My decoder isn't working


Matskoow

May 17, 2024, 5:08:56 AM
to Wazuh | Mailing List
I made a few decoders + rules and all of them are working, but one isn't.

However, when I use the logtest, it shows it should work. Please help me see what the problem is: I can find the logs in archives/alerts, but they are not visible on the Wazuh dashboard (neither the OpenSearch plugin dashboard nor the Security Events dashboard).

This is the log from archives.log:

May 17 10:47:39 FW-111-DD-11 1/111IT/FW-111-DD-11/srv_FW-111-111_FW-111-DD-11VPNNN:  Notice   FW-111-DD-11 Session PGRP-AUTH-DDDDDD-5aff-4569-87ba-jfzfzoo222-MNMTGK: Accounting LOGIN - user=te...@test.com client=Vanilla IP=111.111.111.111 start="2024/05/17 10:47:39" VirtualIP="111.111.111.111"

This is my decoder:

<decoder name="BarracudaVPN">
  <program_name type="pcre2">1/111IT/FW-111-DD-11/srv_FW-111-111_FW-111-DD-11VPNNN:</program_name>
</decoder>

<decoder name="Barracuda-child">
  <parent>BarracudaVPN</parent>
  <regex offset="after_parent"> (\w+)\s+(\S+)\s\w+ </regex>
  <order>severityy,devicee</order>
</decoder>

<decoder name="Barracuda-child">
  <parent>BarracudaVPN</parent>
  <regex offset="after_parent">(\S+:\s\w+\s\w+)\s-\s\w+=(\S+)\s\w+=(\S+)\s</regex>
  <order>descriptionn,userr,clientt</order>
</decoder>

<decoder name="Barracuda-child">
  <parent>BarracudaVPN</parent>
  <regex offset="after_parent">(\d+.\d+.\d+.\d+)\s\w+="(\S+\s\S+)"\s\w+="(\d+.\d+.\d+.\d+)"</regex>
  <order>ip-addresss,timestampp,virtual-ipp</order>
</decoder>

This is the rule:

<group name="Barracudavpnlogin">
  <rule id="911111" level="11">
   <decoded_as>BarracudaVPN</decoded_as>
   <match>Accounting LOGIN</match>
   <description>VPN login</description>
  </rule>
</group>


This is the logtest outcome:

**Phase 2: Completed decoding.
        name: 'BarracudaVPN'
        clientt: 'Vanilla'
        descriptionn: 'PGRP-AUTH-DDDDDD-5aff-4569-87ba-jfzfzoo222-MNMTGK: Accounting LOGIN'
        devicee: 'FW-111-DD-11'
        ip-addresss: '111.111.111.111'
        severityy: 'Notice'
        timestampp: '2024/05/17 10:47:39'
        userr: 'te...@test.com'
        virtual-ipp: '111.111.111.111'

**Phase 3: Completed filtering (rules).
        id: '911111'
        level: '11'
        description: 'VPN login'
        groups: '['Barracudavpnlogin']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

I don't get the problem, because for other decoders everything works perfectly fine.

Best regards

Manuel Pedro Gomez Castro

May 20, 2024, 5:24:40 AM
to Wazuh | Mailing List
Hello! Thank you for reaching out to us!

There are several possible causes as to why your custom rule might not be triggering, so in order to troubleshoot your issue we would need to figure out what is causing it exactly.

First of all, I would recommend taking a look at our documentation on custom rules and decoders if you haven't already, particularly the last step of restarting the wazuh-manager service: https://documentation.wazuh.com/4.6/user-manual/ruleset/custom.html

If restarting your wazuh-manager service does not address your issue, the next best option would be to enable the Wazuh Archives and review the archived logs for events to verify that Wazuh is monitoring changes to your log file correctly.
https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#enabling-the-wazuh-archives
If your log is reflected in the archives.log file, it means Wazuh is aware of the change but it failed to decode/trigger the alert. But if it's missing, it may indicate that you need to configure Wazuh's log collector.

Provided the event is present in the archives, next you should check the alerts.log file in the same directory mentioned above. The log being present in the events but not the alerts would mean that the alert did not fire as expected, while having it be present in alerts but not in the dashboard may indicate an issue with your wazuh indexer integration.

Please let us know how your troubleshooting goes and whether there is anything else we can do to help on this matter!

Matskoow

May 21, 2024, 2:27:36 AM
to Wazuh | Mailing List
Hi,

My log is also in alerts.log, but it's not in the dashboard.
On Monday, 20 May 2024 at 11:24:40 UTC+2, Manuel Pedro Gomez Castro wrote:

Matskoow

May 21, 2024, 3:44:58 AM
to Wazuh | Mailing List
I'm pretty sure it's a mapping issue?

See: https://groups.google.com/g/wazuh/c/QGXzmkmHryg

Can someone help me solve this issue?

Kind regards

On Tuesday, 21 May 2024 at 08:27:36 UTC+2, Matskoow wrote:

Manuel Pedro Gomez Castro

May 27, 2024, 5:35:49 AM
to Wazuh | Mailing List
Hi! Apologies for the late response!

While I'm looking into what might be causing your issue, it seems clear that the event is being decoded and processed as an alert and just not being sent to the Wazuh dashboard.

While this is unlikely since the alert you shared is of level 11, I would verify that your alert threshold allows you to see those alerts in your Wazuh dashboard: https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html

Then, it would be a good idea to verify that your Filebeat connection is active. It would seem to be, if other alerts are being processed into the indexer, but as a sanity check: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html#i-do-not-see-alerts-in-the-wazuh-dashboard

Lastly, in order to find out more, we should take a look at your logs. Filebeat in particular may be suspect, since it's the process tasked with retrieving the alerts from your manager and sending them to your indexer, so any mapping issues may arise there:
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
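An added example (shell, not part of the thread or of Wazuh itself) that scripts the chain of checks from the two replies above: is the raw event in archives.log, did the rule fire into alerts.log, and do Filebeat or the manager log errors or warnings? File paths are passed as arguments, and the sample lines inside demo() are constructed to mirror the thread's event.

```sh
#!/bin/sh
# Added example, not from the thread: walks the chain described in the replies
# (archives.log -> alerts.log -> Filebeat/ossec logs) and names the first stage
# where the event is lost. Paths are arguments; on a manager the real files are
# /var/ossec/logs/archives/archives.log, /var/ossec/logs/alerts/alerts.log,
# /var/log/filebeat/filebeat and /var/ossec/logs/ossec.log.

# stage_of_loss MATCH RULE_ID ARCHIVES ALERTS FILEBEAT_LOG OSSEC_LOG
# Prints one of: collector | decoder-or-rule | shipper | indexer
stage_of_loss() {
    match=$1; rule=$2; archives=$3; alerts=$4; fb=$5; ossec=$6
    # Stage 1: the raw event must be in archives.log, otherwise the log
    # collector never delivered it to the manager.
    if ! grep -q -F -- "$match" "$archives" 2>/dev/null; then
        echo collector; return 0
    fi
    # Stage 2: alerts.log records fired rules as "Rule: <id> (level N) -> '...'".
    if ! grep -q -F -- "Rule: $rule " "$alerts" 2>/dev/null; then
        echo decoder-or-rule; return 0
    fi
    # Stage 3: the alert exists, so check the shipper (Filebeat) and the
    # manager log for errors or warnings, as the last reply suggests.
    if cat "$fb" "$ossec" 2>/dev/null | grep -q -i -E 'error|warn'; then
        echo shipper; return 0
    fi
    # Nothing complained locally: the remaining suspect is the indexer side
    # (index mapping, Filebeat-to-indexer connectivity).
    echo indexer
}

# Self-contained demo on constructed files modelled on the thread's event.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'May 17 10:47:39 FW-111-DD-11 ... Accounting LOGIN - user=te...@test.com client=Vanilla' > "$d/archives.log"
    printf '%s\n' '** Alert 1715942859.1234: - Barracudavpnlogin' \
        "Rule: 911111 (level 11) -> 'VPN login'" > "$d/alerts.log"
    # Constructed Filebeat line: a publish error pointing at the shipper/indexer hop.
    printf '%s\n' '2024-05-17T10:47:40+02:00 ERROR [publisher_pipeline_output] failed to publish events' > "$d/filebeat"
    : > "$d/ossec.log"
    stage_of_loss 'Accounting LOGIN' 911111 "$d/archives.log" "$d/alerts.log" "$d/filebeat" "$d/ossec.log"
    rm -rf "$d"
}

demo   # prints: shipper
```

Run it with the real paths and the MATCH string from your own archives.log line; the printed stage tells you which of the reply's checks to dig into next.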