No alerts on Kibana


Roberto

Dec 27, 2021, 2:07:30 PM
to Wazuh mailing list
Hi to all,
I have set up Wazuh to receive syslog messages on UDP port 514. I receive messages, but no alerts are shown on Kibana. I can see messages like the following in archives.log, but not in alerts.log:

2021 Dec 27 18:16:30 CLOUD->192.168.0.12 Dec 27 19:16:27 CLOUD qulogd[12859]: conn log: Users: OSP\roberto.lotttini, Source IP: 192.168.0.90, Computer name: 192.168.0.90, Connection type: Samba, Accessed resources: SIO/Net/NET.xlsm, Action: Read

and I tested successfully using /var/ossec/bin/wazuh-logtest:

**Phase 1: Completed pre-decoding.
        full event: '2021 Dec 27 18:16:30 CLOUD->192.168.0.12 Dec 27 19:16:27 CLOUD qulogd[12859]: conn log: Users: OSP\roberto.lotttini, Source IP: 192.168.0.90, Computer name: 192.168.0.90, Connection type: Samba, Accessed resources: SIO/Net/NET.xlsm, Action: Read'
        timestamp: '2021 Dec 27 18:16:30'

**Phase 2: Completed decoding.
        name: 'qnap'
        loginname: 'OSP\roberto.lotttini'
        sharename: 'SIO'
        sourceip: '192.168.0.90'

**Phase 3: Completed filtering (rules).
        id: '100051'
        level: '15'
        description: 'Evento su QNAP - CLOUD'
        groups: '['syslog', 'qnap']'
        firedtimes: '1'
        mail: 'True'
**Alert to be generated.

My decoders and rule follow:

<decoder name="qnap">
  <prematch>^CLOUD-></prematch>
  <type>syslog</type>
</decoder>

<decoder name="qnap-syslog">
  <parent>qnap</parent>
  <program_name>qulogd</program_name>
  <regex>^\.* Users: (\.*), Source IP: (\.*),\.* Accessed resources: (\.*)/\.*,\.*$</regex>
  <order>loginname,sourceip,sharename</order>
</decoder>

<group name="syslog,qnap">
  <rule id="100051" level="15">
    <decoded_as>qnap</decoded_as>
    <description>Evento su QNAP - CLOUD</description>
  </rule>
</group>


Can someone help me?
Thanks
Roberto

Mariano Koremblum

Dec 27, 2021, 2:33:24 PM
to Wazuh mailing list
Hi Roberto!

What version of the Wazuh manager are you using? Did you restart your manager after adding your custom rules and decoders?

I will be waiting for your reply,

Mariano Koremblum

Roberto

Dec 27, 2021, 3:21:04 PM
to Wazuh mailing list
Hi Mariano,
I am using v4.2.5 of the manager. I restarted my manager and my server several times with no success!

Mariano Koremblum

Dec 27, 2021, 11:25:43 PM
to Wazuh mailing list

Hi Roberto,

Does it happen only with this rule+decoder or with other kinds of alerts as well? Do you see any related Warning/Error message on your ossec.log file?

Roberto

Dec 28, 2021, 3:42:19 AM
to Wazuh mailing list
Hi Mariano,
I have just installed Wazuh, I connected 5 agents successfully, and I can see alerts on Kibana. I have a problem only with this syslog+rule+decoder, where I can't see anything on Kibana Discover and there are no errors in ossec.log! Can I enable or look at anything else to catch errors?

Mariano Koremblum

Dec 28, 2021, 7:56:54 AM
to Wazuh mailing list

Roberto,

Could you please share with us your ossec.conf file?

Roberto

Dec 28, 2021, 8:44:04 AM
to Wazuh mailing list
Please find attached the ossec configuration with the rule and decoder files.
Thanks
Roberto

ossec.conf
001-qnap.xml
0011-qnap.xml

Mariano Koremblum

Dec 28, 2021, 9:16:19 AM
to Wazuh mailing list

Could you please set <logall_json>yes</logall_json> in your ossec.conf file, and then, if possible, send the previously mentioned log to the manager's UDP syslog port?

You can achieve this by using the nc program on a Linux machine (which must come from an allowed IP) doing the following:

nc -w0 -u YOUR_MANAGER_IP 514 <<< "2021 Dec 27 18:16:30 CLOUD->192.168.0.12 Dec 27 19:16:27 CLOUD qulogd[12859]: conn log: Users: OSP\roberto.lotttini, Source IP: 192.168.0.90, Computer name: 192.168.0.90, Connection type: Samba, Accessed resources: SIO/Net/NET.xlsm, Action: Read"

When doing so, you should see on your archives.json file something like the following:

{"timestamp":"2021-12-28T14:12:10.795+0000","rule":{"level":15,"description":"Evento su QNAP - CLOUD","id":"100051","firedtimes":1,"mail":true,"groups":["syslog","qnap"]},"agent":{"id":"000","name":"200-100-c7-manager"},"manager":{"name":"200-100-c7-manager"},"id":"1640700730.11967","full_log":"2021 Dec 27 18:16:30 CLOUD->192.168.0.12 Dec 27 19:16:27 CLOUD qulogd[12859]: conn log: Users: OSP\\roberto.lotttini, Source IP: 192.168.0.90, Computer name: 192.168.0.90, Connection type: Samba, Accessed resources: SIO/Net/NET.xlsm, Action: Read","predecoder":{"timestamp":"2021 Dec 27 18:16:30"},"decoder":{"name":"qnap"},"data":{"loginname":"OSP\\roberto.lotttini","sourceip":"192.168.0.90","sharename":"SIO"},"location":"192.168.200.1"}

Then, in my case, I can see on the alerts.json file the same entry:

{"timestamp":"2021-12-28T14:12:10.795+0000","rule":{"level":15,"description":"Evento su QNAP - CLOUD","id":"100051","firedtimes":1,"mail":true,"groups":["syslog","qnap"]},"agent":{"id":"000","name":"200-100-c7-manager"},"manager":{"name":"200-100-c7-manager"},"id":"1640700730.11967","full_log":"2021 Dec 27 18:16:30 CLOUD->192.168.0.12 Dec 27 19:16:27 CLOUD qulogd[12859]: conn log: Users: OSP\\roberto.lotttini, Source IP: 192.168.0.90, Computer name: 192.168.0.90, Connection type: Samba, Accessed resources: SIO/Net/NET.xlsm, Action: Read","predecoder":{"timestamp":"2021 Dec 27 18:16:30"},"decoder":{"name":"qnap"},"data":{"loginname":"OSP\\roberto.lotttini","sourceip":"192.168.0.90","sharename":"SIO"},"location":"192.168.200.1"}

Roberto

Dec 28, 2021, 10:03:43 AM
to Wazuh mailing list
A strange thing happens!
When my QNAP server sends syslog to WAZUH, I find the following line in archives.log:

2021 Dec 28 14:53:21 CLOUD->172.16.250.12 Dec 28 15:53:17 CLOUD qulogd[12859]: conn log: Users: ASP\giu.cardone, Source IP: 172.16.235.100, Computer name: 172.16.235.100, Connection type: Samba, Accessed resources: USCOVDA/CARD/TAMP.xls, Action: Read

...and the following line in archives.json:

{"timestamp":"2021-12-28T14:53:21.812+0000","agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1640703201.2029527882","full_log":"Dec 28 15:53:17 CLOUD qulogd[12859]: conn log: Users: ASP\\giu.cardone, Source IP: 172.16.235.100, Computer name: 172.16.235.100, Connection type: Samba, Accessed resources: USCOVDA/CARD/TAMP.xls, Action: Read","predecoder":{"program_name":"qulogd","timestamp":"Dec 28 15:53:17","hostname":"CLOUD"},"decoder":{},"location":"172.16.250.12"}

but NO ALERTS are generated. NOW, if I send the first line using the nc command...

nc -w0 -u 172.16.252.70 514 <<< "2021 Dec 28 14:53:21 CLOUD->172.16.250.12 Dec 28 15:53:17 CLOUD qulogd[12859]: conn log: Users: ASP\giu.cardone, Source IP: 172.16.235.100, Computer name: 172.16.235.100, Connection type: Samba, Accessed resources: USCOVDA/CARD/TAMP.xls, Action: Read"

an ALERT is generated correctly!!!! Why does this happen?

Mariano Koremblum

Dec 28, 2021, 10:27:13 AM
to Wazuh mailing list

Hi Roberto!

I was able to verify that the decoder is not well constructed. Given the following log, what fields do you want to extract, and what do you expect the final value of each to be?

Dec 28 15:53:17 CLOUD qulogd[12859]: conn log: Users: ASP\giu.cardone, Source IP: 172.16.235.100, Computer name: 172.16.235.100, Connection type: Samba, Accessed resources: USCOVDA/CARD/TAMP.xls, Action: Read

Are there any other cases?

Roberto

Dec 28, 2021, 10:39:55 AM
to Wazuh mailing list
I would like to extract:

loginname: ASP\giu.cardone
sourceip: 172.16.235.100
sharename: USCOVDA/CARD/TAMP.xls

and eventually action: Read

Mariano Koremblum

Dec 28, 2021, 11:45:49 AM
to Wazuh mailing list

Hi Roberto,

You can simply decode the log by using the log's program_name field as a starting point. Because the log has a well-known format, it is pre-decoded and that field is extracted automatically (with no need for custom decoding).

So, instead of the decoders you have created, please try the following one:

<decoder name="qnap">
  <program_name>qulogd</program_name>
  <regex type="pcre2">Users: (.*), Source IP: ([^,]+),.* Accessed resources: (.*),.* Action: (.*)</regex>
  <order>loginname,sourceip,sharename,action</order>
</decoder>

Here you have some documentation on how to create custom rules and decoders that may help you in the future:

I hope my answer helps you!

Best Regards,

Mariano Koremblum
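The mismatch Roberto hit, and Mariano's program_name-based fix, modelled in Python as an added example that is not from the thread or from Wazuh. The pre-decoder here is a deliberately simplified stand-in for Wazuh's (an assumption, not its real implementation), and the sample lines are constructed from the ones quoted above: the message as the QNAP sends it versus the same event as archives.log stores it.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in this thread.
# What the QNAP actually sends to UDP/514 (the full_log field of archives.json):
WIRE_MSG = ("Dec 28 15:53:17 CLOUD qulogd[12859]: conn log: Users: ASP\\giu.cardone, "
            "Source IP: 172.16.235.100, Computer name: 172.16.235.100, Connection type: Samba, "
            "Accessed resources: USCOVDA/CARD/TAMP.xls, Action: Read")
# The same event as written to archives.log: the manager prepends its own timestamp and a
# "<hostname>-><location>" header. That prefix never reaches the decoders on live traffic.
ARCHIVES_LINE = "2021 Dec 28 14:53:21 CLOUD->172.16.250.12 " + WIRE_MSG

# "Mmm dd HH:MM:SS host program[pid]: message"  (BSD syslog header)
SYSLOG_HDR = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\[\]:\s]+)(?:\[\d+\])?: (.*)$")
# "YYYY Mmm dd HH:MM:SS message"  (the timestamp wazuh-logtest reported in Phase 1)
YEAR_HDR = re.compile(r"^(\d{4} \w{3} \d\d \d\d:\d\d:\d\d) (.*)$")

def predecode(line):
    """Simplified stand-in for Wazuh pre-decoding (an assumption, not Wazuh's own code):
    strip the header and return what the decoders would then see as the message."""
    m = SYSLOG_HDR.match(line)
    if m:
        return {"timestamp": m.group(1), "hostname": m.group(2),
                "program_name": m.group(3), "msg": m.group(4)}
    m = YEAR_HDR.match(line)
    if m:
        return {"timestamp": m.group(1), "msg": m.group(2)}
    return {"msg": line}

def old_prematch_hits(line):
    """Roberto's original parent decoder: <prematch>^CLOUD-></prematch>."""
    return predecode(line)["msg"].startswith("CLOUD->")

# Mariano's replacement decoder: select on program_name, then extract with the pcre2 regex.
FIELD_RE = re.compile(r"Users: (.*), Source IP: ([^,]+),.* Accessed resources: (.*),.* Action: (.*)")
ORDER = ("loginname", "sourceip", "sharename", "action")

def decode_qnap(line):
    """Return the <order> fields as a dict, or None when the decoder would not fire."""
    pre = predecode(line)
    if pre.get("program_name") != "qulogd":
        return None
    m = FIELD_RE.search(pre["msg"])
    return dict(zip(ORDER, m.groups())) if m else None

if __name__ == "__main__":
    for label, line in (("wire", WIRE_MSG), ("archives.log", ARCHIVES_LINE)):
        print(label, "old prematch:", old_prematch_hits(line), "new decoder:", decode_qnap(line))
```

In this model the old prematch fires only on the archives.log rendering (which is what was pasted into wazuh-logtest and replayed with nc), while the new decoder fires only on the message as actually sent; when testing a decoder, feed logtest the full_log value from archives.json rather than a line copied from archives.log.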

Roberto

Dec 28, 2021, 1:56:19 PM
to Wazuh mailing list
Hi Mariano,
Now the decoder works well. The problem was my incorrect decoder regex.
Thanks so much.
You are the best!!!
Roberto

Mariano Koremblum

Dec 28, 2021, 2:14:14 PM
to Wazuh mailing list
Roberto, we are always glad to help! :D

Do not hesitate to reach out again whenever you need us!

Best Regards,

Mariano Koremblum