Sangfor Decoders always get json decoder


Hadi Utomo

Mar 8, 2023, 2:54:52 AM
to Wazuh mailing list
All,

I am having some issues with my Wazuh lab, which I'm testing with a Sangfor firewall.

Here is my sample log:
{"timestamp":"2023-03-08T01:42:40.586+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1678239760.1055838839","full_log":"Mar  8 08:42:40 localhost fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.31, Src port:52574, Dst IP:192.168.98.15, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.11"}

Decoders:

<decoder name="sangfor-ngfw-generic">
    <prematch>^fwlog:</prematch>
</decoder>

<decoder name="sangfor-ngfw-generic_child01">
    <parent>sangfor-ngfw-generic</parent>
    <regex offset="after_parent">^\s Log type:service/application control, policy name:^\s*(\.*),user:^\s*(\.*), Src IP:^\s*(\.*), Src port:^\s*(\.*),Dst IP:^\s*(\.*), Dst port:^\s*(\.*) App category:^\s*(\.*), action::^\s*(\.*)</regex>
    <order>log_type, policy_name, user, src_ip, src_port, dst_ip, dst_port,app_category, action</order>
</decoder>

Rules:

<group name="sfwlog,sangforngfw">
  <rule id="100021" level="5">
    <decoded_as>json</decoded_as>
    <field name="policy name">NEW-REVERSEPROXY LAN</field>
    <description>Go check out $(src_ip) $(src_port) $(dst_ip) $(dst_port) $(dst_ip) $(dst_port) $(App_category) $(action) </description>
  </rule>
</group>

When I try to run /var/ossec/bin/wazuh-logtest with this log sample:

fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.31, Src port:52574, Dst IP:192.168.98.15, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.11"}

the result is:

Starting wazuh-logtest v4.3.10
Type one log per line

fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.1, Src port:52574, Dst IP:192.168.1.1, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.11"}

**Phase 1: Completed pre-decoding.
        full event: 'fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.1, Src port:52574, Dst IP:192.168.1.1, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.1"}'

**Phase 2: Completed decoding.
        name: 'sangfor-ngfw-generic'


But when I try to test with the complete log:
 
{"timestamp":"2023-03-08T01:42:40.586+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1678239760.1055838839","full_log":"Mar  8 08:42:40 localhost fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.1, Src port:52574, Dst IP:192.168.1.1, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.1"}

the result is:

**Phase 1: Completed pre-decoding.
        full event: '{"timestamp":"2023-03-08T01:42:40.586+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1678239760.1055838839","full_log":"Mar  8 08:42:40 localhost fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.31, Src port:52574, Dst IP:192.168.98.15, Dst port: 443, App category:Other, application:any, action:Allow","predecoder":{"program_name":"fwlog","timestamp":"Mar  8 08:42:40","hostname":"localhost"},"decoder":{},"location":"192.168.3.11"}'

**Phase 2: Completed decoding.
        name: 'json'
        agent.id: '000'
        agent.name: 'wazuh-server'
        full_log: 'Mar  8 08:42:40 localhost fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.1, Src port:52574, Dst IP:192.168.1.1, Dst port: 443, App category:Other, application:any, action:Allow'
        id: '1678239760.1055838839'
        location: '192.168.3.1'
        manager.name: 'wazuh-server'
        predecoder.hostname: 'localhost'
        predecoder.program_name: 'fwlog'
        predecoder.timestamp: 'Mar  8 08:42:40'
        timestamp: '2023-03-08T01:42:40.586+0000'

What am I missing? Please help me to resolve this, since I'm a new Wazuh user.

Regards,
Hadi


Cedrick Foko

Mar 8, 2023, 3:38:34 AM
to Wazuh mailing list
Hi Hadi Utomo,
Thank you for using Wazuh!

When you provide a log in JSON format to wazuh-logtest, it is automatically decoded as json and Wazuh reads information from it in key:value mode. That is why you get that output with the second test.
In fact, that log in JSON format is not your sample log; it is inferred by Wazuh after receiving your full log.

Your sample log is instead: "Mar  8 08:42:40 localhost fwlog: Log type: service/application control, policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.31, Src port:52574, Dst IP:192.168.98.15, Dst port: 443, App category:Other, application:any, action:Allow"

Based on this you may use the following decoders instead:

<!-- Parent decoder: claims every syslog line whose program name is fwlog -->
<decoder name="sangfor-ngfw-generic">
  <program_name>fwlog</program_name>
</decoder>

<!-- Child decoder: extracts the fields; each capture maps, in order, to a name in <order> -->
<decoder name="sangfor-ngfw-generic_fields">
  <parent>sangfor-ngfw-generic</parent>
  <regex>\.*Log type:\s*(\.*),\s*policy name:(\.*),\s*user:(\.*),\s*Src IP:(\.*),\s*Src port:(\.*),\s*Dst IP:(\.*),\s*Dst port:\s*(\.*),\s*App category:(\.*),\s*application:(\.*),\s*action:(\.*)</regex>
  <order>log_type, policy_name, user, srcip, srcport, dstip, dstport, app_category, application, action</order>
</decoder>

I hope you find this helpful. Let me know if you have any other question.
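To check the reply's reasoning offline, here is an added example (not code from the thread or from Wazuh): it recovers the raw syslog line from a Wazuh JSON event, which the built-in json decoder would otherwise claim, and parses the fwlog line with a Python regex equivalent of the second decoder, using the field names from its <order>. The event and log line are constructed from the values in this thread.

```python
import json
import re

# Constructed sample (from the thread): the Wazuh JSON event Hadi pasted, trimmed,
# with the raw fwlog syslog line inside its full_log field.
WAZUH_EVENT = json.dumps({
    "timestamp": "2023-03-08T01:42:40.586+0000",
    "agent": {"id": "000", "name": "wazuh-server"},
    "full_log": ("Mar  8 08:42:40 localhost fwlog: Log type: service/application control, "
                 "policy name:NEW-REVERSEPROXY LAN, user:(null), Src IP:192.168.2.31, "
                 "Src port:52574, Dst IP:192.168.98.15, Dst port: 443, App category:Other, "
                 "application:any, action:Allow"),
    "predecoder": {"program_name": "fwlog", "timestamp": "Mar  8 08:42:40", "hostname": "localhost"},
    "location": "192.168.3.11",
})

# Field names from the reply's <order>; the regex mirrors its <regex> in Python
# syntax (lazy groups stand in for OSSEC's \.* captures).
FIELD_NAMES = ["log_type", "policy_name", "user", "srcip", "srcport",
               "dstip", "dstport", "app_category", "application", "action"]
FWLOG_RE = re.compile(
    r"Log type:\s*(.*?),\s*policy name:\s*(.*?),\s*user:\s*(.*?),\s*Src IP:\s*(.*?),"
    r"\s*Src port:\s*(.*?),\s*Dst IP:\s*(.*?),\s*Dst port:\s*(.*?),"
    r"\s*App category:\s*(.*?),\s*application:\s*(.*?),\s*action:\s*(\S+)"
)
# Optional syslog header ("Mar  8 08:42:40 localhost ") then the program name that
# the parent decoder's <program_name>fwlog</program_name> keys on.
HEADER_RE = re.compile(r"^(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+)?fwlog:\s*(.*)$")


def raw_line_for_logtest(sample):
    """Return the line to feed wazuh-logtest. A whole Wazuh event (a JSON object,
    as in the thread) is claimed by the built-in json decoder, so the original
    syslog line is recovered from its full_log field instead."""
    sample = sample.strip()
    if sample.startswith("{"):
        return json.loads(sample)["full_log"]
    return sample


def decode_fwlog(line):
    """Parse a Sangfor fwlog line into the decoder's fields; None when the
    program_name prematch or the field layout does not match."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    fields = FWLOG_RE.match(header.group(1))
    return dict(zip(FIELD_NAMES, fields.groups())) if fields else None
```

Feeding raw_line_for_logtest(WAZUH_EVENT) to wazuh-logtest is the test Hadi wanted to run; decode_fwlog shows which values each <order> field should end up holding.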