localfile labels


Tomas Stehlik

Nov 12, 2024, 4:08:43 AM11/12/24
to Wazuh | Mailing List
Hello,
when I am using localfiles in standard syslog format it would be nice to add some label to sort clients. I checked the documentation and there it is written that label is supported only in JSON (not syslog) format. Is there any other way to sort clients? For example, I have several customers with the same Mikrotik routers, one file for one router. I need to group them with some label "customer1"; is it possible?

Thanks for the reply

Tomas

Md. Nazmur Sakib

Nov 12, 2024, 5:28:06 AM11/12/24
to Wazuh | Mailing List

Hi Tomas,


You should check the <out_format> option of <localfile>:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format



Suppose you have this log line:

[2024-11-06 03:57:10.530][6][warning][misc] [source/common/protobuf/message_validator_impl.cc:21] Deprecated field: type envoy.config.bootstrap.v3.Admin Using deprecated option 'envoy.config.bootstrap.v3.Admin.access_log_path' from file bootstrap.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.


I would suggest changing the <localfile> configuration that you have already added for reading the Mikrotik router log file.

Add the value <out_format>customer1 mikrotik_routers_log : $(log)</out_format>

inside the block for the error log.

Ex:

<localfile>
  <log_format>syslog</log_format>
  <location>/home/log/mikrotik_routers.log</location>
  <out_format>customer1 mikrotik_routers_log : $(log)</out_format>
</localfile>


Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format

Now your logs should look like this to the Wazuh analysisd engine:

customer1 mikrotik_routers_log : [2024-11-06 03:57:10.530][6][warning][misc] [source/common/protobuf/message_validator_impl.cc:21] Deprecated field: type envoy.config.bootstrap.v3.Admin Using deprecated option 'envoy.config.bootstrap.v3.Admin.access_log_path' from file bootstrap.proto. This configuration will be removed from Envoy soon. Please see https://www.envoyproxy.io/docs/envoy/latest/version_history/version_history for details. If continued use of this field is absolutely necessary, see https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#using-runtime-overrides-for-deprecated-features for how to apply a temporary and highly discouraged override.

Now you can write a parent decoder like this:

<decoder name="mikrotik_routers">
  <prematch>^\.+mikrotik_routers_log : </prematch>
</decoder>

You can write the rest of the decoder using this decoder as the parent:

<decoder name="mikrotik_routers_junior">
  <parent>mikrotik_routers</parent>
  ...
</decoder>

Rule:

<!-- group name adjusted to match the Mikrotik decoder; the original used a copied "waf,Coraza," group -->
<group name="mikrotik_routers,">
  <rule id="100817" level="6">
    <decoded_as>mikrotik_routers</decoded_as>
    <description>Mikrotik Routers log</description>
  </rule>
</group>

Check the documentation to learn more about decoders and rules:

https://documentation.wazuh.com/current/user-manual/ruleset/index.html

If you need further assistance, share some more sample logs from the archives.json file related to the Mikrotik router logs after making the changes to the <localfile> configuration.


Let me know if this solves your issue.
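The mechanism described in this reply (a per-<localfile> <out_format> prefix that a parent decoder's <prematch> later keys on) can be simulated end to end. The following Python script is an added illustration, not code from the thread or from the Wazuh project: it parses a constructed agent configuration with one <localfile> per customer, applies each block's <out_format> template to constructed sample lines, and then runs a Python translation of the prematch from the reply to recover the customer label and the original message. The file paths, customer names and log lines are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed agent configuration (not the thread's own config): one <localfile>
# per customer router log, each tagged with a distinct <out_format> prefix.
AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/home/log/customer1_mikrotik.log</location>
    <out_format>customer1 mikrotik_routers_log : $(log)</out_format>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/home/log/customer2_mikrotik.log</location>
    <out_format>customer2 mikrotik_routers_log : $(log)</out_format>
  </localfile>
</agent_config>
"""

# Constructed sample lines standing in for what the agent would read from each file.
SAMPLE_FILES = {
    "/home/log/customer1_mikrotik.log": [
        "login failure for user admin from 203.0.113.5 via ssh",
    ],
    "/home/log/customer2_mikrotik.log": [
        "user admin logged in from 198.51.100.7 via winbox",
    ],
}


def load_localfiles(conf_xml):
    """Return the <location> and <out_format> of every <localfile> block."""
    root = ET.fromstring(conf_xml.strip())
    blocks = []
    for lf in root.iter("localfile"):
        blocks.append({
            "location": lf.findtext("location"),
            # Without <out_format> the agent forwards the raw line unchanged.
            "out_format": lf.findtext("out_format") or "$(log)",
        })
    return blocks


def apply_out_format(template, line, location):
    """Mimic logcollector's substitution of $(log) (and $(location)) in <out_format>."""
    return template.replace("$(log)", line).replace("$(location)", location)


# Python translation of the reply's OSSEC prematch "^\.+mikrotik_routers_log : ".
# In OSSEC regex syntax "\." means any character, so "\.+" is Python ".+".
# The named groups model what a child decoder's <regex> would capture.
PREMATCH = re.compile(r"^(?P<customer>.+?) mikrotik_routers_log : (?P<msg>.*)$")


def decode(forwarded_line):
    """Return the customer label and original message, or None if prematch fails."""
    m = PREMATCH.match(forwarded_line)
    if not m:
        return None
    return {"customer": m.group("customer"), "msg": m.group("msg")}


def simulate(conf_xml, files):
    """Run every configured file's lines through out_format and the decoder."""
    results = []
    for lf in load_localfiles(conf_xml):
        for raw in files.get(lf["location"], []):
            forwarded = apply_out_format(lf["out_format"], raw, lf["location"])
            results.append(decode(forwarded))
    return results


if __name__ == "__main__":
    for event in simulate(AGENT_CONF, SAMPLE_FILES):
        print(event)
```

The point the simulation makes is that the customer label never has to come from the log content itself: it is stamped by the agent per <localfile>, so a rule matched on the parent decoder can still be grouped or filtered per customer by what the child decoder extracts from that prefix.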
