CSV decoder for SonicWall logs


Denys Shevchuk

Jul 26, 2024, 5:11:35 AM
to Wazuh | Mailing List
Hi there,

I'm trying to pull the SonicWall logs to the Wazuh server using the Wazuh agent. For some reason it doesn't show the logs on the dashboard, so I hope someone can help me understand why. Here are my settings:
1) Config on the Wazuh agent
  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\temp\syslogs\*</location>
  </localfile>
2) Information that the Wazuh agent is trying to analyse the log:
2024/07/26 09:33:35 wazuh-agent: INFO: (1950): Analyzing file: 'C:\temp\syslogs\log_052AC8-0124_03_28_22_58-1.csv'.
3) Example of CSV log file attached.
4) Wazuh custom decoder:
<decoder name="sonicwall-csv">
  <prematch>^UTC</prematch>
</decoder>
<decoder name="sonicwall-fields">
  <parent>sonicwall-csv</parent>
  <regex offset="after_parent">([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)\s([^,]+)$</regex>
  <order>
    Time, ID, Category, Group, Event, Msg. Type, Priority, Ether Type, Src. MAC, Src. Vendor, Src. Int., Src. Zone, Dst. MAC, Dst. Vendor, Dst. Int., Dst. Zone, Src. IP, Src. Port, Src. Name, Src. NAT IP, Src. NAT Port, In SPI, Dst. IP, Dst. Port, Dst. Name, Dst. NAT IP, Dst. NAT Port, Out SPI, IP Protocol, ICMP Type, ICMP Code, RX Bytes, TX Bytes, Access Rule, NAT Policy, User Name, Session Time, Session Type, IDP Rule, IDP Priority, HTTP OP, URL, VPN Policy, HTTP Result, Block Cat, Application, FW Action, DPI, Notes, Message, HTTP Referer
  </order>
</decoder>
5) Wazuh custom rule.
<group name="sonicwall">
  <rule id="120502" level="3">
    <decoded_as>sonicwall-csv</decoded_as>
    <description>SonicWall log event</description>
  </rule>
</group>
6) Decoder test result:
**Phase 1: Completed pre-decoding.
full event: 'UTC 03/20/2024 23:00:37 939 VPN VPN IKEv2 Responder: Received IKE_SA_INIT Request Standard Note String Information'

**Phase 2: Completed decoding.
name: 'sonicwall-csv'

**Phase 3: Completed filtering (rules).
id: '120502'
level: '3'
description: 'SonicWall log event'
groups: '["sonicwall"]'
firedtimes: '1'
mail: 'false'

**Alert to be generated.

The problem is that I cannot see them in the dashboard. I have enabled logall to see the archives.log and I can't find them there.

Any help much appreciated.

Thanks,
Denys
Screenshot 2024-07-26 120438.png
CSV example.csv
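An added pre-check, not part of this thread or of Wazuh, that maps a CSV line onto the 51 names in the <order> element above and lists the reasons the posted decoder pair would not decode it fully. It assumes the export is comma-separated with the columns in that order; the sample line is constructed, not the attached file.

```python
import csv
import io

# Column names in the order given by the decoder's <order> element above (51).
SONICWALL_FIELDS = [
    "Time", "ID", "Category", "Group", "Event", "Msg. Type", "Priority", "Ether Type",
    "Src. MAC", "Src. Vendor", "Src. Int.", "Src. Zone", "Dst. MAC", "Dst. Vendor",
    "Dst. Int.", "Dst. Zone", "Src. IP", "Src. Port", "Src. Name", "Src. NAT IP",
    "Src. NAT Port", "In SPI", "Dst. IP", "Dst. Port", "Dst. Name", "Dst. NAT IP",
    "Dst. NAT Port", "Out SPI", "IP Protocol", "ICMP Type", "ICMP Code", "RX Bytes",
    "TX Bytes", "Access Rule", "NAT Policy", "User Name", "Session Time", "Session Type",
    "IDP Rule", "IDP Priority", "HTTP OP", "URL", "VPN Policy", "HTTP Result", "Block Cat",
    "Application", "FW Action", "DPI", "Notes", "Message", "HTTP Referer",
]

# Constructed sample line (not the attached file): a VPN event with the first seven
# columns filled and the remaining 44 empty, as SonicWall exports commonly look.
SAMPLE_VPN = ("UTC 03/20/2024 23:00:37,939,VPN,VPN,IKEv2 Responder: Received "
              "IKE_SA_INIT Request,Standard Note String,Information" + "," * 44)

def parse_sonicwall_row(line: str) -> dict:
    """Split one CSV line into a dict keyed by the decoder's field names."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(SONICWALL_FIELDS):
        raise ValueError(f"expected {len(SONICWALL_FIELDS)} columns, got {len(row)}")
    return dict(zip(SONICWALL_FIELDS, row))

def decoder_issues(line: str) -> list:
    """Reasons the posted decoder pair would not fully decode this line.
    The parent needs 'UTC' at the start.  The child joins its groups with \\s and
    each group is [^,]+, so it cannot consume a comma and needs every column non-empty."""
    issues = []
    if not line.startswith("UTC"):
        issues.append("parent prematch ^UTC does not match")
    if "," in line:
        issues.append("child regex has no token that matches a comma")
    try:
        fields = parse_sonicwall_row(line)
    except ValueError as exc:
        return issues + [str(exc)]
    empty = [name for name, value in fields.items() if value == ""]
    if empty:
        issues.append(f"{len(empty)} empty columns (first: {empty[0]!r})")
    return issues
```

Run decoder_issues() over a few real lines from the export before reworking the child decoder; an empty list means only the field mapping itself is left to verify with wazuh-logtest.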

Diego Mendez Sakugawa

Jul 26, 2024, 7:27:01 AM
to Wazuh | Mailing List
Hello Denys Shevchuk,

What version of Wazuh are you using?
Please let me perform a few tests with the information you shared.

Best regards,
Diego

Denys Shevchuk

Aug 2, 2024, 4:54:30 AM
to Wazuh | Mailing List
Hi Diego,

App version: 4.7.3
Agent version: 4.7.3

Thanks,
Denys
