Changing the timestamp in Wazuh -custom Decoder & Rule-


Salam Salam

Jul 1, 2021, 8:23:42 AM
to Wazuh mailing list
Hello everyone,

I created a custom decoder and rule in Wazuh, then I wrote a rule that is triggered by 5 failed logins in less than two minutes.

The problem is: Wazuh doesn't take the timestamp from the log files; instead, it takes the timestamp of loading these log files ("Log file rotated").

How can I force Wazuh to take the timestamp of the actual log file itself?

Many thanks in advance.

Best Regards,

Jose Luis Carreras Marin

Jul 1, 2021, 9:26:57 AM
to Wazuh mailing list
Hello, salam.salam8866
The behavior of Wazuh in this case, once the timeframe variable is set, is to calculate the time difference between the processing of each of the events, saving for each one the time at which it was generated.
Anyway, could you explain your issue in a little more depth?
Regards

Salam Salam

Jul 4, 2021, 8:15:32 AM
to Wazuh mailing list
Thank you for your reply.

Let's suppose we have the following sample log:
Timestamp  Hostname event
Jul 4 2021 08:40:44 Host1 Failed_Login
________________________
So, the decoder for this log is as follows:
<decoder name="example-failed-login"> <!-- decoder name assumed; not given in the post -->
  <regex>(\w+\s\d+\s\d+\s\d\d:\d\d:\d\d) (\S+) (\S+)</regex>
  <order>timestamp,hostname,event</order>
</decoder>
_________________________
I edited ossec.conf to instruct Wazuh to read these logs from a specific folder as follows:
 
<localfile>
  <location>/var/log/example.log</location> 
  <log_format>syslog</log_format>
</localfile>
_________________________
When Wazuh loads logs from /var/log/example.log, unfortunately, the timestamp here is the time at which the log file "example.log" was loaded into the system, not the actual log timestamp, which is "Jul 4 2021 08:40:44", as illustrated in the attached Kibana snapshot.
_________
1.PNG