Supporting Rules for Consul and Nomad


Son Tran

Dec 2, 2022, 3:35:09 AM
to Wazuh mailing list
Hi Wazuh supporting team,

I have some logs generated while using Consul and Nomad. Does Wazuh have a sample rule for Consul + Nomad, or support writing rules for this type of log?
This is the sample log:

{"@level":"warn","@message":"[core]grpc: addrConn.createTransport failed to connect to {dc2-10.17.23.204:8300 dc3n-karao-consul-server-03.karana.io.dc3 \u003cnil\u003e 0 \u003cnil\u003e}. Err: connection error: desc = \"transport: Error while dialing dial tcp \u003cnil\u003e-\u003e10.17.23.204:8300: operation was canceled\". Reconnecting...","@module":"agent","@timestamp":"2022-11-30T15:27:15.683767+07:00"}
{"@level":"warn","@message":"[core]grpc: addrConn.createTransport failed to connect to {dc2-10.17.23.219:8300 dc3n-karao-consul-server-02.karana.io.dc3 \u003cnil\u003e 0 \u003cnil\u003e}. Err: connection error: desc = \"transport: Error while dialing dial tcp \u003cnil\u003e-\u003e10.17.23.219:8300: operation was canceled\". Reconnecting...","@module":"agent","@timestamp":"2022-11-30T15:28:04.073130+07:00"}

I really hope for your reply.
Thanks

Nicolas Alejandro Bertoldo

Dec 3, 2022, 1:05:36 PM
to Wazuh mailing list
Hi,

Sorry for my late response.

We don't currently have those decoders, but we can help you create a custom decoder.
Since the logs you shared with us do not have information about the program, they can be formatted when they are collected by the agent, before being sent to the manager. That is, you can use the <out_format> option in the <localfile> section of your ossec.conf to set text that will be decoded as program_name, and will make it easier to match with the decoder.

1. For example:

<localfile>
    <log_format>syslog</log_format>
    <location>[log path]</location>
    <out_format>$(timestamp) $(hostname) consulAndNomad: $(log)</out_format>
</localfile>

2. Restart the wazuh-agent to apply the configuration:

systemctl restart wazuh-agent

3. Now, let’s add the following custom JSON decoder that will allow us to decode the log format you have shared. Add the following decoder in /var/ossec/etc/decoders/local_decoder.xml of wazuh-manager.

<decoder name="consul_nomad">
    <program_name>consulAndNomad</program_name>
    <prematch>consulAndNomad: </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

Note that the <program_name> is the same text that we added in the <out_format> configuration.
The JSON decoder will extract the fields contained in the JSON event as dynamic fields, starting from the end of the prematch text (the original log).

4. In addition, we could define a rule for these decoded events:

<group name="local,">

  <rule id="100002" level="5">
    <decoded_as>consul_nomad</decoded_as>
    <description>Consul and Nomad event</description>
  </rule>

</group>

I hope this helps. Please let me know if you have any questions!
Regards.
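As an added illustration (not part of the thread and not Wazuh's own code), the script below models the path described in the answer: the agent's `<out_format>` wraps each Consul/Nomad JSON line in a syslog-style header, the manager's syslog pre-decoding pulls `program_name` out of that header, the JSON decoder turns the remaining payload into dynamic fields, and a rule with `<decoded_as>consul_nomad</decoded_as>` fires on the result. The hostname, the timestamp format and the regex are assumptions made for the model; the sample input is the first log line from the question plus a constructed non-JSON line, so the non-matching case can be checked too.

```python
"""Model of the agent -> manager log path from the thread.

This is a stand-alone illustration of how the pieces fit together
(out_format header, program_name, JSON dynamic fields, decoded_as rule);
it is not the Wazuh implementation.
"""
import json
import re

# Must match both the <out_format> text and the decoder's <program_name>.
PROGRAM = "consulAndNomad"

# Sample input: the first Consul line from the question, plus a constructed
# non-JSON line to show what happens when the payload cannot be decoded.
RAW_LOGS = [
    r'{"@level":"warn","@message":"[core]grpc: addrConn.createTransport failed to connect to {dc2-10.17.23.204:8300 dc3n-karao-consul-server-03.karana.io.dc3 \u003cnil\u003e 0 \u003cnil\u003e}. Err: connection error: desc = \"transport: Error while dialing dial tcp \u003cnil\u003e-\u003e10.17.23.204:8300: operation was canceled\". Reconnecting...","@module":"agent","@timestamp":"2022-11-30T15:27:15.683767+07:00"}',
    "consul agent started (constructed plain-text line, not JSON)",
]


def apply_out_format(log, hostname="agent01", timestamp="Nov 30 15:27:15"):
    """What the agent emits for: $(timestamp) $(hostname) consulAndNomad: $(log).
    hostname/timestamp are assumed placeholder values."""
    return f"{timestamp} {hostname} {PROGRAM}: {log}"


# Assumed syslog header shape: "<month> <day> <hh:mm:ss> <host> <program>: <log>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<log>.*)$"
)


def predecode(line):
    """Syslog pre-decoding: split the header from the payload and expose
    program_name. Returns None when the line has no recognisable header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def json_decoder(pre):
    """Behaves like the consul_nomad decoder: only considers events whose
    program_name matches, and returns the JSON object's keys as dynamic
    fields. A payload that is not a JSON object stays undecoded (None)."""
    if pre is None or pre["program_name"] != PROGRAM:
        return None
    try:
        data = json.loads(pre["log"])
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    return {"decoder": "consul_nomad", "fields": data}


def match_rule(decoded):
    """Rule 100002 from the thread: any event decoded as consul_nomad
    raises a level-5 alert; anything else produces no alert."""
    if decoded is not None and decoded["decoder"] == "consul_nomad":
        return {"id": "100002", "level": 5, "description": "Consul and Nomad event"}
    return None


def process(raw_line):
    """Full pipeline for one raw line: returns the alert dict or None."""
    return match_rule(json_decoder(predecode(apply_out_format(raw_line))))


if __name__ == "__main__":
    for raw in RAW_LOGS:
        decoded = json_decoder(predecode(apply_out_format(raw)))
        alert = match_rule(decoded)
        print("decoded fields:", sorted(decoded["fields"]) if decoded else None)
        print("alert:", alert)
```

Two points worth noticing when running it: the `\u003c`/`\u003e` escapes in the Consul message arrive in the dynamic field as plain `<nil>`, so any later rule that matches on `@message` should be written against the decoded text, not the escaped form; and the plain-text line passes pre-decoding (the header is intact) but never reaches the rule, which is the expected outcome for a decoder anchored on a JSON payload.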