Syslog from Mikrotik not showing in Discover tab


Sam Smith

Nov 13, 2024, 3:45:03 AM
to Wazuh | Mailing List
Please help me understand how to fix this!
I have logs from MikroTik. I can see them in /var/ossec/logs/archives/archives.log

Example: 2024 Nov 13 08:10:39 MikroTik->192.168.39.1 Nov 13 10:10:37 MikroTik test: home_mikrotik deassigned 192.168.39.245 for 5C:00:06:07:06:0B DESKTOP-KDJDYS9

I have a decoder for it:
<!-- Parent decoder: selects the MikroTik DHCP lines by their "MikroTik test:" program tag -->
<decoder name="wzh-dhcp">
  <prematch type="pcre2">MikroTik test:</prematch>
</decoder>

<!-- Child decoders (siblings may share a name); each one extracts a single field -->
<decoder name="wzh_dhcp_fields">
  <parent>wzh-dhcp</parent>
  <!-- lease state ("assigned" / "deassigned") following the DHCP server name -->
  <regex>home_mikrotik\s(\.+)\s</regex>
  <order>st</order>
</decoder>

<decoder name="wzh_dhcp_fields">
  <parent>wzh-dhcp</parent>
  <!-- leased address; in OS_Regex a bare "." is a literal dot -->
  <regex>(\d+.\d+.\d+.\d+)</regex>
  <order>ip</order>
</decoder>

<decoder name="wzh_dhcp_fields">
  <parent>wzh-dhcp</parent>
  <!-- MAC address: \w (alphanumeric) rather than \d, because octets such as 5C and 0B contain letters -->
  <regex>for\s(\w+:\w+:\w+:\w+:\w+:\w+)</regex>
  <order>mac</order>
</decoder>

<decoder name="wzh_dhcp_fields">
  <parent>wzh-dhcp</parent>
  <!-- client hostname: the token after the MAC address -->
  <regex>for\s\S+\s(\S+)</regex>
  <order>host</order>
</decoder>

It parses everything I need, but in the "Discover" tab I can't see my decoder's work, even if I create a filter on "decoder.name".

What am I doing wrong?

P.S. I have syslog from pfSense and it works perfectly.

Md. Nazmur Sakib

Nov 13, 2024, 4:46:38 AM
to Wazuh | Mailing List

Hi Sam,

Have you written rules for this to trigger an alert in the Dashboard?

If you have written a rule and it is triggering alerts in the ruleset test, please share the output of your rule test.

You can write a simple rule like this:

  <rule id="110000" level="3">
    <decoded_as>wzh-dhcp</decoded_as>
    <description>Mikrotik-Event</description>
  </rule>

Check this document to learn more about writing rules:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Just to let you know, in the Wazuh Dashboard you can only see rules that are above level 3 by default.

If you need further assistance, also share the custom rules you have written for your log.

Let me know the update on the issue.

Sam Smith

Nov 13, 2024, 5:51:03 AM
to Wazuh | Mailing List
No problem.
But the result is still the same ((( No events in Discover.

Wednesday, November 13, 2024 at 11:46:38 UTC+2, Md. Nazmur Sakib:
ksnip_20241113-124848.png

Md. Nazmur Sakib

Nov 22, 2024, 12:53:50 AM
to Wazuh | Mailing List

Can you enable archives.json and check if the logs are in archives.json?

For this, you can try the following steps:

Enable the archive JSON format log from your manager's ossec.conf:

<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>

After making the changes, make sure to restart the manager.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

Look for any relevant logs inside the archive log. Use grep parameters related to the log:

cat /var/ossec/logs/archives/archives.json | grep "MikroTik test"

Please share the output of the above command.

If you can find the logs in archives.json and it shows that they are matching with rules and decoders, please share the logs from Filebeat:

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

Looking forward to your update on the issue.
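An added example, not part of the thread and not Wazuh's own tooling, that ties together the two checks the replies describe: the rule-level requirement (an event only reaches alerts.json, Filebeat and therefore Discover when a rule of at least the alert level matches it) and the archives.json inspection. It reads archives.json lines and reports at which pipeline stage each MikroTik event stops. The sample lines are constructed; the field names (full_log, decoder.name, rule.id, rule.level) follow the Wazuh JSON event format, and the default alert level of 3 is the assumption the thread rests on.

```python
import json

# Constructed sample of /var/ossec/logs/archives/archives.json (written when logall_json is yes).
# Field layout follows the Wazuh JSON event format; the values are invented for this example.
SAMPLE_ARCHIVES = """\
{"location":"MikroTik->192.168.39.1","full_log":"Nov 13 10:10:37 MikroTik test: home_mikrotik deassigned 192.168.39.245 for 5C:00:06:07:06:0B DESKTOP-KDJDYS9","decoder":{"name":"wzh-dhcp"},"data":{"st":"deassigned","ip":"192.168.39.245","mac":"5C:00:06:07:06:0B","host":"DESKTOP-KDJDYS9"}}
{"location":"MikroTik->192.168.39.1","full_log":"Nov 13 10:11:02 MikroTik test: home_mikrotik assigned 192.168.39.245 for 5C:00:06:07:06:0B DESKTOP-KDJDYS9","decoder":{"name":"wzh-dhcp"},"data":{"st":"assigned","ip":"192.168.39.245","mac":"5C:00:06:07:06:0B","host":"DESKTOP-KDJDYS9"},"rule":{"id":"110000","level":3,"description":"Mikrotik-Event"}}
{"location":"MikroTik->192.168.39.1","full_log":"Nov 13 10:11:40 MikroTik test: home_mikrotik assigned 192.168.39.77 for 5C:00:06:07:06:0C LAPTOP-1","decoder":{"name":"wzh-dhcp"},"data":{"st":"assigned","ip":"192.168.39.77","mac":"5C:00:06:07:06:0C","host":"LAPTOP-1"},"rule":{"id":"110001","level":1,"description":"Mikrotik-Event (low)"}}
{"location":"MikroTik->192.168.39.1","full_log":"Nov 13 10:12:00 MikroTik dhcp,info: lease expired","decoder":{}}
{"location":"pfSense->192.168.1.1","full_log":"Nov 13 10:12:05 pfsense filterlog[1234]: 4,,,1000000103,igb0,match,block,in,4,...","decoder":{"name":"pf"},"rule":{"id":"87701","level":3}}
"""

ALERT_LEVEL = 3  # Wazuh default <log_alert_level>; lower-level matches never reach alerts.json

def load_events(archives_text, needle=""):
    """Parse archives.json lines, keeping only those that contain `needle` (like grep)."""
    return [json.loads(line) for line in archives_text.splitlines() if needle in line]

def classify(event, alert_level=ALERT_LEVEL):
    """Return (stage, detail): the pipeline stage at which an archived event stops."""
    decoder = event.get("decoder", {}).get("name")
    rule = event.get("rule")
    if not decoder:
        return "undecoded", "no decoder matched; check the <prematch>"
    if rule is None:
        return "no_rule", "decoded by %s but no rule matched; add a <decoded_as> rule" % decoder
    if rule["level"] < alert_level:
        return "below_level", "rule %s is level %d but alert level is %d" % (
            rule["id"], rule["level"], alert_level)
    return "alert", "rule %s level %d -> alerts.json -> Filebeat -> indexer" % (
        rule["id"], rule["level"])

def triage(archives_text, needle, alert_level=ALERT_LEVEL):
    """Classify every matching line; returns [(full_log, stage, detail), ...]."""
    return [(ev["full_log"],) + classify(ev, alert_level)
            for ev in load_events(archives_text, needle)]

def stage_counts(results):
    """Histogram of stages, handy when the archive has thousands of lines."""
    counts = {}
    for _, stage, _ in results:
        counts[stage] = counts.get(stage, 0) + 1
    return counts

if __name__ == "__main__":
    res = triage(SAMPLE_ARCHIVES, "MikroTik")
    for full_log, stage, detail in res:
        print("%-12s %s\n             %s" % (stage, full_log[:60], detail))
    print(stage_counts(res))
```

On a live manager, feed the real file instead of the sample (open("/var/ossec/logs/archives/archives.json").read()); the "no_rule" and "below_level" verdicts are the two cases in which a line sits in archives.json yet never appears in Discover.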
