Help with custom decoders Synology


gustavo rodriguez

Feb 14, 2023, 9:02:09 AM2/14/23
to Wazuh mailing list
Good morning, can you help me with a decoder?

I have these logs that I am sending by syslog to wazuh, and I wanted to create this decoder but it doesn't work for me when I restart the wazuh manager.

Logs : Feb 14 09:55:44 NAS-Synology postfix/smtp[17472]: DCCA1125281: to=<frigorific...@hotmail.com.ar>, relay=farmesa-com.mail.protection.outlook.com[104.47.56.110 ]:25, conn_use=5, delay=9.8, delays=0.07/7.5/0.19/2, dsn=2.6.0, status=sent (250 2.6.0 <ADR48000...@farmesa.com> [InternalId=16041702861101, Hostname= RO2PR80MB6309.lamprd80.prod.outlook.com] 614444 bytes in 0.632, 948.331 KB/sec Queued mail for delivery)
Feb 14 09:55:44 NAS-Synology postfix/qmgr[16585]: DCCA1125281: removed


Decoders:
<decoder name="synology-postfix-smtp" format="regex">
  <program_name>synology-smtp</program_name>
  <rule id="synology-postfix-smtp" message="Synology Postfix SMTP log">
    <regex>^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(\S+ \/\S+)\[(\d+)\]:\s(.+)$</regex>
    <location>full_log</location>
    <fields>
      <field name="timestamp" number="1" />
      <field name="hostname" number="2" />
      <field name="process" number="3" />
      <field name="pid" number="4" />
      <field name="message" number="5" />
      <field name="status" number="5" />
    </fields>
  </rule>
</decoder>

Damian Nicastro

Feb 14, 2023, 9:09:31 AM2/14/23
to Wazuh mailing list
Hi Gustavo:
I hope you are fine.
Please, let me know the Wazuh manager version you have so I can create and test the decoders in a similar environment. To get the Wazuh version info, please execute:
For versions older than 4.2.0:
# cat /var/ossec/etc/ossec-init.conf

For 4.2.0 and higher:
# /var/ossec/bin/wazuh-control info

Thanks

gustavo rodriguez

Feb 14, 2023, 9:11:05 AM2/14/23
to Wazuh mailing list
Yes, here I go

WAZUH_VERSION="v4.3.1"
WAZUH_REVISION="40311"
WAZUH_TYPE="server"

gustavo rodriguez

Feb 14, 2023, 11:19:12 AM2/14/23
to Wazuh mailing list
I tried with this decoder:

<decoder name="postfix">
     <prematch>postfix/qmgr[\S+]|postfix/smtp[\S+]|postfix/lmtp[\S+]</prematch>
</decoder>

<decoder name="postfix-1">
     <parent>postfix</parent>
     <regex>(\S+): from=\<(\S+)>, size=(\S+), nrcpt=(\S+)</regex>
     <order>id, from, size, nrcpt</order>
</decoder>

<decoder name="postfix-1">
     <parent>postfix</parent>
     <regex>(\S+): to=\<(\S+)>, relay=(\S+), delay=(\S+), delays=(\S+), dsn=(\S+), status=(\ .+)</regex>
     <order>id, to, relay, delay, delays, dsn, status</order>
</decoder>

<decoder name="postfix-1">
     <parent>postfix</parent>
     <regex offset="after_parent">(\S+): (\S+)</regex>
     <order>id, status</order>
</decoder>


But it brings me another field where it says "status" it is precisely the field that I want to make a rule.

This is the example log:

Feb 14 09:55:44 NAS-Synology postfix/smtp[17524]: 0D000125267: to=<m.de...@fiambresdj.com.ar>, relay=farmesa-com.mail.protection.outlook.com[104.47.57.110 ]:25, conn_use=2, delay=15, delays=0.08/7.8/0.33/6.5, dsn=2.6.0, status=sent (250 2.6.0 <ADR48000...@farmesa.com> [InternalId=24502788433552, Hostname= CP2PR80MB4499.lamprd80.prod.outlook.com] 614065 bytes in 3.432, 174.706 KB/sec Queued mail for delivery)


On Tuesday, February 14, 2023 at 11:09:31 UTC-3, Damian Nicastro wrote:

Damian Nicastro

Feb 15, 2023, 10:46:44 AM2/15/23
to Wazuh mailing list
Hi Gustavo:

I hope you are fine.
Your decoder is not working basically because it is matching a default decoder for "Postfix". Since the default decoders have priority in the analysis, once it finds the match it will stop there.
The solution for this is to copy the default "postfix" decoders XML file into the custom decoders folder and exclude it from the analysis:

# cp -p /var/ossec/ruleset/decoders/0220-postfix_decoders.xml /var/ossec/etc/decoders/custom_postfix_decoders.xml
# vi /var/ossec/etc/ossec.conf
...
<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <decoder_exclude>ruleset/decoders/0220-postfix_decoders.xml</decoder_exclude>
   <<< add this line
... 

Restart the Wazuh-manager to load the config changes:
# systemctl restart wazuh-manager

Add this decoder for the mentioned line in the /var/ossec/etc/decoders/custom_postfix_decoders.xml file:
<decoder name="postfix-id">
  <parent>postfix</parent>
  <!--prematch>^\S+: to=\<\S+>, relay=\S+, </prematch-->
  <regex>(\S+): to=\<(\S+)>, relay=(\.+), conn_use=(\d+), delay=(\d+), delays=(\S+), dsn=(\S+), status=(\w+) \((\d+) (\S+) \<(\S+)> [InternalId=(\d+), Hostname= (\S+)] \d+ \w+ \w+ \S+, (\S+ \S+) (\.+)\)</regex>
  <order>id,to,relay,conn_use,delay,delays,dsn,status,result,dsn2,from,internal_id,host_fqdn,throughput,desc</order>
</decoder>


The result using the logtest tool is the following:
[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

Feb 14 09:55:44 NAS-Synology postfix/smtp[17524]: 0D000125267: to=<m.de...@fxxxxj.com.ar>, relay=fxxxxsa-com.mail.prxxxx.outlook.com[104.47.57.110 ]:25, conn_use=2, delay=15, delays=0.08/7.8/0.33/6.5, dsn=2.6.0, status=sent (250 2.6.0 <ADR48000...@fxxxxxa.com> [InternalId=24502788433552, Hostname= CPXXXXX.laxxxxx.prod.outlook.com] 614065 bytes in 3.432, 174.706 KB/sec Queued mail for delivery)

**Phase 1: Completed pre-decoding.
        full event: 'Feb 14 09:55:44 NAS-Synology postfix/smtp[17524]: 0D000125267: to=<m.de...@fxxxxxj.com.ar>, relay=fxxxxxa-com.mail.protection.outlook.com[104.47.57.110 ]:25, conn_use=2, delay=15, delays=0.08/7.8/0.33/6.5, dsn=2.6.0, status=sent (250 2.6.0 <ADXXXXXX...@fxxxxxa.com> [InternalId=24502788433552, Hostname= CPXXXXX.laxxxxx.prod.outlook.com] 614065 bytes in 3.432, 174.706 KB/sec Queued mail for delivery)'
        timestamp: 'Feb 14 09:55:44'
        hostname: 'NAS-Synology'
        program_name: 'postfix/smtp'

**Phase 2: Completed decoding.
        name: 'postfix'
        conn_use: '2'
        delay: '15'
        delays: '0.08/7.8/0.33/6.5'
        desc: 'Queued mail for delivery'
        dsn: '2.6.0'
        dsn2: '2.6.0'
        from: 'ADXXXX..@fxxxsa.com'
        host_fqdn: 'CPXXXXX.laxxxx.prod.outlook.com'
        id: '0D000125267'
        internal_id: '24502788433552'
        relay: 'fxxxsa-com.mail.prxxxx.outlook.com[104.47.57.110 ]:25'
        result: '250'
        status: 'sent'
        throughput: '174.706 KB/sec'
        to: 'm.de...@fiaxxxxj.com.ar'

**Phase 3: Completed filtering (rules).
        id: '3320'
        level: '0'
        description: 'Grouping of the postfix rules.'
        groups: '['syslog', 'postfix']'
        firedtimes: '1'
        mail: 'False'


In this example, some fields were skipped. You can add these fields or change their name in the <order> tag.

I hope this helps.
Thanks
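As an added example that is not part of the thread or of Wazuh's ruleset: a Python translation of the decoder above, run over constructed log lines of the same shape, so the field mapping from the <order> tag can be checked without a manager. Wazuh's own regex dialect differs (there `\.+` means "any characters"), and the translated delay pattern also accepts fractional values such as the 9.8 in the first post; the qmgr "removed" form is handled as a second child decoder.

```python
import re

# Constructed sample lines modelled on the postfix/smtp and postfix/qmgr
# entries in the thread; addresses and hosts are placeholders.
SAMPLE_LOGS = [
    "Feb 14 09:55:44 NAS-Synology postfix/smtp[17524]: 0D000125267: "
    "to=<user@example.com.ar>, relay=mx.example.com[203.0.113.10 ]:25, "
    "conn_use=2, delay=15, delays=0.08/7.8/0.33/6.5, dsn=2.6.0, "
    "status=sent (250 2.6.0 <msg@example.com> [InternalId=24502788433552, "
    "Hostname= host.example.com] 614065 bytes in 3.432, 174.706 KB/sec "
    "Queued mail for delivery)",
    "Feb 14 09:55:44 NAS-Synology postfix/qmgr[16585]: DCCA1125281: removed",
]

# Syslog header: the fields wazuh-logtest reports in phase 1 (pre-decoding).
HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Group names follow the <order> tag of the decoder in the thread. This is a
# PCRE translation (Wazuh's \.+ means "any characters"); delay also accepts
# fractional seconds such as the 9.8 in the first log of the thread.
SMTP_SENT = re.compile(
    r"^(?P<id>\S+): to=<(?P<to>\S+)>, relay=(?P<relay>.+?), "
    r"conn_use=(?P<conn_use>\d+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>\S+), dsn=(?P<dsn>\S+), status=(?P<status>\w+) "
    r"\((?P<result>\d+) (?P<dsn2>\S+) <(?P<from>\S+)> "
    r"\[InternalId=(?P<internal_id>\d+), Hostname= (?P<host_fqdn>\S+)\] "
    r"\d+ \w+ \w+ \S+, (?P<throughput>\S+ \S+) (?P<desc>.+)\)$"
)

# The "<id>: removed" form written by postfix/qmgr.
QMGR = re.compile(r"^(?P<id>\S+): (?P<status>\w+)$")


def decode(line):
    """Decoded fields of one postfix syslog line, or None if no decoder matches."""
    head = HEADER.match(line)
    if not head or not head.group("program_name").startswith("postfix"):
        return None  # parent decoder (program_name ^postfix) does not match
    fields = head.groupdict()
    msg = fields.pop("msg")
    for name, pattern in (("postfix-id", SMTP_SENT), ("postfix-qmgr", QMGR)):
        body = pattern.match(msg)
        if body:
            fields["decoder"] = name
            fields.update(body.groupdict())
            return fields
    return None
```

Running `decode` over each entry of SAMPLE_LOGS yields the same keys as the phase 2 output above, plus the header fields from phase 1.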