"Decoding" Securepoint UTM Syslog


Thomas Schössow

Jan 14, 2025, 11:45:45 PM
to Wazuh | Mailing List
Hi there, I've been taking my first steps with Wazuh for quite a few weeks now. I'm using several Windows agents, and I'm overwhelmed by the amount of "incidents" so far -).

I'm a bit stuck now with the integration of the syslog from a Securepoint UTM. The log data appears in the archive.log, but "how can I?" -)

I guess I need a decoder to "see" those syslog messages in Wazuh. I'm reading the documentation but I "got lost".

The next step would then be to create some sort of rules to get notified.

As I think Securepoint UTMs are quite "common", I guess someone has already done those steps?

Regards

Thomas

hasitha.u...@wazuh.com

Jan 14, 2025, 11:59:36 PM
to Wazuh | Mailing List
Hi Thomas,

You are correct; you need to have decoders and rules to extract fields and create alerts on the dashboard.

You can also check whether any existing decoder and rules apply to the logs by using the Wazuh logtest tool:
/var/ossec/bin/wazuh-logtest
You can copy your log in after executing the above-mentioned command.
https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html#wazuh-logtest

If you don't mind, I would appreciate it if you could share some sample logs so that I can create decoders and rules for your logs.
As you mentioned, you can see them in the archive logs. You can share the sample logs from the full log in archive.log:
cat /var/ossec/logs/archives/archives.log | grep -i -E "part of your log"

Further, you can learn more about custom decoders and rules by following these documents:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Let me know the update on this.

Regards,
Hasitha Upekshitha

Thomas Schössow

Jan 15, 2025, 11:32:17 PM
to Wazuh | Mailing List
Hi Hasitha,

thanks for your kind response. Enclosed are a few lines from the syslog. I did some "obfuscation", but you should get the idea from them.

2025 Jan 14 19:41:05 TESTWAZUH->192.168.201.17 1 2025-01-14T19:41:04+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A0 OUT= MAC=01:00:5e:00:00:01:d4:1a:d1:3f:bc:70:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=00 PREC=0x80 TTL=1 ID=4825 PROTO=2 MARK=0

2025 Jan 14 19:41:05 TESTWAZUH->192.168.201.17 1 2025-01-14T19:41:04+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - ACCEPT: id:233  IN=A1.200 OUT=A0 MAC=00:07:32:a6:6d:55:90:2e:16:14:da:f8:08:00 SRC=192.168.220.52 DST=20.86.89.202 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=721 DF PROTO=TCP SPT=62190 DPT=443 SEQ=3579442981 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0

2025 Jan 15 19:05:09 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:08+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - ACCEPT: id:233  IN=A1.200 OUT=A0 MAC=00:07:32:a6:6d:55:94:c6:91:81:ba:a4:08:00 SRC=192.168.220.9 DST=20.86.89.202 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=32022 DF PROTO=TCP SPT=62408 DPT=443 SEQ=1223485791 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0

2025 Jan 15 19:05:49 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:48+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: id:204  IN=A1 OUT=A0 MAC=00:07:32:a6:6d:55:00:15:5d:02:5e:0c:08:00 SRC=192.168.212.48 DST=192.168.2.30 LEN=52 TOS=02 PREC=0x00 TTL=127 ID=20962 DF PROTO=TCP SPT=54092 DPT=9100 SEQ=1574055071 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0

2025 Jan 15 19:05:47 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:45+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - ACCEPT: id:48  IN=A3 OUT=A0 MAC=00:07:32:a6:6d:57:80:5e:0c:c5:6d:94:08:00 SRC=192.168.210.147 DST=23.88.56.106 LEN=72 TOS=08 PREC=0x60 TTL=63 ID=9526 PROTO=UDP SPT=5060 DPT=3478 LEN=52 MARK=0

2025 Jan 15 19:05:47 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:45+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A1 OUT=A0 MAC=00:07:32:a6:6d:55:00:15:5d:02:5e:0c:08:00 SRC=192.168.212.48 DST=3.251.3.210 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=27937 DF PROTO=TCP SPT=54026 DPT=8883 SEQ=2148149597 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0

2025 Jan 15 19:05:49 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:48+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - ACCEPT: id:233  IN=A1.200 OUT=A0 MAC=00:07:32:a6:6d:55:90:2e:16:14:da:f8:08:00 SRC=192.168.220.52 DST=20.86.89.202 LEN=52 TOS=00 PREC=0x00 TTL=127 ID=23163 DF PROTO=TCP SPT=64276 DPT=443 SEQ=2124045528 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0

2025 Jan 15 19:05:49 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:48+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: id:204  IN=A1 OUT=A0 MAC=00:07:32:a6:6d:55:00:15:5d:02:5e:0c:08:00 SRC=192.168.212.48 DST=192.168.2.30 LEN=52 TOS=02 PREC=0x00 TTL=127 ID=20962 DF PROTO=TCP SPT=54092 DPT=9100 SEQ=1574055071 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0

Unfortunately, no decoder "fits" and of course no ruleset -)

I would appreciate any help.

Regards

Thomas


Thomas Schössow

Jan 16, 2025, 11:39:13 PM
to Wazuh | Mailing List
Hi Hasitha,

I took my VERY first steps in regexp and "created" this one here:

->(\d+.\d+.\d+.\d+) ([^\s]+) ([^\s]+) ([^\s]+) ([^\s]+) ([^\s]+) - - (\w+:) (.*)(?=  )  IN=(.*)(?= OUT) OUT=(.*)(?= MAC) MAC=(.*)(?= SRC) SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) LEN=(\d+) TOS=(\d+) PREC=(0[xX][0-9a-fA-F]+) TTL=(\d+) ID=(\d+) PROTO=(\w+) SPT=(\d+) DPT=(\d+) LEN=(\d+) MARK=(\d+)

It'll resolve this one here:

2025 Jan 15 19:05:47 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:45+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - ACCEPT: id:48  IN=A3 OUT=A0 MAC=00:07:32:a6:6d:57:80:5e:0c:c5:6d:94:08:00 SRC=192.168.210.147 DST=23.88.56.106 LEN=72 TOS=08 PREC=0x60 TTL=63 ID=9526 PROTO=UDP SPT=5060 DPT=3478 LEN=52 MARK=0

The question is: can I "create" different regexps to resolve all those different syslog outputs? Are these different decoders then?

Regards

Thomas 

hasitha.u...@wazuh.com

Jan 20, 2025, 5:54:48 AM
to Wazuh | Mailing List
Hi Thomas,

I have created the custom decoders for your logs; you can add these decoders to your custom decoder file or put them into a new XML file.
For example:
nano /var/ossec/etc/decoders/utm-syslog.xml

I have attached the decoder file.

To learn more about custom decoders and rules you can follow this.

Regards,
Hasitha Upekshitha
Screenshot 2025-01-20 162421.png
utm-syslog.xml

Thomas Schössow

Jan 20, 2025, 11:01:55 PM
to Wazuh | Mailing List
Hi Hasitha,

thanks for that excellent decoder, I really appreciate all the work you have done on it.

I started to create a custom rules file with:

<group name="utm-syslog-parent,syslog">
  <rule id="110010" level="1">
    <decoded_as>utm-syslog-parent</decoded_as>
    <description>Securepoint UTM Message</description>
  </rule>

  <rule id="110011" level="13">
    <if_sid>110010</if_sid>
    <field name="FWaction">DROP</field>
    <description>Securepoint DROP</description>
  </rule>

</group>

The ruleset test is fine, but neither an alert nor a message appears anywhere in WAZUH. I guess I'm doing something wrong or missed some setting somewhere.
Do I have to tell WAZUH which rule file or decoder to use?

Regards

Thomas

hasitha.u...@wazuh.com

Jan 23, 2025, 3:12:36 AM
to Wazuh | Mailing List
Hi Thomas,

I have replicated this issue on my end and found that the log should start from: 192.168.201.17 1 2025-01-15T19:05:45+01:00 firewall.xxx-yyyyyy.local ulogd
This part seems to be from the agent header:

2025 Jan 15 19:05:49 TESTWAZUH->
Kindly confirm whether you have integrated these logs directly or through an agent.

If yes, then modify the first two decoders. You can replace your initial two decoders with these:

<decoder name="utm-syslog-parent">
  <prematch>^\d+.\d+.\d+.\d+\s\d+\s\d+-\d+-\S+</prematch>
</decoder>

<decoder name="utm-syslog-child">
  <parent>utm-syslog-parent</parent>
  <regex>\d+.\d+.\d+.\d+\s\d+\s(\d+-\d+-\S+)\s(\S+)\s(\S+)\s(\d+)\s-\s-\s(\S+):</regex>
  <order>log_time,Host,service,logID,FWaction</order>
</decoder>

Then restart the Wazuh manager:
systemctl restart wazuh-manager


I have increased the rule level to 3 for the first rule to test. It worked. You can reduce it to 0 after testing to avoid the parent rule.
You can check the archives.json log to see whether the logs reach the manager.
You can enable the archive log by editing the /var/ossec/etc/ossec.conf file:
<ossec_config>
  <global>
    ----
    <logall>no</logall>
    <logall_json>yes</logall_json>

    -----
  </global>

  -----
</ossec_config>

Then restart the manager to apply the changes:
systemctl restart wazuh-manager

Then check whether any logs from that file reach the archive log:
cat /var/ossec/logs/archives/archives.json | grep -i -E "<part_of_your_log>"

Remember to disable the archive log after testing.

You can check whether logs are being written to the alerts.json file; if so, it should be receiving them:
cat /var/ossec/logs/alerts/alerts.json | grep "firewall.xxx-yyyyyy.local"

Regards,
Hasitha Upekshitha

Thomas Schössow

Jan 26, 2025, 10:47:12 PM
to Wazuh | Mailing List
Hi Hasitha,

thanks for your support. I do not know where the problem is, but now even the ruleset test fails.

If you do not mind, I have added all the information in a separate file.

cat /var/ossec/logs/alerts/alerts.json | grep "DROP" is empty.

Output from the ruleset test:

**Messages:
    WARNING: (7003): 'c0372985' token expires
    INFO: (7202): Session initialized with token '125ca258'

**Phase 1: Completed pre-decoding.
    full event: '2025 Jan 25 10:09:48 TESTWAZUH->192.168.201.17 1 2025-01-25T10:09:46+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: IPGeoBlockingSrc IN=A0 OUT= MAC=00:07:32:a6:6d:54:d4:1a:d1:3f:bc:70:08:00 SRC=109.205.213.72 DST=192.168.1.230 LEN=44 TOS=00 PREC=0x00 TTL=242 ID=62812 PROTO=TCP SPT=46645 DPT=63052 SEQ=3927485061 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0'
    timestamp: '2025 Jan 25 10:09:48'

**Phase 2: Completed decoding.
    No decoder matched.

I think I'm beginning to understand how everything works together, but

Regards

Thomas
utm_syslog.txt

hasitha.u...@wazuh.com

Jan 30, 2025, 5:18:46 AM
to Wazuh | Mailing List
Hi Thomas,

As I can see in your archives.json file, the logs are written this way:
1 2025-01-25T10:19:37+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: (DEFAULT DROP)  IN=A1 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:aa:fd:44:62:04:08:00 SRC=192.168.215.207 DST=255.255.255.255 LEN=770 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40144 DPT=1900 LEN=750 MARK=0 "4'

Therefore, we need to adjust the decoder accordingly.
Then it will work; I have tested that it is received on my Wazuh instance dashboard successfully.

Replace your first two decoders with these two:

<decoder name="utm-syslog-parent">
  <prematch>^\d+\s\d+-\d+-\S+:\d+:\S+:\d+</prematch>
</decoder>

<decoder name="utm-syslog-child">
  <parent>utm-syslog-parent</parent>
  <regex>\d+\s(\d+-\d+-\S+:\d+:\S+:\d+)\s(\S+)\s(\S+)\s(\d+)\s-\s-\s(\S+):</regex>
  <order>log_time,Host,service,logID,FWaction</order>
</decoder>

Once you have applied them, you need to restart the Wazuh server to apply the changes:
systemctl restart wazuh-manager

Then check later whether the logs are arriving on the dashboard.

Additionally, make sure that when you test any decoder and rule, you capture the logs from the archives.json file, where the full_log is included.

Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha
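The point the last two replies turn on (the decoder must match the full_log text from archives.json, not the prefixed line in archives.log) as an added example that is not from the thread or from Wazuh: a small Python decoder for the ulogd lines above that accepts both forms, names the header fields as the child decoder's <order> does, and splits the key=value part, handling the empty OUT=, bare flags such as DF and SYN, and the second LEN on UDP lines. The sample lines are constructed from the obfuscated examples in the thread.

```python
import re

# Constructed sample lines (not from a live system). The first is in the
# archives.log form, with the "2025 Jan 15 19:05:49 TESTWAZUH->" prefix the
# manager prepends; the second is the full_log form from archives.json, which
# is the text the decoders actually run against.
ARCHIVES_LOG_LINE = (
    "2025 Jan 15 19:05:49 TESTWAZUH->192.168.201.17 1 2025-01-15T19:05:48+01:00 "
    "firewall.xxx-yyyyyy.local ulogd 7516 - - DROP: id:204  IN=A1 OUT=A0 "
    "MAC=00:07:32:a6:6d:55:00:15:5d:02:5e:0c:08:00 SRC=192.168.212.48 "
    "DST=192.168.2.30 LEN=52 TOS=02 PREC=0x00 TTL=127 ID=20962 DF PROTO=TCP "
    "SPT=54092 DPT=9100 SEQ=1574055071 ACK=0 WINDOW=8192 SYN URGP=0 MARK=0"
)
FULL_LOG_LINE = (
    "1 2025-01-25T10:19:37+01:00 firewall.xxx-yyyyyy.local ulogd 7516 - - "
    "DROP: (DEFAULT DROP)  IN=A1 OUT= MAC=ff:ff:ff:ff:ff:ff:5c:aa:fd:44:62:04:08:00 "
    "SRC=192.168.215.207 DST=255.255.255.255 LEN=770 TOS=00 PREC=0x00 TTL=64 "
    "ID=0 DF PROTO=UDP SPT=40144 DPT=1900 LEN=750 MARK=0"
)

# Header, named after the child decoder's <order>: log_time, Host, service,
# logID, FWaction. The manager prefix is optional so both forms decode alike.
HEADER_RE = re.compile(
    r"^(?:\d{4} \w{3} +\d+ \d\d:\d\d:\d\d \S+ )?"        # archives.log prefix
    r"(?P<version>\d+) (?P<log_time>\S+) (?P<Host>\S+) (?P<service>\S+) "
    r"(?P<logID>\d+) - - (?P<FWaction>[A-Z]+): (?P<reason>.*?) +(?P<kv>IN=.*)$"
)


def decode(line: str):
    """Return the decoded fields of one Securepoint UTM ulogd line, or None."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "kv"}
    flags = []
    for token in m.group("kv").split():
        if "=" not in token:            # bare tokens such as DF or SYN are flags
            flags.append(token)
            continue
        key, value = token.split("=", 1)  # value may be empty, e.g. "OUT="
        if key in fields:               # UDP lines carry LEN twice (IP, then UDP)
            key += "_2"
        fields[key] = value
    fields["flags"] = flags
    # netfilter writes MAC= as destination MAC, source MAC, then the ethertype
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:
        fields["dst_mac"], fields["src_mac"] = ":".join(mac[:6]), ":".join(mac[6:12])
        fields["ethertype"] = "0x" + "".join(mac[12:])
    return fields
```

A rule that keys on FWaction == "DROP" then sees the same field whether the line was pasted from archives.log or taken from archives.json, which is the mismatch the thread ran into.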