Custom Decoder for switch


gustavo rodriguez

Jun 30, 2023, 11:21:39 AM
to Wazuh mailing list
I am trying to create a custom decoder for a Dell switch, for the logs I receive from my syslog. I created the following decoder:

<decoder name="Switch-dell">
   <regex>%([^:]+)</regex>
   <field name="message" />
</decoder>

log example:
1 2023-06-18T07:48:52.920848+00:00 SWS4128F-IT1 dn_alm 695 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10) %LACP_PORT_UNGROUPED: Interface exited port-channel port-channel4 : ethernet1/1/4

after the % sign is what I want to extract.

Leandro David Sayanes

Jun 30, 2023, 12:37:41 PM
to Wazuh mailing list
Hi Gustavo!

I will try to help you to create a custom decoder on Wazuh for a Dell switch!
First, create a new decoder in the local_decoder.xml file located in /var/ossec/etc/decoders/
The decoder should use a regular expression to extract the desired information from the log message.
In this case, the regular expression should match the string after the % sign. 
Here's an example of what the decoder could look like:

<decoder name="dell_switch">
  <parent>syslog</parent>
  <regex>%([^:]+)</regex>
  <order>custom_field</order>
  <rename>
    <from>custom_field</from>
    <to>dell_switch_message</to>
  </rename>
</decoder>

This decoder extracts the string after the % sign using the regular expression %([^:]+).
The extracted string is stored in a new field called custom_field.
The <rename> tag is used to rename custom_field to dell_switch_message.
Once the decoder is created, you can create a new rule to use the decoder. 
The rule should use the dell_switch decoder and look for the extracted message in the log message. 
Here's an example of what the rule could look like:

<rule id="100001" level="5">
  <decoder>dell_switch</decoder>
  <if_sid>695</if_sid>
  <match>Node\.1-Unit\.1:PRI \[event\], Dell EMC \(OS10\) %dell_switch_message</match>
  <description>Dell switch message received</description>
</rule>

This rule uses the dell_switch decoder and looks for log messages with a sid of 695. It then looks for the extracted message in the log message using the %dell_switch_message syntax. 
If the message is found, the rule generates an alert with a description of "Dell switch message received".

After creating the decoder and rule, you can test them using the wazuh-logtest utility located in /var/ossec/bin/ 
Input the example log message into wazuh-logtest to test the decoder and rule:


1 2023-06-18T07:48:52.920848+00:00 SWS4128F-IT1 dn_alm 695 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10) %LACP_PORT_UNGROUPED: Interface exited port-channel port-channel4 : ethernet1/1/4

You can find more information about decoders:

gustavo rodriguez

Jul 4, 2023, 12:38:02 PM
to Wazuh mailing list
Hello @leandro...@wazuh.com, thanks for your answer. I tried to implement your solution, but it gives me the following error:

wazuh-analysisd: ERROR: Invalid element 'rename' for decoder 'decoder'


Leandro David Sayanes

Jul 6, 2023, 3:27:15 PM
to gustavo rodriguez, Wazuh mailing list

Hi Gustavo!
I realized that I did not understand what you wanted, I will write an example that I think will help you:

  • First you need to define a pre-decoder with prematch in /var/ossec/etc/decoders/local_decoder.xml

<decoder name="dell_switch_decoder">
  <prematch>\d+ \w+\s</prematch>
</decoder>

  • Below that (in the same file) the child decoder can be written:

<decoder name="dell_switch_decoder">
  <parent>dell_switch_decoder</parent>
  <regex>%([^:]+)</regex>
  <order>data</order>
</decoder>

  • Now you need to create a rule in /var/ossec/etc/rules/local_rules.xml

<group name="custom_rules_example">
 <rule id="100002" level="14">
   <decoded_as>dell_switch_decoder</decoded_as>
   <description>extract afert the %</description>
 </rule>
</group>


To test it, play with the options and achieve the result you want, I recommend using wazuh-logtest:

1. Execute wazuh-logtest:
$ sudo /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest
Type one log per line

2. Copy your line example:

023-06-18T07:48:52.920848+00:00 SWS4128F-IT1 dn_alm 695 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10) %LACP_PORT_UNGROUPED: Interface exited port-channel port-channel4 : ethernet1/1/4

**Phase 1: Completed pre-decoding.
full event: '023-06-18T07:48:52.920848+00:00 SWS4128F-IT1 dn_alm 695 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10) %LACP_PORT_UNGROUPED: Interface exited port-channel port-channel4 : ethernet1/1/4'

**Phase 2: Completed decoding.
name: 'dell_switch_decoder'

**Phase 3: Completed filtering (rules).
id: '100002'
level: '14'
description: 'extract afert the %'
groups: '['custom_rules_example']'
firedtimes: '1'
mail: 'True'
**Alert to be generated.

This way you can check that it has reached phase 3, which means it has been successful.


You can find more about decoder/rules here:
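As an added illustration, not code from the thread or from Wazuh itself, the following Python simulation applies the parent prematch, the child regex/order and the decoded_as rule condition above to constructed log lines, so you can see which phase each line reaches before touching wazuh-logtest. It uses Python's re dialect (the `[^:]` class is PCRE-style syntax rather than Wazuh's default os_regex syntax), and the second rule's `field` requirement is an assumed tightening, not part of the rule in the reply.

```python
import re

# Constructed sample lines: the Dell OS10 event from the thread, one without a
# "%CODE:" token, and an unrelated syslog line that should not be decoded.
LOG_DELL = ("1 2023-06-18T07:48:52.920848+00:00 SWS4128F-IT1 dn_alm 695 - - "
            "Node.1-Unit.1:PRI [event], Dell EMC (OS10) %LACP_PORT_UNGROUPED: "
            "Interface exited port-channel port-channel4 : ethernet1/1/4")
LOG_NO_CODE = ("1 2023-06-18T07:49:00.000000+00:00 SWS4128F-IT1 dn_alm 695 - - "
               "Node.1-Unit.1:PRI [event], Dell EMC (OS10) heartbeat")
LOG_OTHER = "kernel: eth0: link is up"

# Parent decoder (<prematch> gate) and child decoder (<regex> + <order>),
# written in Python's re dialect rather than Wazuh's default os_regex dialect.
PARENT_PREMATCH = re.compile(r"\d+ \w+\s")
CHILD_REGEX = re.compile(r"%([^:]+)")
CHILD_ORDER = ["data"]
DECODER_NAME = "dell_switch_decoder"

# Two rule variants: the thread's rule (fires on decoded_as alone) and an
# assumed stricter one that also requires the extracted field to be present.
RULES = [
    {"id": "100002", "level": 14, "decoded_as": DECODER_NAME, "field": None},
    {"id": "100003", "level": 14, "decoded_as": DECODER_NAME, "field": "data"},
]

def decode(log):
    """Phase 2: the child regex only runs once the parent prematch has hit."""
    if not PARENT_PREMATCH.search(log):
        return None
    decoded = {"name": DECODER_NAME}
    m = CHILD_REGEX.search(log)
    if m:
        # <order> names the capture groups left to right.
        decoded.update(zip(CHILD_ORDER, m.groups()))
    return decoded

def matching_rules(decoded):
    """Phase 3: ids of rules whose decoded_as (and field) conditions hold."""
    if decoded is None:
        return []
    return [r["id"] for r in RULES
            if r["decoded_as"] == decoded["name"]
            and (r["field"] is None or r["field"] in decoded)]

def logtest(log):
    """Run both phases for one line, like wazuh-logtest does per input line."""
    decoded = decode(log)
    return {"decoder": decoded, "rules": matching_rules(decoded)}

if __name__ == "__main__":
    for line in (LOG_DELL, LOG_NO_CODE, LOG_OTHER):
        print(logtest(line))
```

The heartbeat line shows why the decoded_as-only rule is broad: it fires on every event the prematch accepts, even when nothing was extracted after the %.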



To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ee6c84e4-a192-4495-b499-f66d5e7e98a6n%40googlegroups.com.