No alerts in Elastic is displayed when one field named as a "Timestamp"

[Alaa Junaid]

Hi All,

I've a custom a simple decoder:

Timestamp                     host            ProductVersion

Jul 26 2021 07:42:30     host1                 123

I've tested successfully with a custom rule ID:110140 as follow:

Unfortunately, no alert is displayed in Elastic:

Once I rename the field "Timestamp" to "Timestamp1" for example everything is OK

I need your kind support for this issue.

Best Regards,

[Matias Ezequiel Moreno]

Hi, thanks for using Wazuh,

in order to help you let me asking with the team about your issue.  

Thanks for you patience, I'm answering you the fastest possible. 

In order to provide better support, could you tell me which version of Kibana Wazuh you are using? are you using opendistro or x-pack?

Regards
Matias

[Alaa Junaid]

Thank you for your reply.

I'm using:

       OS:  CentOS 7

        Wazuh manager: 4.1.0
    Kibana: 7.10.0

        Open Distro for Elasticsearch: 7.10.0

Regards,

[Salam Salam]

Any good news dear. 

Best Regards, 

[Matias Ezequiel Moreno]

Hello again,

Below I share some guides which can be of great help to you in solving that problem
Custom rules and decoders and Testing decoders and rules
in case of not being able to solve it, do not hesitate to contact me again.

Best Regards

[Salam Salam]

  Hi Dear, 

Thank you for your reply. 

Unfortunately, these guides does not mention my timestamp problem :( 

Regards,

[Matias Ezequiel Moreno]

Hello again, I was consulting with the rest of the team and we could observe that the log format does not comply with the 'Timestamp' syslog standard. Currently where are you getting the log from?

At the moment we could use the following options:

1 - Could you modify the log of  'Jul 26 2021 07:42:30 host 123'  --> 'Jul 26 07:42:30 host 123'  (I don't know if there is any app / script that you are using to modify the logs and send them?)

2 - Modify in the decoder 'Timestamp' by 'Timestamp1'. (As you have done before)

3 - You could modify the log before being delivered to Elasticsearch. (Something similar as it happens here)

Let me know if some of those options can solve your problem, otherwise feel free to let me know

Regards

[Salam Salam]

Dear ,

Thank you for your response.

I'm getting the logs from an application that exports its logs in a txt file.

 In Wazuh server I configured the collection of log data from files by editing ossec.conf  to

<localfile>

  <log_format>syslog</log_format>

    <location>/var/log/*</location>
</localfile>

Then I put these txt logs within the mentioned directory on a daily basis.

 

Any way- I need Wazuh to choose the timestamp of the actual log -regardless of its name timestamp or timestamp1- when I create rules later

For example, If I have a simple rule triggers an alert if a log contains a time between 6 pm - 8:30 am as follows:

<rule id="100127" level="10">

       <decoded_as>test</decoded_as>

       <time>6 pm - 8:30 am</time>

       <description>Login outside business hours.</description>

       <group>policy_violation</group>

</rule>

I need Wazuh  when it tests this mentioned criteria to look at time of the actual log Not the time when the log it is read by Wazuh as the two samples:

Jul 26 2021 01:42:30 host  123 -------------->      Triggers   Here

Jul 26 2021 09:42:30 host 123   -------------->  Not Triggers here

Best Regards,

[Alaa Junaid]

Any good news regarding this issue dear.

Many thanks in advance.

Best Regards,,

[Matias Ezequiel Moreno]

Hi, I checked back with the team regarding your problem.

Thanks for your patience, I will answer you as quickly as possible.

Best Regards.
Matias Moreno