Hi M G,
When an agent (already registered) connects to the manager, an alert like the following one is generated:
{"timestamp":"2023-03-29T09:45:08.229-0300","rule":{"level":3,"description":"Ossec agent started.","id":"503","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1","10.2.6"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14","AU.5"],"tsc":["CC7.2","CC7.3","CC6.8"]},"agent":{"id":"001","name":"agent-name","ip":"1.2.3.4"},"manager":{"name":"nico-VirtualBox"},"id":"1680093908.2424980","full_log":"ossec: Agent started: 'LAPTOP-SI21F60O->any'.","decoder":{"parent":"ossec","name":"ossec"},"data":{"extra_data":"LAPTOP-SI21F60O->any"},"location":"wazuh-agent"}
But if what you want is to generate an alert when a new agent registers, what I think could be a solution is to monitor the ossec.log file of the manager: when a new key is generated, a message like the following one is logged
2023/03/29 10:01:11 wazuh-authd: INFO: Agent key generated for 'agent-name' (requested by any)
After this, all that remains is to create the decoder and the rule.
I did this proof of concept:
1. Add the configuration to the manager to monitor ossec.log
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/ossec.log</location>
</localfile>
2. Create the new decoders inside the file /var/ossec/etc/decoders/local_decoder.xml
<!-- Parent decoder: matches the ossec.log timestamp followed by the wazuh-authd tag -->
<decoder name="authd_log">
  <prematch>^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d wazuh-authd: </prematch>
</decoder>

<!-- Child decoder: extracts the agent name from the "Agent key generated" message -->
<decoder name="authd_log_new_key">
  <parent>authd_log</parent>
  <regex type="pcre2">INFO: Agent key generated for '(\S+)'</regex>
  <order>agent</order>
</decoder>
3. Create the new rules inside the file /var/ossec/etc/rules/local_rules.xml
<!-- Grouping rule (level 0, no alert) for every wazuh-authd line -->
<rule id="200001" level="0">
  <decoded_as>authd_log</decoded_as>
  <description>Wazuh-authd Messages Grouped</description>
</rule>

<!-- Fires only when the child decoder populated the "agent" field -->
<rule id="200002" level="3">
  <if_sid>200001</if_sid>
  <field name="agent">\.+</field>
  <description>New agent added: '$(agent)'</description>
</rule>
4. Restart the manager
5. Test decoders and rules with wazuh-logtest
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line
2023/03/29 10:01:11 wazuh-authd: INFO: Agent key generated for 'agent-name' (requested by any)
**Phase 1: Completed pre-decoding.
full event: '2023/03/29 10:01:11 wazuh-authd: INFO: Agent key generated for 'agent-name' (requested by any)'
**Phase 2: Completed decoding.
name: 'authd_log'
agent: 'agent-name'
**Phase 3: Completed filtering (rules).
id: '200002'
level: '3'
description: 'New agent added: 'agent-name''
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
6. Register an agent and check that the alert has been generated correctly.
{"timestamp":"2023-03-29T10:34:32.424-0300","rule":{"level":3,"description":"New agent added: 'LAPTOP-SI21F60O'","id":"200002","firedtimes":1,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"nico-VirtualBox"},"manager":{"name":"nico-VirtualBox"},"id":"1680096872.4169774","full_log":"2023/03/29 10:34:31 wazuh-authd: INFO: Agent key generated for 'agent-name' (requested by any)","decoder":{"name":"authd_log"},"data":{"agent":"LAPTOP-SI21F60O"},"location":"/var/ossec/logs/ossec.log"}
Here I share information about custom rules and decoders.
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html
Also, the wazuh-logtest tool can help with the whole process: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html
I hope it helps.
Best regards,
Pedro Nicolas.
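The following is an added example, not part of the post above or of the Wazuh ruleset: a small Python reproduction of the decoder/rule chain from the post (parent prematch, child regex, grouping rule 200001 and alerting rule 200002), run over a few constructed ossec.log lines so the behaviour can be checked offline without a manager. The regex for the agent name is the PCRE2 one from the post; capturing the `(requested by ...)` suffix into a `requester` field is an extension added here, and the non-matching log lines in `SAMPLE_LOG` are constructed for the test, not copied from a real manager.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Parent decoder "authd_log": the post's prematch, written in Python re syntax.
# It anchors on the ossec.log timestamp and the wazuh-authd tag.
PREMATCH = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} wazuh-authd: ")

# Child decoder "authd_log_new_key": the post's PCRE2 regex for the agent name.
# The optional "(requested by ...)" group is an addition of this example.
NEW_KEY = re.compile(
    r"INFO: Agent key generated for '(?P<agent>\S+)'"
    r"(?: \(requested by (?P<requester>[^)]+)\))?"
)


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    agent: Optional[str]
    requester: Optional[str]


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields, or None when the parent decoder does not match."""
    if not PREMATCH.match(line):
        return None
    fields: dict = {}
    m = NEW_KEY.search(line)
    if m:
        fields["agent"] = m.group("agent")
        if m.group("requester"):
            fields["requester"] = m.group("requester")
    return fields


def evaluate(line: str) -> Optional[Alert]:
    """Apply rules 200001/200002 the way the post defines them."""
    fields = decode(line)
    if fields is None:
        return None  # not a wazuh-authd line: no rule reached
    # Rule 200002: <if_sid>200001</if_sid> plus <field name="agent">\.+</field>
    if fields.get("agent"):
        return Alert(200002, 3, f"New agent added: '{fields['agent']}'",
                     fields["agent"], fields.get("requester"))
    # Rule 200001: grouping rule, level 0, so no alert is written
    return Alert(200001, 0, "Wazuh-authd Messages Grouped", None, None)


def alerts_from_log(lines) -> list:
    """Scan a whole log and keep only what would reach alerts.json (level > 0)."""
    return [a for a in (evaluate(l) for l in lines) if a is not None and a.level > 0]


# Constructed sample of an ossec.log; only the "Agent key generated" lines
# are in the format shown in the post, the rest are made up for the test.
SAMPLE_LOG = [
    "2023/03/29 10:01:11 wazuh-authd: INFO: Agent key generated for 'agent-name' (requested by any)",
    "2023/03/29 10:01:12 wazuh-authd: INFO: New connection from 192.0.2.10",
    "2023/03/29 10:01:13 wazuh-remoted: INFO: Agent key generated for 'not-authd' (requested by any)",
    "2023/03/29 10:01:14 wazuh-authd: INFO: Agent key generated for 'web-01' (requested by 192.0.2.10)",
]

if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print(alert.rule_id, alert.level, alert.description, alert.requester)
```

The third sample line shows why the parent prematch matters: the same message text logged by another daemon is ignored, because rule 200002 is only reachable through the `wazuh-authd` decoder. Any regex change made here should still be confirmed with wazuh-logtest, since Wazuh's own regex engine (not Python's) is what runs on the manager.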