Wazuh create alert for syslog logs


Riccardo Olivetto

Dec 4, 2025, 11:30:31 AM
to Wazuh | Mailing List
Hi, I would like to generate alerts from logs that are written to a specific file located on the Wazuh server.

File to monitor: /home/ftp/as.log
I've done the following steps:

  1. Added to /var/ossec/etc/ossec.conf:
     <localfile>
       <log_format>full_command</log_format>
       <location>/home/ftpuser/as400.txt</location>
     </localfile>
  2. Created custom decoders for that type of log
  3. Created custom rule in /var/ossec/etc/rules/local_rules.xml
Testing the log that will populate /home/ftp/as.log with wazuh-logtest, it works:
root@wazuhftp:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.14.1
Type one log per line

CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005

**Phase 1: Completed pre-decoding.
        full event: 'CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005'

**Phase 2: Completed decoding.
        name: 'ibm_cef_ext'

**Phase 3: Completed filtering (rules).
        id: '100100'
        level: '5'
        description: 'IBM i CEF event'
        groups: '['local', 'syscheck', 'ibmi', 'cef', 'ibmi', 'general']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

If I populate the file, it doesn't generate an alert and alert.log/json doesn't populate.

Can you help me?


Olamilekan Abdullateef Ajani

Dec 4, 2025, 12:03:22 PM
to Wazuh | Mailing List
Hello Riccardo,

I see all you have done with the ingestion and the rule you have created. It seems from the logtest that the rule and decoder were triggered, but in the actual event stream nothing happened.
We can start by checking the Wazuh archive file to ensure the logs are ingested exactly as you used while testing; otherwise, your decoder might not match, affecting the rules.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager:

systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "Authority changes"

Once you find the logs, please disable the archive by setting the logall options above to no, and please revert with a sample log.
Please let me know what you find.
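To make the archive check above more informative than a bare grep, here is an added example (not code from the thread or from Wazuh) that reads archives.json lines and reports how far each matching event got: ingested only, decoded but no rule, or alerted. It assumes the archive layout of one JSON object per line with full_log, decoder.name and rule fields; the sample lines are constructed.

```python
"""Triage entries from a Wazuh archives.json dump to see where an event stops."""
import json

CEF = ("CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes "
       "msg=Grant to *PUBLIC duser=QTCP suser=QSECOFR src=192.168.0.78")

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json:
# the same event seen at three stages, plus an unrelated syslog line.
# Assumed field layout: full_log always present, decoder.name when a decoder
# matched, rule when a rule fired.
SAMPLE_ARCHIVE = "\n".join(json.dumps(e) for e in [
    {"location": "/home/ftpuser/as400.txt", "full_log": CEF},
    {"location": "/home/ftpuser/as400.txt", "full_log": CEF,
     "decoder": {"name": "ibm_cef_ext"}},
    {"location": "/home/ftpuser/as400.txt", "full_log": CEF,
     "decoder": {"name": "ibm_cef_ext"},
     "rule": {"id": "100100", "level": 5, "description": "IBM i CEF event"}},
    {"location": "/var/log/syslog",
     "full_log": "Dec  5 06:00:00 host cron[1]: job"},
])

STAGES = ("ingested_not_decoded", "decoded_no_rule", "alerted")


def stage_of(entry):
    """Return how far one archived event got through the analysis pipeline."""
    if "rule" in entry:
        return "alerted"
    if entry.get("decoder", {}).get("name"):
        return "decoded_no_rule"
    return "ingested_not_decoded"


def triage(archive_text, needle):
    """Count the stage of every archived event whose full_log contains needle.

    All-zero counts mean the event never reached the manager: check the file
    path, log_format and the wazuh user's read permission before the decoder.
    """
    counts = {s: 0 for s in STAGES}
    for line in archive_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partial line still being written by the manager
        if needle in entry.get("full_log", ""):
            counts[stage_of(entry)] += 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_ARCHIVE, "Authority changes"))
    # {'ingested_not_decoded': 1, 'decoded_no_rule': 1, 'alerted': 1}
```

Run it against a real dump with `triage(open("/var/ossec/logs/archives/archives.json").read(), "Authority changes")` after enabling logall_json as described above.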

Riccardo Olivetto

Dec 5, 2025, 6:01:13 AM
to Wazuh | Mailing List
Hi, I've modified ossec.conf as you wrote and restarted the manager, but cat /var/ossec/logs/archives/archives.json | grep "Authority changes"
doesn't return anything.
The test I do is the following:

echo "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005" >> /home/ftpuser/as400.txt

(wazuh user has access to that file)

Olamilekan Abdullateef Ajani

Dec 5, 2025, 9:02:46 AM
to Wazuh | Mailing List
Hello Riccardo,

The problem seems to be with the way you have declared Wazuh to read the file: your log_format says full_command. May I know why you used that when you only intend to capture the logs?
Please refer to the available log_format options in the documentation here, and use the one appropriate to the log. I used syslog, and I was able to capture the log; please see attached. You may want to review that too.

Once this is out of the way, you can use the full_log of the archived log to create a working decoder and rule.

Ref:

Please let me know if you require further assistance on this

log-format.png

Riccardo Olivetto

Dec 10, 2025, 8:46:07 AM
to Wazuh | Mailing List
Hi, I set up the syslog format too, but I'm still not able to visualize alerts.

Olamilekan Abdullateef Ajani

Dec 10, 2025, 9:12:59 AM
to Wazuh | Mailing List
Hello Riccardo,

Not being able to visualize the events can be due to a decoder and rule issue. Can you enable the archive as I mentioned earlier and see if the logs are populating?

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager:

systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "part-of-the-log"

Once you find the logs, please disable the archive by setting the logall options above to no, and please revert with a sample log.

Please let me know what you find.

Riccardo Olivetto

Dec 24, 2025, 8:24:01 AM
to Wazuh | Mailing List
Hi,
now it works. Is it possible to monitor all log files?
This is the scenario:
every 5 minutes my Power system sends logs via FTP to the Wazuh manager at /home/ftpuser/syslog/Timestamp.txt.
I want it to check the log every time a file is added here.

I know that if I monitor a single file it works and generates alerts.

Olamilekan Abdullateef Ajani

Dec 24, 2025, 9:06:04 AM
to Wazuh | Mailing List
Hello Riccardo,

I am glad to hear that it all works now.

For the new use case you have shared, you can make use of the wildcard *. Wildcards can be used on Linux and Windows systems; if the log file doesn't exist at Wazuh logcollector start time, such a log will be re-scanned after logcollector.vcheck_files seconds.
An example can be seen below:

<localfile>
    <location>/home/ftpuser/syslog/*</location>
    <log_format>syslog</log_format>
</localfile>

<localfile>
    <location>/home/ftpuser/syslog/*.txt</location>
    <log_format>syslog</log_format>
</localfile>

Ref:

Please let me know if you require further assistance on this.