Decoder duplicate error


Yossif Helmy

Mar 13, 2024, 4:25:11 AM
to Wazuh | Mailing List
Hello,

Good day. I have a quick question about these two decoders:
0525-f5_bigip_decoders.xml
0505-paloalto_decoders.xml

I excluded both for the same purpose of changing the field names, so not much has changed. The parent decoders are the same, and most of the XML blocks have stayed the same as well. I noticed that when making a custom decoder for both of them, f5_bigip doesn't trigger an error; however, paloalto triggers this duplicate error:
Error file content is incorrect: Could not check validation (1908) - Error validating configuration: (2102): Duplicated decoder with prematch: 'paloalto-traffic-fields'., (2105): Error loading decoder options., (2106): Error adding decoder plugin., (1202): Configuration error at 'etc/decoders/custom-0505-paloalto_decoders.xml'.

I know the solution for this is to exclude the original ruleset files. My question is why does it trigger on paloalto, but does not on F5? 

Thank you for your attention.
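An added example (mine, not from the thread and not Wazuh's code) that makes the check behind this message reproducible offline. It parses decoder files the way wazuh-analysisd sees them, in load order, and applies the rule I understand the loader to use for same-named child decoders: a child that shares its name with an already-loaded child of the same parent is accepted only as a continuation, meaning its `<regex>` carries an `offset` and the earlier block has a `<prematch>` or an offset; anything else is reported as "Duplicated decoder with prematch". That rule is an assumption to verify against your Wazuh version, and the two XML strings are constructed stand-ins, not the shipped `0505-paloalto_decoders.xml` or the poster's file.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins (not the shipped files). DEFAULT mimics the shape of
# ruleset/decoders/0505-paloalto_decoders.xml: a parent decoder, a child with a
# <prematch>, and a same-named continuation with offset="after_regex".
DEFAULT_PALOALTO = r"""
<decoder name="paloalto">
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,\w+,</prematch>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,TRAFFIC,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(TRAFFIC)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*)</regex>
  <order>content_type, generated_time</order>
</decoder>
"""

# CUSTOM is what the thread describes: the same blocks copied into
# etc/decoders/ with renamed fields, the <prematch> block kept as-is.
CUSTOM_PALOALTO = DEFAULT_PALOALTO.replace(
    "receive_time, serial_number, type", "pan_receive_time, pan_serial_number, pan_type"
).replace("content_type, generated_time", "pan_content_type, pan_generated_time")


def parse_decoders(xml_text):
    """Return one dict per <decoder> in a Wazuh decoder file.

    These files have many top-level <decoder> elements, so they are wrapped
    in a synthetic root before ElementTree sees them.
    """
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = []
    for d in root.findall("decoder"):
        regex = d.find("regex")
        decoders.append({
            "name": d.get("name"),
            "parent": d.findtext("parent"),
            "prematch": d.find("prematch") is not None,
            "offset": regex is not None and regex.get("offset") is not None,
        })
    return decoders


def simulate_load(files):
    """Replay the loader's same-name check over (filename, xml_text) pairs
    in load order and return [(filename, message), ...].

    Rule modelled (an assumption about wazuh-analysisd's decoder loader;
    verify against your version): a child decoder whose name matches an
    already-loaded child of the same parent is accepted only as a
    continuation, i.e. its <regex> has an offset and the earlier block has a
    <prematch> or an offset. Anything else is a duplicate. Top-level decoders
    (no <parent>) are not subject to the check. The real loader aborts at the
    first error; this replay records every offending block instead.
    """
    children = {}   # parent name -> accepted child decoders, in load order
    errors = []
    for fname, text in files:
        for dec in parse_decoders(text):
            if dec["parent"] is None:
                continue
            siblings = children.setdefault(dec["parent"], [])
            clash = [s for s in siblings if s["name"] == dec["name"]
                     and not ((s["prematch"] or s["offset"]) and dec["offset"])]
            if clash:
                errors.append((fname, "Duplicated decoder with prematch: '%s'." % dec["name"]))
            else:
                siblings.append(dec)
    return errors


if __name__ == "__main__":
    load_order = [("ruleset/decoders/0505-paloalto_decoders.xml", DEFAULT_PALOALTO),
                  ("etc/decoders/custom-0505-paloalto_decoders.xml", CUSTOM_PALOALTO)]
    for fname, msg in simulate_load(load_order):
        print("%s: %s" % (fname, msg))
    # With the default file excluded (decoder_exclude in ossec.conf) only the
    # custom file is loaded and the check passes:
    print("excluded default ->", simulate_load(load_order[1:]))
```

Loading the constructed default file followed by the constructed custom file reproduces the error on the custom file's first `paloalto-traffic-fields` block, which carries a `<prematch>` and no `offset`; the custom continuation blocks with `offset="after_regex"` pass. Loading the custom file alone, which is what `<decoder_exclude>ruleset/decoders/0505-paloalto_decoders.xml</decoder_exclude>` under `<ruleset>` in ossec.conf achieves, reports nothing. Running the same replay over the default and custom F5 pair would show which of their blocks, if any, hit the check.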

Stuti Gupta

Mar 13, 2024, 4:47:00 AM
to Wazuh | Mailing List

Hi Yossif Helmy.
Hope you are doing well.

Can you please share the custom decoders that you created for Palo Alto?
Please also share the steps that you followed to exclude the default decoders.

Looking forward to your response.
Regards

Yossif Helmy

Mar 13, 2024, 6:03:16 AM
to Wazuh | Mailing List
Hello,

Here's the custom decoder for paloalto:
<!--
  Copyright (C) 2015, Wazuh Inc.
-->

<!--
  Palo Alto v8.X - v10.X decoders.
-->

<!--
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,TRAFFIC,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,CONFIG,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,THREAT,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,OTHERS,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,general,0,2020/00/00 00:00:00,,general,,0,0,general,informational,"xxxxxxxxxxxxxxx",0000000,0x0,0,0,0,0,,XXX-XX-XX
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,general,0,2020/00/00 00:00:00,,general,,0,0,general,low,"xxxxxxxxxxxxxxx",0000000,0x0,0,0,0,0,,XXX-XX-XX
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,general,0,2020/00/00 00:00:00,,general,,0,0,general,medium,"xxxxxxxxxxxxxxx",0000000,0x0,0,0,0,0,,XXX-XX-XX
  0,2021/07/12 09:46:23,321321321,THREAT,vulnerability,0,2021/07/12 09:46:00,199.195.252.165,172.30.250.61,199.195.252.165,10.20.0.19,GPS-UAT-MODULR-Web-443-OUT,,,web-browsing,vsys1,YYYYYYYYYYY,ZZZZZZZZZZZ,ethernet1/1,tunnel.2,UATH-LogForwarding,2021/07/12 09:46:00,51557,1,55094,443,55094,443,0x502000,tcp,reset-both,"getuser",DCS-2530L Unauthenticated Information Disclosure Vulnerability(90255),any,high,client-to-server,561,0xa000000000000000,United States,172.16.0.0-172.31.255.255,0,,0,,,1,,,,,,,,0,41,225,0,0,,UAT-INTERNET-FW-01,,,,,0,,0,,N/A,info-leak,AppThreat-8428-6809,0x2,0,4294967295,,"  ",dd3035a9-452f-4073-a1bc-169f4b453e6a,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-07-12T09:46:01.359+01:00,,  ,
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,general,0,2020/00/00 00:00:00,,general,,0,0,general,high,"xxxxxxxxxxxxxxx",0000000,0x0,0,0,0,0,,XXX-XX-XX
  Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,general,0,2020/00/00 00:00:00,,general,,0,0,general,critical,"xxxxxxxxxxxxxxx",0000000,0x0,0,0,0,0,,XXX-XX-XX
  0,2021/07/15 11:58:58,1321564321,TRAFFIC,N/A,0,2021/07/15 11:59:02,10.210.0.84,51.11.168.232,,,DENY-ALL,,,not-applicable,vsys1,INSPECTION,INSPECTION,ethernet1/1,,AWS-PANORAMA,2021/07/15 11:59:02,0,1,500,500,0,0,0x0,udp,deny,0,0,0,1,2021/07/15 11:59:02,0,any,0,91501273,0x8000000000000000,10.0.0.0-10.255.255.255,YYYYYYYYYYYY,0,1,0,policy-deny,150,42,25,260,,P1A-GWLB-CORE-FW01,from-policy,,,0,,0,,N/A,0,0,0,0,49543e97-7c8c-44a3-bbd9-031caeb1a65e,0,0,,,,,,,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-07-15T11:59:03.547+01:00,,
  May 00 00:00:00 XXX-XX-00 1,2020/00/00 00:00:00,00000000,TRAFFIC,start,0000,2020/06/00 00:00:00,00.00.000.00,00.00.00.0,0.0.0.0,0.0.0.0,xxx-xxx_xxxx,,,xxx,xxxxx,xxxx,xxxx,xxxx.0,xxx.000,xxxxxxxx,2020/00/00 00:00:00,0000,1,0000,000,0,0,0x0,xxx,xxxx,000,000,00,0,2020/00/00 00:00:00,1,any,0,0000000,0x0,00.0.0.0-00.000.000.000,00.0.0.0-00.000.000.000,0,0,0,n/a,0,0,0,0,,xxx-xx-01,from-policy,,,0,,0,,N/A,0,0,0,0,00000-0000-00xx00-00xx-0x0x0x000xx,0
  May 00 00:00:00 XXX-XX-00 1,2020/00/00 00:00:00,00000000,TRAFFIC,end,0000,2020/06/00 00:00:00,00.00.000.00,00.00.00.0,0.0.0.0,0.0.0.0,xxx-xxx_xxxx,,,xxx,xxxxx,xxxx,xxxx,xxxx.0,xxx.000,xxxxxxxx,2020/00/00 00:00:00,0000,1,0000,000,0,0,0x0,xxx,xxxx,000,000,00,0,2020/00/00 00:00:00,1,any,0,0000000,0x0,00.0.0.0-00.000.000.000,00.0.0.0-00.000.000.000,0,0,0,n/a,0,0,0,0,,xxx-xx-01,from-policy,,,0,,0,,N/A,0,0,0,0,00000-0000-00xx00-00xx-0x0x0x000xx,0
  May 00 00:00:00 XXX-XX-00 1,2020/00/00 00:00:00,00000000,TRAFFIC,drop,0000,2020/06/00 00:00:00,00.00.000.00,00.00.00.0,0.0.0.0,0.0.0.0,xxx-xxx_xxxx,,,xxx,xxxxx,xxxx,xxxx,xxxx.0,xxx.000,xxxxxxxx,2020/00/00 00:00:00,0000,1,0000,000,0,0,0x0,xxx,xxxx,000,000,00,0,2020/00/00 00:00:00,1,any,0,0000000,0x0,00.0.0.0-00.000.000.000,00.0.0.0-00.000.000.000,0,0,0,n/a,0,0,0,0,,xxx-xx-01,from-policy,,,0,,0,,N/A,0,0,0,0,00000-0000-00xx00-00xx-0x0x0x000xx,0
  May 00 00:00:00 XXX-XX-00 1,2020/00/00 00:00:00,00000000,TRAFFIC,deny,0000,2020/06/00 00:00:00,00.00.000.00,00.00.00.0,0.0.0.0,0.0.0.0,xxx-xxx_xxxx,,,xxx,xxxxx,xxxx,xxxx,xxxx.0,xxx.000,xxxxxxxx,2020/00/00 00:00:00,0000,1,0000,000,0,0,0x0,xxx,xxxx,000,000,00,0,2020/00/00 00:00:00,1,any,0,0000000,0x0,00.0.0.0-00.000.000.000,00.0.0.0-00.000.000.000,0,0,0,n/a,0,0,0,0,,xxx-xx-01,from-policy,,,0,,0,,N/A,0,0,0,0,00000-0000-00xx00-00xx-0x0x0x000xx,0
-->

<!-- Generic Palo Alto decoder -->
<decoder name="paloalto">
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,\w+,</prematch>
</decoder>

<!-- Palo Alto system decoders -->
<!-- Supported versions
  8.X-9.X: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
  10.X: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, FUTURE_USE, High Resolution Timestamp
-->
<!-- <decoder name="paloalto-system-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,SYSTEM,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(SYSTEM)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-system-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>content_threat_type, generated_time, virtual_system, event_id, object, module, severity, description, sequence_number, action_flags, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name</order>
</decoder>

<decoder name="paloalto-system-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,[^,]*,[^,]*,([^,]*)</regex>
  <order>high_resolution_timestamp</order>
</decoder> -->

<!-- Palo Alto traffic decoders -->
<!-- Supported versions
  8.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type
  8.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received
  9.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection
  9.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection, App Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, SD-WAN Cluster Type, SD-WAN Site, Dynamic User Group Name
  10.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection, App Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, SD-WAN Cluster Type, SD-WAN Site, Dynamic User Group Name, XFF Address, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source Mac Address, Destination Device Category, Destination Device Profile, Destination Device Model, Destination Device Vendor, Destination Device OS Family, Destination Device OS Version, Destination Hostname, Destination Mac Address, Container ID, POD Namespace, POD Name, Source External Dynamic List, Destination External Dynamic List, Host ID, Serial Number, Source Dynamic Address Group, Destination Dynamic Address Group, Session Owner, High Resolution Timestamp, A Slice Service Type, A Slice Differentiator
  10.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Country, Destination Country, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received, Rule UUID, HTTP/2 Connection, App Flap Count, Policy ID, Link Switches, SD-WAN Cluster, SD-WAN Device Type, SD-WAN Cluster Type, SD-WAN Site, Dynamic User Group Name, XFF Address, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source Mac Address, Destination Device Category, Destination Device Profile, Destination Device Model, Destination Device Vendor, Destination Device OS Family, Destination Device OS Version, Destination Hostname, Destination Mac Address, Container ID, POD Namespace, POD Name, Source External Dynamic List, Destination External Dynamic List, Host ID, Serial Number, Source Dynamic Address Group, Destination Dynamic Address Group, Session Owner, High Resolution Timestamp, A Slice Service Type, A Slice Differentiator, Application Subcategory, Application Category, Application Technology, Application Risk, Application Characteristic, Application Container, Application SaaS, Application Sanctioned State
-->
<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,TRAFFIC,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(TRAFFIC)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<!--
  Custom logs for the production/STG/HQ environments
-->

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>content_type, generated_time, srcip, dstip, nat_source_ip, nat_destination_ip, rule_name, srcuser, dstuser, application, virtual_system, source_zone, destination_zone, inbound_interface, outbound_interface, log_action, session_id, repeat_count, srcport, dstport, nat_source_port, nat_destination_port, flags, protocol, action, bytes, bytes_sent, bytes_received, packets, start_time, elapsed_time, category, sequence_number, action_flags, source_country, destination_country, packets_sent, packets_received, session_end_reason, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel_type</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>sctp_association_id, sctp_chunks, sctp_chunks_sent, sctp_chunks_received</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*)</regex>
  <order>rule_uuid, http_2_connection</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>app_flap_count, policy_id, link_switches, sd_wan_cluster, sd_wan_device_type, sd_wan_cluster_type, sd_wan_site, dynamic_user_group_name</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_hostname, source_mac_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_hostname, destination_mac_address, container_id, pod_namespace, pod_name, source_external_dynamic_list, destination_external_dynamic_list, host_id, serial_number, source_dynamic_address_group, destination_dynamic_address_group, session_owner, high_resolution_timestamp, a_slice_service_type, a_slice_differentiator</order>
</decoder>

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state</order>
</decoder>

<!-- Palo Alto config decoders -->
<!-- Supported versions
  8.X: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Before Change Detail, After Change Detail, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
  9->10.X: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Before Change Detail, After Change Detail, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Device Group, Audit Comment
-->
<decoder name="paloalto-config-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,CONFIG,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(CONFIG)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-config-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>subtype, generated_time, host, virtual_system, command, admin, client, result, configuration_path, before_change_detail, after_change_detail, sequence_number, action_flags, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name</order>
</decoder>

<decoder name="paloalto-config-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*)</regex>
  <order>device_group, audit_comment</order>
</decoder>

<!-- Palo Alto threat decoders -->
<!-- Supported versions
  8.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE
  8.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers
  9.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers, URL Category List, Rule UUID, HTTP/2 Connection
  9.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers, URL Category List, Rule UUID, HTTP/2 Connection, Dynamic User Group Name
  10.0: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers, URL Category List, Rule UUID, HTTP/2 Connection, Dynamic User Group Name, XFF Address, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source MAC Address, Destination Device Category, Destination Device Profile, Destination Device Model, Destination Device Vendor, Destination Device OS Family, Destination Device OS Version, Destination Hostname, Destination MAC Address, Container ID, POD Namespace, POD Name, Source External Dynamic List, Destination External Dynamic List, Host ID, Serial Number, Domain EDL, Source Dynamic Address Group, Destination Dynamic Address Group, Session Owner, Partial Hash, High Resolution Timestamp, Reason, Justification, A Slice Service Type
  10.1: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Destination Address, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, IP Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers, URL Category List, Rule UUID, HTTP/2 Connection, Dynamic User Group Name, XFF Address, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source MAC Address, Destination Device Category, Destination Device Profile, Destination Device Model, Destination Device Vendor, Destination Device OS Family, Destination Device OS Version, Destination Hostname, Destination MAC Address, Container ID, POD Namespace, POD Name, Source External Dynamic List, Destination External Dynamic List, Host ID, Serial Number, Domain EDL, Source Dynamic Address Group, Destination Dynamic Address Group, Session Owner, Partial Hash, High Resolution Timestamp, Reason, Justification, A Slice Service Type, Application Subcategory, Application Category, Application Technology, Application Risk, Application Characteristic, Application Container, Application SaaS, Application Sanctioned State
-->
<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,THREAT,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(THREAT)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*</regex>
  <order>threat_content_type, generated_time, srcip, dstip, nat_source_ip, nat_destination_ip, rule_name, srcuser, dstuser, application, virtual_system, source_zone, destination_zone, inbound_interface, outbound_interface, log_action, session_id, repeat_count, srcport, dstport, nat_source_port, nat_destination_port, flags, ip_protocol, action, url_filename, threat_id, category, severity, direction, sequence_number, action_flags, source_location, destination_location, content_type, pcap_id, file_digest, cloud, url_index, user.agent, file_type, x_forwarded_for, referer, sender, subject, recipient, report_id, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name, source_vm_uuid, destination_vm_uuid, http.method, tunnel_id_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel_type, threat_category, content_version</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*)</regex>
  <order>sctp_association_id, payload_protocol_id, http_headers</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*)</regex>
  <order>url_category_list, rule_uuid, http_2_connection</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*)</regex>
  <order>dynamic_user_group_name</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_hostname, source_mac_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_hostname, destination_mac_address, container_id, pod_namespace, pod_name, source_external_dynamic_list, destination_external_dynamic_list, host_id, serial_number, domain_edl, source_dynamic_address_group, destination_dynamic_address_group, session_owner, partial_hash, high_resolution_timestamp, reason, justification, a_slice_service_type</order>
</decoder>

<decoder name="paloalto-threat-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state</order>
</decoder>

<!-- Generic decoder for other modules not decoded further -->
<decoder name="paloalto-others">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,\w+,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(\w+)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

And the steps I take for excluding the decoders/rules are excluding them in ossec.conf first, then making the decoder/rule file. I understand why an error is made for the paloalto decoder, but I don't understand why f5_bigip doesn't have the same error whilst having a similar structure as paloalto.

Thank you for your attention.

Stuti Gupta

unread,
Mar 13, 2024, 7:12:33 AM3/13/24
to Wazuh | Mailing List

In that case, share the change that you made in f5_bigip also.

Yossif Helmy

unread,
Mar 13, 2024, 9:06:35 AM3/13/24
to Wazuh | Mailing List
<!--
  Copyright (C) 2015, Wazuh Inc.
-->

<!--
Log references:

Log fields:
  <time stamp> <host name> <level> <service[pid]> <message code> <message text>

Log samples:

  May 24 11:15:01 HOSTNAME notice logrotate[3582]: ALERT exited abnormally with [1]
  May 24 11:15:25 HOSTNAME warning tmm1[18463]: 01260013:4: SSL Handshake failed for TCP 192.168.1.15:50932 -> 11.22.33.44:443
  May 17 11:28:20 HOSTNAME alert gtmd[13220]: 011ae0f2:1: Monitor instance /Common/Monitor_1.1.1.1 192.168.1.1:1526 UP -> DOWN from /Common/F5-LAN-SF (no reply from big3d: timed out)
  May 17 11:28:21 HOSTNAME alert gtmd[13202]: 011a4003:1: SNMP_TRAP: Pool /Common/hostname member pmtdbaf5-SF (ip:port=10.1.1.1:5443) state change green -> red ( Monitor /Common/Monitor_1.1.1.1 from /Common/F5-LAN-SF : no reply from big3d: timed out)
  May 17 11:28:22 HOSTNAME alert gtmd[13202]: 011a6006:1: SNMP_TRAP: VS virtual_server_name (ip:port=192.168.1.2:1526) (Server /Common/virtual_server_name) state change green -> red ( Monitor /Common/Monitor_1.1.1.1 from /Common/F5-LAN-SF : no reply from big3d: timed out)
-->

<!-- Group BigIP F5 decoders -->
<decoder name="f5-bigip">
  <type>syslog</type>
  <prematch type="pcre2">^\S+\s[^\[]+\[\d+\]:\s[0-9a-fA-F]+:\d+:\s</prematch>
</decoder>

<!-- General decoder catch all-->
<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">^(\S+)\s([^\[]+)\[(\d+)\]:\s([0-9a-fA-F]+):(\d+):\s(.*)$</regex>
  <order>event.type, process.name, process.pid, event.code, log.level, message</order>
</decoder>

<!-- 01010251 : Virtual %s exceeded configured rate limit. -->
<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">.*01010251:.*\s(Virtual\s(\S+)\s.*)</regex>
  <order>server_name</order>
</decoder>

<!-- 01010343 : Syncookie SW mode activated, server = %A:%d -->
<!-- 01010240 : Syncookie HW mode activated, server = %A:%d, HSB modId = %d -->
<!-- 01010241 : Syncookie HW mode exited, server = %A:%d, HSB modId = %d from %s. -->
<!-- 01010344 : Syncookie SW mode exited, server = %A:%d -->
<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">.*server = ([^:]+):(\d+)</regex>
  <order>srcip, srcport</order>
</decoder>

<!-- 01310027 : ASM subsystem error (%s,%s): %s -->
<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">.*01310027:.*\sASM\ssubsystem\serror\s([^:\s]+)[:\s]+(.*)</regex>
  <order>bigip.asm.subsystem, error.message</order>
</decoder>

<!-- Group BigIP F5 cef decoders-->
<decoder name="f5-bigip-cef">
  <type>syslog</type>
  <program_name>ASM</program_name>
</decoder>

<decoder name="f5-bigip-cef">
  <type>syslog</type>
  <prematch type="pcre2">CEF:0\|F5\|ASM\|[^\|]+\|(.+)|CEF:0\|F5\|[^\|]+\|[^\|]+\|.+</prematch>
</decoder>

<!-- General decoder message-->
<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">CEF:0\|F5\|ASM\|[^\|]+\|(.+)|CEF:0\|F5\|[^\|]+\|[^\|]+\|(.+)</regex>
  <order>message</order>
</decoder>

<!-- Structured fields -->
<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">dvchost=(\S+)?\s</regex>
  <order>dvchost</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">dvc=(\S+)?\s</regex>
  <order>srcip</order>
</decoder>

<!-- <decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs1=(\S+)?\scs1Label=(\S+)?\s</regex>
  <order>cs1, cs1Label</order>
</decoder> -->

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs2=(\S+)?\s</regex>
  <order>cs2</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs2Label=(\S+)?\s</regex>
  <order>cs2Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">deviceCustomDate1=(\w+\s\d{1,2}\s\d{4}\s\d{2}:\d{2}:\d{2})\s</regex>
  <order>deviceCustomDate1</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">deviceCustomDate1Label=(\S+)?\s</regex>
  <order>deviceCustomDate1Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">externalId=(\S+)?\s</regex>
  <order>externalId</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">act=(\S+)?\s</regex>
  <order>act</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">src=(\S+)?\s</regex>
  <order>srcip</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">spt=(\S+)?\s</regex>
  <order>srcport</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">dst=(\S+)?\s</regex>
  <order>dstip</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">dpt=(\S+)?\s</regex>
  <order>dstport</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">app=(\S+)?\s</regex>
  <order>app</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs5=(\S+)?\s</regex>
  <order>cs5</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs5Label=(\S+)?\s</regex>
  <order>cs5Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">rt=(\w+\s\d{1,2}\s\d{4}\s\d{2}:\d{2}:\d{2})\s</regex>
  <order>rt</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">deviceExternalId=(\S+)?\s</regex>
  <order>deviceExternalId</order>
</decoder>

<!-- <decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs4=(.*)\scs4Label=(\S+)?\s</regex>
  <order>cs4, cs4Label</order>
</decoder> -->

<!-- <decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs6=(\S+)?\scs6Label=(\S+)?\s</regex>
  <order>cs6, cs6Label</order>
</decoder> -->

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a1=(\S+)?\s</regex>
  <order>c6a1</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a1Label=(\S+)?\s</regex>
  <order>c6a1Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a2=(\S+)?\s</regex>
  <order>c6a2</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a2Label=(\S+)?\s</regex>
  <order>c6a2Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a3=(\S+)?\s</regex>
  <order>c6a3</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a3Label=(\S+)?\s</regex>
  <order>c6a3Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a4=(\S+)?\s</regex>
  <order>c6a4</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">c6a4Label=(\S+)?\s</regex>
  <order>c6a4Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">msg=(\S+)?\s</regex>
  <order>msg</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">suid=(\S+)?\s</regex>
  <order>suid</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">suser=(\S+)?\s</regex>
  <order>user</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cn2=(\S+)?\s</regex>
  <order>cn2</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cn2Label=(\S+)?\s</regex>
  <order>cn2Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cn3=(\S+)?\s</regex>
  <order>cn3</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cn3Label=(\S+)?\s</regex>
  <order>cn3Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">microservice=(\S+)?\s</regex>
  <order>microservice</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs3Label=(\S+)?\s</regex>
  <order>cs3Label</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs3=(.*)</regex>
  <order>cs3</order>
</decoder>

<!-- Illegal action-->
<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">(?:(Illegal)\s([^\|]+)\|){2}</regex>
  <order>type, action</order>
</decoder>

<!--
  Custom logs for the production/STG/HQ environments
-->

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">CEF:0\|F5\|ASM\|[^\|]+\|.*?\|(.*?)\|</regex>
  <order>event.desc</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">User-Agent: (.*?)\\r</regex>
  <order>user.agent</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">Referer: (.*?)\\r</regex>
  <order>referer</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">Host: (.*?)\\r</regex>
  <order>host</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs3Label=full_request\scs3=\S+\s\S+\s(HTTP\S+)\\r</regex>
  <order>http.version</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">request=(\S+)?\s</regex>
  <order>url</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs6=(.*)\scs6Label=geo_location</regex>
  <order>dstcountry</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs4=(.*)\scs4Label=attack_type</regex>
  <order>attack</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cs1=(.*)\scs1Label=policy_name</regex>
  <order>policy.name</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">cn1=(\d+)\scn1Label=response_code</regex>
  <order>http.status</order>
</decoder>

<decoder name="f5-bigip-cef-general-fields">
  <parent>f5-bigip-cef</parent>
  <regex type="pcre2">requestMethod=(\S+)?\s</regex>
  <order>http.method</order>
</decoder>

Stuti Gupta

unread,
Mar 14, 2024, 2:53:49 AM3/14/24
to Wazuh | Mailing List
Hi, please ensure that you've followed the steps outlined below:

I have tested this, and it's functioning correctly:

1. Exclude the decoders and rules from the Wazuh manager ossec.conf:
<decoder_exclude>ruleset/decoders/0505-paloalto_decoders.xml</decoder_exclude>
<rule_exclude>0700-paloalto_rules.xml</rule_exclude>

2. Restart the Wazuh manager using the command:
systemctl restart wazuh-manager

3. Copy the 0505-paloalto_decoders.xml file to the /var/ossec/etc/decoders/ folder and set the appropriate permissions and ownership:
cp /var/ossec/ruleset/decoders/0505-paloalto_decoders.xml /var/ossec/etc/decoders
sudo chown wazuh:wazuh /var/ossec/etc/decoders/0505-paloalto_decoders.xml
sudo chmod 660 /var/ossec/etc/decoders/0505-paloalto_decoders.xml

4. Restart the Wazuh manager.

5. Finally, test the log:

Apr 30 06:00:00 xx-xx-xx.xx 1,2020/02/09 00:00:00,00000000,SYSTEM,

Make sure to follow each step precisely to ensure the correct functioning of the process. Let me know if you encounter any issues.

Regards

Yossif Helmy

unread,
Mar 14, 2024, 3:01:54 AM3/14/24
to Wazuh | Mailing List
Hello Stuti,

I appreciate your work; however, my request was to understand why the paloalto decoder gives the error I provided, but the f5-bigip does not. Thank you for your attention to this matter.

Stuti Gupta

unread,
Mar 14, 2024, 5:01:02 AM3/14/24
to Wazuh | Mailing List
Hello Yossif,

I wanted to update you regarding the error we encountered. It seems that the PaloAlto decoder or rule has not been properly excluded. Could you please double-check the steps outlined earlier? Additionally, I've included your custom decoders, and they appear to be functioning correctly.

Hope this helps.

Yossif Helmy

unread,
Mar 14, 2024, 7:28:30 AM3/14/24
to Wazuh | Mailing List
Hello Stuti,

Yes. I haven't excluded them on purpose, just to illustrate that there is an error when adding a decoder for paloalto but not for f5_bigip. My only request is to know why an error isn't triggered for F5 as it is for Palo Alto.

Thank you.

Stuti Gupta

unread,
Mar 15, 2024, 6:15:11 AM3/15/24
to Wazuh | Mailing List
Hi again,

Regarding the statements "I excluded both for the same purpose of changing the field names" and "I haven't excluded them on purpose just to illustrate," could you please provide clarification on the steps you followed? And also share the changes that you made.

Hope to hear from you soon.

Yossif Helmy

unread,
Mar 15, 2024, 7:34:05 AM3/15/24
to Wazuh | Mailing List
Sure. Please don't include anything at first, then add the F5 decoder on the dashboard; it won't trigger any error. Now do the same for Palo Alto, and an error will be triggered like the one I provided at first. My question here is: why didn't it trigger for F5 like it did with Palo Alto?

BR,

Stuti Gupta

unread,
Mar 18, 2024, 7:04:32 AM3/18/24
to Wazuh | Mailing List
Hi Yossif,

The discrepancy in error occurrence between the Palo Alto and F5 decoders is attributed to the presence of prematch settings, as evident from their configurations.

Consider the Palo Alto decoder configuration:

<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,TRAFFIC,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(TRAFFIC)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

And the F5 decoder configuration:

<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">^(\S+)\s([^\[]+)\[(\d+)\]:\s([0-9a-fA-F]+):(\d+):\s(.*)$</regex>

  <order>event.type, process.name, process.pid, event.code, log.level, message</order>
</decoder>

The Palo Alto decoder employs a prematch setting (`<prematch type="pcre2">`), which specifies a particular pattern to identify relevant log entries before further processing. However, the F5 decoder doesn't utilize such prematch settings; it directly applies regex for parsing.

The absence of a prematch regex in the F5 decoder compared to the presence of one in the Palo Alto decoder is the reason behind the encountered error. When the configurations are copied into another directory without adjusting for these differences, a conflict arises due to the duplication of prematch settings, resulting in validation errors.

In essence, the error arises because the F5 decoder lacks a prematch regex, while the Palo Alto decoder includes one. This discrepancy causes the validation system to encounter conflicts, leading to the reported errors.

Hope this helps.
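A small check, added here as an illustration and not part of the thread or of Wazuh's own validator. It models the rule implied by the error text quoted at the top of the thread (a child decoder that repeats a name already loaded under the same parent and carries its own `<prematch>` is rejected) and runs that rule over constructed, shortened excerpts standing in for the 0525 and 0505 ruleset files and their custom copies, so that the F5 copy loads while the Palo Alto copy trips the duplicate check. The decoder snippets, the `paloalto` parent definition and the rule itself are assumptions made for this example, not Wazuh's source.

```python
"""Model of Wazuh's 'Duplicated decoder with prematch' check (error 2102).

Added illustration, not Wazuh's validator: the rule below is inferred from
the error message in the thread, and the decoder excerpts are constructed
stand-ins for the real 0505/0525 ruleset files and their custom copies.
"""
import xml.etree.ElementTree as ET


def parse_decoders(xml_text):
    """Return the <decoder> blocks of a Wazuh decoder file as dicts.

    Decoder files are XML fragments with many top-level <decoder> elements,
    so they are wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + xml_text + "</root>")
    decoders = []
    for node in root.iter("decoder"):
        decoders.append({
            "name": node.get("name"),
            "parent": (node.findtext("parent") or "").strip() or None,
            "has_prematch": node.find("prematch") is not None,
        })
    return decoders


def check_load(files):
    """Load decoder files in order and return the names the modelled rule
    rejects.

    Assumed rule (inferred from the error text, not from Wazuh's source):
    a child decoder (one with <parent>) that repeats a name already
    registered under that parent *and* carries its own <prematch> is a
    duplicate. Children without a prematch may repeat a name freely; that
    is how the many f5-bigip-general-fields blocks extract extra fields.
    """
    registered = set()   # (parent, name) pairs loaded so far
    rejected = []
    for text in files:
        for d in parse_decoders(text):
            key = (d["parent"], d["name"])
            if d["parent"] and d["has_prematch"] and key in registered:
                rejected.append(d["name"])
                continue
            registered.add(key)
    return rejected


# Constructed, shortened excerpts standing in for the ruleset files.
RULESET_F5 = r"""
<decoder name="f5-bigip">
  <type>syslog</type>
  <prematch type="pcre2">^\S+\s[^\[]+\[\d+\]:\s[0-9a-fA-F]+:\d+:\s</prematch>
</decoder>
<decoder name="f5-bigip-general-fields">
  <parent>f5-bigip</parent>
  <regex type="pcre2">^(\S+)\s([^\[]+)\[(\d+)\]:\s(.*)$</regex>
  <order>event.type, process.name, process.pid, message</order>
</decoder>
"""

RULESET_PALOALTO = r"""
<decoder name="paloalto">
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,\w+,</prematch>
</decoder>
<decoder name="paloalto-traffic-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,TRAFFIC,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(TRAFFIC)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>
"""

# The custom copies only rename fields in <order>, as described in the thread.
CUSTOM_F5 = RULESET_F5.replace("message", "bigip.message")
CUSTOM_PALOALTO = RULESET_PALOALTO.replace("receive_time", "pa.receive_time")


if __name__ == "__main__":
    # Both loaded: F5 passes, Palo Alto trips the duplicate check.
    print("F5 ruleset + custom:", check_load([RULESET_F5, CUSTOM_F5]))
    print("Palo Alto ruleset + custom:",
          check_load([RULESET_PALOALTO, CUSTOM_PALOALTO]))
    # With the ruleset file excluded in ossec.conf only the copy is loaded.
    print("Palo Alto custom only:", check_load([CUSTOM_PALOALTO]))
```

Under this model the F5 copy passes because its only repeated names belong to child decoders without a prematch, while the Palo Alto copy repeats `paloalto-traffic-fields` with a prematch; loading the copy alone, as after the `<decoder_exclude>` step earlier in the thread, produces no rejection.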

Stuti Gupta

unread,
Mar 19, 2024, 6:05:04 AM3/19/24
to Wazuh | Mailing List
Hi,

Please let me know if this solves the issue.