Log4shell detection guide produces XMLERR
35 views
Skip to first unread message
nbent...@gmail.com
Jan 10, 2022, 10:02:43 AM1/10/22
to Wazuh mailing list
Hi,
I've been attempting to implement the log4shell guide (https://wazuh.com/blog/detecting-log4shell-with-wazuh/) on/off for about 2 weeks now without any success. The error message is:
2022/01/10 09:55:01 wazuh-analysisd: ERROR: (1227): Error applying XML variables 'etc/rules/local_rules.xml': XMLERR: Unknown variable: '\{\S*\w\}\S*)+'..
2022/01/10 09:55:01 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.
2022/01/10 09:55:01 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.
A few others have posted similar issues with no update/reply so I'm bubbling this up hoping someone can point out the obvious mistake or work to resolve the issue.
Miguel Casares
Jan 10, 2022, 10:05:56 AM1/10/22
to Wazuh mailing list
Hello,
That blog is using pcre variables to parse the logs: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/pcre2.html
This was introduced in Wazuh version 4.1.0. Would it be possible you are running a lower version of Wazuh? If so, those variables are incompatible. I would recommend upgrading to the latest version in that case: https://documentation.wazuh.com/current/upgrade-guide/
I hope that helps. Let me know if you need anything else.
Regards,
Miguel Casares
nbent...@gmail.com
Jan 10, 2022, 5:57:33 PM1/10/22
to Wazuh mailing list
Thanks Miguel,
On a hunch I upgraded to 4.2.5 but I am getting the same error.
evidence of the upgrade:
[bin]# ./wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line
Starting wazuh-logtest v4.2.5
Type one log per line
Reply all
Reply to author
Forward
0 new messages