Import CSV file to wazuh

[Ayoub MM]

Hello all,

Thank for your support.

I have a csv file of logs i would like to import this csv file in wazuh to visualise and crete dashboard with this date

If anyone here can help me to how we can do that ?

Thanks in advance for your support:

Regards

[elw...@wazuh.com]

Hello Ayoub,

You can configure the Wazuh agent to read your CSV file while adding a predefined header for the decoder prematch to function correctly. An example would be the following:

Configuration:

<localfile> <log_format>syslog</log_format> <location>/var/log/data.csv</location> <target>agent</target> <out_format>CSVData : $(log)</out_format> </localfile>
Decoder:

Assuming that the fields are separated with `,`  and you have 4 fields:

<decoder name="csv-decoder"> <prematch>^CSVData : </prematch> </decoder>

<decoder name="csv-decoder-fields">
  <parent>csv-decoder</parent>
  <regex offset="after_parent">(\.*),(\.*),(\.*),(\.*)$</regex>
  <order>field1, field2, field3, field4</order>
</decoder>

Rule:

<rule id="120500" level="3"> <decoded_as>csv-decoder</decoded_as> <description>CSV grouping.</description> </rule>

I hope it helps.

Regards,
Wali

[Ayoub MM]

Hello elwali ,

Thank you for your detailed response, I apprcaite your Help and support.

Regards.

[elw...@wazuh.com]

You're welcome and do not hesitate to open new threads if you have any further questions.

Regards,

[Ayoub MM]

hello Elwali ,

Hope you're doing well.

Please i try this configuration in an linux agent deont work i need to change something in case of linux egent ?

Thanks in advance for your help.

[Ayoub MM]

@elw...@wazuh.com 

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/356bf237-4912-4148-8d1c-119a90281137n%40googlegroups.com.

[Dmitry Mikheev]

Tell me please

1. <prematch>^CSVData : </prematch> does the agent add this information to the beginning of the line?
How to enable it?

I just have this format in my log file:

Time,Event,Action,Source,Target,Protocol,Rule/worm name,Application path,Application,Hash,User,Signer,Package name,Service

11.7.2024 11.00.52,Security vulnerability exploitation attempt,Blocked,159.65.94.104:39010,192.168.8.183:443,TCP,EsetIpBlacklist.B,System,System,,,,,

11.7.2024 11.39.14,Security vulnerability exploitation attempt,Blocked,45.148.10.251:32798,192.168.8.183:80,TCP,EsetIpBlacklist.B,System,System,,,,,

2. in the agent log I see events that coincide in time with my change in the csv file

2024/07/23 08:47:25 wazuh-agent[17544] logcollector.c:504 at LogCollectorStart(): DEBUG: Performing file check.

2024/07/23 08:47:29 wazuh-agent[17544] notify.c:129 at run_notify(): DEBUG: Sending agent notification.

2024/07/23 08:47:39 wazuh-agent[17544] notify.c:129 at run_notify(): DEBUG: Sending agent notification.

2024/07/23 08:47:49 wazuh-agent[17544] notify.c:129 at run_notify(): DEBUG: Sending agent notification.

and nothing comes to archives.log at this time, although <logall>yes</logall> is enabled.

Is it possible to see what the agent is sending?