Hi Henry, for every alert that is not decoded by the existing rulesets, you will need to create decoders and rules following the available guides:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
Following the configuration I shared earlier, I am adding decoders and rules for the "AAA" events, which can serve as a guide for the rest.
************************************************************************************************************************************************************
Samples:
Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED
Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED
Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED
Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 ACCEPTED
Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 TERMINATED. The Telnet/SSH session may still be connected.
Decoder:
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex>^%(AAA-\w+-\w+): (\.*) for user </regex> <!-- This regex will extract the main "AAA" message at the start of the log (i.e.: AAA-I-DISCONNECT), as well as the detail of what the event is about (i.e.: http connection) -->
<order>AAAcisco_event, AAAcisco_event_details1</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> for user (\w+),</regex> <!-- This regex will extract the user name -->
<order>AAAcisco_event_details2</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> for user (\w+) over (\w+) , </regex> <!-- This regex will extract the user name as well as the protocol -->
<order>AAAcisco_event_details2, AAAcisco_event_details3</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> source\.*(\d+.\d+.\d+.\d+) </regex> <!-- This regex will extract the source IP address -->
<order>AAAcisco_event_details4</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> destination\.*(\d+.\d+.\d+.\d+) </regex> <!-- This regex will extract the destination IP address -->
<order>AAAcisco_event_details5</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> \d+.\d+.\d+.\d+ (\w+)$</regex> <!-- This regex will extract the final message (i.e.: TERMINATED) -->
<order>AAAcisco_event_details6</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> \d+.\d+.\d+.\d+  (\w+)$</regex> <!-- This regex will extract the final message (i.e.: TERMINATED) whenever there are two spaces in front of the word instead of one, as I've found on the provided samples -->
<order>AAAcisco_event_details6</order>
</decoder>
<decoder name="ciscolog">
<parent>ciscolog</parent>
<regex> (\w+). (\.*).</regex> <!-- This regex covers the one log with a final text phrase at the end (i.e.: The Telnet/SSH session may still be connected.) -->
<order>AAAcisco_event_details6, AAAcisco_event_details9</order>
</decoder>
Rule:
<group name="ciscologs">
<rule id="100120" level="3">
<decoded_as>ciscolog</decoded_as>
<regex>^%(AAA-\w+-\w+): </regex>
<description>Cisco $(AAAcisco_event) event - $(AAAcisco_event_details1) user $(AAAcisco_event_details2), source $(AAAcisco_event_details4) destination $(AAAcisco_event_details5) $(AAAcisco_event_details6) $(AAAcisco_event_details9)</description>
</rule>
</group>
Logtest (/var/ossec/bin/wazuh-logtest-legacy):
[root@allinone aio]# /var/ossec/bin/wazuh-logtest-legacy
2023/04/03 05:36:29 wazuh-testrule: INFO: Started (pid: 5216).
Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead
wazuh-testrule: Type one log per line.
Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED'
timestamp: 'Mar 29 09:14:31'
hostname: '172.16.33.3'
program_name: '(null)'
log: '%AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED'
**Phase 2: Completed decoding.
decoder: 'ciscolog'
AAAcisco_event: 'AAA-I-DISCONNECT'
AAAcisco_event_details1: 'http connection'
AAAcisco_event_details2: 'sjuarez'
AAAcisco_event_details4: '172.16.33.83'
AAAcisco_event_details5: '172.16.33.3'
AAAcisco_event_details6: 'TERMINATED'
**Phase 3: Completed filtering (rules).
Rule id: '100120'
Level: '3'
Description: 'Cisco AAA-I-DISCONNECT event - http connection user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED '
**Alert to be generated.
Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED'
timestamp: 'Mar 29 09:04:25'
hostname: '172.16.33.3'
program_name: '(null)'
log: '%AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED'
**Phase 2: Completed decoding.
decoder: 'ciscolog'
AAAcisco_event: 'AAA-I-CONNECT'
AAAcisco_event_details1: 'New http connection'
AAAcisco_event_details2: 'sjuarez'
AAAcisco_event_details4: '172.16.33.83'
AAAcisco_event_details5: '172.16.33.3'
AAAcisco_event_details6: 'ACCEPTED'
**Phase 3: Completed filtering (rules).
Rule id: '100120'
Level: '3'
Description: 'Cisco AAA-I-CONNECT event - New http connection user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED '
**Alert to be generated.
Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED'
timestamp: 'Mar 29 09:31:52'
hostname: '172.16.33.3'
program_name: '(null)'
log: '%AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED'
**Phase 2: Completed decoding.
decoder: 'ciscolog'
AAAcisco_event: 'AAA-W-REJECT'
AAAcisco_event_details1: 'New ssh connection'
AAAcisco_event_details2: 'sjuarez'
AAAcisco_event_details4: '172.16.33.84'
AAAcisco_event_details5: '172.16.33.3'
AAAcisco_event_details6: 'REJECTED'
**Phase 3: Completed filtering (rules).
Rule id: '100120'
Level: '3'
Description: 'Cisco AAA-W-REJECT event - New ssh connection user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED '
**Alert to be generated.
Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 ACCEPTED
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 ACCEPTED'
timestamp: 'Mar 29 08:48:56'
hostname: '172.16.33.3'
program_name: '(null)'
log: '%AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 ACCEPTED'
**Phase 2: Completed decoding.
decoder: 'ciscolog'
AAAcisco_event: 'AAA-I-CONNECT'
AAAcisco_event_details1: 'User CLI session'
AAAcisco_event_details2: 'sjuarez'
AAAcisco_event_details3: 'ssh'
AAAcisco_event_details4: '172.16.33.83'
AAAcisco_event_details5: '172.16.33.3'
AAAcisco_event_details6: 'ACCEPTED'
**Phase 3: Completed filtering (rules).
Rule id: '100120'
Level: '3'
Description: 'Cisco AAA-I-CONNECT event - User CLI session user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED '
**Alert to be generated.
Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 TERMINATED. The Telnet/SSH session may still be connected.
**Phase 1: Completed pre-decoding.
full event: 'Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 TERMINATED. The Telnet/SSH session may still be connected.'
timestamp: 'Mar 29 09:11:46'
hostname: '172.16.33.3'
program_name: '(null)'
log: '%AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination 172.16.33.3 TERMINATED. The Telnet/SSH session may still be connected.'
**Phase 2: Completed decoding.
decoder: 'ciscolog'
AAAcisco_event: 'AAA-I-DISCONNECT'
AAAcisco_event_details1: 'User CLI session'
AAAcisco_event_details2: 'sjuarez'
AAAcisco_event_details3: 'ssh'
AAAcisco_event_details4: '172.16.33.83'
AAAcisco_event_details5: '172.16.33.3'
AAAcisco_event_details6: 'TERMINATED'
AAAcisco_event_details9: 'The Telnet/SSH session may still be connected'
**Phase 3: Completed filtering (rules).
Rule id: '100120'
Level: '3'
Description: 'Cisco AAA-I-DISCONNECT event - User CLI session user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED The Telnet/SSH session may still be connected'
**Alert to be generated.
************************************************************************************************************************************************************
I hope this example helps you to keep working on the remaining decoders and rules.
If you have any questions while developing them, please do not hesitate to ask us!
Regards,
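An added example, not part of the post above and not Wazuh code: a small Python emulation of the "ciscolog" child-decoder chain (the double-space variant omitted) and of the rule's description template, so the regexes and field extraction can be checked offline against the sample lines. It assumes an approximate translation of the OS_Regex subset used here into Python `re` and a simplified syslog pre-decoding; wazuh-logtest remains the authoritative check.

```python
import re

# Assumption: this approximates OS_Regex, where a bare '.' is a literal dot,
# '\.' means "any character" and '*' stops at the next literal (lazy).
def os_regex_to_python(pattern):
    def tok(m):
        t = m.group(0)
        if t.startswith("\\"):
            return {r"\.": ".", r"\w": r"\w", r"\d": r"\d", r"\s": r"\s"}.get(t, re.escape(t[1]))
        return {".": r"\.", "*": "*?"}.get(t, t)
    return re.sub(r"\\.|.", tok, pattern)

# (OS_Regex, <order>) pairs copied from the decoders in the post
DECODERS = [
    (r"^%(AAA-\w+-\w+): (\.*) for user ", ["AAAcisco_event", "AAAcisco_event_details1"]),
    (r" for user (\w+),", ["AAAcisco_event_details2"]),
    (r" for user (\w+) over (\w+) , ", ["AAAcisco_event_details2", "AAAcisco_event_details3"]),
    (r" source\.*(\d+.\d+.\d+.\d+) ", ["AAAcisco_event_details4"]),
    (r" destination\.*(\d+.\d+.\d+.\d+) ", ["AAAcisco_event_details5"]),
    (r" \d+.\d+.\d+.\d+ (\w+)$", ["AAAcisco_event_details6"]),
    (r" (\w+). (\.*).", ["AAAcisco_event_details6", "AAAcisco_event_details9"]),
]
DESCRIPTION = ("Cisco $(AAAcisco_event) event - $(AAAcisco_event_details1) user "
               "$(AAAcisco_event_details2), source $(AAAcisco_event_details4) destination "
               "$(AAAcisco_event_details5) $(AAAcisco_event_details6) $(AAAcisco_event_details9)")
SYSLOG_HEADER = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (.*)$")  # simplified pre-decoding

def decode(event):
    """Same-name sibling decoders are chained: every one whose regex matches adds its fields."""
    m = SYSLOG_HEADER.match(event)
    log = m.group(1) if m else event
    fields = {}
    for os_pattern, order in DECODERS:
        hit = re.search(os_regex_to_python(os_pattern), log)
        if hit:
            fields.update(zip(order, hit.groups()))
    return fields

def describe(fields):
    """Expand the rule's $(field) placeholders; unset fields expand to '' as in wazuh-logtest."""
    return re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), ""), DESCRIPTION)

if __name__ == "__main__":
    # sample line taken from the post
    sample = "Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED"
    print(decode(sample))
    print(describe(decode(sample)))
```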