regex decoder


Romain Hennebois

May 15, 2024, 3:02:15 AM
to Wazuh | Mailing List
Hi team,


I am currently trying to make a decoder for this type of log:

May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] User mdelpech is redirected to https://mail.ville-nevers.fr/

May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] mdelpech connected

May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] User mdelpech successfully authenticated at level 9


but I'm having problems with regex. The results are as follows:

May 14 10:10:31 vm-zosma LLNG[837938]: [notice] User [username] successfully authenticated at level 9

**Phase 1: Completed pre-decoding.
full event: 'May 14 10:10:31 vm-zosma LLNG[837938]: [notice] User [username] successfully authenticated at level 9'
timestamp: 'May 14 10:10:31'
hostname: 'vm-zosma'
program_name: 'LLNG'

**Phase 2: Completed decoding.
name: 'LDAP'

I would like some help with the decoder. Any help would be appreciated.

Stuti Gupta

May 15, 2024, 3:43:31 AM
to Wazuh | Mailing List

Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

May 15, 2024, 5:07:48 AM
to Wazuh | Mailing List
Hi Romain Hennebois,

When you run this log through wazuh-logtest or the Ruleset test, the "LLNG" is pre-decoded as program_name. Therefore, the custom decoder should be based on this program_name field. You can create a decoder for these logs like this:

<decoder name="LLNG">
        <program_name>LLNG</program_name>
</decoder>

<decoder name="LLNG_redirected">
        <parent>LLNG</parent>
        <prematch>redirected</prematch>
        <regex>[notice] User (\.+) (\.+) to (\.+)</regex>
        <order>user, action, dst</order>
</decoder>

<decoder name="LLNG_connected">
        <parent>LLNG</parent>
        <prematch>connected</prematch>
        <regex>[notice] (\S+) (\S+)</regex>
        <order>user, action</order>
</decoder>

<decoder name="LLNG_successfully">
        <parent>LLNG</parent>
        <prematch>successfully authenticated</prematch>
        <regex>[notice] User (\.+) (\.+) at level (\d+)</regex>
        <order>user, action, level</order>
</decoder>

Since log patterns vary, you need to create a specific child decoder for each unique log pattern. You can create decoders as shown in the example above according to your log requirements.
To know more about custom decoders you can refer to https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

Hope this helps
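To see which fields the decoder chain above would extract before loading it into Wazuh, here is an added Python harness (not part of this thread and not Wazuh code) that models the parent match on program_name, each child's prematch, regex and order, and runs the three sample lines through it. Python's re is used as a stand-in for OS_Regex: modelling `\.+` as non-greedy `.+?` and treating `[`/`]` as literals are assumptions, so confirm the real output with wazuh-logtest.

```python
import re

# Constructed copies of the three lines from the question.
SAMPLE_LOGS = [
    "May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] User mdelpech is redirected to https://mail.ville-nevers.fr/",
    "May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] mdelpech connected",
    "May 15 08:58:25 vm-zosma LLNG[1028012]: [notice] User mdelpech successfully authenticated at level 9",
]

# The child decoders from the reply: (name, prematch, OS_Regex pattern, order).
CHILD_DECODERS = [
    ("LLNG_redirected", "redirected", r"[notice] User (\.+) (\.+) to (\.+)", ["user", "action", "dst"]),
    ("LLNG_connected", "connected", r"[notice] (\S+) (\S+)", ["user", "action"]),
    ("LLNG_successfully", "successfully authenticated", r"[notice] User (\.+) (\.+) at level (\d+)", ["user", "action", "level"]),
]

# Minimal syslog pre-decoder: timestamp, hostname, program_name[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<message>.*)$"
)

def osregex_to_python(pattern: str) -> str:
    """Translate the OS_Regex subset used above into a Python pattern.
    Assumptions: \\.+ behaves like a non-greedy .+? that still runs to end
    of line when it is the last element; [ and ] are literal characters."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two == r"\.":
            if pattern[i + 2:i + 3] in ("+", "*"):
                out.append("." + pattern[i + 2] + "?")
                i += 3
            else:
                out.append(".")
                i += 2
        elif two in (r"\S", r"\d", r"\w", r"\s"):
            out.append(two)
            i += 2
        elif pattern[i] in "[]":
            out.append("\\" + pattern[i])
            i += 1
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out) + "$"  # anchor so a trailing capture takes the remainder

def decode(line: str):
    """Return the fields a matching child decoder would produce, or None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program_name") != "LLNG":  # parent: <program_name>LLNG</program_name>
        return None
    msg = m.group("message")
    for name, prematch, osregex, order in CHILD_DECODERS:
        if prematch not in msg:  # <prematch> here is a plain substring
            continue
        rm = re.search(osregex_to_python(osregex), msg)
        if rm:
            return {"decoder": name, **dict(zip(order, rm.groups()))}
    return {"decoder": "LLNG"}  # parent matched, no child regex did
```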

Romain Hennebois

May 15, 2024, 5:12:07 AM
to Wazuh | Mailing List
Hi Stuti,

Thank you so much for your help. It works perfectly, you saved my day!