description: 'NextCloud file accessed.'
    groups: '['json', 'nextcloud']'
    firedtimes: '1'
    gdpr: '['IV_35.7.d', 'IV_32.2']'
    hipaa: '['164.312.b']'
    mail: 'False'
    nist_800_53: '['AU.14', 'AC.7']'
    pci_dss: '['10.2.4', '10.2.5']'
    tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Let me know if this information is useful to you.
Regards!

Christian Borla

Apr 18, 2022, 2:53:32 PM
to Wazuh mailing list
Hi blumint22
Great, it's working!
Regarding a tool to see which decoders and rules are used, wazuh-logtest has a verbose option [-v: Verbose (full) output/rule debugging].
In the **Phase 2 decoder section it's possible to identify the decoder name, in this case name: 'json'.
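
As an added example, not code from the thread or from Wazuh: a small Python model of the rule walk shown in the -v trace above, applied to the root cause found in this thread (leftover test rules in local_rules.xml taking the Nextcloud events first). It loads the custom rule files in the order ossec.log shows them being added, lints IDs against the 100000-120000 range mentioned earlier in the thread, and walks top-level rules in order, descending into <if_sid> children once a parent matches. LOCAL_RULES is a constructed guess at the kind of test rule the author mentions (the actual rules were not posted), NEXTCLOUD_RULES is the posted custom file trimmed to two rules, and the matching is a deliberate simplification of what wazuh-analysisd does:

```python
"""Model how a custom rule file is walked, and why a leftover test rule in
local_rules.xml can take Nextcloud events before nextcloud_rules.xml sees them.

Added example for this thread, not Wazuh code. It parses rule XML in the form
posted in the thread and walks it the way the wazuh-logtest -v trace shows:
top-level rules in load order, first match wins, then that rule's <if_sid>
children are tried. Only <decoded_as>, <field> (regex on a decoded field) and
<match> (plain substring of the raw log here; the real <match> is an OSSEC
pattern) are modelled. LOCAL_RULES is constructed; the thread never shows it.
"""
import json
import re
import xml.etree.ElementTree as ET

CUSTOM_IDS = range(100000, 120001)  # range the thread cites for custom rule IDs


def load_rules(files):
    """files: [(name, xml_text)] in load order. Returns (rules, lint findings)."""
    rules, findings, seen = [], [], {}
    for fname, text in files:
        root = ET.fromstring(f"<root>{text}</root>")  # a file may hold several <group>
        for r in root.iter("rule"):
            rid = int(r.get("id"))
            if rid not in CUSTOM_IDS:
                findings.append(f"{fname}: rule {rid} is outside 100000-120000")
            if rid in seen:
                findings.append(f"{fname}: rule {rid} already defined in {seen[rid]}")
            seen[rid] = fname
            if_sid = r.findtext("if_sid") or ""
            rules.append({
                "id": rid, "file": fname, "level": int(r.get("level", 0)),
                "description": (r.findtext("description") or "").strip(),
                "decoded_as": r.findtext("decoded_as"),
                "fields": {f.get("name"): f.text for f in r.findall("field")},
                "match": r.findtext("match"),
                "parents": [int(x) for x in if_sid.split(",") if x.strip()],
            })
    return rules, findings


def rule_matches(rule, event):
    """event: {'decoder': str, 'data': dict of decoded fields, 'full_log': str}."""
    if rule["decoded_as"] and rule["decoded_as"] != event["decoder"]:
        return False
    for name, pattern in rule["fields"].items():
        if not re.search(pattern, str(event["data"].get(name, ""))):
            return False
    return not rule["match"] or rule["match"] in event["full_log"]


def evaluate(rules, event, trace):
    """Return the rule the event ends on, appending a -v style trace.
    A matched parent whose children all miss is final, so a level-0
    catch-all ends the walk with no alert, which is what the thread hit."""
    def walk(candidates):
        for r in candidates:
            trace.append(f"Trying rule: {r['id']} - {r['description']}")
            if rule_matches(r, event):
                trace.append(f"    *Rule {r['id']} matched")
                children = [c for c in rules if r["id"] in c["parents"]]
                hit = walk(children) if children else None
                return hit or r
        return None
    return walk([r for r in rules if not r["parents"]])


# Constructed: a plausible leftover test rule in local_rules.xml (loaded first).
LOCAL_RULES = """<group name="local,nextcloud,">
  <rule id="100100" level="0">
    <decoded_as>json</decoded_as>
    <field name="@source">NextCloud</field>
    <description>Temporary NextCloud test rule.</description>
  </rule>
</group>"""

# The custom copy posted in the thread, trimmed to the two rules needed here.
NEXTCLOUD_RULES = """<group name="json,nextcloud,">
  <rule id="110000" level="0">
    <decoded_as>json</decoded_as>
    <field name="@source">NextCloud</field>
    <description>NextCloud messages grouped.</description>
  </rule>
  <rule id="110005" level="6">
    <if_sid>110000</if_sid>
    <match>File accessed: </match>
    <description>NextCloud file accessed.</description>
  </rule>
</group>"""

# The audit.log event from the thread (shortened), as the json decoder hands it over.
RAW = ('{"reqId":"rbQ93RGvSQTbv4YMXYLp","level":1,"user":"john","app":"admin_audit",'
       '"method":"GET","message":"File accessed: \\"/myfiles/image.png\\"","@source":"NextCloud"}')
EVENT = {"decoder": "json", "data": json.loads(RAW), "full_log": RAW}


def winning_rule_id(files):
    """Load the files in order and report which rule id the sample event ends on."""
    rules, _ = load_rules(files)
    hit = evaluate(rules, EVENT, [])
    return hit["id"] if hit else None


if __name__ == "__main__":
    trace = []
    rules, _ = load_rules([("local_rules.xml", LOCAL_RULES), ("nextcloud_rules.xml", NEXTCLOUD_RULES)])
    print("winner:", evaluate(rules, EVENT, trace)["id"], *trace, sep="\n")
```

With LOCAL_RULES loaded ahead of NEXTCLOUD_RULES the walk ends on rule 100100 (level 0, so no alert and the 1100xx children are never tried); drop the local file and the same event ends on 110005, as in the -v trace above. The lint findings are the other two checks raised in the thread: IDs outside 100000-120000 (the default file's 88213 would be flagged) and the same ID defined in two files.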