Re: OpenShift Integration – How to Exclude Low Severity Logs in Wazuh

Luis Enrique Chico Capistrano

Apr 25, 2025, 2:42:29 PM
to Wazuh | Mailing List
Hi Faber,

Based on your logs and decoder, here's a suggested approach:

# Decoders:

<decoder name="openshift_logs">
  <prematch>apv.cluosv4.local</prematch>
</decoder>

<decoder name="openshift_logs">
  <parent>openshift_logs</parent>
  <regex type="pcre2">"severity":"(.*?)"</regex>
  <order>severity</order>
</decoder>

Note: You can add more decoders, such as the severity field, with any additional fields you need.

# Rule example:


<group name="openshift_logs">
  <rule id="100005" level="2">
    <decoded_as>openshift_logs</decoded_as>
    <field name="severity">info</field>
    <description>Severity info</description>
    <group>openshift</group>
  </rule>
</group>


Note: In this case, I’ve set the severity to "info" with a level of 2. Based on the default values for alerts, this will not trigger an alert unless the level is greater than 3.

Decoder Reference:



Using wazuh-logtest tool:

bash-5.2# /var/ossec/bin/wazuh-logtest


Starting wazuh-logtest v4.11.0
Type one log per line

1 2025-04-25T13:15:36.628Z apv.cluosv4.local openshift-oauth-apiserver_apiserver-546985d6c5-vbm96_oauth-apiserver 5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7 container - {"@timestamp":"2025-04-25T13:15:36.628957322Z","app_name":"openshift-oauth-apiserver_apiserver-546985d6c5-vbm96_oauth-apiserver","facility":"user","hostname":"apv.cluosv4.local","kubernetes":{"annotations":{"k8s.v1.cni.cncf.io/network-status":"[{\n    \"name\": \"openshift-sdn\",\n    \"interface\": \"eth0\",\n    \"ips\": [\n        \"10.129.1.23\"\n    ],\n    \"default\": true,\n    \"dns\": {}\n}]","openshift.io/required-scc":"privileged","openshift.io/scc":"privileged","operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret":"P0TsSw==","operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap":"AyyqkQ=="},"container_id":"cri-o://69ef516ebfcc94181a669245f433ba0005f8877883c643a251a4dfa99b586a3f","container_image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2b5dbab4857a1ddd419b13c22a264dcc655a90512abbe40022d1cfaa5e3e7c28","container_image_id":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2b5dbab4857a1ddd419b13c22a264dcc655a90512abbe40022d1cfaa5e3e7c28","container_iostream":"stderr","container_name":"oauth-apiserver","labels":{"apiserver":"true","app":"openshift-oauth-apiserver","oauth-apiserver-anti-affinity":"true","pod-template-hash":"546985d6c5","revision":"460"},"namespace_id":"29ed785d-3acc-4609-b93b-891ce7112a4d","namespace_labels":{"kubernetes_io_metadata_name":"openshift-oauth-apiserver","olm_operatorgroup_uid_103189ed-b771-447a-9f03-972fb49e7561":"","openshift_io_cluster-monitoring":"true","pod-security_kubernetes_io_audit":"privileged","pod-security_kubernetes_io_enforce":"privileged","pod-security_kubernetes_io_warn":"privileged"},"namespace_name":"openshift-oauth-apiserver","pod_id":"5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7","pod_ip":"10.229.0.23","pod_name":"apiserver-546985d6c5-vbm96","pod_owner":"ReplicaSet/apiserver-546985d6c5"},"level":"info","log_source":"container","log_type":"infrastructure","message":"I0425 13:15:36.628882       1 httplog.go:132] \"HTTP\" verb=\"GET\" URI=\"/apis/user.openshift.io/v1\" latency=\"1.016449ms\" userAgent=\"Go-http-client/2.0\" audit-ID=\"58aeade3-2700-456a-b48c-2d52bf7fd546\" srcIP=\"10.229.0.1:51840\" apf_pl=\"exempt\" apf_fs=\"exempt\" apf_iseats=1 apf_fseats=0 apf_additionalLatency=\"0s\" apf_execution_time=\"182.405µs\" resp=200","msg_id":"container","openshift":{"cluster_id":"e65fea38-64bc-4fe6-a0fd-1e315012ea75","sequence":1745586936737440816},"proc_id":"5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7","severity":"info"}

