Decoder HPE Alletra and HPE Primera

Kobrik Kobrikovic

unread,

Jul 12, 2024, 3:52:19 AM7/12/24

to Wazuh | Mailing List

Hi, I need help with a decoder. I'm trying to create a decoder and ruleset for a syslog of an HPE Alletra and HPE Primera disk array.
I manage to decode everything after timestamp and hostname in batches. But I need the timestamp and hostname for further processing of the ruleset.

Log:
Jul 11 14:29:38 3PAR_XZ123456SV new_obj sw_user_conn:11374:10.100.0.103:55555:jiri.novak User Connection 11374(10.1.1.10:55555:jiri.novak) added

Decoders:
<decoder name="alletra">
<prematch>new_obj</prematch>
</decoder>

<decoder name="alletra">
<parent>alletra</parent>
<regex>(\w+ \d+ \d+:\d+:\d+) ([^^s]+) new_obj (\w+)</regex>
<order>timestamp,hostname,program,action</order>
</decoder>

<decoder name="alletra">
<parent>alletra</parent>
<regex> (\w+) new_obj</regex>
<order>system_hostname</order>
</decoder>

<decoder name="alletra">
<parent>alletra</parent>
<regex>new_obj (\w+)</regex>
<order>action</order>
</decoder>

<decoder name="alletra">
<parent>alletra</parent>
<regex>sw_user_conn:(\w+):(\S+):(\S+):(\S+)</regex>
<order>action_id,srcip,srcport,username</order>
</decoder>

Test result:

**Phase 1: Completed pre-decoding.

full event: ' Jul 11 14:29:38 3PAR_XZ123456SV new_obj sw_user_conn:11374:10.100.0.103:55555:jiri.novak User Connection 11374(10.1.1.10:55555:jiri.novak) added '

timestamp: ' Jul 11 14:29:38'

hostname: ' 3PAR_XZ123456SV '

**Phase 2: Completed decoding.

name: 'alletra'

action: 'sw_user_conn'

action_id: '30854'

srcip: '10.100.0.103'

srcport: '55555'

username: 'jiri.novotny'

Please, why timestamp and hostname remains only in pre-decoded? Thank you very much for your help.

**Messages: WARNING: (7003): '8c2550a6' token expires INFO: (7202): Session initialized with token 'a1d2ecbf' **Phase 1: Completed pre-decoding. full event: 'Jul 11 11:09:33 3PAR_CZ230208SV new_obj sw_user_conn:30854:127.0.0.1:45794:bohdan.danek User Connection 30854(127.0.0.1:45794:bohdan.danek) added' timestamp: 'Jul 11 11:09:33' hostname: '3PAR_CZ230208SV' **Phase 2: Completed decoding. name: 'alletra' action: 'sw_user_conn' action_id: '30854' srcip: '127.0.0.1' srcport: '45794' username: 'bohdan.danek'

Md. Nazmur Sakib

unread,

Jul 12, 2024, 6:03:22 AM7/12/24

to Wazuh | Mailing List

Hi Kobrik Kobrikovic, There are two phases of decoding. The input log first goes through the pre-decoding phase, during which general information, such as a timestamp, a hostname, and a program name, are extracted when a Syslog-like header is present.

In the decoding phase, the decoder extracts information from the remaining log. In this example, the decoder only analyzes the message: new_obj sw_user_conn:30854:127.0.0.1:45794:bohdan.danek User Connection 30854(127.0.0.1:45794:bohdan.danek) added'

I have written a sample decoder to test it.

<decoder name="alletra">

</decoder>

<parent>alletra</parent>

</decoder>

So it is not possible to grip the hostname in the decoding phase and use it in a rule.

Alternatively, if you are using localfile to forward these logs to Wazuh you can add some additional value at the start of the log.

<log_format>syslog</log_format>

<out_format target="custom_socket">alletra log: $(log)</out_format>

</localfile>

After this, the log format will be changed to this
alletra log: Jul 11 14:29:38 3PAR_XZ123456SV new_obj sw_user_conn:11374:10.100.0.103:55555:jiri.novak User Connection 11374(10.1.1.10:55555:jiri.novak) added

and will not go to the pre-decoding phase.

Now you will be able to use those values in the decoder and rules.

Let me know if you need any furter assistance on this.

Kobrik Kobrikovic

unread,

Jul 29, 2024, 3:48:38 AM7/29/24

to Wazuh | Mailing List

Hello, thank you for the directions. I kind of figured. After adjusting according to your recommendation, everything is OK.

Dne pátek 12. července 2024 v 12:03:22 UTC+2 uživatel Md. Nazmur Sakib napsal:

Reply all

Reply to author

Forward