NPS logs decoder


ektadhu...@gmail.com

Aug 27, 2020, 4:13:57 AM
to Wazuh mailing list
Do we have decoders for NPS logs in Wazuh?

victor....@wazuh.com

Aug 27, 2020, 4:46:27 AM
to Wazuh mailing list
Hello ektadhussa1113,

Wazuh has no decoder for NPS logs by default. You can create custom decoders. I suggest you follow this guide:

https://documentation.wazuh.com/3.13/user-manual/ruleset/custom.html

Also, this Wazuh blog entry may be useful:

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/ 

If you need help creating your custom decoders, please let me know, and I will help you.

Regards.

ektadhu...@gmail.com

Aug 27, 2020, 4:47:48 AM
to Wazuh mailing list
It will be great if you can help me to build the decoder for the logs.

victor....@wazuh.com

Aug 27, 2020, 5:10:15 AM
to Wazuh mailing list
Hi ektadhussa1113,

In order to help you, I need you to share with us one or more example logs corresponding to NPS and some conditions for creating a rule to generate alerts in a given case.

Regards.

ektadhu...@gmail.com

Aug 27, 2020, 8:40:35 AM
to Wazuh mailing list
Please find the logs for NPS.
NPS_Logs.log

victor....@wazuh.com

Aug 28, 2020, 4:15:23 AM
to Wazuh mailing list
Hi ektadhussa1113,

We are going to make a basic example of a decoder that catches the username when the connection is unsuccessful.
First of all, edit your /var/ossec/etc/decoders/local_decoder.xml adding these new decoders:

<decoder name="nps">
<prematch>^\<Event>\.+</prematch>
</decoder>

<decoder name="nps-failed-connection">
<parent>nps</parent>
<regex>User-Name data_type="\d">(\.+)\<\.+Reason-Code data_type="\d">(\d+)</regex>
<order>nps-user,reason-code</order>
</decoder>

The first one, named nps, will catch every log that starts with <Event>.
The nps-failed-connection decoder works with logs that match the first decoder, and it will get the User-Name and the Reason-Code fields, the values between parentheses in the regex expression. You can find the syntax used in these decoders on this documentation page: https://documentation.wazuh.com/3.13/user-manual/ruleset/ruleset-xml-syntax/regex.html
Next, add this rule in /var/ossec/etc/rules/local_rules.xml

<rule id="100002" level="5">
<decoded_as>nps</decoded_as>
<description>Failed connection NPS</description>
<field name="reason-code">1|2|3|4|5|6|7|8|9|\d\d</field>
</rule>

This rule will check if the reason-code field is greater than 0. You can choose the level you want, taking into account the Wazuh rules classification: https://documentation.wazuh.com/3.13/user-manual/ruleset/rules-classification.html .

This is how the log would be analyzed:

**Phase 2: Completed decoding.
decoder: 'nps'
nps-user: 'user'
reason-code: '2'

**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '5'
Description: 'Failed connection NPS'

I hope this helps.
Regards.
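To see what the two decoders and rule 100002 above actually extract before loading them into a manager, here is an added example (not from the thread and not part of the Wazuh ruleset) that replays the decoding in Python over constructed NPS lines in the DTS-compliant XML format: one function mirrors the thread's regex, a second parses the XML properly, and a third applies the reason-code check of the rule. The sample lines, their reason-code values and all function names are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the NPS "DTS compliant" XML log format (one <Event>
# per line). They are illustrative and not taken from the attachment in this thread.
# Packet-Type 1/2/3 = Access-Request/Accept/Reject; Reason-Code 0 = success.
SAMPLE_LINES = [
    # Access-Request: carries no Reason-Code at all, so the child decoder must not match
    r'<Event><Timestamp data_type="4">09/07/2020 10:15:02.123</Timestamp>'
    r'<Computer-Name data_type="1">NPS01</Computer-Name>'
    r'<User-Name data_type="1">jdoe</User-Name>'
    r'<Packet-Type data_type="0">1</Packet-Type></Event>',
    # Access-Reject with a non-zero Reason-Code: this is what the rule should alert on
    r'<Event><Timestamp data_type="4">09/07/2020 10:15:02.456</Timestamp>'
    r'<Computer-Name data_type="1">NPS01</Computer-Name>'
    r'<User-Name data_type="1">jdoe</User-Name>'
    r'<SAM-Account-Name data_type="1">CORP\jdoe</SAM-Account-Name>'
    r'<Packet-Type data_type="0">3</Packet-Type>'
    r'<Reason-Code data_type="0">16</Reason-Code></Event>',
    # Access-Accept: decoded, but Reason-Code 0 must not raise the alert
    r'<Event><Timestamp data_type="4">09/07/2020 10:16:40.001</Timestamp>'
    r'<User-Name data_type="1">asmith</User-Name>'
    r'<Packet-Type data_type="0">2</Packet-Type>'
    r'<Reason-Code data_type="0">0</Reason-Code></Event>',
    # Reject whose user name contains an XML entity: regex and XML decoding differ here
    r'<Event><Timestamp data_type="4">09/07/2020 10:17:05.900</Timestamp>'
    r'<User-Name data_type="1">r&amp;d-svc</User-Name>'
    r'<Packet-Type data_type="0">3</Packet-Type>'
    r'<Reason-Code data_type="0">8</Reason-Code></Event>',
]

# The thread's decoder regex written in Python syntax; the captures are non-greedy
# so the user name ends at the first closing tag. Field names follow the <order> tag.
DECODER_RE = re.compile(
    r'User-Name data_type="\d">(.+?)<.+?Reason-Code data_type="\d">(\d+)')


def decode_with_regex(line):
    """Emulates the nps parent (prematch on <Event>) plus the nps-failed-connection child."""
    if not line.startswith("<Event>"):
        return None
    m = DECODER_RE.search(line)
    if m is None:
        return None  # e.g. an Access-Request line that has no Reason-Code
    return {"nps-user": m.group(1), "reason-code": m.group(2)}


def decode_with_xml(line):
    """Same two fields via a real XML parse: independent of element order, decodes entities."""
    try:
        event = ET.fromstring(line)
    except ET.ParseError:
        return None
    if event.tag != "Event":
        return None
    user, reason = event.findtext("User-Name"), event.findtext("Reason-Code")
    if user is None or reason is None:
        return None
    return {"nps-user": user, "reason-code": reason}


def is_failed_connection(fields):
    r"""Rule 100002's <field name="reason-code">1|2|...|9|\d\d</field> check: any non-zero code."""
    return fields is not None and int(fields["reason-code"]) != 0


def failed_connections(lines, decoder=decode_with_xml):
    """Runs decoder + rule over a batch of lines; returns (user, reason-code) per alert."""
    return [(f["nps-user"], int(f["reason-code"]))
            for f in map(decoder, lines) if is_failed_connection(f)]


if __name__ == "__main__":
    for user, reason in failed_connections(SAMPLE_LINES):
        print(f"Failed connection NPS: user={user} reason-code={reason}")
```

The regex path reproduces what analysisd would see with the thread's decoder, including the raw `&amp;` inside the user name; the XML path shows why element order and entities start to matter if the rule is later extended to more fields. The same lines can be fed to `/var/ossec/bin/ossec-logtest` on the manager to confirm the real decoder output.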

ektadhu...@gmail.com

Aug 28, 2020, 4:19:11 AM
to Wazuh mailing list
Thank you very much victor.

We want a rule for the same SAM account name: if there are more than 3 failures, an email should be triggered. Will it be possible to create a rule for this requirement?

Regards,
Ekta

victor....@wazuh.com

Aug 28, 2020, 5:58:20 AM
to Wazuh mailing list
Hi ektadhussa1113,

Yes, it's possible to create a rule for that requirement.

The decoders would be similar to the last message:

<decoder name="nps">
    <prematch>^\<Event>\.+</prematch>
</decoder>
<decoder name="nps-failed-connection">
    <parent>nps</parent>
    <regex>SAM-Account-Name data_type="\d">(\.+)\<\.+Reason-Code data_type="\d">(\d+)</regex>
    <order>sam-account,reason-code</order>
</decoder>


In this case, we catch SAM-Account-Name instead of User-Name.

Now you only need to change your rule configuration.

<rule id="100002" level="3">
    <decoded_as>nps</decoded_as>
    <description>Failed connection NPS</description>
    <field name="reason-code">1|2|3|4|5|6|7|8|9|\d\d</field>
</rule>

<rule id="100023" level="5" frequency="3">
    <if_matched_sid>100002</if_matched_sid>
    <description>3 times Failed connection</description>
    <same_field>sam-account</same_field>
    <options>alert_by_email</options>
</rule>


This configuration will send an email every time rule 100023 is triggered.

This new rule uses the frequency, same_field and alert_by_email options. You can find more information on this documentation page: https://documentation.wazuh.com/3.13/user-manual/ruleset/ruleset-xml-syntax/rules.html

Also, you need to configure email alerts. To do so, edit your ossec.conf in the <global> section.

<ossec_config>
    <global>
        <email_notification>yes</email_notification>
        <email_to>m...@test.com</email_to>
        <smtp_server>mail.test.com</smtp_server>
        <email_from>wa...@test.com</email_from>
    </global>
    ...
</ossec_config>


Replace the values with your own email configuration. After that, you need to restart the Wazuh manager using this command:

systemctl restart wazuh-manager

For more information, you can follow this guide: https://documentation.wazuh.com/3.13/user-manual/manager/manual-email-report/. This blog post could be useful too https://wazuh.com/blog/how-to-send-email-notifications-with-wazuh/

Regards.
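Rule 100023 above correlates events instead of matching a single line, so here is an added example (not from the thread and not Wazuh code) of that correlation written in Python over constructed, already-decoded events of the kind the nps-failed-connection decoder would produce: the same sam-account must accumulate `frequency` failed connections within `timeframe` seconds before an alert fires. The event list, the 360-second window and the "fire on the Nth failure, then reset that account's count" behaviour are this example's assumptions; the exact counting semantics of `frequency` in analysisd are in the rules documentation linked above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-decoded NPS events: (timestamp, sam-account, reason-code).
# A real pipeline would get these from the nps-failed-connection decoder; the values
# below are illustrative only. reason-code 0 is a successful authentication.
EVENTS = [
    (datetime(2020, 9, 7, 10, 0, 0), r"CORP\jdoe", 16),
    (datetime(2020, 9, 7, 10, 0, 5), r"CORP\asmith", 16),
    (datetime(2020, 9, 7, 10, 0, 30), r"CORP\jdoe", 16),
    (datetime(2020, 9, 7, 10, 0, 45), r"CORP\bob", 0),      # success: rule 100002 does not match
    (datetime(2020, 9, 7, 10, 1, 10), r"CORP\jdoe", 16),    # 3rd jdoe failure inside the window
    (datetime(2020, 9, 7, 10, 1, 40), r"CORP\jdoe", 16),    # count restarted after the alert
    (datetime(2020, 9, 7, 10, 10, 0), r"CORP\asmith", 16),
    (datetime(2020, 9, 7, 10, 10, 20), r"CORP\asmith", 16),  # only 2 asmith failures in 360 s
]


def correlate_failures(events, frequency=3, timeframe=360):
    """Emulates rule 100023: fire when one sam-account has `frequency` failed
    connections (reason-code != 0) within `timeframe` seconds (same_field semantics).
    Returns [(sam-account, timestamp of the event that fired the alert), ...].
    Resetting the account's count after an alert is this example's assumption."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)  # sam-account -> timestamps of its recent failures
    alerts = []
    for ts, account, reason in sorted(events, key=lambda e: e[0]):
        if reason == 0:
            continue  # not a failure; rule 100002 would not have matched
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the timeframe
            q.popleft()
        if len(q) >= frequency:
            alerts.append((account, ts))
            q.clear()  # one alert per burst rather than on every further failure
    return alerts


def alert_summary(events, frequency=3, timeframe=360):
    """Compact form for reporting: sam-account -> list of ISO timestamps of alerts."""
    out = defaultdict(list)
    for account, ts in correlate_failures(events, frequency, timeframe):
        out[account].append(ts.isoformat())
    return dict(out)


if __name__ == "__main__":
    for account, when in alert_summary(EVENTS).items():
        print(f"3 times Failed connection: {account} at {', '.join(when)}")
```

Changing `timeframe` shows why the window matters: with 360 s only the jdoe burst fires, while with a 900 s window asmith's three failures spread over ten minutes also trigger the alert. Tune both values against a real day of NPS traffic before enabling alert_by_email, or a brute-force wave will produce one email per account per burst.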

ektadhu...@gmail.com

Sep 7, 2020, 5:41:18 AM
to Wazuh mailing list
Hello Victor,

Thanks for the help.

I have a query: these log files are created on a daily basis. If we provide the path of the file in the Wazuh agent, will Wazuh be able to read it?

Thanks and Regards,
Ekta

victor....@wazuh.com

Sep 7, 2020, 6:35:18 AM
to Wazuh mailing list
Hi Ekta,

Yes, you need to configure logcollector in the Wazuh agent configuration file. Below, you will find an example.

<localfile>
    <!-- eventchannel is for Windows Event Log channels; a plain text log file uses syslog -->
    <location>YourLogFile</location>
    <log_format>syslog</log_format>
</localfile>


Remember to restart the Wazuh agent. For more information, I recommend this documentation page: https://documentation.wazuh.com/3.13/user-manual/reference/ossec-conf/localfile.html

Let me know if it works.
Regards.

ektadhu...@gmail.com

Sep 8, 2020, 12:46:34 AM
to Wazuh mailing list
Hello victor,

The log files are stored with the name "IN200907", and this increments on a daily basis. For example, the file generated today is "IN200907" and tomorrow's will be "IN200908".

So how can I specify this in the location tag?

Regards,
Ekta

victor....@wazuh.com

Sep 8, 2020, 3:20:05 AM
to Wazuh mailing list
Hi Ekta,

On Windows systems you can use the * as a wildcard. In your use case, you can use this setting:

<localfile>
   <!-- eventchannel is for Windows Event Log channels; a plain text log file uses syslog -->
   <location>C:\YourLogPath\IN*</location>
   <log_format>syslog</log_format>
</localfile>


The location C:\YourLogPath\IN* will match all files that start with IN.

Let me know if it helps,
Regards

ektadhu...@gmail.com

Sep 8, 2020, 8:33:42 AM
to Wazuh mailing list
Hi victor,

If I specify C:\YourLogPath\IN* as you suggested, will it not take all the files starting with IN?

For example, if IN200907 was created yesterday and IN200908 is created today, will Wazuh fetch only IN200908 today, or both IN200907 and IN200908? A new file is created and data is dumped into it on a daily basis.

Regards,
Ekta 

victor....@wazuh.com

Sep 9, 2020, 4:22:39 AM
to Wazuh mailing list
Hi Ekta,

With that configuration, Wazuh will take all the files starting with IN.
Wazuh will monitor both IN200907 and IN200908.

For more information about wildcards, I suggest you this documentation page: https://documentation.wazuh.com/3.13/user-manual/reference/ossec-conf/localfile.html?highlight=wildcards

Regards.

ektadhu...@gmail.com

Sep 9, 2020, 6:56:18 AM
to Wazuh mailing list
Hi victor,

I want to monitor and fetch logs only for the day they are created. For example, if IN200907 was created yesterday but IN200908 is created today, Wazuh should only pick today's file (IN200908), not yesterday's file (IN200907).

Regards,
Ekta

victor....@wazuh.com

Sep 10, 2020, 6:07:26 AM
to Wazuh mailing list

Hi Ekta,

In that case, you can use strftime format in your `localfile` configuration as follows:


<localfile>
    <location>C:\YourLogPath\IN%y%m%d.log</location>
    <log_format>syslog</log_format>
</localfile>

Where: 

  • %y : Two digit representation of the current year
  • %m: Current month
  • %d: Current day


With this configuration, Wazuh will monitor the log file of the current day.

For example, with the current day (2020/09/10) and the above configuration, Wazuh will monitor the file called `IN200910.log`.


I hope this helps.

Regards.
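The two `<location>` styles discussed in this thread select different files: the `IN*` wildcard picks up every day's file, while the strftime form resolves to a single name for the current day. Here is an added example (not from the thread and not Wazuh code) that shows both selections in Python against a constructed directory listing and a fixed date; the listing, the date and the function names are this example's assumptions. The listing deliberately contains both `IN200908` and `IN200908.log`, because the pattern only matches a file whose name, extension included, is spelled the same way.

```python
import fnmatch
from datetime import date

# Constructed directory listing for the agent's NPS log folder. NPS writes one file
# per day named IN<yy><mm><dd>; the ".log" variant is here only to show that the
# extension used in <location> must match the real file name exactly.
LISTING = ["IN200907", "IN200908", "IN200908.log", "readme.txt"]
TODAY = date(2020, 9, 8)  # fixed "current day" so the example is reproducible


def expand_location(location, today=TODAY):
    """Expands strftime codes (%y, %m, %d, ...) in a <location> value for a given day,
    mirroring what logcollector does when it opens the file for the current day."""
    return today.strftime(location)


def files_for_location(location, listing=LISTING, today=TODAY):
    """Files a <location> value would select from `listing`: '*' is a wildcard,
    %-codes are strftime. Returns the matching names sorted."""
    pattern = expand_location(location, today)
    return sorted(name for name in listing if fnmatch.fnmatchcase(name, pattern))


if __name__ == "__main__":
    for location in (r"IN*", r"IN%y%m%d", r"IN%y%m%d.log"):
        print(f"{location:16} -> {files_for_location(location)}")
```

Run against a real folder, the same check is a quick way to confirm that the pattern in ossec.conf names exactly the file NPS is writing today before restarting the agent.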



Sam Smith

Mar 19, 2024, 10:53:08 AM
to Wazuh | Mailing List
Hello!
Please, I need help with NPS. I have the same logs.
1.png
1. error unclosed xml attribute
2. element parse error: Error: invalid tagName:\.+Reason-Code

On Thursday, September 10, 2020 at 12:07:26 UTC+2, victor....@wazuh.com wrote: