UFW logs dont go to the wazuh-manager


bars5...@gmail.com

Dec 28, 2021, 2:34:08 PM
to Wazuh mailing list
Hi! A very strange situation for me. I need to collect UFW logs.
As usual I add

<localfile>
  <location>/var/log/ufw.log</location>
  <log_format>syslog</log_format>
</localfile>

to agent.conf in the shared folder.

All my changes arrive in the agent configuration as expected.

But the UFW logs don't appear in /var/ossec/logs/archives/archives.json.

In the agent's ossec.log I see /var/log/ufw.log being analyzed.

At the same time, if I add a record to /var/log/ufw.log manually
(echo "123 123 bla bla" >> /var/log/ufw.log), I see it in /var/ossec/logs/archives/archives.json on the manager. The logs arrive.

But the logs added by the firewall I don't see in /var/ossec/logs/archives/archives.json.

I really don't understand the reason for this situation. Please help.

Mariano Koremblum

Dec 28, 2021, 3:47:12 PM
to Wazuh mailing list

Hi Bars,

Let us get this clear, please correct me if I am wrong.

What you say is that you have set on an agent’s ossec.conf file (through centralized configuration, as I understand) the following:

<localfile>
    <location>/var/log/ufw.log</location>
    <log_format>syslog</log_format>
</localfile>

At the same time, you have on your manager’s ossec.conf file configured the following: <logall_json>yes</logall_json>

On this file, logs from a Firewall (UFW) were written but such entries are not being, apparently, received by the manager (as no firewall logs on the archives.json file can be found). But, when you manually append a log on the very same file, where the UFW logs are, it does indeed reach the manager and is correctly displayed on the archives.json file.

Is this correct? Please let us know,

Mariano Koremblum

Mariano Koremblum

Dec 28, 2021, 3:58:08 PM
to Wazuh mailing list
Could you additionally provide us examples of logs that are not being received and logs that are?

Thanks in advance

bars5...@gmail.com

Dec 29, 2021, 3:47:25 AM
to Wazuh mailing list
Yes, correct.

On Tuesday, December 28, 2021 at 22:47:12 UTC+2, mariano....@wazuh.com wrote:

bars5...@gmail.com

Dec 29, 2021, 3:49:34 AM
to Wazuh mailing list
On Tuesday, December 28, 2021 at 22:58:08 UTC+2, mariano....@wazuh.com wrote:
ufw.log

Mariano Koremblum

Dec 29, 2021, 10:55:39 AM
to Wazuh mailing list

Hi Bars!

As you can see on this issue #3231, and because of this block of code, your firewall logs are being dropped given the fact that the “action” field is missing. This can be seen by using the wazuh-logtest tool:

Starting wazuh-logtest v4.2.5
Type one log per line

Dec 26 09:05:47 server01 kernel: [126140.629122] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5d:10:04:07:00:00:5d:7c:61:13:08:00 SRC=192.168.0.11 DST=192.168.0.114 LEN=52 TOS=0x02 PREC=0x00 TTL=128 ID=9209 DF PROTO=TCP SPT=17833 DPT=22 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 

**Phase 1: Completed pre-decoding.
        full event: 'Dec 26 09:05:47 server01 kernel: [126140.629122] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5d:10:04:07:00:00:5d:7c:61:13:08:00 SRC=192.168.0.11 DST=192.168.0.114 LEN=52 TOS=0x02 PREC=0x00 TTL=128 ID=9209 DF PROTO=TCP SPT=17833 DPT=22 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0 '
        timestamp: 'Dec 26 09:05:47'
        hostname: 'server01'
        program_name: 'kernel'

**Phase 2: Completed decoding.
        name: 'kernel'
        parent: 'kernel'
        dstip: '192.168.0.114'
        dstport: '22'
        protocol: 'TCP'
        srcip: '192.168.0.11'
        srcport: '17833'

**Phase 3: Completed filtering (rules).
        id: '4100'
        level: '0'
        description: 'Firewall rules grouped.'
        groups: '['firewall']'
        firedtimes: '1'
        mail: 'False'

There is a workaround to continue receiving such logs on the archives files but, as a side effect, you won’t receive any logs on the /var/ossec/logs/firewall/firewall.log and the wazuh-analysisd statistics may be affected too. The workaround would be setting analysisd.log_fw=0 on your /var/ossec/etc/local_internal_options.conf file.

Please, let us know if you find it helpful!

Best Regards,

Mariano Koremblum
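To make the behaviour described in this reply concrete, here is an added illustration (not Wazuh's own decoder or analysisd code) that pre-decodes the UFW kernel line from the logtest output above, extracts the same fields, and models the three outcomes the thread discusses: the event dropped under analysisd.log_fw=1 because no "action" field exists, the event archived but absent from firewall.log under log_fw=0, and the event fully routed once a decoder derives "action" from the [UFW BLOCK] tag. The tag-to-action mapping and the routing rules are assumptions that simplify what the thread reports.

```python
import re

# Constructed copy of the UFW line shown in the wazuh-logtest output in this thread.
UFW_LINE = ("Dec 26 09:05:47 server01 kernel: [126140.629122] [UFW BLOCK] IN=eth0 OUT= "
            "MAC=00:00:5d:10:04:07:00:00:5d:7c:61:13:08:00 SRC=192.168.0.11 DST=192.168.0.114 "
            "LEN=52 TOS=0x02 PREC=0x00 TTL=128 ID=9209 DF PROTO=TCP SPT=17833 DPT=22 "
            "WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0")

SYSLOG_RE = re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                       r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
UFW_TAG_RE = re.compile(r"\[UFW (?P<tag>[A-Z]+)\]")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# iptables/UFW key -> field name, the subset that appears in the logtest output.
FIELD_MAP = {"SRC": "srcip", "DST": "dstip", "SPT": "srcport", "DPT": "dstport", "PROTO": "protocol"}
# Hypothetical mapping from the UFW bracket tag to an "action" value (assumption, not Wazuh's decoder).
UFW_ACTION = {"BLOCK": "DROP", "ALLOW": "ACCEPT", "AUDIT": "AUDIT"}


def predecode(line):
    """Phase 1: split the syslog header (timestamp, hostname, program_name) from the message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_kernel(msg, map_ufw_tag):
    """Phase 2: pull the iptables key=value fields; optionally derive 'action' from [UFW ...]."""
    fields = {FIELD_MAP[k]: v for k, v in KV_RE.findall(msg) if k in FIELD_MAP}
    tag = UFW_TAG_RE.search(msg)
    if map_ufw_tag and tag and tag.group("tag") in UFW_ACTION:
        fields["action"] = UFW_ACTION[tag.group("tag")]
    return fields


def route_event(line, log_fw, map_ufw_tag):
    """Simplified model of the routing the thread describes: with log_fw=1 a firewall event
    lacking 'action' is dropped; with log_fw=0 it is archived but never written to firewall.log."""
    pre = predecode(line)
    if pre is None:
        return {"archived": False, "firewall_log": False, "fields": {}}
    fields = decode_kernel(pre["msg"], map_ufw_tag)
    if log_fw and "action" not in fields:
        return {"archived": False, "firewall_log": False, "fields": fields}
    return {"archived": True, "firewall_log": bool(log_fw), "fields": fields}
```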

bars5...@gmail.com

Dec 29, 2021, 4:14:45 PM
to Wazuh mailing list
If I understand correctly, the problem is in the structure of the Ubuntu firewall logs. Wazuh's firewall decoder expects an Action (Allow or Drop) field, but instead gets a [UFW BLOCK] (if blocked), right?

On Wednesday, December 29, 2021 at 17:55:39 UTC+2, mariano....@wazuh.com wrote:

bars5...@gmail.com

Dec 30, 2021, 2:04:15 AM
to Wazuh mailing list
I changed the parameter from analysisd.log_fw=1 to analysisd.log_fw=0 in /var/ossec/etc/internal_options.conf (not in local_internal_options.conf) on the wazuh-manager side and restarted wazuh-manager. After that, UFW logs started appearing in /var/ossec/logs/archives/archives.json.

Is this right?
Please tell me, will this issue be resolved in future releases?

On Wednesday, December 29, 2021 at 17:55:39 UTC+2, mariano....@wazuh.com wrote:

Hi Bars!

Mariano Koremblum

Dec 30, 2021, 12:53:28 PM
to Wazuh mailing list
Hi Bars,

After further research, I noticed that there is a bug in a Wazuh decoder that prevents the UFW log from being decoded. I explained the situation on the GitHub issue #11609.

Please stay tuned to that issue to know when it is merged. You could also manually add the changes, under your own responsibility, on your local installation.

Best Regards,

Mariano Koremblum

bars5...@gmail.com

Dec 30, 2021, 3:50:59 PM
to Wazuh mailing list
Thank you! After the changes, everything works as needed. UFW logs are received.

On Thursday, December 30, 2021 at 19:53:28 UTC+2, mariano....@wazuh.com wrote: