Wazuh Custom Decoder for pfSense Firewall Logs


Nikolai D

Nov 6, 2023, 2:32:03 PM
to Wazuh | Mailing List
Hi, I am a Wazuh newbie and need help with a custom decoder. This is what I have done so far after reading multiple posts from other people with a similar problem.

On my pfSense Firewall (version: 2.7.0) I configured my Wazuh Server as its Remote log Server and the syslogs are being sent there.

In the Wazuh (version 4.5.2) Configurations I added rsyslog:
[screenshot: rsyslog.png]

For debugging purposes I activated the logall feature and can thus see my pfSense logs in /var/ossec/logs/archives/archives.json:
[screenshot: exampleLog.png]

My problem is that I don't see any pfSense logs in my Wazuh and that no alerts are generated from my pfSense syslogs. After reading many other posts about this, my guess is that I need a custom decoder/rule for them to show up in Wazuh or generate an alert. Because I am very new in this field and the regex seems rather complex, I ask for help here.

Also, when inserted into the (legacy) logtest it says no decoder matched with just "full event":... and "timestamp":..
I used the following log entry for that:

{"timestamp":"2023-11-06T17:53:08.155+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1699293188.7944115","full_log":"1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale","decoder":{},"location":"192.168.178.55"}

Any help is appreciated and thanks in advance,
Nikolai

Christian Borla

Nov 6, 2023, 2:46:42 PM
to Wazuh | Mailing List
Hi Nikolai
I hope you are doing fine!

Perfect, you are halfway there: the event reaches the manager. Now you must create a custom decoder, in this case, to be able to process your event.
The JSON that you find in the archives.json file is an object enriched by the agent and manager, in addition to the raw event that is received, so we must focus on the value of full_log; that section contains the string as it will be processed by the decoder.

Testing it in wazuh-logtest

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.0

Type one log per line


1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale

**Phase 1: Completed pre-decoding.
full event: '1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale'

**Phase 2: Completed decoding.
No decoder matched.


So it's necessary to create a decoder and then some rules.
I will be back as soon as possible with some examples.

Christian Borla

Nov 6, 2023, 3:01:56 PM
to Wazuh | Mailing List
Hi Nikolai.

Here you have an example, processing the first section of the pfSense log.

Add the following custom decoder in /var/ossec/etc/decoders/local_decoder.xml:

        <!-- Parent decoder: any event containing the string "pfSense" (the firewall hostname) is handed to the child decoders -->
        <decoder name="pfsense">
          <prematch>pfSense</prematch>
        </decoder>

        <!-- Child decoder: captures the RFC 5424 header (timestamp, hostname, app-name);
             the comma-separated filterlog body after the two "-" fields is left undecoded -->
        <decoder name="pfsense-child">
            <parent>pfsense</parent>
            <regex type="pcre2">\d+\s+(\d+-\d+-\d+T\d+:\d+:\d+.\d+\+\d+:\d+)\s+(pfSense\S+)\s+(\S+)\s+</regex>
            <order>date,host,action</order>
        </decoder>

Restart the manager, and by testing it in the wazuh-logtest tool, you can see how the decoder processes the event.

/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.6.0

Type one log per line

1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale

**Phase 1: Completed pre-decoding.
full event: '1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale'

**Phase 2: Completed decoding.
name: 'pfsense'
action: 'filterlog'
date: '2023-11-06T18:43:48.398094+01:00'
host: 'pfSense.meinlab.local'

I hope it helps.
Regards.

Nikolai D

Nov 6, 2023, 6:52:22 PM
to Wazuh | Mailing List
Hi Christian, thank you for helping me!

Yes, I get the same results. Sadly I still don't get any logs in Wazuh / any generated alerts. The logall logs in archives.json look a bit different now though:
..."decoder":{"name":"pfsense"},"data":{"action":"filterlog","date":"2023-11-07T00:41:30.755870+01:00","host":"pfSense.meinlab.local"},"location":"192.168.178.55"}

It seems like the rules are missing now. Thus I tried a simple rule:
[screenshot: exampleRule.png]
But still no alerts, after restarting.

Could you help me one more time please?
Once I get the foundation of a connection and first alerts, I hope I can configure them on my own to my liking.

Best regards,
Nikolai

Nikolai D

Nov 7, 2023, 10:29:10 AM
to Wazuh | Mailing List
Just got it working on my own, after reading the rule documentation carefully. I simply changed the line
<program_name>pfsense</program_name>
to
<decoded_as>pfsense</decoded_as>

Now, I can start configuring it on my own. Thanks again for the help with the decoder!

Christian Borla

Nov 7, 2023, 10:41:05 AM
to Wazuh | Mailing List
Hi Nikolai
Good to know you already fixed it!!

In this case we are not capturing the application, and your rule searches for the program name. We could take two ways: unglob the host with the pfSense and capture that as program_name (in that case we have to change the decoder too), or change the rule to validate the fields captured by the current decoder.

Option 1: New rule with current decoder.

         <rule id="100100" level="5">
           <field name="host" type="pcre2">pfSense</field>
           <description>pfSense log arrived</description>
         </rule>

Testing it


/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.6.0
Type one log per line

1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale

**Phase 1: Completed pre-decoding.
full event: '1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale'

**Phase 2: Completed decoding.
name: 'pfsense'
action: 'filterlog'
date: '2023-11-06T18:43:48.398094+01:00'
host: 'pfSense.meinlab.local'

**Phase 3: Completed filtering (rules).
id: '100100'
level: '5'
description: 'pfSense log arrived'
groups: '['test']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.


Option 2: Updating the decoder

Decoder:

        <decoder name="pfsense-child">
            <parent>pfsense</parent>
            <regex type="pcre2">\d+\s+(\d+-\d+-\d+T\d+:\d+:\d+.\d+\+\d+:\d+)\s+((pfSense)\S+)\s+(\S+)\s+</regex>
            <order>date,host,program_name,action</order>
        </decoder>

Rule:
   <rule id="100111" level="5">
     <decoded_as>pfsense</decoded_as>
     <description>pfSense log arrived</description>
   </rule>

Testing it

/var/ossec/bin/wazuh-logtest

Type one log per line

1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale

**Phase 1: Completed pre-decoding.
full event: '1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - 81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale'

**Phase 2: Completed decoding.
name: 'pfsense'
action: 'filterlog'
date: '2023-11-06T18:43:48.398094+01:00'
host: 'pfSense.meinlab.local'
program_name: 'pfSense'

**Phase 3: Completed filtering (rules).
id: '100111'
level: '5'
description: 'pfSense log arrived'
groups: '['test']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

Regards! 
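To show what the comma-separated filterlog body after the decoded header actually contains (the part the decoders in this thread leave unparsed), here is a parser for the IPv4 TCP/UDP layout, written as an added example for this thread and not code from Wazuh or pfSense. The field names follow the pfSense filter log format; the TCP line is the one posted above and the UDP line is constructed.

```python
import re
from ipaddress import ip_address

# Field positions from the pfSense filter log format (IPv4 with TCP or UDP).
COMMON = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "srcip", "dstip"]
TCP = ["srcport", "dstport", "data_length", "tcp_flags", "seq", "ack",
       "window", "urg", "tcp_options"]
UDP = ["srcport", "dstport", "data_length"]

# RFC 5424 header as forwarded by pfSense: "1 <timestamp> <host> filterlog <pid> - - <csv>"
HEADER = re.compile(r"^1\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+-\s+-\s+(.*)$")

def parse_filterlog(line):
    """Return a dict of decoded fields, or None if the line is not a filterlog event."""
    m = HEADER.match(line)
    if not m or m.group(3) != "filterlog":
        return None
    date, host, program, pid, csv = m.groups()
    fields = csv.split(",")
    if len(fields) < len(COMMON):
        return None  # truncated body, refuse to guess
    event = {"date": date, "host": host, "program_name": program, "pid": int(pid)}
    event.update(zip(COMMON, fields[:9]))
    if event["ip_version"] != "4":
        return event  # IPv6 layout differs; only the common fields are returned
    body = fields[9:]
    event.update(zip(IPV4, body[:11]))
    rest = body[11:]
    if event["proto"] == "tcp":
        event.update(zip(TCP, rest[:9]))   # tcp_options uses ';', so no extra commas
    elif event["proto"] == "udp":
        event.update(zip(UDP, rest[:3]))
    for k in ("srcport", "dstport"):
        if k in event:
            event[k] = int(event[k])
    for k in ("srcip", "dstip"):
        ip_address(event[k])  # raises ValueError on a malformed address
    return event

# Sample input: the TCP line from the thread and a constructed UDP block event.
TCP_LINE = ("1 2023-11-06T18:43:48.398094+01:00 pfSense.meinlab.local filterlog 26614 - - "
            "81,,,10001,em1,match,pass,in,4,0x0,,64,740,0,none,6,tcp,60,10.10.10.101,"
            "10.10.10.1,32846,80,0,S,4272229248,,64240,,mss; sackOK;TS;nop;wscale")
UDP_LINE = ("1 2023-11-06T18:50:00.000000+01:00 pfSense.meinlab.local filterlog 26614 - - "
            "5,,,1000000103,em0,match,block,in,4,0x0,,128,1234,0,none,17,udp,78,"
            "192.0.2.10,192.0.2.1,54321,53,58")
```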