NGINX PROXY MANAGER DECODER
197 views
Skip to first unread message
Jan Jimwell Panganiban
Oct 2, 2024, 3:10:21 AM10/2/24
to Wazuh | Mailing List
Good Day
Thank You in advance if there is custom decoder
Is there anyone able to decode the NGINX PROXY MANAGER log
this is the log format
[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
this is the sample logs
[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
this is the sample logs
[23/Sep/2024:17:54:30 +0000] - 200 200 - GET https example.com "/home" [Client 192.168.99.10] [Length 8711] [Gzip -] [Sent-to 192.168.100.15] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.6.25" "https://example.com"
Thank You in advance if there is custom decoder
hasitha.u...@wazuh.com
Oct 2, 2024, 4:31:25 AM10/2/24
to Wazuh | Mailing List
Hello Jan,
It seems that when you test this rule, it's picking a default decoder. To fix this, you need to exclude the default decoder first and then create a custom one. Here are the steps:
By default, it's using the Zeus decoder and rules. You can exclude those by adding the following lines to the <ruleset> block in your ossec.conf:
<ruleset>
<decoder_exclude>ruleset/decoders/0390-zeus_decoders.xml</decoder_exclude>
<rule_exclude>ruleset/rules/0255-zeus_rules.xml</rule_exclude>
</ruleset>
After adding this, restart the Wazuh Manager:
systemctl restart wazuh-manager
Test your decoder using
wazuh-logtest:
/var/ossec/bin/wazuh-logtest
You can paste your log here to see if it matches any decoder or rule.
I have created a custom decoder for you. You can add this to the /var/ossec/etc/decoders/local_decoders.xml file, or you can create a new XML file in the /var/ossec/etc/decoders directory:
<decoder name="custom-web-access">
<prematch>[\.+]\.+</prematch>
</decoder>
<decoder name="custom-web-access1">
<parent>custom-web-access</parent>
<regex>[(\.+)]\s-\s\d+\s\d+\s-\s(\w+)\s\S+\s(\S+.\S+)\s"(\.+)"\s[\S+\s(\d+.\d+.\d+.\d+)]\s[\S+\s(\d+)]\s[\.+]\s[\.+\s(\d+.\d+.\d+.\d+)]\s"(\.+)"\s"(\.+)"</regex>
<order>logTime,Method,domain,ResourcePath,ClientIP,ResponseLength,DestinationIP,UserAgent,Referrer</order>
</decoder>
For more details on creating custom decoders, check these guides:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#custom-decoders
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Let me know if this helps!
It seems that when you test this rule, it's picking a default decoder. To fix this, you need to exclude the default decoder first and then create a custom one. Here are the steps:
By default, it's using the Zeus decoder and rules. You can exclude those by adding the following lines to the <ruleset> block in your ossec.conf:
<ruleset>
<decoder_exclude>ruleset/decoders/0390-zeus_decoders.xml</decoder_exclude>
<rule_exclude>ruleset/rules/0255-zeus_rules.xml</rule_exclude>
</ruleset>
After adding this, restart the Wazuh Manager:
systemctl restart wazuh-manager
Test your decoder using
wazuh-logtest:
/var/ossec/bin/wazuh-logtest
You can paste your log here to see if it matches any decoder or rule.
I have created a custom decoder for you. You can add this to the /var/ossec/etc/decoders/local_decoders.xml file, or you can create a new XML file in the /var/ossec/etc/decoders directory:
<decoder name="custom-web-access">
<prematch>[\.+]\.+</prematch>
</decoder>
<decoder name="custom-web-access1">
<parent>custom-web-access</parent>
<regex>[(\.+)]\s-\s\d+\s\d+\s-\s(\w+)\s\S+\s(\S+.\S+)\s"(\.+)"\s[\S+\s(\d+.\d+.\d+.\d+)]\s[\S+\s(\d+)]\s[\.+]\s[\.+\s(\d+.\d+.\d+.\d+)]\s"(\.+)"\s"(\.+)"</regex>
<order>logTime,Method,domain,ResourcePath,ClientIP,ResponseLength,DestinationIP,UserAgent,Referrer</order>
</decoder>
For more details on creating custom decoders, check these guides:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#custom-decoders
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
Let me know if this helps!
Reply all
Reply to author
Forward
0 new messages