**Phase 1: Completed pre-decoding.
full event: '1 2025-04-25T13:15:36.628Z apv.cluosv4.local openshift-oauth-apiserver_apiserver-546985d6c5-vbm96_oauth-apiserver 5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7 container - {"@timestamp":"2025-04-25T13:15:36.628957322Z","app_name":"openshift-oauth-apiserver_apiserver-546985d6c5-vbm96_oauth-apiserver","facility":"user","hostname":"apv.cluosv4.local","kubernetes":{"annotations":{"k8s.v1.cni.cncf.io/network-status":"[{\n    \"name\": \"openshift-sdn\",\n    \"interface\": \"eth0\",\n    \"ips\": [\n        \"10.129.1.23\"\n    ],\n    \"default\": true,\n    \"dns\": {}\n}]","openshift.io/required-scc":"privileged","openshift.io/scc":"privileged","operator.openshift.io/dep-openshift-oauth-apiserver.etcd-client.secret":"P0TsSw==","operator.openshift.io/dep-openshift-oauth-apiserver.etcd-serving-ca.configmap":"AyyqkQ=="},"container_id":"cri-o://69ef516ebfcc94181a669245f433ba0005f8877883c643a251a4dfa99b586a3f","container_image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2b5dbab4857a1ddd419b13c22a264dcc655a90512abbe40022d1cfaa5e3e7c28","container_image_id":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2b5dbab4857a1ddd419b13c22a264dcc655a90512abbe40022d1cfaa5e3e7c28","container_iostream":"stderr","container_name":"oauth-apiserver","labels":{"apiserver":"true","app":"openshift-oauth-apiserver","oauth-apiserver-anti-affinity":"true","pod-template-hash":"546985d6c5","revision":"460"},"namespace_id":"29ed785d-3acc-4609-b93b-891ce7112a4d","namespace_labels":{"kubernetes_io_metadata_name":"openshift-oauth-apiserver","olm_operatorgroup_uid_103189ed-b771-447a-9f03-972fb49e7561":"","openshift_io_cluster-monitoring":"true","pod-security_kubernetes_io_audit":"privileged","pod-security_kubernetes_io_enforce":"privileged","pod-security_kubernetes_io_warn":"privileged"},"namespace_name":"openshift-oauth-apiserver","pod_id":"5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7","pod_ip":"10.229.0.23","pod_name":"apiserver-546985d6c5-vbm96","pod_owner":"ReplicaSet/apiserver-546985d6c5"},"level":"info","log_source":"container","log_type":"infrastructure","message":"I0425 13:15:36.628882       1 httplog.go:132] \"HTTP\" verb=\"GET\" URI=\"/apis/user.openshift.io/v1\" latency=\"1.016449ms\" userAgent=\"Go-http-client/2.0\" audit-ID=\"58aeade3-2700-456a-b48c-2d52bf7fd546\" srcIP=\"10.229.0.1:51840\" apf_pl=\"exempt\" apf_fs=\"exempt\" apf_iseats=1 apf_fseats=0 apf_additionalLatency=\"0s\" apf_execution_time=\"182.405µs\" resp=200","msg_id":"container","openshift":{"cluster_id":"e65fea38-64bc-4fe6-a0fd-1e315012ea75","sequence":1745586936737440816},"proc_id":"5b2dd55c-7be2-4084-b9fb-0ad1ffecf9c7","severity":"info"}'

**Phase 2: Completed decoding.
name: 'openshift_logs'
severity: 'info'

**Phase 3: Completed filtering (rules).
id: '100005'
level: '2'
description: 'Severity info'
groups: '['openshift_logsopenshift']'
firedtimes: '1'
mail: 'False'




On Friday, April 25, 2025 at 2:40:12 PM UTC-3 Faber Andres Cubides wrote:

Hi everyone,

I'm using Wazuh version 4.9 and have integrated OpenShift logs into my environment. I'm not very experienced with creating decoders and rules, so I'm reaching out for some help.

I created a decoder and a rule to process all logs coming from a specific host, and it's working as expected. However, I wasn't anticipating the high volume of alerts being generated.

I'm looking for a way to exclude certain events, for example based on the severity level or a similar field in the message.

Could someone guide me on how to create one or more decoders that can filter or exclude events based on certain conditions (like the severity field)? Below, I'm sharing my decoder, the rule I'm using, and a sample of the logs.

I would really appreciate any help or suggestions. 🙏

Decoder

<decoder name="openshift_logs">
  <prematch>apv.cluosv4.local</prematch>
  <regex>^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$</regex>
  <order>time, host, program, pid, message</order>
</decoder>

Rule

<!-- Trailing comma: group strings are concatenated verbatim, so without it
     "openshift_logs" and "openshift" merge into one group name -->
<group name="openshift_logs,">

  <rule id="100005" level="0">
    <decoded_as>openshift_logs</decoded_as>
    <description>OpenShift log detected</description>
    <group>openshift</group>
  </rule>
</group>

Thanks in advance!
