Original decoder exclude


Yossif Helmy

Feb 28, 2024, 7:15:44 AM2/28/24
to Wazuh | Mailing List
Hello all,

Good day. I have a problem with the Wazuh decoder for 0375-web-accesslog_decoders.xml

I supposedly excluded it in the ossec.conf file, but it is still working normally in the logs:
 <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <decoder_exclude>ruleset/decoders/0375-webaccesslog_decoders.xml</decoder_exclude>

I also made a custom decoder file in /etc/decoders, and it passed the tests.
Here's the file:
<decoder name="web-accesslog-custom">
    <type>web-log</type>
    <program_name>nginx|apache</program_name>
</decoder>

<decoder name="web-accesslog-custom">
    <type>web-log</type>
    <prematch>^\S+ \S+ \S+ \.*[\S+ \S\d+] "\w+ \S+ HTTP\S+" </prematch>
</decoder>

<decoder name="web-accesslog-custom-ip">
    <type>web-log</type>
    <parent>web-accesslog-custom</parent>
    <regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) (HTTP\S+)" (\d+) (\d+) "(\.+)" "(\.+)"</regex>
    <order>srcip, http.method, url, http.version, http.status, rsize, referrer, user.agent</order>
</decoder>

<decoder name="web-accesslog-custom-ip">
    <type>web-log</type>
    <parent>web-accesslog-custom</parent>
    <regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) (HTTP\S+)" (\d+) (\d+) "(\.+)" "(\.+)" "(\.+)"</regex>
    <order>srcip, http.method, url, http.version, http.status, rsize, referrer, user.agent, client.ip</order>
</decoder>

<decoder name="web-accesslog-domain">
    <type>web-log</type>
    <parent>web-accesslog-custom</parent>
    <prematch>^\S+.\D+</prematch>
    <regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip, protocol, url, id</order>
</decoder>

<decoder name="web-accesslog-ip-ip">
    <type>web-log</type>
    <parent>web-accesslog-custom</parent>
    <prematch>^\S+ \S+.\S+ |^\S+ \S+:\S+ </prematch>
    <regex>^(\S+) (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip2, srcip, protocol, url, id</order>
</decoder>

<decoder name="web-accesslog-glpi">
    <type>web-log</type>
    <parent>web-accesslog-custom</parent>
    <prematch>^\S+ - - [\d+/\w+/\d+:\d+:\d+:\d+ +\d+] "\S+ \S+ HTTP/\.+"</prematch>
    <regex>^(\S+) - - [(\d+/\w+/\d+:\d+:\d+:\d+) +\d+] "(\S+) (\S+) HTTP/(\.+)" (\d+) (\S+) "(\.+)" "(\.+)"</regex>
    <order>srcip,timestamp,operation, route, http_version, rcode, rsize, url, browser</order>
</decoder> 

And here's the wazuh-logtest:
1.2.3.4 - - [26/Feb/2024:18:13:00 +0200] "GET / HTTP/1.1" 405 150 "-" "user agent placeholder" "5.6.7.8"
**Phase 1: Completed pre-decoding.
        full event: '1.2.3.4 - - [26/Feb/2024:18:13:00 +0200] "GET / HTTP/1.1" 405 150 "-" "user agent placeholder" "5.6.7.8"'

**Phase 2: Completed decoding.
        name: 'web-accesslog-custom'
        client.ip: '5.6.7.8'
        http.method: 'GET'
        http.status: '405'
        http.version: 'HTTP/1.1'
        referrer: '-'
        rsize: '150'
        srcip: '1.2.3.4'
        url: '/'
        user.agent: 'user agent placeholder'

For the rules, I made another configuration on a test machine that worked, but I haven't added it to the production machine, which has the problem I mentioned. The problem here is that the old decoder doesn't seem to be excluded and the new custom decoder isn't shown, even though it can overwrite the default decoder even without the exclude part. I have tried:
  1. Editing the default decoder at /ruleset/decoders with the new custom
  2. Removing today's archive indices.
  3. Checking the permissions of the files and folders for the decoders and such. (Some have permissions root:wazuh 540.) I might need to confirm what permissions Wazuh needs for these directories/files.
  4. Making these changes both in terminal and GUI Wazuh.
What other troubleshooting methods can I do?

Thank you for your attention.

Jorge Eduardo Molas

Mar 1, 2024, 2:12:44 PM3/1/24
to Wazuh | Mailing List

Thank you for using Wazuh, Yossif. I am analyzing your case and will get back to you shortly.
Regards!

Jorge Eduardo Molas

Mar 1, 2024, 2:27:51 PM3/1/24
to Wazuh | Mailing List
Following the documentation, you should indicate the following:

<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>
</ruleset>

1. In the first block, a rule to exclude is indicated.
2. In the second block, the path of the custom decoders directory is defined with <decoder_dir>, and with the tag <decoder_exclude> the XML path of the decoder to be excluded.
3. Finally you have to restart the Wazuh manager for the changes to take effect.
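As an added example that is not part of this thread (neither Yossif's configuration nor Wazuh's own tooling), here is a Python check for the ossec.conf ruleset block discussed in both posts above: it verifies that every <decoder_exclude> path resolves to an existing file under the install directory, that the excluded file sits in a directory some <decoder_dir> actually loads, and that etc/decoders is declared as a <decoder_dir>. It assumes only what the thread shows (paths relative to the Wazuh install root, /var/ossec by default, and a manager restart after changes); the sample ossec.conf and file tree are constructed, and helper names such as check_ruleset and problems are mine. Note that the exclude posted above names 0375-webaccesslog_decoders.xml while the file mentioned in the question is 0375-web-accesslog_decoders.xml; the near-match hint in the check exists to catch exactly that kind of mismatch, which the manager would otherwise ignore silently.

```python
"""Sanity-check <decoder_dir>/<decoder_exclude> entries in a Wazuh ossec.conf."""
import difflib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (not a real deployment) mirroring the thread:
# the exclude says "0375-webaccesslog_decoders.xml" while the shipped file is
# "0375-web-accesslog_decoders.xml"; etc/decoders is declared as in the reply.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
    <decoder_exclude>ruleset/decoders/0375-webaccesslog_decoders.xml</decoder_exclude>
    <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>
  </ruleset>
</ossec_config>
"""

# Files placed in the constructed install tree (a real install ships many more).
SAMPLE_FILES = (
    "ruleset/decoders/0375-web-accesslog_decoders.xml",
    "ruleset/decoders/0310-ssh_decoders.xml",
    "etc/decoders/local_decoder.xml",
)


def build_sample_install(root):
    """Write the constructed install tree under root (hypothetical helper)."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<decoder name="placeholder"><prematch>x</prematch></decoder>\n')
    with open(os.path.join(root, "etc", "ossec.conf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_OSSEC_CONF)


def closest_name(directory, name, cutoff=0.8):
    """Best near-match for name among the files in directory, or None."""
    if not os.path.isdir(directory):
        return None
    hits = difflib.get_close_matches(name, os.listdir(directory), n=1, cutoff=cutoff)
    return hits[0] if hits else None


def check_ruleset(install_root):
    """Parse etc/ossec.conf under install_root and report on its ruleset entries.

    A real ossec.conf can hold several top-level <ossec_config> blocks, so the
    text is wrapped in one root element before parsing.
    """
    with open(os.path.join(install_root, "etc", "ossec.conf"), encoding="utf-8") as fh:
        doc = ET.fromstring("<root>" + fh.read() + "</root>")

    decoder_dirs = [d.text.strip() for d in doc.iter("decoder_dir") if d.text]
    excludes = {}
    for node in doc.iter("decoder_exclude"):
        rel = (node.text or "").strip()
        rel_dir, base = os.path.split(rel)
        exists = os.path.isfile(os.path.join(install_root, rel))
        excludes[rel] = {
            "exists": exists,
            # An exclude outside every loaded directory can never take effect.
            "in_declared_dir": rel_dir in decoder_dirs,
            # Typo hint when the file is missing (the situation in the thread).
            "suggestion": None if exists else closest_name(os.path.join(install_root, rel_dir), base),
        }
    return {
        "decoder_dirs": decoder_dirs,
        "custom_dir_declared": "etc/decoders" in decoder_dirs,
        "excludes": excludes,
    }


def problems(report):
    """Turn a report into human-readable findings; an empty list means all good."""
    out = []
    if not report["custom_dir_declared"]:
        out.append("etc/decoders is not listed in any <decoder_dir>; custom decoders will not load")
    for rel, info in report["excludes"].items():
        if not info["exists"]:
            hint = f" (did you mean {info['suggestion']}?)" if info["suggestion"] else ""
            out.append(f"<decoder_exclude>{rel}</decoder_exclude> names a file that does not exist{hint}")
        elif not info["in_declared_dir"]:
            out.append(f"<decoder_exclude>{rel}</decoder_exclude> is outside every declared <decoder_dir>")
    return out


def run_demo():
    """Build the constructed tree in a temp dir, check it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return check_ruleset(root)


if __name__ == "__main__":
    # Against a live manager use check_ruleset("/var/ossec") instead, then
    # restart the manager after correcting ossec.conf.
    for line in problems(run_demo()):
        print(line)
```

Run as a script it prints a single finding for the constructed configuration, pointing at the misspelled exclude and suggesting the shipped file name; the ssh exclude, which exists and lives in a declared directory, produces nothing. The check deliberately stops at the configuration layer: it does not reimplement Wazuh's decoder matching, so wazuh-logtest remains the tool for confirming which decoder actually fires once the manager has been restarted.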
