Custom Rules not working

[Sundas Latif]

Wazuh Team,

I am facing trouble in alerts of custom rules. I have installed sysmon for Linux in the machine(of which alerts  I am analyzing), and added decoder and rules files from wazuh manager web interface. Decoder test and ruletest both fail in WUI, whereas testing of the decoder in working from CLI of wazuh manager machine. Can you please assist why I am not getting alerts, I am able to see sysmon logs in my host machine in Syslog folder.

Please find screenshots for reference.

[Francis Timilehin Jeremiah]

Hello, 
I will recommend doing your tests mostly from the CLI, sometimes tests from the WUI can behave in unexpected ways. 

Can you confirm that the logs are being processed on the Wazuh manager? 

1. Set logall_json to "yes" in the manager ossec.conf.  

2. Restart manager

3. tail -f /var/ossec/logs/archives/archives.json | grep sysmon

If you can see Sysmon logs, that's great. Pick a desired log and do decoder testing to be sure the decoders work. Then write your rules, try using a moderate rule level(above 3). By default rules have to be above level 3 to be generated on the WUI, you can confirm the rule level in your manager ossec.conf. 
If you've confirmed that everything is in check and alerts are still not being generated. Paste a screenshot of logtest test result here and the text form of the rule.

[Sundas Latif]

Hi Francis,

Thanks for your response.

1. I have set logall_json to "yes" in the manager ossec.conf. 

2. I am not able to see sysmon logs in wazuh manager, whereas events are being logged(/var/log/syslog) in the machine on which agent is installed.

Regarding CLI-based testing, in CLI decoder is working fine.

Why sysmon logs are not received in manager while I have configurations for Syslog in ossec.conf?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/68ac64d9-4dc2-4f7b-a083-c98cc1d064c2n%40googlegroups.com.

[Sundas Latif]

Moreover,  I guess there is issue with Wazuh API, when  I restart wazuh manager from WUI after saving rules, I get below error;

However if I navigate to API section in Wazuh WUI, it shows normal status.

[Francis Timilehin Jeremiah]

From your screenshot I see you are checking archives.log instead archives.json. Please confirm that  logall_json is set to "yes". Restart manager.

Then do   tail -f /var/ossec/logs/archives/archives.json | grep sysmon

For the second issue, after restarting and getting the API error. Since when you check you see the API status as online, just try browsing normally to the agent tab. 

[Sundas Latif]

Processed on the manager. Please find below.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/97617964-a397-405a-bf67-9aebe3c77d30n%40googlegroups.com.

[Francis Timilehin Jeremiah]

Awesome! Sorry for my late reply. You can go on to writing the rules now. If you need further help, please write to me. 

[Sundas Latif]

Hi Francis, 

Thanks for your response. 

Working now, I created decoders and rules in "/var/ossec/ruleset/decoders" and "/var/ossec/ruleset/rules"  and now decoders and rules are working without any change. Earlier I was creating rules inside /var/ossec/etc/decoders and /var/ossec/etc/rules.

You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/OAJVhLhlSSQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3520b9b0-3c26-4616-9377-8038e9308cd8n%40googlegroups.com.

[Francis Timilehin Jeremiah]

Great!