Decoder / Rule for Aruba 2930F


team kotila

Apr 25, 2024, 3:26:02 PM
to Wazuh | Mailing List
Wazuh Gurus,

I've been trying to look through the group / docs / online resources but I can't seem to figure out how to create a decoder and rule for this switch. I've never done this before and have only begun to understand the concept.

Here is what I'm seeing in the archives.log to verify Wazuh is receiving them:

Failed attempt:
2024 Apr 25 13:49:22  10.10.100.12  -> 10.10.100.12   Apr 25 08:49:23  10.10.100.12   00419 auth:  Invalid user name/password on SSH session User 'pds' is trying to login from  10.10.100.240
2024 Apr 25 13:49:22  10.10.100.12  -> 10.10.100.12   Apr 25 08:49:23  10.10.100.12   00419 auth:  Invalid user name/password on SSH session User 'pds' is trying to login from 10.10.100.240

Successful:
2024 Apr 25 13:48:40  10.10.100.12  -> 10.10.100.12   Apr 25 08:48:41  10.10.100.12   03362 auth:  User 'admin' logged in from  10.10.100.240   to SSH session
2024 Apr 25 13:48:42 10.10.100.12-> 10.10.100.12   Apr 25 08:48:42  10.10.100.12   00179 mgr:  SME SSH from 10.10.100.240 - MANAGER Mode

I've found some documentation on the following events 


  Event ID: 419 (Severity: Warning) Message Invalid user name/password on Telnet/WebUI/SSH/Console session User is trying to login from 

  Event ID: 3362 Message User logged in from to Telnet/WebUI/SSH/ Console session  

  Event ID: 179 Message SME <CONSOLE SESSION> - <OPERATOR|MANAGER> Mode

Stuti Gupta

Apr 25, 2024, 10:56:30 PM
to Wazuh | Mailing List
Hi kotila,
Hope you are doing well.

You have shared the archives.log instead of archives.json. We recommend creating custom rules and decoders based on archives.json because in these logs we can see the field full_log, which is the one being parsed by analysis. Probably, your events do not match the decoders because the log for which your decoders are written differs from the full_log field log.

Here is an example of one of the archives.json events (the field we are interested in is full_log):
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}

Enabling the archives.json file is much more useful, as it shows exactly the information that is being parsed (all the data in the full_log field); meanwhile, the archives.log can be confusing, as it does not show only the log. It would be helpful if you could send the archives.json logs instead of archives.log. Hide the confidential data.

Example of decoder:
log: Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'

Add a new decoder to /var/ossec/etc/decoders/local_decoder.xml to decode the log information:

<!-- Parent decoder: matches when the syslog program name is "example" -->
<decoder name="example">
  <program_name>^example</program_name>
</decoder>

<!-- Child decoder: runs only after the parent matched and extracts the fields.
     In Wazuh regex, "." is a literal dot and "\." is the wildcard, so
     \d+.\d+.\d+.\d+ matches a dotted IPv4 address. -->
<decoder name="example_child">
  <parent>example</parent>
  <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex>
  <order>user, srcip</order>
</decoder>

Stuti Gupta

Apr 26, 2024, 5:42:43 AM
to Wazuh | Mailing List
Hi, please let me know if you need any help with the decoder.

Paul Kotila

Apr 26, 2024, 8:53:31 AM
to Wazuh | Mailing List
Hi Stuti,

Here are the JSON events; I pulled out the two fields I'd like to decode and create rules for, so I can receive alerts when they happen.

Failed:

{"timestamp":"2024-04-26T12:21:00.925+0000","agent":{"id":"000","name":"wazuh_server"},"manager":{"name":"wazuh_server"},"id":"1714134060.509667690","full_log":"Apr 26 07:21:01 192.168.0.12 00419 auth:  Invalid user name/password on SSH session User 'test' is trying to login from 192.168.0.1","predecoder":{"timestamp":"Apr 26 07:21:01","hostname":"192.168.0.12"},"decoder":{},"location":"192.168.0.12"}

Successful:

{"timestamp":"2024-04-26T12:21:22.992+0000","agent":{"id":"000","name":"wazuh_server"},"manager":{"name":"wazuh_server"},"id":"1714134082.510064268","full_log":"Apr 26 07:21:23 192.168.0.12 03362 auth:  User 'admin' logged in from 192.168.0.1 to SSH session","predecoder":{"timestamp":"Apr 26 07:21:23","hostname":"192.168.0.12"},"decoder":{},"location":"192.168.0.12"}

{"timestamp":"2024-04-26T12:21:23.363+0000","agent":{"id":"000","name":"wazuh_server"},"manager":{"name":"wazuh_server"},"id":"1714134083.510066775","full_log":"Apr 26 07:21:23 192.168.0.1200179 mgr:  SME SSH from 192.168.0.1- MANAGER Mode","predecoder":{"timestamp":"Apr 26 07:21:23","hostname":"192.168.0.12"},"decoder":{},"location":"192.168.0.12"}


Paul Kotila

Apr 26, 2024, 3:06:57 PM
to Wazuh | Mailing List
I'm trying to understand this... I'm working with the following json log:
Failed:

{"timestamp":"2024-04-26T12:21:00.925+0000","agent":{"id":"000","name":"wazuh_server"},"manager":{"name":"wazuh_server"},"id":"1714134060.509667690","full_log":"Apr 26 07:21:01 192.168.0.12 00419 auth:  Invalid user name/password on SSH session User 'test' is trying to login from 192.168.0.1","predecoder":{"timestamp":"Apr 26 07:21:01","hostname":"192.168.0.12"},"decoder":{},"location":"192.168.0.12"}

This is the log I'm building my decoder from, correct? Apr 26 07:21:01 192.168.0.12 00419 auth:  Invalid user name/password on SSH session User 'test' is trying to login from 192.168.0.1 ... That's how I'm understanding it.

I've built my parent decoder and tested the log to make sure it's matched. Here is what I have.

<decoder name="aruba">
  <prematch>^192.168.0</prematch>
</decoder>

Paul Kotila

Apr 26, 2024, 4:14:38 PM
to Wazuh | Mailing List
I got the decoder to work by matching the 00419. I guess the next step is to build the next decoder to pull out some fields.

Apr 26 07:21:01 192.168.0.12 00419 auth:  Invalid user name/password on SSH session User 'test' is trying to login from 192.168.0.1

<decoder name="aruba">
  <prematch>^00419</prematch>
</decoder>

date, time, user, and srcip are what I'm thinking?


Stuti Gupta

Apr 29, 2024, 1:54:01 AM
to Wazuh | Mailing List
Hi Paul

You can create custom decoders like:

Apr 26 07:21:01 192.168.0.12 00419 auth:  Invalid user name/password on SSH session User 'test' is trying to login from 192.168.0.1

<!-- Parent decoder: matches any line carrying the "NNNNN auth:" marker. The
     predecoder has already stripped the timestamp and hostname, so the
     decoders see the log starting at "00419 auth: ...". -->
<decoder name="auth">
        <prematch>\d+ auth:</prematch>
</decoder>

<!-- Failed login (event 00419). "status" captures the word before
     "user name/password" ("Invalid"). The source address is stored as srcip,
     the field name Wazuh rules (<same_srcip/>, $(srcip)) expect. -->
<decoder name="auth_failed">
        <parent>auth</parent>
        <regex offset="after_parent">  (\.+) user name/password on SSH session User '(\.+)' is trying to login from (\.+)</regex>
        <order>status, user, srcip</order>
</decoder>

<!-- Successful login (event 03362) -->
<decoder name="auth_success">
        <parent>auth</parent>
        <regex offset="after_parent">  User '(\.+)' logged in from (\.+) to SSH session</regex>
        <order>user, srcip</order>
</decoder>

Then you can test them in /var/ossec/bin/wazuh-logtest or via the wazuh-dashboard (Management > Decoders > Custom decoders > local_decoder.xml > Test decoder). If you are satisfied with the result, you can restart the wazuh-manager using the command: systemctl restart wazuh-manager.

You can refer to https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps
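The thread stops at decoders, but the original question also asked for rules. What follows is an added example written for this page, not code from the thread or from the Wazuh ruleset. It assumes the "auth" parent decoder and child decoders above populate the fields status, user and srcip (rename them in the rules if your decoders use other field names), and that the switch emits the manager-mode event as "00179 mgr:  SME SSH from <ip> - MANAGER Mode", as in the archives.log lines in the first message. The aruba-mgr decoder, the field names session and mode, and the rule IDs (100100 upward, inside the range reserved for custom rules) are my own choices.

```xml
<!-- Part 1: add to /var/ossec/etc/decoders/local_decoder.xml, next to the "auth" decoders.
     Assumption: event 00179 arrives as "00179 mgr:  SME SSH from <ip> - MANAGER Mode". -->
<decoder name="aruba-mgr">
  <prematch>\d+ mgr:</prematch>
</decoder>

<decoder name="aruba-mgr-sme">
  <parent>aruba-mgr</parent>
  <!-- after the parent match the log reads "  SME SSH from 192.168.0.1 - MANAGER Mode" -->
  <regex offset="after_parent">  SME (\S+) from (\S+) - (\w+) Mode</regex>
  <order>session, srcip, mode</order>
</decoder>

<!-- Part 2: /var/ossec/etc/rules/local_rules.xml
     Requires the decoders to output status, user and srcip. -->
<group name="aruba,syslog,">

  <!-- Base rule: every "NNNNN auth:" line from the switch.
       decoded_as matches the PARENT decoder name; level 0 means no alert by itself. -->
  <rule id="100100" level="0">
    <decoded_as>auth</decoded_as>
    <description>Aruba switch authentication event.</description>
  </rule>

  <!-- Event 00419: status is "Invalid" only for the failed-login message. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="status">^Invalid</field>
    <description>Aruba switch: failed SSH login for user '$(user)' from $(srcip).</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Event 03362: the success message is the only auth line containing "logged in from". -->
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>logged in from</match>
    <description>Aruba switch: user '$(user)' logged in from $(srcip) via SSH.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Correlation: repeated failures (5 within 120 s) from one source address.
       same_srcip only works when the decoder actually filled the srcip field. -->
  <rule id="100103" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>Aruba switch: repeated failed SSH logins from $(srcip) (possible brute force).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Event 00179: a session was elevated to MANAGER (privileged) mode. -->
  <rule id="100104" level="7">
    <decoded_as>aruba-mgr</decoded_as>
    <field name="mode">^MANAGER$</field>
    <description>Aruba switch: $(session) session from $(srcip) entered MANAGER mode.</description>
  </rule>
</group>
```

Before restarting wazuh-manager, paste each of the three sample lines from this thread (00419, 03362 and 00179, without the timestamp and hostname the predecoder strips is not necessary; wazuh-logtest takes the whole syslog line) into /var/ossec/bin/wazuh-logtest and check that phase 2 shows the expected decoder and fields and phase 3 shows the expected rule ID. If srcip does not appear in phase 2, rule 100103 will never fire because same_srcip has nothing to compare. For the brute-force rule, feed the failed-login line five times in quick succession and confirm that 100103 replaces 100101 in the output.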

Paul Kotila

Apr 30, 2024, 12:15:04 PM
to Wazuh | Mailing List
Thank you for the assistance. This helps solve my issue.