Parsing PfSense Logs


SwiftBird

Sep 23, 2023, 1:54:07 PM
to Wazuh | Mailing List
Hi, I am trying to parse pfSense logs coming via Syslog (agent install doesn't work on the current version). It won't work as expected. Here are my custom decoders:

<decoder name="pf-php-fpm">
    <prematch>php-fpm</prematch>
</decoder>

<decoder name="pf-php-fpm-login">
    <parent>pf-php-fpm</parent>
    <regex type="pcre2">php-fpm\[\d+\]: /index\.php: Successful login for user '(.+?)' from: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</regex>
    <order>username, source_ip</order>
</decoder>

<decoder name="pf-php-fpm-auth-error">
    <parent>pf-php-fpm</parent>
    <regex type="pcre2">php-fpm\[\d+\]: /index\.php: webConfigurator authentication error for user '(.+?)' from: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</regex>
    <order>username, source_ip</order>
</decoder>

<decoder name="pf-ssh-connection-closed">
    <prematch>Connection closed by authenticating user</prematch>
    <regex type="pcre2">user (\S+) (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (\d+)</regex>
    <order>username, source_ip, source_port</order>
</decoder>

<decoder name="pf-ssh-publickey-accepted">
    <prematch>Accepted publickey for</prematch>
    <regex type="pcre2">for (\S+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (\d+) ssh2: (\S+) (\S+)</regex>
    <order>username, source_ip, source_port, key_algorithm, key_signature</order>
</decoder>


And here is what happens to an example failed login (from the full_log in the archive.json):

Sep 23 19:43:21 php-fpm[63232]: /index.php: webConfigurator authentication error for user 'Martin' from: 10.21.0.9

**Messages: WARNING: (7003): 'a49ca664' token expires INFO: (7202): Session initialized with token '10cd2455'

**Phase 1: Completed pre-decoding. full event: 'Sep 23 19:43:21 php-fpm[63232]: /index.php: webConfigurator authentication error for user 'Martin' from: 10.21.0.9'

timestamp: 'Sep 23 19:43:21' 
hostname: 'php-fpm[63232]:' 

**Phase 2: Completed decoding. name: 'pf-php-fpm' 

**Phase 3: Completed filtering (rules). id: '2501' level: '5' description: 'syslog: User authentication failure.' groups: '["syslog","access_control","authentication_failed"]' firedtimes: '1' gdpr: '["IV_35.7.d","IV_32.2"]' gpg13: '["7.8"]' hipaa: '["164.312.b"]' mail: 'false' nist_800_53: '["AU.14","AC.7"]' pci_dss: '["10.2.4","10.2.5"]' tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]' 
**Alert to be generated.

Why is this random syslog alert generated?
Why does it say the decoder is 'pf-php-fpm'? Does that mean that the other sub-decoders failed? If so, then why? I don't understand. I just want Wazuh to use my decoders.
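To check the posted patterns on their own, separately from how Wazuh pre-decodes the line, here is an added Python harness (not part of this thread and not Wazuh code) that loads two of the decoders above and applies their prematch/regex/order logic, using Python's re module as a stand-in for PCRE2. The SSH sample line, its placeholder fingerprint and the function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Decoders copied from the post (php-fpm parent/child pair and one SSH decoder),
# wrapped in a root element so ElementTree can parse them as one document.
DECODERS_XML = r"""<decoders>
<decoder name="pf-php-fpm">
  <prematch>php-fpm</prematch>
</decoder>
<decoder name="pf-php-fpm-auth-error">
  <parent>pf-php-fpm</parent>
  <regex type="pcre2">php-fpm\[\d+\]: /index\.php: webConfigurator authentication error for user '(.+?)' from: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})</regex>
  <order>username, source_ip</order>
</decoder>
<decoder name="pf-ssh-publickey-accepted">
  <prematch>Accepted publickey for</prematch>
  <regex type="pcre2">for (\S+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (\d+) ssh2: (\S+) (\S+)</regex>
  <order>username, source_ip, source_port, key_algorithm, key_signature</order>
</decoder>
</decoders>"""

def load_decoders(xml_text):
    # Return the decoders in file order as dicts with the keys decode() uses.
    decoders = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        dec = {"name": d.get("name"), **{t: (d.findtext(t) or "").strip() or None
                                          for t in ("parent", "prematch", "regex", "order")}}
        dec["order"] = [f.strip() for f in (dec["order"] or "").split(",") if f.strip()]
        decoders.append(dec)
    return decoders

def decode(line, decoders):
    # First top-level decoder whose prematch hits owns the line; its children (or
    # itself) are then tried in order and the first regex match fills <order>.
    for dec in decoders:
        if dec["parent"] or not dec["prematch"] or not re.search(dec["prematch"], line):
            continue
        candidates = [c for c in decoders if c["parent"] == dec["name"]] or [dec]
        for cand in candidates:
            m = re.search(cand["regex"], line) if cand["regex"] else None
            if m:
                return cand["name"], dict(zip(cand["order"], m.groups()))
        return dec["name"], {}  # prematch hit but no regex captured anything
    return None, {}

# Sample events: the post's failed-login line, plus a constructed SSH line (placeholder fingerprint).
PHP_FAIL = "Sep 23 19:43:21 php-fpm[63232]: /index.php: webConfigurator authentication error for user 'Martin' from: 10.21.0.9"
SSH_OK = "Sep 23 19:50:01 sshd[4242]: Accepted publickey for admin from 10.21.0.9 port 51234 ssh2: ED25519 SHA256:PLACEHOLDERfingerprint"
DECODERS = load_decoders(DECODERS_XML)
print(decode(PHP_FAIL, DECODERS), decode(SSH_OK, DECODERS))
```

A line that only the parent prematch accepts comes back as ("pf-php-fpm", {}), the same shape as the Phase 2 result in the post, so the harness separates "regex does not match" from "regex never saw this text".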

Gustavo Choquevilca

Sep 24, 2023, 9:50:58 PM
to Wazuh | Mailing List
Hi,
It seems that the random syslog alert is being generated due to a user authentication failure in the pf-php-fpm decoder. The decoder is successfully decoding the log entry 'Sep 23 19:43:21 php-fpm[63232]: /index.php: webConfigurator authentication error for user 'Martin' from: 10.21.0.9', but the alert is triggered by a filtering rule with id '2501' and level '5' that matches the decoded event. The alert is generated because the event matches the criteria defined in the filtering rule, which includes syslog, access control, and authentication failed groups.

What do you mean when they say "The other sub-decoders failed"? Could you give me more details?
Regards.

Gustavo Choquevilca

Sep 26, 2023, 3:06:21 PM
to Wazuh | Mailing List

I will investigate this problem and will come back when I have an answer.

Regards
On Monday, September 25, 2023 at 6:00:37 AM UTC-3 SwiftBird wrote:
I want it to use my decoders that I specified (see first post) not the one from php-fpm


Kind regards
Martin Offermann

> On 25. Sep 2023, at 03:51, 'Gustavo Choquevilca' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:
>
> php-fpm

Gustavo Choquevilca

Sep 28, 2023, 5:00:51 PM
to Wazuh | Mailing List
Hello,
Have you tried disabling the default rules that are being activated?

Gustavo Choquevilca

Oct 2, 2023, 11:07:53 AM
to Wazuh | Mailing List
Hi,
Have you found error logs?
Can you share any error logs related to this problem?

Let me know, I'll be attentive.

Gustavo Choquevilca

Oct 5, 2023, 5:11:49 PM
to Wazuh | Mailing List
Hello,
I have tested the log that you have shared with wazuh-logtest and the same results that you have shared are obtained; this means that the default rules and decoders have been activated.


What you can do in this case is to modify your default rules and decoders.

Here is a guide that defines all the details of the process.


I'm looking forward to your response.

Regards.