Wazuh parsing JSON sent via wodle command


Viktor Sokhan

Mar 26, 2024, 6:34:03 AM3/26/24
to Wazuh | Mailing List
Hello everyone, I ask you to help me deal with the following problem. I have a wodle that, using Python, takes the log I need from OpenSearch and sends it to the queue socket. The message to be sent looks like this:
1:Teleport_OS_query:{'addr.remote': '10.20.10.28:59948', 'caller': 'events/emitter.go:278', 'cluster_name': 'test', 'code': 'T3009I', 'component': 'audit', 'ei': 0, 'event': 'kube.request', 'kubernetes_cluster': 'test', 'kubernetes_groups': ['test-admins', 'system:authenticated'], 'kubernetes_labels': {'teleport.internal/resource-id': 'bf1b3e37', 'teleport_cluster_name': 'test'}, 'kubernetes_users': ['teleport-admins'], 'level': 'info', 'login': 'admin@test', 'message': 'kube.request', 'namespace': 'default', 'proto': 'kube', 'request_path': '/version', 'response_code': 200, 'server_id': '266f08f8', 'sid': '', 'time': '2024-03-26T07:23:34.346Z', 'timestamp': '2024-03-26T07:23:34Z', 'uid': '16c5d6e0', 'user': 'admin@test', 'user_kind': 1, 'verb': 'GET'}

The script runs successfully even if you add the following rule:
 <rule id="100322" level="0">
    <location>Teleport_OS_query</location>
    <decoded_as>json</decoded_as>
    <description>Teleport audit logs</description>
 </rule>

Then I see alerts and everything looks good. But I would like to add rules to filter out unnecessary alerts. For example, I tried the following rule, which does not work:
 <rule id="100323" level="3">
    <if_sid>100322</if_sid>
    <decoded_as>json</decoded_as>
    <field name="event" type="pcre2">kube.request</field>
    <field name="resource_kind">\.+</field>
    <description>Teleport: User $(login) made a request $(verb) to the $(namespace) for the $(resource_kind) in cluster $(kubernetes_cluster) </description>
 </rule>
I understand that, with a high degree of probability, the problem is that the initial log does not come in JSON format, so Wazuh does not understand what format it is and accordingly cannot get the fields from the log. However, I don't understand how to tell Wazuh to treat this log as valid JSON. Please help me figure it out. Thank you in advance.

Pablo D

Mar 27, 2024, 7:26:41 AM3/27/24
to Wazuh | Mailing List
Hi Viktor
Thanks for using Wazuh!
Regarding your concerns, I think you could change the decoder and rules a little to parse and extract the fields accordingly. There is no need to use the json decoder because, at least, the sample is not formatted as JSON.

I've built some decoders to start extracting the required fields:

<decoder name="Teleport_OS_query">
  <prematch>^\d*:Teleport_OS_query</prematch>
</decoder>

<decoder name="Teleport_OS_query">
  <parent>Teleport_OS_query</parent>
  <regex>addr.remote': '(\d+.\d+.\d+.\d+):</regex>
  <order>TeleportAddrRemote</order>
</decoder>


You could repeat the 2nd decoder and change regex/order to match additional fields.
For example, if you also want to extract the event field, you could add the following decoder block just below the previous one:

<decoder name="Teleport_OS_query">
  <parent>Teleport_OS_query</parent>
  <regex>'event': '(\.*)'</regex>
  <order>TeleportEvent</order>
</decoder>


Now you have the decoders in place, you can easily make rules to use the extracted values as filters/conditions to define when to trigger alerts.
Here are some rules examples:

<group name="Teleport,">

    <rule id="100322" level="0">
        <decoded_as>Teleport_OS_query</decoded_as>
        <description>Generic Teleport OS Query event. While Level=0 this will not trigger any alert</description>
    </rule>


    <rule id="100323" level="3">
        <if_sid>100322</if_sid>
        <field name="TeleportEvent">^kube.request$</field>
        <description>Teleport Event Type: $(TeleportEvent) from $(TeleportAddrRemote)</description>
    </rule>

</group>


In the above examples, rule id 100322 is defined to catch all events decoded by the Teleport_OS_query decoder. No alert should be triggered.
The second rule, id 100323, checks that the message is a generic Teleport_OS_query one and that the field TeleportEvent = kube.request; if so, it will trigger a level 3 alert with the message defined in the description.

You could by now change and add more decoders and rules as required.
Hope this helps,

[Wazuh] PabloD
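The reason the json decoder never fires on the message quoted in the first post is that the payload is Python's str()/repr() of a dict (single-quoted keys and values), not JSON. The following is an added example, not code from this thread or from Wazuh, showing how a wodle can build the queue-socket message (queue id, location, payload separated by colons, as in the thread) with a real JSON payload, and a check that only the JSON form yields fields. The sample event is a trimmed copy of the Teleport record posted above and is constructed here; the socket path is the Wazuh 4.x default for the analysisd queue socket, an assumption to adjust for your install.

```python
import json
import socket
from typing import Any, Dict, Tuple

# Queue ID 1 and the location string used in the thread; the payload follows the
# second colon. The socket path is the Wazuh 4.x default for the analysisd queue
# socket (assumption: adjust if your manager uses another install prefix).
QUEUE_ID = "1"
LOCATION = "Teleport_OS_query"
QUEUE_SOCKET = "/var/ossec/queue/sockets/queue"

# Constructed sample event: a trimmed copy of the Teleport kube.request audit
# record quoted in the thread (values come from that post, not from live data).
SAMPLE_EVENT: Dict[str, Any] = {
    "addr.remote": "10.20.10.28:59948",
    "cluster_name": "test",
    "code": "T3009I",
    "event": "kube.request",
    "kubernetes_cluster": "test",
    "kubernetes_groups": ["test-admins", "system:authenticated"],
    "kubernetes_labels": {"teleport_cluster_name": "test"},
    "login": "admin@test",
    "namespace": "default",
    "request_path": "/version",
    "response_code": 200,
    "verb": "GET",
}


def build_message(event: Dict[str, Any], as_json: bool = True,
                  location: str = LOCATION) -> str:
    """Build the '<queue_id>:<location>:<payload>' message for the queue socket.

    as_json=True serialises with json.dumps, which is what a JSON decoder
    expects; as_json=False reproduces the problem in the thread: str(dict)
    yields Python repr with single quotes, which is not JSON.
    """
    payload = json.dumps(event, separators=(",", ":")) if as_json else str(event)
    return f"{QUEUE_ID}:{location}:{payload}"


def split_message(msg: str) -> Tuple[str, str, str]:
    """Split a queue message into (queue_id, location, payload)."""
    queue_id, location, payload = msg.split(":", 2)
    return queue_id, location, payload


def decode_json_payload(payload: str) -> Dict[str, Any]:
    """Return the parsed object, or {} when the payload is not valid JSON.

    An empty result is what the failing rule in the thread effectively saw:
    no decoded fields, so a <field name="event"> condition could never match.
    """
    try:
        obj = json.loads(payload)
    except ValueError:
        return {}
    return obj if isinstance(obj, dict) else {}


def send_to_queue(msg: str, path: str = QUEUE_SOCKET) -> None:
    """Deliver one message to the analysisd Unix datagram socket (runs on the manager)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(msg.encode("utf-8"))


if __name__ == "__main__":
    # Compare what a JSON decoder can extract from the repr form vs. the JSON form.
    for as_json in (False, True):
        msg = build_message(SAMPLE_EVENT, as_json=as_json)
        _, _, payload = split_message(msg)
        fields = decode_json_payload(payload)
        print(f"as_json={as_json}: decoded fields = {sorted(fields)}")
```

Once the payload is real JSON, Wazuh's stock json decoder (whose prematch requires the log to start with `{` and a double-quoted key) applies, so the rule shape from the first post, `<decoded_as>json</decoded_as>` plus `<field name="event">`, becomes viable without per-field regex decoders; nested keys are exposed as dotted names such as `kubernetes_labels.teleport_cluster_name`. To check before touching the socket, paste only the payload (not the `1:Teleport_OS_query:` prefix, which analysisd strips) into `/var/ossec/bin/wazuh-logtest` and confirm the decoded fields appear.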

Viktor Sokhan

Mar 28, 2024, 2:34:53 PM3/28/24
to Wazuh | Mailing List
Thank you very much for your help. Following your tips I managed to get an alert, but I still have one question. I described the message that I transfer to Wazuh slightly incorrectly: the full log looks like full-fledged JSON, as can be seen in the screenshot. Hence the question: can I still parse it like JSON (for example, through a json decoder), or do I only have the option of regular expressions?
screenshot.png

Wednesday, March 27, 2024 at 18:26:41 UTC+7, Pablo D:

Viktor Sokhan

Apr 6, 2024, 1:46:20 AM4/6/24
to Wazuh | Mailing List
Hello everyone, could you please let me know if you have any information on my question?

Friday, March 29, 2024 at 01:34:53 UTC+7, Viktor Sokhan: