Alert created with wazuh-logtest but not in real

Sabbat X

May 30, 2022, 8:55:27 AM
to Wazuh mailing list
Hi community ! I hope you're all doing great.

TLDR : Alert created when testing with wazuh-logtest but not in real.

I created a custom decoder and a custom rule to generate alerts when receiving UniFi logs via syslog.

When I use the wazuh-logtest binary to test these with a UniFi log, the custom rule is triggered and an alert is generated.
But in real, nothing happens...

Here are my decoder and rule :

<decoder name="unifi">
        <prematch type="pcre2">UAP-</prematch>
</decoder>

<rule id="100013" level="5">
        <decoded_as>unifi</decoded_as>
        <description>UniFi wifi log</description>
</rule>

Here is how I configured my Wazuh manager to listen for Syslog :

<remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>udp</protocol>
        <allowed-ips>my LAN IP range</allowed-ips>
</remote>

For now they are really simple, as I just want to trigger the rule and have an alert generated with any message received from the UniFi controller. I want to be sure that the log matches with my decoder. No need to extract any information for now.

FYI, here's what a UniFi log looks like (as seen by a Syslog server):
May 28 17:36:23 wap001 78455819c06f,UAP-AC-InWall-6.0.18+13660: kernel: [ 205.373214] ol_ath_vap_set_param: Now supported MGMT RATE is 6000(kbps) and rate code: 0x3

As I said, it triggers the rule and creates an alert when I test it with /var/ossec/bin/wazuh-logtest, but not in real use.
I already configured the same stuff for Synology logs and it works great. But for Unifi it doesn't.

I am using Wazuh v4.2.5 and UniFi controller v7.1.65.
My Wazuh and Unifi servers are both Debian VMs. The Wazuh agent is not installed on the Unifi controller, I only want to use Syslog for now.

Many thanks for your help !

Julio Gasco

May 30, 2022, 10:13:21 AM
to Wazuh mailing list

Hi! Thanks for using our community

First we need to see if logs are being sent to the Manager.
From the manager try running

tcpdump -i any udp -nn port 514 -AA

With that you will see the traffic coming to the 514 Port on your manager, try to filter the result with the UniFi controller ip to see if anything is coming from it.
In case nothing shows up you will need to check that syslog forwarding is correctly configured on the UniFi and that connections are opened between the VMs

In case you see traffic between the servers, please edit your ossec.conf file on the manager ( /var/ossec/etc/ossec.conf ) and edit the line

<logall_json>no</logall_json>

to

<logall_json>yes</logall_json>
After that restart the manager: systemctl restart wazuh-manager

This will save all the incoming logs, whether they trigger alerts or not, in the /var/ossec/logs/alerts/alerts.json file. You can filter by the IP of the UniFi controller to see the information on the logs being received and what Wazuh is doing with them (rule.id if triggered, full_log, etc). If you have that information please share it so we can analyze it.

Also if you can please attach the example of wazuh-logtest you are getting, I tried to replicate on my lab with the log you shared and Wazuh is decoding the message as this:

**Phase 3: Completed filtering (rules).
       Rule id: '7300'
       Level: '0'
       Description: 'Grouping of Symantec AV rules.'

Let me know if this helps

Reference:
global - Local configuration (ossec.conf) · Wazuh documentation (logall_json)

Regards!

Sabbat X

May 31, 2022, 5:43:55 PM
to Wazuh mailing list

Hi ! Thanks a lot for all your precious advice :-)

I have 2 labs. One at home, the other at the office.

I tried the tcpdump on both and had the same result : syslog messages received on both !

Before the ossec.conf modification, I tried a quick cat /var/ossec/logs/alerts/alerts.log on both my labs :

  • on the one at work : no UniFi log alerts
  • on the one at home : UniFi log alerts !!!
    I looked on the web interface, but no alerts appeared there…

After that, I modified the ossec.conf file to edit the <logall> and <logall_json> options to “yes”.
Restarted the wazuh-manager.

cat /var/ossec/logs/alerts/alerts.json | grep "*unifi controller IP and other filters*"

At work : nothing… (but in the documentation, it mentions the archives.json file, see below)
At home : as I said before, I already had alerts created with the custom decoder and rule triggered in the alerts.json file, so still had them with the <logall> option to yes.

I also checked in the /var/ossec/logs/archives/archives.log file and there I found the UniFi logs, at home and at work.

Well, at least it reminded me of a difference between my 2 labs : I installed the wazuh-agent on the UniFi controller from work. Don’t know if it makes a difference in the Syslog sending behavior…
Also I forgot to mention that I disabled the symantec-av decoders and rules by renaming their config files (with “.off” at the end). My logs were triggering them, so I disabled them in order to use mine. As I am not using any Symantec product it should not be a problem, right ?

Here are some logs found in the /var/ossec/logs/alerts/alerts.json file in my home lab :

{"timestamp":"2022-05-31T22:19:38.099+0200","rule":{"level":5,"description":" WIFI log UniFi","id":"100013","firedtimes":19,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1654028378.13441","full_log":"May 31 22:19:38 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: mcad: mcad[1464]: wireless_agg_stats.log_sta_anomalies(): bssid=7e:45:58:1b:c0:6e radio=wifi1 vap=ath3 sta=1a:77:92:7c:fc:a8 satisfaction_now=60 anomalies=tcp
_latency","predecoder":{"timestamp":"May 31 22:19:38","hostname":"wap001"},"decoder":{"name":"unifi"},"location":"192.168.1.31"}
{"timestamp":"2022-05-31T22:19:42.734+0200","rule":{"level":5,"description":" WIFI log UniFi","id":"100013","firedtimes":20,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1654028382.13807","full_log":"May 31 22:19:42 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: mcad: mcad[1464]: wireless_agg_stats.log_sta_anomalies(): bssid=7e:45:58:1b:c0:6e radio=wifi1 vap=ath3 sta=1a:77:92:7c:fc:a8 satisfaction_now=60 anomalies=tcp_latency","predecoder":{"timestamp":"May 31 22:19:42","hostname":"wap001"},"decoder":{"name":"unifi"},"location":"192.168.1.31"}
{"timestamp":"2022-05-31T22:19:53.320+0200","rule":{"level":5,"description":" WIFI log UniFi","id":"100013","firedtimes":21,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1654028393.14173","full_log":"May 31 22:19:53 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: mcad: mcad[1464]: wireless_agg_stats.log_sta_anomalies(): bssid=7e:45:58:1b:c0:6e radio=wifi1 vap=ath3 sta=1a:77:92:7c:fc:a8 satisfaction_now=60 anomalies=tcp_latency","predecoder":{"timestamp":"May 31 22:19:53","hostname":"wap001"},"decoder":{"name":"unifi"},"location":"192.168.1.31"}
{"timestamp":"2022-05-31T22:19:53.727+0200","rule":{"level":5,"description":" WIFI log UniFi","id":"100013","firedtimes":22,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1654028393.14539","full_log":"May 31 22:19:53 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: mcad: mcad[1464]: wireless_agg_stats.log_sta_anomalies(): bssid=7e:45:58:1b:c0:6e radio=wifi1 vap=ath3 sta=1a:77:92:7c:fc:a8 satisfaction_now=60 anomalies=tcp_latency","predecoder":{"timestamp":"May 31 22:19:53","hostname":"wap001"},"decoder":{"name":"unifi"},"location":"192.168.1.31"}

Here are some logs found in the /var/ossec/logs/archives/archives.log file in my home lab :

2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760732] [wifi1] FWLOG: [7277914] WLAN_DEBUG_DBGID_PEER ( 0xdead, 0x1a7cfca8, 0x1 )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760749] [wifi1] FWLOG: [7277960] WLAN_DEBUG_DBGID_PEER ( 0xadd, 0x4e4573c1, 0x1, 0x3, 0x65 )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760771] [wifi1] FWLOG: [7277964] WAL_DBGID_TX_AC_BUFFER_SET ( 0x678, 0x87, 0x13 )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760787] [wifi1] FWLOG: [7277964] RATE: ChainMask 1, peer_mac 73:c1, phymode 1044484, ni_flags 0x00201006, vht_mcs_set 0x0000, ht_mcs_set 0x00ff, legacy_rate_set 0x0000
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760810] [wifi1] FWLOG: [7278019] WAL_DBGID_SECURITY_UCAST_KEY_SET ( 0x0, 0x4ece73c1 )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760824] [wifi1] FWLOG: [7278019] WAL_DBGID_SECURITY_ENCR_EN (  )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760835] [wifi1] FWLOG: [7278019] WAL_DBGID_SECURITY_ALLOW_DATA ( 0x4349a4 )
2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760847] [wifi1] FWLOG: [7278064] RATE: ChainMask 1, peer_mac 73:c1, phymode 1044484, ni_flags 0x00201006, vht_mcs_set 0x0000, ht_mcs_set 0x00ff, legacy_rate_set 0x0000

(please note : 192.168.1.31 is the wifi access point IP address)

Here is the output I get when I use the wazuh-logtest tool :

root@wazuh-manager:~# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760847] [wifi1] FWLOG: [7278064] RATE: ChainMask 1, peer_mac 73:c1, phymode 1044484, ni_flags 0x00201006, vht_mcs_set 0x0000, ht_mcs_set 0x00ff, legacy_rate_set 0x0000

**Phase 1: Completed pre-decoding.
        full event: 'May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: kernel: [ 7087.760847] [wifi1] FWLOG: [7278064] RATE: ChainMask 1, peer_mac 73:c1, phymode 1044484, ni_flags 0x00201006, vht_mcs_set 0x0000, ht_mcs_set 0x00ff, legacy_rate_set 0x0000'
        timestamp: 'May 31 23:10:25'
        hostname: 'wap001'

**Phase 2: Completed decoding.
        name: 'unifi'

**Phase 3: Completed filtering (rules).
        id: '100013'
        level: '5'
        description: ' WIFI log UniFi'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

I paste you here my decoder and rule once more :

<decoder name="unifi">
        <prematch type="pcre2">UAP-</prematch>
</decoder>
<rule id="100013" level="5">
        <decoded_as>unifi</decoded_as>
        <description> WIFI log UniFi</description>
</rule>

I hope you have all the information you requested ^^
If not, please let me know.

Thanks again for your help :-)

Kind regards !
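A small triage helper for the check Julio describes above (did the log reach the manager at all, and if so, which decoder and rule did it hit), applied to the two kinds of file Sabbat posted. This is an added example, not code from this thread or from Wazuh itself. It assumes the formats visible in the thread: one JSON object per line in alerts.json, and the `YYYY Mon DD HH:MM:SS host->location original_log` layout of archives.log. The sample lines are constructed from the extracts posted above (plus one constructed sshd alert from another location, to show the source filter), and the verdict names returned by `diagnose` are my own.

```python
"""Triage 'rule fires in wazuh-logtest but not in production' for one syslog source.

Reads alerts.json (one JSON alert per line) and archives.log (<logall> plain text)
and answers: was the source's traffic received, and did the expected rule fire?
"""
import json
import re
from collections import Counter

# archives.log line layout (as seen in the thread): "2022 May 31 23:10:25 wap001->192.168.1.31 <original log>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+)->(?P<location>\S+) (?P<log>.*)$"
)

# Constructed sample: first line copied from the home-lab alerts.json extract,
# second line a constructed sshd alert from a different location.
SAMPLE_ALERTS_JSON = (
    '{"timestamp":"2022-05-31T22:19:42.734+0200","rule":{"level":5,"description":" WIFI log UniFi",'
    '"id":"100013","firedtimes":20,"mail":false,"groups":["local","syslog","sshd"]},'
    '"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},'
    '"id":"1654028382.13807","full_log":"May 31 22:19:42 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: '
    'mcad: mcad[1464]: wireless_agg_stats.log_sta_anomalies(): bssid=7e:45:58:1b:c0:6e radio=wifi1 '
    'vap=ath3 sta=1a:77:92:7c:fc:a8 satisfaction_now=60 anomalies=tcp_latency",'
    '"predecoder":{"timestamp":"May 31 22:19:42","hostname":"wap001"},'
    '"decoder":{"name":"unifi"},"location":"192.168.1.31"}\n'
    '{"timestamp":"2022-05-31T22:20:00.000+0200","rule":{"level":3,"description":"sshd: authentication success.",'
    '"id":"5715","firedtimes":1,"mail":false,"groups":["syslog","sshd"]},'
    '"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},'
    '"id":"1654028400.14000","full_log":"constructed sshd line","decoder":{"name":"sshd"},'
    '"location":"/var/log/auth.log"}\n'
)

# Constructed sample: two lines copied from the home-lab archives.log extract.
SAMPLE_ARCHIVES_LOG = (
    "2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: "
    "kernel: [ 7087.760732] [wifi1] FWLOG: [7277914] WLAN_DEBUG_DBGID_PEER ( 0xdead, 0x1a7cfca8, 0x1 )\n"
    "2022 May 31 23:10:25 wap001->192.168.1.31 May 31 23:10:25 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: "
    "kernel: [ 7087.760771] [wifi1] FWLOG: [7277964] WAL_DBGID_TX_AC_BUFFER_SET ( 0x678, 0x87, 0x13 )\n"
)


def parse_alerts_json(text):
    """Yield alert dicts; skip blank or half-written lines (the file is appended to live)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def alerts_for_source(alerts_text, location):
    """Count (rule id, decoder name) pairs for alerts whose 'location' is the syslog source."""
    counts = Counter()
    for alert in parse_alerts_json(alerts_text):
        if alert.get("location") != location:
            continue
        key = (alert.get("rule", {}).get("id"), alert.get("decoder", {}).get("name"))
        counts[key] += 1
    return counts


def archived_events(archives_text, location):
    """Return the original log lines that reached the manager from 'location' (receipt, alert or not)."""
    events = []
    for line in archives_text.splitlines():
        m = ARCHIVE_RE.match(line)
        if m and m.group("location") == location:
            events.append(m.group("log"))
    return events


def diagnose(alerts_text, archives_text, location, rule_id):
    """Classify the source: 'alerting', 'received_no_alert' (decoder/rule problem) or 'not_received' (transport)."""
    fired = alerts_for_source(alerts_text, location)
    if any(rid == rule_id for rid, _ in fired):
        return "alerting"
    if archived_events(archives_text, location):
        return "received_no_alert"
    return "not_received"


if __name__ == "__main__":
    # Home lab from the thread: alerts present -> 'alerting'; work lab: archived but no alert.
    print("home:", diagnose(SAMPLE_ALERTS_JSON, SAMPLE_ARCHIVES_LOG, "192.168.1.31", "100013"))
    print("work:", diagnose("", SAMPLE_ARCHIVES_LOG, "192.168.1.31", "100013"))
```

Run it against the real files (`open('/var/ossec/logs/alerts/alerts.json').read()` and the archives file) with the access point IP as `location`. A `received_no_alert` verdict means the transport side is fine and the problem lies in decoding or rule ordering on the manager, which is the case to compare against the wazuh-logtest output; `not_received` means to go back to the tcpdump and `<remote>` checks.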

Julio Gasco

Jun 6, 2022, 8:08:24 AM
to Wazuh mailing list
Hi!
Sorry for the delay. I am seeing in the extract you sent from your home lab of /var/ossec/logs/alerts/alerts.json that alerts are showing up with level 5, which should be showing in Kibana with that level.
To look for these alerts go to Wazuh -> Modules -> Security Events

[screenshot: sec_ev1.JPG]

And in the Security Events page, filter by your manager name for the alerts being received by syslog:
[screenshot: sec_ev2.JPG]

I would reproduce the home lab configuration on the work lab. Can you give me details on where the UniFi controller was installed, and which OS?

Have you tested the syslog configuration on the work lab, sending the logs directly to the manager as in the working home lab?

Is there any error showing up in ossec.log in the UniFi controller agent installation?

Are all the communications open in the work lab? Nothing between the agent and the manager that could be affecting the data transfer?

Please let me know if alerts are showing up in Kibana under the Security Events module

Regards!

Sabbat X

Jun 7, 2022, 4:13:43 PM
to Wazuh mailing list
Hi !

Thanks for your answer.

Yes, as I had the alerts level 5 in the alerts.json file, I checked on the web interface in the Modules > Security Events tab and filtered with my wazuh-manager name, but nothing...
Well, I could see the other alerts (like SSH connection on the manager or the Synology ones), but not the UniFi ones.

The UniFi controller is installed on a Debian 10 VM. I could install the wazuh-agent on the VM, but as I want to be able to get any UniFi log, even if it comes from a Ubiquiti Appliance, I want to get them using only Syslog for now.

Yes, I tested the Syslog conf in the work lab. I am sending logs directly to the manager. Both machines are on the same subnet.

Unfortunately, no events are showing up in Kibana under the Security Events module, even in the "working" home lab. That's weird, because I can see the alerts in the alerts.json file, but not in the web interface...

I think I am going to try to do it all over again. I will tell you in detail what config I do, and we will figure it out x)

Thanks again for your help,
Have a nice day !

Kind regards.

Sabbat X

Nov 22, 2022, 7:07:12 AM
to Wazuh mailing list
Quick info about my issue : I just reinstalled everything from scratch (as previously using the OVA) and this time it worked just fine for UniFi logs.

Next issue : same problem with custom Windows decoders and rules : triggered when checking with logtest, not triggered in real...
I will continue working on it and post here if I find anything.

If someone has an idea of what could be the source of the problem, I'm listening ;-)

Have a nice day !

Saddique Khan

Sep 4, 2023, 8:53:13 AM
to Wazuh | Mailing List
Hello Sabbat,

I have exactly the same issue. Did you resolve the issue for rules and decoders? I am very curious about it.

Regards,
Saddique

Sabbat X

Sep 11, 2023, 4:44:38 PM
to Wazuh | Mailing List
Hello Saddique,

Unfortunately I stopped working on this project for now...
If I get back to it, be sure that I will get back to you with some answers !

For now, I can suggest you to backup your config files and start again with a fresh install...
I guess the software is not super stable and a bit sensitive (even though it's great !).
Maybe an update will fix the issue, maybe it will break it ^^'

I would also recommend trying another type of installation : e.g. if you tried the OVA, maybe try installing it manually, as the result may not be exactly the same.

You can also temporarily enable some debug logs to get more explicit feedback on your issues.

Moreover, if you are processing UniFi logs, do not forget to disable the Symantec decoders and rules, as they interfere with them.

Good luck with this ! ;-)

Kind regards,
Sabbat X