Wazuh decoders for aruba switches

[SP_11]

Hi,

I have onboarded some aruba switches to wazuh but unfortunately the logs are not being showed in the wazuh dashboards since there are not proper decoders available (but logs are stored in /var/ossec/logs/archives with log all option)

I would like to know, can I use a simple decoreder only with the "pre match" being set. Will that bring the events to the dashboards or do I have to create a complex decoder which will extract all the fields in the log message?

Appreciate your expert opinions and assistance on this.

Thank you

[Tomasz Buziak]

For my aruba and d-link switches, I wrote the rules below:

<group name="coreswitch,">
  <rule id="111001" level="3">
    <hostname>192.168.xxx|192.168.xxx|192.168.xxx|192.168....</hostname>
    <description>Core switch logs.</description>
  </rule>
 
  <rule id="111004" level="3">
    <if_sid>111001</if_sid>
    <match>Successful login|logged in</match>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <description>Core switch: successful login.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
 
  <rule id="111005" level="5">
    <if_sid>111001</if_sid>
    <match>login failed|Invalid user</match>
    <description>Core switch: authentication failed.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="111006" level="10" frequency="8" timeframe="120">
    <if_matched_sid>111005</if_matched_sid>
    <same_source_ip />
    <description>Multiple Cores witch user authentication failures.</description>
    <mitre>
      <id>T1110</id>
      <id>T1497</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
 
  <rule id="111002" level="11">
    <if_sid>111001</if_sid>
    <match>link down|now off-line</match>
    <description>Core switch link down.</description>
    <group>gpg13_4.3,</group>
  </rule>
 
  <rule id="111003" level="11">
    <if_sid>111001</if_sid>
    <match>error|bad|failure|failed|warning|fatal|abnormal|denied|fault|collision|drop</match>
    <description>Core switch problem.</description>
    <group>gpg13_4.3,</group>
  </rule>
</group>

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d565df4c-eb8d-4e7e-b415-09e2cdf62f61n%40googlegroups.com.

[Sebastian Dario Bustos]

Hello Shenal,

Thank you for using Wazuh!!!

Yes, you can make a simple parent decoder to catch all the logs comming from your device, you just have to specify a uniquely identifier string on your prematch, then create a level 3 rule that has your decoder name  in the decoded_as field.

Please share a log sample so I can draft a decoder and rule if you like.

Let me know.

Regards.

[SP_11]

Hi sebastian

Thanks for the information. Below are some sample logs. Appreciate it if you could help me with this.

[root@wazuh-server archives]# cat archives.json | grep 2.2.2.2
{"timestamp":"2022-10-20T10:55:20.240+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666263320.2070409387","full_log":"1 2020-11-27T10:00:52Z 2.2.2.2 AAA - DISCONNECT - Hostname: <Switch1>,http connection for user admin, source 1.1.1.1 destination 2.2.2.2 TERMINATED  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:17:08.669+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264628.2138985272","full_log":"1 2020-11-27T10:22:41Z 2.2.2.2 NT_LLDP - LLDP_TRAP - Hostname: <Switch1>,LLDP status: entry deleted on 19.  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:17:09.639+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264629.2139134904","full_log":"1 2020-11-27T10:22:42Z 2.2.2.2 LINK - Down - Hostname: <Switch1>, 19  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:17:12.434+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264632.2139312368","full_log":"1 2020-11-27T10:22:44Z 2.2.2.2 LINK - Up - Hostname: <Switch1>, 19  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:22:08.840+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264928.2154175608","full_log":"1 2020-11-27T10:27:41Z 2.2.2.2 NT_LLDP - LLDP_TRAP - Hostname: <Switch1>,LLDP status: entry deleted on 21.  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:23:10.082+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264990.2157118764","full_log":"1 2020-11-27T10:28:42Z 2.2.2.2 LINK - Down - Hostname: <Switch1>, 19  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:23:12.968+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666264992.2157253416","full_log":"1 2020-11-27T10:28:45Z 2.2.2.2 LINK - Up - Hostname: <Switch1>, 19  ","decoder":{},"location":"2.2.2.2"}
{"timestamp":"2022-10-20T11:23:22.785+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1666265002.2157976600","full_log":"1 2020-11-27T10:28:55Z 2.2.2.2 NT_LLDP - LLDP_TRAP - Hostname: <Switch1>,LLDP status: entry inserted on 19.  ","decoder":{},"location":"2.2.2.2"}

[Sebastian Dario Bustos]

Hello Shenal,
I see the logs are pretty generic, are you ingesting these logs
through syslog? if so, please answer the following questions in
order to better help you configure this:
- Seems like these logs are being ingested directly to the manager, is
this correct?
- How did you configure the reception of the logs? through a remote
config block in your ossec.conf file? or through rsyslog service on
your manager's O.S. to direct the logs to a local file?

The reason I'm asking this is because you can add fields to each log
if you are reading them from a local file making the decoder
unequivocally identify these logs.

Let me know.
Regards.

On Mon, Oct 24, 2022 at 4:02 AM SP_11 <she...@crypto-gen.com> wrote:
>
> Hi sebastian,
>
> were you able to check the sample logs?
>
> Thank you

>
> On Friday, October 21, 2022 at 5:39:36 AM UTC+5:30 sebastia...@wazuh.com wrote:
>>

> --
> You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b34f3d8a-8f80-4f8f-bffa-e7ae17ab9693n%40googlegroups.com.