MongoDB amd Wazuh
497 views
Skip to first unread message
Slava G.
Apr 9, 2019, 12:58:58 AM4/9/19
to Wazuh mailing list
Hi,
I wanted to monitor MongoDB events.
So, I've installed agent on the momgo server and configured in the osses.conf
<localfile>
<log_format>syslog</log_format>
<location>/mnt/log/mongod.log</location>
</localfile>
But don't see any events from that log coming to Wazuh.
Please advise.
Thanks
Slava G.
Apr 9, 2019, 1:11:03 AM4/9/19
to Wazuh mailing list
Forgot to mention, I do see in the ossec.log file that mongo log is being analyzed :
2019/04/08 11:07:01 ossec-logcollector: INFO: (1950): Analyzing file: '/mnt/log/mongod.log'.
Slava G.
Apr 9, 2019, 1:17:59 AM4/9/19
to Wazuh mailing list
And finally trying ossec-logtest with line from mongo long:
2018-09-09T07:13:57.581+0000 I ACCESS [conn594673] Successfully authenticated as principal xyxyxyxy on admin
Got next output:
**Phase 1: Completed pre-decoding.
full event: '2018-09-09T07:13:57.581+0000 I ACCESS [conn594673] Successfully authenticated as principal xyxyxyxy on admin'
timestamp: '2018-09-09T07:13:57.581+0000 I '
hostname: 'CCESS'
program_name: '(null)'
log: ' [conn594673] Successfully authenticated as principal xyxyxyxy on admin'
**Phase 2: Completed decoding.
No decoder matched.
Jeremy Phillips
Apr 9, 2019, 9:01:48 AM4/9/19
to Slava G., Wazuh mailing list
Hi Slava,
It doesn't look like the log entries are being decoded appropriately by the pre-decoder. It's parsing the severity 'I' as part of the date, etc... Unfortunately, the pre-decoders are a limited set (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html) and there is no way to customize/extend the pre-decoders. The only way that I'm aware of getting around this is to use an external process (filebeat, logstash, fluentd, etc...) to monitor the logfile, transform the log entries to a more 'standard' format, and then drop the log entries into another log file that is monitored by Wazuh (or forward directly to the wazuh thru socket/syslog).
I'd love to hear how others are handling this issue, as I face the same thing for many app logs...
Jeremy
But more importantly, Wazuh will "ignore" an event if it doesn't trigger any rule and get a level over 0 set.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ff27b3f4-371b-4c65-9a64-bd4a07f0d9d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Slava G
Apr 9, 2019, 9:27:25 AM4/9/19
to Jeremy Phillips, Wazuh mailing list
Thanks Jeremy,
Buy MongoDB decoder is part of Wazuh setup, shouldn't be ready to use out of the box?
Thanks.
Jeremy Phillips
Apr 9, 2019, 11:19:20 AM4/9/19
to Slava G, Wazuh mailing list
Huh... Does look like there is a MongoDB parser, though its not working... Not sure on that one then...
Jeremy
Jake Wegman
Apr 11, 2019, 11:36:50 AM4/11/19
to Wazuh mailing list
MongoDB decoding broke for me when updating to 3.8.0:
yum.log:Jan 19 08:47:01 Updated: wazuh-manager.x86_64 3.8.0-1
...my last alert concerning Mongo was on 2019-01-19T08:46:24.790+0000
Regards,
Jake
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Slava G
Apr 11, 2019, 11:55:19 AM4/11/19
to Jake Wegman, Wazuh mailing list
Yes, seems so.
I've opened issue in https://github.com/wazuh/wazuh-ruleset/issues/347
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ff27b3f4-371b-4c65-9a64-bd4a07f0d9d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2f568004-654d-498e-9943-e2361d9352ad%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages