PaloAlto Global Protect decoder


Steve O'Brien

Apr 17, 2023, 7:39:06 PM
to Wazuh mailing list
I have been struggling trying to get my globalprotect authentication logs decoded.  I have tested my decoder with a regex debugger and I think they should be right but I am not seeing any of the fields that are in my decoder, just very generic info.  Here is my local_decoder:
<decoder name="paloalto-globalprotect-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,GLOBALPROTECT,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(GLOBALPROTECT)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-globalprotect-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>content_type, generated_time, virtual_system, event_id, stage, authentication_method, tunnel_type, source_user, source_region, machine_name, public_ip, public_ipv6, private_ip, private_ipv6, host_id, serial_number, client_version, client_os, client_os_version, repeat_count, reason, error, description, status, location, login_duration, connect_method, error_code, portal, sequence_number, action_flags, high_res_timestamp, selection_type, response_time, priority, attempted_gateways, gateway, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name, virtual_system_id</order>
</decoder>

Here is the log from wazuh:
2023 Apr 17 21:11:52 (syslog.server) any->/var/log/hosts/firewall-messages.log <190>1 2023-04-17T11:11:52-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - 1,2023/04/17 11:11:51,013201027519,GLOBALPROTECT,0,2561,2023/04/17 11:11:51,vsys1,portal-auth,login,Other,,testuser-local,US,Test-MacBook-Pro,66.8.174.83,0.0.0.0,0.0.0.0,0.0.0.0,3c:22:fb:3e:11:78,C02CJ2W9ML7J,6.0.3,Mac,"Apple Mac OS X 13.3.1",1,,,,success,,0,,0,Summit VPN,7199699939377566884,0x0,2023-04-17T11:11:52.624-10:00,,,,,,0,0,0,0,,S3AA3-PA5220-01,0

From what I understand the prematch should match:
2023 Apr 17 21:11:52 (syslog.server) any->/var/log/hosts/firewall-messages.log <190>1 2023-04-17T11:11:52-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - 1,2023/04/17 11:11:51,013201027519,GLOBALPROTECT

Which leaves the "after_regex":
,2023 Apr 17 21:11:52 (syslog.server) any->/var/log/hosts/firewall-messages.log <190>1 2023-04-17T11:11:52-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - 1,2023/04/17 11:11:51,013201027519,GLOBALPROTECT

Which according to the regexp debugger should match:
<regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>


Any help would be greatly appreciated
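An added example, not Steve's decoder and not Wazuh's engine, that models how two sibling decoders chain with offset="after_regex" against the sample log from this post. It assumes a simplified view of the chain (the second regex runs on whatever remains after the first regex's match) and uses a constructed, shortened form of the 44-group regex so the mechanism is visible; check_arity is the quick test for a capture-group count that does not match the order list.

```python
import re

# Constructed sample: the GlobalProtect event quoted in the thread, with the Wazuh
# "agent->location" prefix removed so only the syslog payload remains.
SAMPLE = ('<190>1 2023-04-17T11:11:52-10:00 S3AA3-PA5220-01.summit.nso.edu - - - - '
          '1,2023/04/17 11:11:51,013201027519,GLOBALPROTECT,0,2561,2023/04/17 11:11:51,'
          'vsys1,portal-auth,login,Other,,testuser-local,US,Test-MacBook-Pro,66.8.174.83,'
          '0.0.0.0,0.0.0.0,0.0.0.0,3c:22:fb:3e:11:78,C02CJ2W9ML7J,6.0.3,Mac,'
          '"Apple Mac OS X 13.3.1",1,,,,success,,0,,0,Summit VPN,7199699939377566884,0x0,'
          '2023-04-17T11:11:52.624-10:00,,,,,,0,0,0,0,,S3AA3-PA5220-01,0')

# Sibling decoders as (prematch, regex, order, offset), in file order. The second regex is
# a constructed, shortened form of the post's 44-group regex: it captures the first eight
# fields so the chaining is visible without the full field list.
DECODERS = [
    (r"^[^,]*,\d+/\d+/\d+\s\d+:\d+:\d+,\d+,GLOBALPROTECT,",
     r"^[^,]*,(\d+/\d+/\d+\s\d+:\d+:\d+),(\d+),(GLOBALPROTECT)",
     ["receive_time", "serial_number", "type"], None),
    (None,
     r"^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)",
     ["content_type", "generated_time", "virtual_system", "event_id", "stage",
      "authentication_method", "tunnel_type", "source_user"], "after_regex"),
]

def check_arity(regex, order):
    """Return (capture groups, order names); the two must agree or fields shift or drop."""
    return re.compile(regex).groups, len(order)

def decode(line, decoders=DECODERS):
    """Simplified model of the sibling chain (assumption, not Wazuh's engine): with offset
    after_regex a regex runs on the remainder left by the previous sibling's match.
    Returns (fields, trace); the trace says which step failed and where."""
    fields, trace, pos = {}, [], 0
    for prematch, regex, order, offset in decoders:
        text = line[pos:] if offset == "after_regex" else line
        if prematch and not re.search(prematch, text):
            trace.append("prematch failed: %s" % prematch)
            break
        m = re.search(regex, text)
        if not m:
            trace.append("regex failed at offset %d, remainder starts %r" % (pos, text[:40]))
            break
        fields.update(zip(order, m.groups()))
        pos = (pos if offset == "after_regex" else 0) + m.end()
        trace.append("%d fields set, next offset %d" % (len(order), pos))
    return fields, trace

if __name__ == "__main__":
    decoded, steps = decode(SAMPLE)
    print("\n".join(steps))
    for name, value in decoded.items():
        print("%-22s %s" % (name, value))
```

Note that the post's full order list uses serial_number in both siblings (firewall serial, then client serial), which is worth confirming in wazuh-logtest since only one value can end up in that field.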

Steve O'Brien

Apr 17, 2023, 9:44:32 PM
to Wazuh mailing list
I am looking for guidance on where to put these. I thought I was only supposed to edit the local_decoder.xml, so I was adding it there but it was not working. When I moved it to the 0505-paloalto_decoders.xml file it now works. Can anyone explain that?

Benjamin Nworah

Apr 18, 2023, 9:24:01 AM
to Wazuh mailing list
Hello Steve,

Thank you for using Wazuh.

I am currently taking a look at this. I will revert back.

Regards,

Benjamin Nworah

Apr 19, 2023, 12:45:52 AM
to Wazuh mailing list
Dear Steve,

Thank you for your patience on this thread.

I tested your sample log using wazuh-logtest, and I can confirm that when placed inside the /var/ossec/etc/decoders/local_decoder.xml file, the sample log is not parsed by your decoder. This is because the default Palo Alto decoder file, i.e. 0505-paloalto_decoders.xml, has a parent decoder "paloalto" that matches your sample log.

You can follow the steps below to customize the existing 0505-paloalto_decoders.xml file:

To keep the changes when updating to a newer version, instead of editing the original file we recommend copying it to a new file in the /var/ossec/etc/decoders/ directory and excluding the original file from the loading list in the ossec.conf configuration file.

1- Copy the original file to the custom decoder folder:
cp /var/ossec/ruleset/decoders/0505-paloalto_decoders.xml  /var/ossec/etc/decoders/

2- Change the ownership of the file:
chown wazuh: /var/ossec/etc/decoders/0505-paloalto_decoders.xml

3- Edit the Wazuh manager /var/ossec/etc/ossec.conf configuration file and exclude the original file from the loading list using the decoder_exclude tag: <decoder_exclude>ruleset/decoders/0505-paloalto_decoders.xml</decoder_exclude>

<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <decoder_exclude>ruleset/decoders/0505-paloalto_decoders.xml</decoder_exclude>

</ruleset>

4- Edit /var/ossec/etc/decoders/0505-paloalto_decoders.xml and add your decoder after the parent decoder paloalto and before the decoder paloalto-system-fields, so your new decoder file will have this structure:

<decoder name="paloalto">
----------------------------------------

<decoder name="paloalto-globalprotect-fields">
  <parent>paloalto</parent>
  <prematch type="pcre2">^[^,]*,\d+\/\d+\/\d+\s\d+:\d+:\d+,\d+,GLOBALPROTECT,</prematch>
  <regex type="pcre2">^[^,]*,(\d+\/\d+\/\d+\s\d+:\d+:\d+),(\d+),(GLOBALPROTECT)</regex>
  <order>receive_time, serial_number, type</order>
</decoder>

<decoder name="paloalto-globalprotect-fields">
  <parent>paloalto</parent>
  <regex type="pcre2" offset="after_regex">^,([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)</regex>
  <order>content_type, generated_time, virtual_system, event_id, stage, authentication_method, tunnel_type, source_user, source_region, machine_name, public_ip, public_ipv6, private_ip, private_ipv6, host_id, serial_number, client_version, client_os, client_os_version, repeat_count, reason, error, description, status, location, login_duration, connect_method, error_code, portal, sequence_number, action_flags, high_res_timestamp, selection_type, response_time, priority, attempted_gateways, gateway, device_group_hierarchy_level_1, device_group_hierarchy_level_2, device_group_hierarchy_level_3, device_group_hierarchy_level_4, virtual_system_name, device_name, virtual_system_id</order>
</decoder>

<decoder name="paloalto-system-fields">
......................................................................


5- Restart the Wazuh manager:

systemctl restart wazuh-manager

Please let me know if this helps.

Regards,