Same agent/same hostname for frequency alerts


Daniil Sobolev

Feb 2, 2021, 4:27:18 AM
to Wazuh mailing list
Hi wazuh team,

I'm trying to create a rule for an alert that triggers several times on one host.
In the raw logs I only have a hostname.

I found the <same_location> tag, but it seems to be related to the log file location.
Is it possible to do such thing with what I have?

Thanks!

Julián Morales

Feb 2, 2021, 9:07:42 AM
to Wazuh mailing list

Hi cry2rain,

The location identifies the origin of the input. If the event comes from an agent, its name and registered IP (as it was added) are appended to the location.
In other words, same_location is used to identify that the log source is the same, same agent and same file.

If the log format is syslog type, you could use the <same_system_name> tag. This option specifies that the name of the decoded system must be the same, comparing the hostname field extracted in the pre-decoding stage.
If the format is not syslog, you could extract the host name with your custom decoder and then use the same_field tag in the rule.

If you need help, feel free to share the logs along with your custom decoders and rules.

Please let me know if this is helpful to you.

Regards,
Julian
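
Julian's second option (extract the hostname with a custom decoder, then correlate on it with <same_field>) as a worked example. This is an added illustration, not Julian's code and not anything shipped with Wazuh: the log line format (a key=value line with no syslog header, so pre-decoding supplies no hostname and <same_system_name/> would have nothing to compare), the decoder and field names, and rule IDs 100010/100011 are all constructed here. File paths are the standard Wazuh manager locations.

```xml
<!-- Constructed sample line (not from the thread). There is no
     "Mon DD HH:MM:SS host" syslog header, so the only hostname is the
     DEVICE= field inside the message body:
     DEVICE=edge-fw-01 EVENT=LOGIN_FAIL USER=admin SRC=203.0.113.7 REASON=bad_password
-->

<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="kv-device-auth">
  <prematch>^DEVICE=\S+ EVENT=LOGIN_FAIL </prematch>
  <!-- Default (OS_Regex) syntax. One <order> name per capture group:
       four groups, four names. device_name, login_user and fail_reason are
       dynamic fields; srcip is a built-in field. -->
  <regex>^DEVICE=(\S+) EVENT=LOGIN_FAIL USER=(\S+) SRC=(\S+) REASON=(\S+)$</regex>
  <order>device_name,login_user,srcip,fail_reason</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="device_auth,">
  <rule id="100010" level="5">
    <decoded_as>kv-device-auth</decoded_as>
    <description>$(device_name): login failure for $(login_user) from $(srcip) ($(fail_reason))</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlate on the decoded device name rather than on <same_location/>.
       Location is where Wazuh received the line from; if many devices arrive
       through one relay or one agent-monitored file, location is identical
       for all of them and would merge unrelated devices into one counter. -->
  <rule id="100011" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_field>device_name</same_field>
    <description>$(device_name): repeated login failures (last user $(login_user), from $(srcip))</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Check the decoder before relying on the correlation: paste the constructed line into /var/ossec/bin/wazuh-logtest and confirm that the decoding phase lists device_name with the expected value. If the field is not populated, <same_field> has nothing to compare and rule 100011 will never fire, which is the same failure mode as a <same_system_name/> rule whose system_name is never decoded.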

Daniil Sobolev

Feb 2, 2021, 10:51:43 AM
to Wazuh mailing list
Exactly what I needed!  
Thanks a lot!

Tuesday, February 2, 2021 at 17:07:42 UTC+3, julian....@wazuh.com:

Fontoura

Mar 6, 2026, 9:11:16 AM
to Wazuh | Mailing List
I've stumbled upon the same need, but the <same_system_name/> tag doesn't seem to be working:

Here is the decoder:
<decoder name="huawei-ssh">
<prematch>%%\d+SSH</prematch>
</decoder>

<!-- Feb 01 14:55:37 <device_name> %%01SSH/4/SSH_FAIL(s)[0]:Failed to login through SSH. (IP=<IP>, VpnInstanceName= , UserName=<user>, Times=1, FailedReason=User public key authentication failed) -->
<decoder name="huawei-ssh-fail">
<parent>huawei-ssh</parent>
<use_own_name>true</use_own_name>
<prematch type="pcre2">SSH_FAIL</prematch>
<regex type="pcre2" offset="after_prematch">Failed to login through SSH\. \(IP=(\S+), VpnInstanceName=\s*(\S*), UserName=(\S+), Times=(\d+), FailedReason=(.+)\)</regex>
<!-- One <order> name per capture group: the regex above has five groups.
     The device hostname sits in the syslog header, which is handled by
     pre-decoding and is not part of the text this regex matches, so a
     sixth name (system_name) here is never filled. -->
<order>srcip,vpninstance,username,times,failedreason</order>
</decoder>

Here is the rule:
<rule id="100301" level="5">
<decoded_as>huawei-ssh-fail</decoded_as>
<match>Failed to login</match>
<description>$(hostname): User '$(username)' failed to login through SSH from $(srcip). The reason was: '$(failedreason)'. This is the $(times) time this user has failed to login.</description>
<group>authentication,ssh</group>
</rule>

<rule id="100302" frequency="5" level="13" ignore="300" timeframe="300">
<if_matched_sid>100301</if_matched_sid>
<same_system_name/>
<!-- <same_field>username</same_field> -->
<description>$(hostname): User '$(username)' failed to login through SSH from $(srcip) 5 times. This alert will be suppressed for 5 minutes.</description>
<mitre>
<id>T1110</id>
</mitre>
<group>authentication,ssh</group>
</rule>

I believe it's worth mentioning that the device generating these logs is not a Wazuh Agent, but a network device (Huawei). I'm sending the device's logs to Wazuh directly.

I already have other rules that work with these logs, but now I need to aggregate them based on individual hosts.

Can you help me?

Brenno Garcia

Mar 14, 2026, 4:24:11 PM
to Wazuh | Mailing List
Hello, 
Could you give me a sample log and the wazuh-logtest result?
