wazuh-archives has mixed info from wazuh-alert index


sahir khan

Aug 21, 2024, 3:39:15 AM
to Wazuh | Mailing List

Hi Team,

I have integrated the Trend Micro logs into Wazuh. After the integration, all the logs are coming into the Wazuh archives index, but I need all the logs to appear in the Wazuh alerts. How can I set this up? I have checked the Filebeat configuration, and it looks like the following:


filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true

In this configuration, both wazuh-alerts and wazuh-archives are set to true. If we disable wazuh-archives, what will be the result? Will it stop pushing logs to the Wazuh dashboard? Please suggest how to fix this.

Can you please explain how the alerts and archives indexes work.

Stuti Gupta

Aug 21, 2024, 4:35:51 AM
to Wazuh | Mailing List
Hi Sahir Khan,

You need to create a custom decoder and rules for the alert to trigger in the wazuh-alerts index. We recommend creating custom rules and decoders based on archives.json, because in these logs we can see the field full_log, which is the one parsed by analysisd. One of the archives.json events should look like this (the field of interest is in bold):
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Refer: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

For example:
Log
Jul 17 17:15:09 1.1.13.10 CEF: 0|Trend Micro|Apex Central|2019|AV:File quarantined|Eicar_test_1|3|deviceExternalId=4 rt=Jul 17 2024 14:13:48 GMT+00:00 cnt=1 dhost=ITCOMP TMCMLogDetectedHost=ITCOMP duser=mSI\\ohrio act=File quarantined cn1Label=Pattern cn1=1947100 cn2Label=Second_Action cn2=4 cs1Label=VLF_FunctionCode cs1=Real-time Scan cs2Label=Engine cs2=23.620.1013 cs3Label=Product_Version cs3=14.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=First_Action_Result cs5=Unable to clean file cs6Label=Second_Action_Result cs6=File quarantined cat=1703 dvchost=APEXONE cn3Label=Overall_Risk_Rating cn3=2 fname=11111.exe filePath=C:\\Users\\mmm\\Desktop\\ dst=1.16.10.3 TMCMLogDetectedIP=12.1.15.3 fileHash=D04238C9C6254CB5146DAF2E5F63FB957B9D1BEF deviceFacility=Apex One ApexCentralHost=TRENDAPEXCENTRA devicePayloadId=39005650B06C-A08911EF-4446-F2D3-0CD5 TMCMdevicePlatform=Windows 10 10.0 (Build 19045) deviceNtDomain=mSI dntdom=mmi.local\\

Custom decoder:
<!-- Parent: the predecoder sets program_name to "CEF", so the log body
     starts at "0|Trend Micro|Apex Central|2019|" -->
<decoder name="trend-micro">
  <program_name>CEF</program_name>
  <prematch>^0\|Trend Micro\|Apex Central\|2019\|</prematch>
</decoder>

<!-- Child 1: the seven pipe-separated CEF header fields. The regex has
     six capture groups, one per name in <order>; the literal CEF version
     "0" is matched but not stored. -->
<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>^0\|(\.+)\|(\.+)\|(\.+)\|(\.+)\|(\.+)\|(\d+)\|</regex>
  <order>apex.vendor, apex.product, apex.product_version, apex.signatureId, apex.Name, apex.severity</order>
</decoder>

<!-- Child 2: the extension keys the rule below matches on. "act" values
     contain spaces, so \.+ is used; cn1Label is a single token. -->
<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>act=(\.+) cn1Label=(\S+) </regex>
  <order>ACt, cn1Label</order>
</decoder>

Custom rule:
<group name="Trend">
  <rule id="100101" level="3">
    <decoded_as>trend-micro</decoded_as>
    <field name="ACt">File quarantined</field>
    <description>trend-micro log</description>
  </rule>
</group>
The results are in the image. If they look right, you need to restart wazuh-manager to apply the changes.
Screenshot_12.png

Hope this helps 
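A dry run of the decoder and rule pair above, as an added example that is not part of the thread or of Wazuh itself: it parses the sample Apex Central CEF line (header on unescaped pipes, extension as key=value tokens whose values may contain spaces) into the fields the decoder is meant to attach, then evaluates the rule's `ACt` condition, so you can check names and values before loading the XML and confirming with /var/ossec/bin/wazuh-logtest. The `apex.*` header names are this example's own choice, one per CEF header field; `ACt` and `cn1Label` follow the decoder.

```python
import re

# Constructed sample, shortened from the log line posted in the thread.
SAMPLE = ("Jul 17 17:15:09 1.1.13.10 CEF: 0|Trend Micro|Apex Central|2019|"
          "AV:File quarantined|Eicar_test_1|3|deviceExternalId=4 "
          "act=File quarantined cn1Label=Pattern cn1=1947100 "
          "fname=11111.exe filePath=C:\\\\Users\\\\mmm\\\\Desktop\\\\ dst=1.16.10.3")

# Assumed field names for the six CEF header values after the version "0".
HEADER_KEYS = ("apex.vendor", "apex.product", "apex.product_version",
               "apex.signatureId", "apex.Name", "apex.severity")


def split_cef_header(body):
    # CEF escapes a literal pipe as \| so split on unescaped pipes only.
    return re.split(r"(?<!\\)\|", body)


def parse_extensions(ext):
    # key=value tokens; a value runs up to the next " key=" or end of line,
    # which is what lets "act=File quarantined" keep its space.
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext))


def decode(line):
    """Return the fields the decoder would produce, or None if no match."""
    m = re.match(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ CEF: (.*)$", line)
    if not m:
        return None  # program_name would not be CEF
    parts = split_cef_header(m.group(1))
    if len(parts) < 8 or parts[1:4] != ["Trend Micro", "Apex Central", "2019"]:
        return None  # the parent <prematch> would fail
    fields = dict(zip(HEADER_KEYS, parts[1:7]))
    ext = parse_extensions("|".join(parts[7:]))
    for cef_key, wazuh_name in (("act", "ACt"), ("cn1Label", "cn1Label")):
        if cef_key in ext:
            fields[wazuh_name] = ext[cef_key]
    return fields


def rule_100101_fires(fields):
    # Mirrors <field name="ACt">File quarantined</field> in rule 100101.
    return fields is not None and fields.get("ACt") == "File quarantined"


if __name__ == "__main__":
    decoded = decode(SAMPLE)
    print(decoded)
    print("rule 100101 fires:", rule_100101_fires(decoded))
```

If the dry run shows the field you expect but wazuh-logtest does not, the difference is almost always the decoder regex, since OSSEC regex syntax (\.+, \S+, \d+) is not PCRE.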

sahir khan

Aug 21, 2024, 6:46:50 AM
to Wazuh | Mailing List
Hi Stuti Gupta,

We have enabled the custom rule for Wazuh alerts, as mentioned below. In my understanding, wazuh-alerts will trigger alerts when a match is found in the alert rule configuration, and wazuh-archives will fetch all the events and send the data to the manager server using Filebeat, right? In my case, wazuh-archives stores a larger number of events, which occupies significant space on the Wazuh manager server. So, if I disable wazuh-archives in the Filebeat configuration, will it affect anything? It won't stop pushing real event data to the Wazuh dashboard, right?
You said to create a custom decoder and ruleset; kindly give me a short explanation of this.

Alert trigger configuration in the wazuh-manager configuration:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>15</email_alert_level>
  </alerts>

Thank you,
A. Mohamed Sahir Khan.

Stuti Gupta

Aug 23, 2024, 7:03:17 AM
to Wazuh | Mailing List
If you disable archiving in Filebeat, the `wazuh-archives` index will be disabled from the Wazuh dashboard, and the `wazuh-archives` index won't be created. However, you can still access the `archives.log` and `archives.json` files in `/var/ossec/logs/archives/`. These logs won't be indexed.

The Analysisd module on the Wazuh server evaluates decoded logs against predefined rules and records any triggered alerts in `/var/ossec/logs/alerts/alerts.log` and `/var/ossec/logs/alerts/alerts.json`. In addition to alert logs, Wazuh stores all collected logs in dedicated archive log files, located at `/var/ossec/logs/archives/archives.log` and `/var/ossec/logs/archives/archives.json`. These archive logs capture all logs, including those that don't trigger alerts, ensuring a complete record of system activities for future analysis.

As a result, only logs that trigger a rule will be visible under the `wazuh-alerts-*` index in the Wazuh dashboard.

Refer to https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html#the-wazuharchives-indices

Hope this helps 