I can't see any Cisco logs alert in Kibana.


Still Guru
Apr 28, 2021, 12:52:28 PM
to Wazuh mailing list

All, I managed to configure Wazuh on a two-node setup.
Node 1 ---> Wazuh manager and Filebeat
Node 2 ---> Elasticsearch and Kibana

Everything is working for agent devices.
Issue:
I configured a Cisco switch to send logs to the Wazuh manager syslog server.
tcpdump indicated that logs are being received on the syslog server. Logs are decoded properly when tested with logtest. I am still new to Wazuh and learning my way around. I am at a loss. I don't seem to understand why any events related to Cisco devices are not showing in Kibana. They are not making it to tail -f /var/ossec/logs/alerts/alerts.json either. Any help or sample custom decoder for Cisco devices would be appreciated.


Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

ossec-testrule: Type one log per line.

470: Apr 28 10:48:52 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Doe] [Source: X.X.X.X] [localport: 22] at 10:48:52 EDT Wed Apr 28 2021


**Phase 1: Completed pre-decoding.
       full event: '470: Apr 28 10:48:52 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:Doe] [Source: 10.83.9.212] [localport: 22] at 10:48:52 EDT Wed Apr 28 2021'
       timestamp: '470: Apr 28 10:48:52'
       hostname: 'TesT'
       program_name: 'EDT'
       log: '%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Doe] [Source: X. X.X.X ] [localport: 22] at 10:48:52 EDT Wed Apr 28 2021'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SEC_LOGIN-5-LOGIN_SUCCESS'
       id: '%SEC_LOGIN-5-LOGIN_SUCCESS'

**Phase 3: Completed filtering (rules).
       Rule id: '4722'
       Level: '3'
       Description: 'Cisco IOS: Successful login to the router.'
**Alert to be generated.

Thanks
Still.

Still Guru
Apr 28, 2021, 3:51:02 PM
to Wazuh mailing list
Additional information; any help will be greatly appreciated.
The Wazuh manager is logging all Cisco events at /var/ossec/logs/archives/archives.log, but it seems that even though the rules are being matched, no messages are being written into /var/ossec/logs/alerts/alerts.json for Filebeat to forward to Elasticsearch so that Kibana can show them in the UI.

cat /var/ossec/logs/archives/archives.log | grep X.X.X.X
2021 Apr 28 00:29:11 X.X.X.X->/var/log/syslog Apr 28 00:29:10 X.X.X.X : 2021 Apr 27 20:29:10 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  High Temperature Warning
2021 Apr 28 00:29:11 X.X.X.X->/var/log/syslog Apr 28 00:29:10 X.X.X.X : 2021 Apr 27 20:29:10 EDT: %ETHPORT-3-IF_SFP_ALARM: Interface Ethernet3/44,  High Temperature Alarm cleared
2021 Apr 28 00:34:12 X.X.X.X->/var/log/syslog Apr 28 00:34:10 X.X.X.X : 2021 Apr 27 20:34:10 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  High Temperature Warning cleared

Juan Pablo Soliani
Apr 29, 2021, 11:18:37 AM
to Wazuh mailing list
Hello Still, 

 Hope you are doing great.

 The samples you sent from the archives.log are not the clean logs; the first part (2021 Apr 28 00:29:11 X.X.X.X->/var/log/syslog Apr 28 00:29:10 X.X.X.X :) is added by the manager, so the clean log would be:

2021 Apr 27 20:29:10 EDT: %ETHPORT-3-IF_SFP_ALARM: Interface Ethernet3/44, High Temperature Alarm cleared

 And these logs should work fine with the 'cisco-ios' stack decoders and trigger level 4 alerts (Cisco IOS ....).

 One thing worth mentioning is that archives.log isn't as useful as archives.json is. Could you enable <logall_json> (and disable <logall>) in /var/ossec/etc/ossec.conf and restart the manager (systemctl restart wazuh-manager)?

 Then run tail -f /var/ossec/logs/archives/archives.json | grep 'IF_SFP_'  and you should see something like this:

{"timestamp":"2021-04-29T11:18:27.193-0300","rule":{"level":4,"description":"Cisco IOS error message.","id":"4713","firedtimes":1,"mail":false,"groups":["syslog","cisco_ios"],"gpg13":["3.5"]},"agent":{"id":"000","name":"AXXXX0"},"manager":{"name":"AXXXX0"},"id":"1619705907.4883","full_log":"2021 Apr 27 20:29:10 EDT: %ETHPORT-3-IF_SFP_ALARM: Interface Ethernet3/44, High Temperature Alarm cleared","predecoder":{"program_name":"EDT","timestamp":"2021 Apr 27 20:29:10"},"decoder":{"name":"cisco-ios"},"data":{"id":"%ETHPORT-3-IF_SFP_ALARM"},"location":"/var/testlog.log"}

 If you don't, send me a sample of what you get from the archives.json file. Also, check that the files /ruleset/decoders/0065-cisco-ios_decoders.xml and /ruleset/rules/0075-cisco-ios_rules.xml exist; we need them to process the logs.

Regards,
 John.-

Still Guru
Apr 29, 2021, 1:52:25 PM
to Wazuh mailing list
John,
Thanks for your response. <logall_json>yes</logall_json> is already enabled.
Below is the output of the command you requested:

# tail -f /var/ossec/logs/archives/archives.json | grep 'IF_SFP_'
{"timestamp":"2021-04-29T16:42:52.833+0000","agent":{"id":"000","name":"Doe"},"manager":{"name":"Doe"},"id":"1619714572.1468241","full_log":"Apr 29 16:42:52 X.X.X.X : 2021 Apr 29 12:42:52 EDT: %ETHPORT-3-IF_SFP_ALARM: Interface Ethernet3/44,  Low Temperature Alarm","predecoder":{"program_name":"","timestamp":"Apr 29 16:42:52","hostname":"X.X.X.X"},"decoder":{},"location":"/var/log/syslog"}
{"timestamp":"2021-04-29T16:42:52.833+0000","agent":{"id":"000","name":"Doe"},"manager":{"name":"Doe"},"id":"1619714572.1468241","full_log":"Apr 29 16:42:52 X.X.X.X : 2021 Apr 29 12:42:52 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  Low Temperature Warning","predecoder":{"program_name":"","timestamp":"Apr 29 16:42:52","hostname":"X.X.X.X"},"decoder":{},"location":"/var/log/syslog"}


"These logs should work fine with the 'cisco-ios' stack decoders and trigger level 4 alerts (Cisco IOS ....)."
Yes, it triggers level 4. Last time I checked with /var/ossec/bin/ossec-logtest it said **Alert to be generated, but I never see it in Kibana.


"Check that the files /ruleset/decoders/0065-cisco-ios_decoders.xml and /ruleset/rules/0075-cisco-ios_rules.xml exist."
Both files exist.

JohnDoe:/var/ossec/ruleset/rules# ls -l 0075-cisco-ios_rules.xml
-rw-r----- 1 root ossec 2794 Mar 22 13:27 0075-cisco-ios_rules.xml


:/var/ossec/ruleset/decoders# ls -l 0065-cisco-ios_decoders.xml
-rw-r----- 1 root ossec 3933 Mar 22 13:27 0065-cisco-ios_decoders.xml

Note: I have the alert level set to 3.
<alerts>
  <log_alert_level>3</log_alert_level>
</alerts>



Juan Pablo Soliani
Apr 30, 2021, 8:03:31 PM
to Wazuh mailing list
Hello Still, 

 Hope you are doing great.

 According to the data from the archives.json you've sent us, we can see that the log arriving at the manager is this one (I added a valid IPv4 address to match the decoder):

Apr 29 16:42:52 10.1.1.10 : 2021 Apr 29 12:42:52 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44, Low Temperature Warning

 We only have a pre-decoder matching the timestamp, the hostname and program_name. We need a cisco-ios sibling decoder to work with this format. Let's create it:

 Add to /var/ossec/etc/decoders/local_decoder.xml these lines (or create a new decoder file in the same location):

<decoder name="cisco-ios">
  <program_name />
  <prematch>^\d\d\d\d \w+ \d+ \d+:\d+:\d+ \w+: </prematch>
</decoder>

<decoder name="cisco-ios_child">
  <parent>cisco-ios</parent>
  <regex>^(\d\d\d\d \w+ \d+ \d+:\d+:\d+) \w+: </regex>
  <order>timegenerated</order>
</decoder>

<decoder name="cisco-ios_child">
  <parent>cisco-ios</parent>
  <regex offset="after_parent">(\.+): </regex>
  <order>id</order>
</decoder>

<decoder name="cisco-ios_child">
  <parent>cisco-ios</parent>
  <regex offset="after_parent">\.+: (\.+),</regex>
  <order>interface</order>
</decoder>

<decoder name="cisco-ios_child">
  <parent>cisco-ios</parent>
  <regex offset="after_parent">\.+: \.+,\.\.(\.+)$</regex>
  <order>message</order>
</decoder> 

 This 'cisco-ios' sibling decoder will be able to get the timegenerated, id, interface and message data from the log. After this is done, the cisco-ios stack rules will trigger alerts by default. Test it with the logtest tool!

**Phase 1: Completed pre-decoding.
full event: 'Apr 29 16:42:52 10.1.1.10 : 2021 Apr 29 12:42:52 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44, Low Temperature Warning'
timestamp: 'Apr 29 16:42:52'
hostname: '10.1.1.10'
program_name: ''
log: '2021 Apr 29 12:42:52 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44, Low Temperature Warning'


**Phase 2: Completed decoding.
decoder: 'cisco-ios'
timegenerated: '2021 Apr 29 12:42:52'
id: '%ETHPORT-4-IF_SFP_WARNING'
interface: 'Interface Ethernet3/44'
message: 'Low Temperature Warning'


**Phase 3: Completed filtering (rules).
Rule id: '4714'
Level: '4'
Description: 'Cisco IOS warning message.'
**Alert to be generated.

Here's the documentation to create custom decoders and rules, also the regular expression syntax and finally more information regarding sibling decoders. Hope this helps,
Regards,
John.-
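The pre-decoding step and the sibling decoder chain from the reply above, emulated in Python as an added example (this is my own translation for testing the parsing logic offline, not code from the thread or from Wazuh; the Wazuh-to-Python regex mapping, the simplified syslog pre-decoder and the sample line are assumptions). It also accepts either one or two spaces after the interface comma, which the thread's logs show in both forms:

```python
import re

# Python equivalents of the decoder regexes (my translation, not Wazuh's engine):
# Wazuh '\d' -> [0-9], '\w' -> [A-Za-z0-9@_-], '\.+' -> '.+'. Children marked
# offset="after_parent" run on the text after the parent's prematch; the
# timegenerated child has no offset, so it runs on the whole log.
W = r"[A-Za-z0-9@_-]+"
PREMATCH = re.compile(rf"^[0-9]{{4}} {W} [0-9]+ [0-9]+:[0-9]+:[0-9]+ {W}: ")
TIMEGEN = re.compile(rf"^([0-9]{{4}} {W} [0-9]+ [0-9]+:[0-9]+:[0-9]+) {W}: ")
ID_RE = re.compile(r"^(.+?): ")
IFACE_RE = re.compile(r"^.+?: (.+?),")
# The post's '\.\.' skips exactly two characters after the comma; '\s+' here
# tolerates the one- or two-space variants seen in the thread (a generalisation).
MSG_RE = re.compile(r"^.+?: .+?,\s+(.+)$")

# Simplified stand-in for Wazuh's syslog pre-decoder: "Mon dd HH:MM:SS host [prog]: rest".
SYSLOG_HDR = re.compile(r"^([A-Z][a-z]{2} +\d+ \d+:\d+:\d+) (\S+) (?:([^\s:]*)\s*: )?(.*)$")

# Constructed sample with the same shape as the archives.json full_log in the thread.
SAMPLE = ("Apr 29 16:42:52 10.1.1.10 : 2021 Apr 29 12:42:52 EDT: "
          "%ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  Low Temperature Warning")

def predecode(line):
    """Split the syslog header into timestamp / hostname / program_name / log."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"timestamp": "", "hostname": "", "program_name": "", "log": line}
    ts, host, prog, log = m.groups()
    return {"timestamp": ts, "hostname": host, "program_name": prog or "", "log": log}

def decode_cisco_ios(log):
    """Emulate the custom 'cisco-ios' parent and its four children; None if prematch fails."""
    pm = PREMATCH.match(log)
    if not pm:
        return None
    rest = log[pm.end():]  # what the after_parent children see
    fields = {"decoder": "cisco-ios"}
    for name, rx, text in (("timegenerated", TIMEGEN, log), ("id", ID_RE, rest),
                           ("interface", IFACE_RE, rest), ("message", MSG_RE, rest)):
        m = rx.match(text)
        if m:
            fields[name] = m.group(1)
    return fields

def process(line):
    """Full path: pre-decode the syslog header, then decode the remaining Cisco text."""
    pre = predecode(line)
    return pre, decode_cisco_ios(pre["log"])

if __name__ == "__main__":
    print(process(SAMPLE))
```

A log whose text starts directly at the message id (like the %SEC_LOGIN line from the first logtest run, where the pre-decoder had already consumed the date) does not satisfy this prematch, so decode_cisco_ios returns None for it.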

Still Guru
May 1, 2021, 12:22:16 PM
to Juan Pablo Soliani, Wazuh mailing list
John, thanks for the update. I modified /var/ossec/etc/decoders/local_decoder.xml and added the decoder you provided, restarted the Wazuh manager and tested it, and got "alert to be generated"; however, I am still not seeing it in Kibana.

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

ossec-testrule: Type one log per line.

2021 May  1 11:07:23 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  Low Temperature Warning cleared


**Phase 1: Completed pre-decoding.
       full event: '2021 May  1 11:07:23 EDT: %ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  Low Temperature Warning cleared'
       timestamp: '2021 May  1 11:07:23'
       hostname: 'JohnDoe'
       program_name: 'EDT'
       log: '%ETHPORT-4-IF_SFP_WARNING: Interface Ethernet3/44,  Low Temperature Warning cleared'


**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%ETHPORT-4-IF_SFP_WARNING'
       id: '%ETHPORT-4-IF_SFP_WARNING'


**Phase 3: Completed filtering (rules).
       Rule id: '4714'
       Level: '4'
       Description: 'Cisco IOS warning message.'
**Alert to be generated.


Juan Pablo Soliani
May 5, 2021, 12:54:06 PM
to Wazuh mailing list
Hello Still, 

 Good, the decoders are working now. Let's check two things: make sure alerts.json has logs triggering alerts, and also let's see if Filebeat is connected to Elasticsearch and reading the alerts.json file.

Let's inspect the alerts.json file (with cat or tail):
 - cat /var/ossec/logs/alerts/alerts.json | grep 'ETHPORT-'
 - tail -f /var/ossec/logs/alerts/alerts.json | grep 'ETHPORT-'

Also, let's make sure filebeat is reading the alerts.json:
 - lsof /var/ossec/logs/alerts/alerts.json 
   (you should get this)

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1172 root 10r REG 253,0 6182116 51529284 /var/ossec/logs/alerts/alerts.json
ossec-ana 7464 ossec 13w REG 253,0 6182116 51529284 /var/ossec/logs/alerts/alerts.json

If this is looking good, we'll check filebeat status with:
 - filebeat test output 
  (should return all checks with OK)

elasticsearch: https://x.x.x.x:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: x.x.x.x
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.0

If this is not the case, please send me the results of these commands: 
 - journalctl -u filebeat --no-pager | grep -E "WARN|ERROR"
 - cat /var/log/elasticsearch/elasticsearch.log | grep -E "WARN|ERROR"

 Let me know the results.

Regards,
John.- 
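The two pipeline checks described above (who holds alerts.json open, and whether every step of `filebeat test output` reports OK), as an added example parsing the sample outputs from this reply; it is my own helper, not part of the thread or of Wazuh, and the sample texts are copied from the reply rather than taken from a live system:

```python
import re

# Samples copied from the reply above (constructed input, not live output).
LSOF_SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
filebeat 1172 root 10r REG 253,0 6182116 51529284 /var/ossec/logs/alerts/alerts.json
ossec-ana 7464 ossec 13w REG 253,0 6182116 51529284 /var/ossec/logs/alerts/alerts.json
"""
FILEBEAT_SAMPLE = """elasticsearch: https://x.x.x.x:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: x.x.x.x
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.0
"""

def alerts_file_handles(lsof_text, path="/var/ossec/logs/alerts/alerts.json"):
    """Return the commands holding `path` open for reading (FD ends in r) and writing (w)."""
    readers, writers = [], []
    for line in lsof_text.splitlines()[1:]:  # skip the lsof header row
        cols = line.split()
        if len(cols) < 9 or cols[-1] != path:
            continue
        cmd, fd = cols[0], cols[3]
        if fd.endswith("r"):
            readers.append(cmd)
        elif fd.endswith("w"):
            writers.append(cmd)
    return {"readers": readers, "writers": writers}

def pipeline_ok(lsof_text):
    """True when filebeat is reading alerts.json and the analysis daemon is writing it."""
    h = alerts_file_handles(lsof_text)
    return "filebeat" in h["readers"] and any(w.startswith("ossec-ana") for w in h["writers"])

def filebeat_failed_checks(test_output):
    """Names of 'filebeat test output' steps whose status is anything other than OK."""
    failed = []
    for line in test_output.splitlines():
        m = re.match(r"^\s*(.+?)\.\.\. (.+)$", line)  # "step... STATUS"; bare "step..." lines are headings
        if m and m.group(2).strip() != "OK":
            failed.append(m.group(1))
    return failed
```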

Still Guru
May 10, 2021, 2:08:29 PM
to Wazuh mailing list
Hello John,
I was waiting for a new alert to be generated on the switch so I could verify it after testing with wazuh-logtest instead. It's working now; I can see the events in Kibana. Thank you very much. The only issue I am having now is that before, I was getting login messages (for example, whenever I logged into the switch) and also interface up and down events. I was seeing the up and down syslog events on the Wazuh manager, but for some reason I am no longer seeing those messages. I think that while modifying /var/ossec/etc/decoders/local_decoder.xml or ossec.conf I might have altered something. I am looking into the configs to see if I can get it fixed.

Sample; I am no longer seeing this in the Wazuh manager syslog:
470: Apr 28 10:48:52 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Doe] [Source: X.X.X.X] [localport: 22] at 10:48:52 EDT Wed Apr 28 2021
