ESET Protect syslog on Wazuh


Julian Tang, Apr 3, 2024, 6:30:21 AM, to Wazuh | Mailing List
I'm using the on-prem version of ESET Protect and have enabled syslog. Using the command "tcpdump -i any udp port 514 -AA" on Wazuh I can see the logs coming in, but I'm unable to capture the data in Wazuh.


Marcos Darío Buslaiman, Apr 3, 2024, 10:28:34 AM, to Wazuh | Mailing List
Hi Julian,
Thanks for using Wazuh!

We have two options for sending logs to Wazuh. One is using an agent with rsyslog: rsyslog on that agent receives the logs and the Wazuh agent sends them to the Wazuh Manager; you can check this document about this procedure.

The other option is sending the logs directly to the Wazuh Manager from your device, as described in this document:
  1. Add the following configuration in between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:

    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>192.168.2.15/24</allowed-ips>
      <local_ip>192.168.2.10</local_ip>
    </remote>

    Where:

    • <connection> specifies the type of connection to accept. This value can either be secure or syslog.

    • <port> is the port used to listen for incoming syslog messages from endpoints. We use port 514 in the example above.

    • <protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.

    • <allowed-ips> is the IP address or network range of the endpoints forwarding events to the Wazuh server. In the example above, we use 192.168.2.15/24.

    • <local_ip> is the IP address of the Wazuh server listening for incoming log messages. In the example above, we use 192.168.2.10.

    Refer to remote - local configuration documentation for more information on remote syslog options.

  2. Restart the Wazuh manager to apply the changes:

    # systemctl restart wazuh-manager

The allowed-ips label is mandatory. The configuration will not take effect without it.

If you have a central logging server like Syslog or Logstash in place, you can install the Wazuh agent on that server to streamline log collection. This setup enables seamless forwarding of logs from multiple sources to the Wazuh server, facilitating comprehensive analysis.


As you verified with tcpdump, the events seem to be reaching the Wazuh Manager, but you need to take into account that if the events don't match any rules, you don't get any alerts.
To verify this, I recommend you enable archives.json to determine if the logs need custom rules and decoders to generate an alert.
To enable archives, you need to set the following parameter in ossec.conf on the Wazuh Manager: <logall_json>yes</logall_json>
Then restart the Wazuh Manager.
After that, you can check the file /var/ossec/logs/archives/archives.json to see if you have the events from your device.

Ref. Doc. https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html


Please let me know about any doubts.

Marcos

Julian Tang, Apr 7, 2024, 10:25:30 PM, to Wazuh | Mailing List

Thanks a lot, Marcos.

I did what you suggested, turned on "archives.json" and got this message. I also gave "wazuh-logtest" a shot to see what's up, and here's what I found. If I'm messing something up, please give me a heads-up.


[root@wazuh-server ~]# cat /var/ossec/logs/archives/archives.json  | grep 'Authenticating native user'
{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}



[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.3
Type one log per line

{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}

**Phase 1: Completed pre-decoding.
        full event: '{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}'

**Phase 2: Completed decoding.
        name: 'json'
        agent.id: '000'
        agent.name: 'wazuh-server'
        full_log: '1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'abc'.","user":"","result":"Access denied"}'
        id: '1712538952.144165043'
        location: '192.168.10.12'
        manager.name: 'wazuh-server'
        rule.description: 'Unknown problem somewhere in the system.'
        rule.firedtimes: '1'
        rule.gpg13: '['4.3']'
        rule.groups: '['syslog', 'errors']'
        rule.id: '1002'
        rule.level: '2'
        rule.mail: 'false'
        timestamp: '2024-04-08T09:15:52.374+0800'

**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '1'
        gpg13: '['4.3']'
        mail: 'False'



Marcos Darío Buslaiman, Apr 8, 2024, 10:47:12 AM, to Wazuh | Mailing List
Hi Julian,
What you did is correct; enabling the archives.json lets you see all the events from your device.
With the log test tool, you have checked that it does not match our stock rules, so you must create a custom rule according to your criteria.
This document will help you to create custom decoders and rules:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I created the following decoder and rule to give you an example:

eset_custom_decoder:
<decoder name="ESET">
  <prematch> ESETSRV ERAServer </prematch>
</decoder>

<decoder name="ESET-child">
  <parent>ESET</parent>
  <!-- RFC 5424 header: version, timestamp, then "ERAServer <pid>" is captured as hostname -->
  <regex>\d (\d+-\d+-\.+:\d+:\d+.\.+) ESETSRV (\.+ \.+) - - </regex>
  <order>timestamp,hostname</order>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <!-- Full JSON payload; the closing quote after the source_uuid capture keeps it out of the value -->
  <regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+)","occured":"(\.+)","severity":"(\.+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+).","user":"(\.*)","result":"(\.+)"}</regex>
  <order>eset_event_type,eset_ipv4,eset_hostname,eset_source_uuid,eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <!-- Fallback for payloads without the leading fields; note it requires a non-empty user -->
  <regex>"occured":"(\.+)","severity":"(\w+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.+)","result":"(\.+)"}</regex>
  <order>eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>


eset_custom_rule:
<group name="local,syslog,eset_custom,">
  <rule id="100001" level="5">
          <decoded_as>ESET</decoded_as>
          <field name="eset_severity">Error</field>
    <description>ESET syslog $(eset_domain), $(eset_action) -  $(eset_detail)</description>
  </rule>
</group>

Here is my test using the Wazuh Logtest tool:
wazuh-testrule: Type one log per line.


1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'abc'.","user":"","result":"Access denied"}


**Phase 1: Completed pre-decoding.
       full event: '1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'abc'.","user":"","result":"Access denied"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'abc'.","user":"","result":"Access denied"}'

**Phase 2: Completed decoding.
       decoder: 'ESET'
       timestamp: '2024-04-08T01:15:52.373Z'
       hostname: 'ERAServer 3348'
       eset_event_type: 'Audit_Event'
       eset_ipv4: '192.168.10.12'
       eset_hostname: 'ESETSRV'
       eset_source_uuid: '89dbe6b0-a42f-45bc-bdae-36709f45c656"'
       eset_occured: '08-Apr-2024 01:15:52'
       eset_severity: 'Error'
       eset_domain: 'Native user'
       eset_action: 'Login attempt'
       eset_detail: 'Authenticating native user 'abc''
       eset_user: ''
       eset_result: 'Access denied'


**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '5'
       Description: 'ESET syslog Native user, Login attempt -  Authenticating native user 'abc''
**Alert to be generated.

Please let me know of any doubts or questions.

Julian Tang, Apr 9, 2024, 1:16:32 AM, to Wazuh | Mailing List
Thank you, Marcos. I'm still encountering issues during testing. Here are the test results. What settings should I check?


[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest-legacy
2024/04/09 13:15:13 wazuh-testrule: INFO: Started (pid: 7885).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead


wazuh-testrule: Type one log per line.

{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}


**Phase 1: Completed pre-decoding.
       full event: '{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: '{"timestamp":"2024-04-08T09:15:52.374+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712538952.144165043","full_log":"1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"ESETSRV\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"08-Apr-2024 01:15:52\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'abc'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}'

**Phase 2: Completed decoding.
       decoder: 'json'
       timestamp: '2024-04-08T09:15:52.374+0800'
       rule.level: '2'

       rule.description: 'Unknown problem somewhere in the system.'
       rule.id: '1002'
       rule.firedtimes: '1'
       rule.mail: 'false'
       rule.groups: '["syslog", "errors"]'
       rule.gpg13: '["4.3"]'
       agent.id: '000'
       agent.name: 'wazuh-server'
       manager.name: 'wazuh-server'
       id: '1712538952.144165043'
       full_log: '1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'abc'.","user":"","result":"Access denied"}'
       location: '192.168.10.12'


**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'


Julian Tang, Apr 9, 2024, 4:46:05 AM, to Wazuh | Mailing List

Thank you, Marcos,

I think I need to clarify the entire process first, as I'm a bit confused about some parts. Sorry, I'm a newcomer.

The log I found in archives.json is this:

{"timestamp":"2024-04-09T09:38:09.692+0800","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":1,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1712626689.38390761","full_log":"1 2024-04-09T01:38:09.691Z TPE10VESET ERAServer 3348 - - {\"event_type\":\"Audit_Event\",\"ipv4\":\"192.168.10.12\",\"hostname\":\"TPE10VESET\",\"source_uuid\":\"89dbe6b0-a42f-45bc-bdae-36709f45c656\",\"occured\":\"09-Apr-2024 01:38:09\",\"severity\":\"Error\",\"domain\":\"Native user\",\"action\":\"Login attempt\",\"detail\":\"Authenticating native user 'rrr'.\",\"user\":\"\",\"result\":\"Access denied\"}","decoder":{},"location":"192.168.10.12"}

But when I run the decoder, it looks like it starts from "full_log" for the entire regex expression?

<decoder name="ESET">
  <program_name>ERAServer</program_name>
  <prematch> TPE10VESET ERAServer </prematch>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>\d (\d+-\d+-\d+.\d+\d+:\d+:\d+.\d+.) TPE10VESET ERAServer \d+.-.- </regex>
  <order>timestamp,hostname</order>
</decoder>

Marcos Darío Buslaiman, Apr 9, 2024, 2:44:24 PM, to Wazuh | Mailing List
Hi Julian,
You must use the full_log field to create the decoder and rule.
Using your log line with the decoders and rule that I shared with you, the test alert is triggered (take into account that you need to remove the \).
Let me know if you have any questions.

Regards!
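As an added example (not Wazuh's code and not from this thread) that ties the decoder and rule Marcos shared above to his point about testing against the full_log field: this Python script unwraps an archives.json record to its full_log, splits the RFC 5424 header that ESET Protect emits, parses the JSON payload into eset_* fields and applies the same condition as rule 100001, so the fields a decoder should produce can be checked offline before the XML goes onto the manager. The sample records are constructed from the line quoted in the thread; HEADER_RE, unwrap, decode and evaluate are this example's own names, not Wazuh APIs.

```python
import json
import re
from typing import Optional

# RFC 5424 header as ESET Protect emits it, then the JSON payload:
# "<version> <timestamp> <hostname> ERAServer <pid> - - {...}"
HEADER_RE = re.compile(
    r"^(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"ERAServer (?P<pid>\d+) - - (?P<payload>\{.*\})$"
)

# Constructed sample, mirroring the syslog line quoted in the thread.
SAMPLE_RAW = (
    '1 2024-04-08T01:15:52.373Z ESETSRV ERAServer 3348 - - '
    '{"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"ESETSRV",'
    '"source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656",'
    '"occured":"08-Apr-2024 01:15:52","severity":"Error","domain":"Native user",'
    '"action":"Login attempt","detail":"Authenticating native user \'abc\'.",'
    '"user":"","result":"Access denied"}'
)
# The same event as the manager writes it to archives.json: the raw line sits in
# full_log with its quotes backslash-escaped (the "\" that must be removed before
# pasting the line into wazuh-logtest).
SAMPLE_ARCHIVE = json.dumps({
    "rule": {"id": "1002", "level": 2},
    "full_log": SAMPLE_RAW,
    "decoder": {},
    "location": "192.168.10.12",
})

def unwrap(line: str) -> str:
    """Return the raw syslog line; if given an archives.json record instead,
    pull the original event out of its full_log field."""
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            rec = json.loads(stripped)
        except json.JSONDecodeError:
            return stripped
        if isinstance(rec, dict) and isinstance(rec.get("full_log"), str):
            return rec["full_log"]
    return stripped

def decode(line: str) -> Optional[dict]:
    """Mimic the decoder chain: header fields plus one eset_* field per JSON key."""
    m = HEADER_RE.match(unwrap(line))
    if not m:
        return None  # prematch failed: not an ESET Protect line
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    fields = {"timestamp": m.group("timestamp"), "hostname": m.group("hostname")}
    fields.update({f"eset_{k}": str(v) for k, v in payload.items()})
    return fields

def evaluate(line: str) -> Optional[dict]:
    """Apply the thread's custom rule: level 5 alert when eset_severity is Error."""
    f = decode(line)
    if f is None or f.get("eset_severity") != "Error":
        return None
    desc = f"ESET syslog {f['eset_domain']}, {f['eset_action']} -  {f['eset_detail']}"
    return {"rule_id": 100001, "level": 5, "description": desc, "fields": f}
```

Feeding the archives.json wrapper and the raw line yields the same fields, which is exactly why wazuh-logtest must be given the full_log content rather than the whole record.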

Julian Tang, Apr 10, 2024, 5:30:48 AM, to Wazuh | Mailing List
Thank you, Marcos. I'm still encountering issues. Here are my current test results and the XML configuration.
Please forgive my stupidity.


[root@wazuh-server ruleset]# /var/ossec/bin/wazuh-logtest

Starting wazuh-logtest v4.7.3
Type one log per line

1 2024-04-10T04:53:16.322Z TPE10VESET ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"TPE10VESET","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"10-Apr-2024 04:53:16","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'rrrrrr'.","user":"","result":"Access denied"}

**Phase 1: Completed pre-decoding.
        full event: '1 2024-04-10T04:53:16.322Z TPE10VESET ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.10.12","hostname":"TPE10VESET","source_uuid":"89dbe6b0-a42f-45bc-bdae-36709f45c656","occured":"10-Apr-2024 04:53:16","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'rrrrrr'.","user":"","result":"Access denied"}'

**Phase 2: Completed decoding.
        name: 'ESET'


**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '2'
        gpg13: '['4.3']'
        mail: 'False'


[root@wazuh-server ruleset]# cat decoders/eset_custom_decoder.xml
<decoder name="ESET">
  <prematch> TPE10VESET ERAServer </prematch>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>\d (\d+-\d+-\d+.\d+\d+:\d+:\d+.\d+.) (\w.*) ERAServer \d+.-.- </regex>
  <order>timestamp,hostname</order>
</decoder>

<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>{"event_type":"(\w+)","ipv4":"(\d+\.\d+\.\d+\.\d+)","hostname":"(\w+)","source_uuid":"(\w+-\w+-\w+-\w+-\w+)","occured":"(\d+-\D+-\d+ \d+:\d+:\d+)","severity":"(\w+)","domain":"(\w.*)","action":"(\w.*)","detail":"(\w.*)","user":"(.*)","result":"(\w.*)"}</regex>
  <order>eset_event_type,eset_ipv4,eset_hostname,eset_source_uuid,eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>"occured":"(\.+)","severity":"(\w+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.+)","result":"(\.+)"}</regex>
  <order>eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>{"event_type":"(\w+)","ipv4":"([^"]+)","hostname":"([^"]+)","source_uuid":"([^"]+)","occured":"([^"]+)","severity":"([^"]+)","domain":"([^"]+)","action":"([^"]+)","detail":"([^"]+)","user":"([^"]*)","result":"([^"]+)"}</regex>
  <order>eset_event_type,eset_ipv4,eset_hostname,eset_source_uuid,eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>

[root@wazuh-server ossec]# cat /var/ossec/ruleset/rules/eset_custom_rule.xml
<group name="local,syslog,eset_custom,">
  <rule id="100002" level="5">
          <decoded_as>ESET</decoded_as>
          <field name="eset_severity">Error</field>
    <description>ESET syslog $(eset_domain), $(eset_action) -  $(eset_detail)</description>
  </rule>
</group>



Julian Tang, Apr 10, 2024, 9:53:03 PM, to Wazuh | Mailing List
Thank you, Marcos. It appears that I have succeeded, I greatly appreciate your assistance.