Wazuh create alert for syslog logs


Riccardo Olivetto

Dec 4, 2025, 11:30:31 AM (3 days ago) Dec 4
to Wazuh | Mailing List
Hi, I would like to generate alerts from logs that are written to a specific file located in a wazuh server.

File to monitor: /home/ftp/as.log
I've done the following steps:

  1. Added to /var/ossec/etc/ossec.conf:
    <localfile>
      <log_format>full_command</log_format>
      <location>/home/ftpuser/as400.txt</location>
    </localfile>
  2. created custom decoders for that type of log
  3. Created custom rule in /var/ossec/etc/rules/local_rules.xml
Testing the log that will populate /home/ftp/as.log with wazuh-logtest it works:
root@wazuhftp:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.14.1
Type one log per line

CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005

**Phase 1: Completed pre-decoding.
        full event: 'CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005'

**Phase 2: Completed decoding.
        name: 'ibm_cef_ext'

**Phase 3: Completed filtering (rules).
        id: '100100'
        level: '5'
        description: 'IBM i CEF event'
        groups: '['local', 'syscheck', 'ibmi', 'cef', 'ibmi', 'general']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

If I populate the file, it doesn't generate an alert, and alert.log/json doesn't populate.

Can you help me?


Olamilekan Abdullateef Ajani

Dec 4, 2025, 12:03:22 PM (3 days ago) Dec 4
to Wazuh | Mailing List
Hello Riccardo,

I see all you have done with the ingestion and the rule you have created. It seems from the logtest that the rule and decoder were triggered, but in the actual event stream nothing happened.
We can start by checking the Wazuh archive file to ensure the logs are ingested exactly as you used them while testing; otherwise, your decoder might not match, which affects the rules.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager:

systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "Authority changes"

Once you find the logs, please disable the archive by setting the logall options above to no, and please revert with a sample log.
Please let me know what you find.

Riccardo Olivetto

Dec 5, 2025, 6:01:13 AM (2 days ago) Dec 5
to Wazuh | Mailing List
Hi, I've modified ossec.conf as you wrote and restarted the manager, but cat /var/ossec/logs/archives/archives.json | grep "Authority changes"
doesn't return anything.
The test I do is the following:

echo "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005" >> /home/ftpuser/as400.txt

(wazuh user has access to that file)

Olamilekan Abdullateef Ajani

Dec 5, 2025, 9:02:46 AM (2 days ago) Dec 5
to Wazuh | Mailing List
Hello Riccardo,

The problem seems to be with the way you have declared Wazuh to read the file: your log_format says full_command. May I know why you used that when you only intend to capture the logs?
Please refer to the available log_format options in the documentation here, and use the one appropriate to the log. I used syslog and was able to capture the log; please see attached. You may want to review that too.

Once this is out of the way, you can use the full_log of the archived log to create a working decoder and rule.

Ref:

Please let me know if you require further assistance on this

log-format.png
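Two checks that follow from the thread, as an added example that is not part of the original posts or of Wazuh itself. wazuh-logtest only exercises decoders and rules on a line you paste in; it says nothing about whether logcollector is actually reading the file, which is why the logtest passed while archives.json stayed empty. The first function lints a `<localfile>` stanza the way the second reply does by hand: `command`/`full_command` run a command given in `<command>`, so a file path under `full_command` is flagged, while the corrected `syslog` stanza passes. The second function parses the posted CEF line the way a custom decoder has to, including extension values that contain spaces (`reason=Authority changes`, `msg=Grant to *PUBLIC`), which is exactly where a naive "split on spaces" decoder breaks. The list of file-based formats, the sample stanzas and the CEF line are constructed here from the thread, not taken from Wazuh's own config validation.

```python
"""Added example (not from the thread or from Wazuh): lint a <localfile>
stanza and parse a CEF line the way a decoder must."""
import re
import xml.etree.ElementTree as ET

# Constructed from the thread: the stanza as posted, and the syslog fix.
MISCONFIGURED = """<localfile>
  <log_format>full_command</log_format>
  <location>/home/ftpuser/as400.txt</location>
</localfile>"""

CORRECTED = """<localfile>
  <log_format>syslog</log_format>
  <location>/home/ftpuser/as400.txt</location>
</localfile>"""

# Assumption for this example: a subset of the documented file-reading
# formats, which take the file path in <location>.
FILE_FORMATS = {"syslog", "json", "multi-line", "audit", "apache", "squid",
                "iis", "nmapg", "mysql_log", "postgresql_log",
                "snort-full", "snort-fast", "eventlog", "eventchannel"}
# These formats execute a command given in <command>, not a file.
COMMAND_FORMATS = {"command", "full_command"}


def lint_localfile(xml_text):
    """Return a list of problems found in one <localfile> stanza ([] if OK)."""
    root = ET.fromstring(xml_text)
    fmt = (root.findtext("log_format") or "").strip()
    location = root.findtext("location")
    command = root.findtext("command")
    problems = []
    if fmt in COMMAND_FORMATS:
        if command is None:
            problems.append(f"{fmt} runs a command and needs <command>")
        if location is not None:
            problems.append(f"{fmt} does not read a file; <location> "
                            f"{location.strip()} will not be collected as a log")
    elif fmt in FILE_FORMATS:
        if location is None:
            problems.append(f"{fmt} needs a <location> to read")
    else:
        problems.append(f"unknown log_format {fmt!r}")
    return problems


# Constructed sample: the line appended to the monitored file in the thread.
SAMPLE_CEF = ("CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-GS|Low|reason=Authority changes "
              "msg=Grant to *PUBLIC duser=QTCP dproc=040024/QTCP suser=QSECOFR "
              "sproc=040209/QTCP shost=10.0.0.5 src=192.168.0.78 spt=64005")

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key starts the extension or follows whitespace; a value runs
# up to the next " key=", so values are allowed to contain spaces.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_cef(line):
    """Split a CEF line into (header dict, extension dict)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Seven header fields separated by unescaped pipes; the rest is extension.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext = parts[7]
    fields = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return header, fields


if __name__ == "__main__":
    for label, stanza in (("posted", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, lint_localfile(stanza) or "OK")
    hdr, ext = parse_cef(SAMPLE_CEF)
    print(hdr["device_product"], hdr["signature_id"], hdr["severity"])
    for k in ("reason", "msg", "suser", "src", "spt"):
        print(f"{k}={ext[k]}")
```

Run the lint against the stanza actually present in ossec.conf rather than a copy; once logcollector is reading the file, compare the `full_log` in archives.json with what `parse_cef` extracts to make sure the decoder's regexes capture the same `reason`, `msg` and `suser` values the rule keys on.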