Trying to use remote syslog to analyze HP procurve 2920 switch. I see the logs in archives.json, but I do not see them in Kibana Wazuh.

juan.i...@gmail.com
May 25, 2018, 1:44:13 PM
to Wazuh mailing list
Hello Community,

I'm trying to analyze the logs from an HP procurve 2920 switch for PCI DSS. I see the logs in /var/ossec/logs/archives/archives.json as:

{"timestamp":"2018-05-25T02:53:00-0400","rule":{},"agent":{"id":"000","name":"HW-OSSEC"},"manager":{"name":"HW-OSSEC"},"id":"1527231180.575895","full_log":" May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70","decoder":{},"predecoder":{"hostname":"HW-OSSEC"},"location":"10.1.128.16"}

In /var/ossec/logs/archives/archives.log I see the log as:

2018 May 25 02:53:00 HW-OSSEC->10.1.128.16  May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70.

However, I do not see the alerts in the /var/ossec/logs/alerts/alerts.json or alerts.log files.

I tried creating decoders but I'm not sure if that's what is needed, or if I need to create a rule. If I need to create a decoder or rule, could I share what I've tried and someone could help?

Thanks for your help.

Jose Luis Ruiz
May 25, 2018, 2:56:07 PM
to juan.i...@gmail.com, Wazuh mailing list

Hi Juan,

The log sample that you are sending is decoded by Wazuh:

May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70


**Phase 1: Completed pre-decoding.
       full event: 'May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'
       timestamp: 'May 25 00:52:59'
       hostname: '10.1.128.16'
       program_name: '(null)'
       log: '03362 auth:  User 'manager' login from 10.1.2.70'

**Phase 2: Completed decoding.
       decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
       Rule id: '35000'
       Level: '0'
       Description: 'Squid messages grouped.'

But in this specific case it is decoded as Squid messages; really, the Squid decoder is very "open":

<decoder name="squid-accesslog">
  <type>squid</type>
  <prematch>^\d+ \S+ </prematch>
  <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
  <order>srcip,action,id,url</order>
</decoder>

My recommendation is to create a custom decoder that is more explicit for your log, and not for the archives.log.

Something like the following:

<decoder name="hp">
  <prematch>^ \w\w\w \d\d \d\d:\d\d:\d\d</prematch>
</decoder>

And the output is something like:


 May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70


**Phase 1: Completed pre-decoding.
       full event: ' May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'
       timestamp: '(null)'
       hostname: 'wazuh-manager'
       program_name: '(null)'
       log: ' May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'

**Phase 2: Completed decoding.
       decoder: 'hp'

Please note that your log always has a space before the month (' May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'); this is why the decoder also has a space between ^ and \w\w\w.

Also, if you want to export some fields we would need more information about the log format; for this specific log (user login), something like this:

<decoder name="hp">
  <prematch>^ \w\w\w \d\d \d\d:\d\d:\d\d</prematch>
  <regex offset="after_prematch">User '(\S+)' \.+ from (\d+.\d+.\d+.\d+)</regex>
  <order>user,srcip</order>
</decoder>

 May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70


**Phase 1: Completed pre-decoding.
       full event: ' May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'
       timestamp: '(null)'
       hostname: 'wazuh-manager'
       program_name: '(null)'
       log: ' May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70'

**Phase 2: Completed decoding.
       decoder: 'hp'
       dstuser: 'manager'
       srcip: '10.1.2.70'

I hope it helps.



Regards
————————
José Luis Ruiz.
Wazuh Inc.
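The two logtest runs above can be reproduced offline with a small Python model of the decoding stages (an added illustration, not Wazuh's own code; the OSSEC-style patterns are hand-translated into Python regex and the decoder ordering in which_decoder is an assumption). It shows why the squid-accesslog prematch claims the line once the syslog header parses, and why the hp prematch needs the leading space.

```python
import re

# Constructed sample line, copied from the archives.log excerpt in this thread,
# including the leading space before the month that the reply points out.
HP_LINE = " May 25 00:52:59 10.1.128.16 03362 auth:  User 'manager' login from 10.1.2.70"

# Hand-translated Python equivalents of the OSSEC-style patterns quoted above.
# OSSEC regex is not PCRE: "\.+" means "any run of characters" and a bare "."
# is a literal dot, so this is an approximation of the Wazuh engine, not the engine.
SQUID_PREMATCH = re.compile(r"^\d+ \S+ ")
HP_PREMATCH = re.compile(r"^ \w\w\w \d\d \d\d:\d\d:\d\d")
HP_REGEX = re.compile(r"User '(\S+)' .+ from (\d+\.\d+\.\d+\.\d+)")
# <order>user,srcip</order>: Wazuh reports the "user" slot as dstuser,
# which is what the logtest output in the thread shows.
HP_ORDER = ("dstuser", "srcip")


def predecode(line):
    """Phase 1 (simplified): split 'Mon DD HH:MM:SS host rest' into fields.
    A leading space breaks the syslog header, so timestamp stays None and
    the whole line becomes the 'log' part, exactly as logtest printed."""
    m = re.match(r"^(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) (.*)$", line)
    if not m:
        return {"timestamp": None, "hostname": None, "log": line}
    return {"timestamp": m.group(1), "hostname": m.group(2), "log": m.group(3)}


def hp_decode(line):
    """Phase 2 for the custom 'hp' decoder: prematch gates the log part, then
    the regex runs on the remainder (offset="after_prematch") and its capture
    groups fill the <order> field names. Returns None when prematch fails."""
    log = predecode(line)["log"]
    pm = HP_PREMATCH.match(log)
    if not pm:
        return None
    fields = {"decoder": "hp"}
    m = HP_REGEX.search(log[pm.end():])
    if m:
        fields.update(zip(HP_ORDER, m.groups()))
    return fields


def which_decoder(line):
    """Which decoder claims the line. Assumed ordering: the stock squid
    decoder is tried before the custom hp one, as the thread observed."""
    pre = predecode(line)
    if pre["timestamp"] and SQUID_PREMATCH.match(pre["log"]):
        return "squid-accesslog"
    if hp_decode(line):
        return "hp"
    return None
```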

juan.i...@gmail.com
May 25, 2018, 3:21:52 PM
to Wazuh mailing list
Thank you for your help!

So, I followed the instructions you sent and it works. After the decoder is created, what else do I need to do in order for the event to show in Kibana Wazuh web interface?

I did research and read all the documentation for decoders and rules. I understand I will need to create a rule in order for this to appear in the web interface; correct me if I'm wrong. Or do I just need to add the <group> tag in order for it to be classified as one of the PCI events?

Jose Luis Ruiz
May 25, 2018, 3:32:26 PM
to juan.i...@gmail.com, Wazuh mailing list
Hi Juan,

Yes, you need to create one or more rules to trigger alerts based on the conditions that you want, for example:

<group name="hp,yourpersonalgroup,">

  <rule id="100001" level="1">
    <decoded_as>hp</decoded_as>
    <description>Grouping for the hp rules.</description>
    <group>connection_attempt,pci_dss_10.6.1,</group>
  </rule>

</group>

This will log all your events from this device in your Kibana. You can create child rules with specific matches to increase the level, or set this one to level 0 so that it does not log the full amount and only child rules matching specific words or sentences trigger specific alerts.

Regards
————————
José Luis Ruiz.
Wazuh Inc.


juan.i...@gmail.com
May 25, 2018, 4:20:33 PM
to Wazuh mailing list
THANK YOU THANK YOU THANK YOU! I can see the logs now in the dashboard.

It worked. For the decoder regex, there is no need to put the expressions \d\d\d in parentheses, from what it looks like. I'll try to create child rules; I guess they're to filter the events more.

Thank you very much! I might bother you in the future, haha. Love Wazuh, really good app!

Jose Luis Ruiz
May 25, 2018, 4:22:07 PM
to juan.i...@gmail.com, Wazuh mailing list
You are welcome, happy to help!

Regards
————————
José Luis Ruiz.
Wazuh Inc.
