Hello @gamerpox, hope you’re doing great.
After doing some research, here you have a simpler regex for your decoder. Change the idX fields to the ones you need (or remove/ignore the ones you don't want):
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^(W3SVC\d+)</prematch>
  <regex offset="after_parent">(\S+) (\S+) (\S+) (\S+) - (\S+) - (\S+) \S+ - (\d+) (\d+) (\d+) (\d+)</regex>
  <order>site_name, srcip, action, url, srcport, dstip, id1, id2, id3, id4</order>
</decoder>
root@afo:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line
2022-08-22 07:45:08 W3SVC17 21.81.258.11 GET /example/example-5-25-example-help/1-for-f-blabla-teams/ - 443 - 42.172.13.557 Amazon+CloudFront - 301 0 0 161
**Phase 1: Completed pre-decoding.
full event: '2022-08-22 07:45:08 W3SVC17 21.81.258.11 GET /example/example-5-25-example-help/1-for-f-blabla-teams/ - 443 - 42.172.13.557 Amazon+CloudFront - 301 0 0 161'
**Phase 2: Completed decoding.
name: 'web-accesslog-iis6'
parent: 'windows-date-format'
action: 'GET'
dstip: '42.172.13.557'
id1: '301'
id2: '0'
id3: '0'
id4: '161'
site_name: 'W3SVC17'
srcip: '21.81.258.11'
srcport: '443'
url: '/example/example-5-25-example-help/1-for-f-blabla-teams/'
**Phase 3: Completed filtering (rules).
id: '31100'
level: '0'
description: 'Access log messages grouped.'
groups: '['web', 'accesslog']'
firedtimes: '1'
mail: 'False'
In case you want to extract the date with the Windows format (^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d), you have to remove the offset from the regex and add the new date fields to your regex ((\S+ \S+)):
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^(W3SVC\d+)</prematch>
  <regex>(\S+ \S+) (\S+) (\S+) (\S+) (\S+) - (\S+) - (\S+) \S+ - (\d+) (\d+) (\d+) (\d+)</regex>
  <order>date, site_name, srcip, action, url, srcport, dstip, id1, id2, id3, id4</order>
</decoder>
root@afo:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line
2022-08-22 07:45:08 W3SVC17 21.81.258.11 GET /example/example-5-25-example-help/1-for-f-blabla-teams/ - 443 - 42.172.13.557 Amazon+CloudFront - 301 0 0 161
**Phase 1: Completed pre-decoding.
full event: '2022-08-22 07:45:08 W3SVC17 21.81.258.11 GET /example/example-5-25-example-help/1-for-f-blabla-teams/ - 443 - 42.172.13.557 Amazon+CloudFront - 301 0 0 161'
**Phase 2: Completed decoding.
name: 'web-accesslog-iis6'
parent: 'windows-date-format'
action: 'GET'
date: '2022-08-22'
dstip: '42.172.13.557'
hour: '07:45:08'
id1: '301'
id2: '0'
id3: '0'
id4: '161'
site_name: 'W3SVC17'
srcip: '21.81.258.11'
srcport: '443'
url: '/example/example-5-25-example-help/1-for-f-blabla-teams/'
**Phase 3: Completed filtering (rules).
id: '31100'
level: '0'
description: 'Access log messages grouped.'
groups: '['web', 'accesslog']'
firedtimes: '1'
mail: 'False'
Finally, if you are overwriting the Wazuh decoders, you should read this about changing existing rules and decoders.
Do not hesitate to ask us if you have any doubt or something else!
Hope this helps you,
Luis.
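As an added example (not part of the reply above or of Wazuh itself), the following Python emulates the prematch/regex/order logic of the two decoders so the capture mapping can be checked offline before loading a decoder file. It assumes the parent decoder's date prematch is the pattern quoted in the reply and maps captures to the <order> names literally, so for the second variant it yields one "date" capture where wazuh-logtest itself reports separate date and hour fields.

```python
import re

# Assumption: the parent decoder "windows-date-format" matches this prefix
# (the pattern quoted in the reply); the emulation strips it like offset="after_parent".
PARENT_DATE = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d"
PREMATCH = r"^(W3SVC\d+)"

# Variant 1: regex runs after the parent match and captures no timestamp.
REGEX_AFTER_PARENT = r"(\S+) (\S+) (\S+) (\S+) - (\S+) - (\S+) \S+ - (\d+) (\d+) (\d+) (\d+)"
ORDER_AFTER_PARENT = ["site_name", "srcip", "action", "url", "srcport",
                      "dstip", "id1", "id2", "id3", "id4"]

# Variant 2: regex runs over the whole line and captures the timestamp first.
REGEX_FULL = r"(\S+ \S+) " + REGEX_AFTER_PARENT
ORDER_FULL = ["date"] + ORDER_AFTER_PARENT

# Note: Wazuh uses its own OS_Regex engine, not Python's re. For these patterns
# (\S, \d, literal spaces and plain capture groups) the two behave the same.


def decode_iis6(line, after_parent=True):
    """Return the decoded field dict for one IIS6 line, or None if the
    parent match, the prematch or the regex fails (decoder not applied)."""
    parent = re.match(PARENT_DATE, line)
    if not parent:
        return None                       # parent decoder would not match
    rest = line[parent.end():].lstrip()   # text after the parent match
    if not re.match(PREMATCH, rest):
        return None                       # prematch fails: decoder skipped
    if after_parent:
        m, order = re.match(REGEX_AFTER_PARENT, rest), ORDER_AFTER_PARENT
    else:
        m, order = re.match(REGEX_FULL, line), ORDER_FULL
    if not m:
        return None
    return dict(zip(order, m.groups()))


if __name__ == "__main__":
    # Sample line taken from the logtest session above.
    sample = ("2022-08-22 07:45:08 W3SVC17 21.81.258.11 GET "
              "/example/example-5-25-example-help/1-for-f-blabla-teams/ - 443 - "
              "42.172.13.557 Amazon+CloudFront - 301 0 0 161")
    for name, value in sorted(decode_iis6(sample, after_parent=False).items()):
        print(f"{name}: '{value}'")
```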