{"timestamp":"2022-04-20T09:47:13.088+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1650448033.41943","full_log":"1 2022-04-20T08:22:15.48Z SHO-ERA02 ERAServer 1176 - - {\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"10.21.14.84\",\"hostname\":\"shod-print01.ent.com\",\"source_uuid\":\"dde4770a-747e-4a87-b3d9-4e06157792bd\",\"occured\":\"20-Apr-2022 08:19:32\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"10.21.115.29\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"Blocked\",\"handled\":true,\"object_uri\":\"http://oprintware.com/update/oprint/update.xml\",\"hash\":\"6021B21E4E9316E87D03C267E2B2BF96E86363AE\",\"username\":\"ENT\\\\svc.print.acc\",\"processname\":\"C:\\\\Program Files (x86)\\\\OPrint\\\\OPrint.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}","decoder":{},"location":"10.21.13.7"}
Can anyone help me to create such decoder?
Hello Natalia,
For creating and debugging the ruleset I recommend checking the events in the archives.log file instead of archives.json. You can activate it with the option logall in your ossec.conf file:
<logall>yes</logall>
Regarding your decoder, if we check the full_log field of the event you sent, we can assume the logs received from your ESET Antivirus are something like the following:
1 2022-04-20T08:22:15.48Z SHO-ERA02 ERAServer 1176 - - {"event_type":"FilteredWebsites_Event",...
If we use the wazuh-logtest tool we see that no fields are gathered even in the pre-decoding phase.
This behavior occurs because your timestamp and header are not the ones analysisd expects (2022-04-20T08:22:15.48Z SHO-ERA02 ERAServer 1176).
The best approach to solve this issue is to use the out_format option. Something like this will do the job, replacing the location with the file where your events are stored:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/example.log</location>
<out_format>$(timestamp) SHO-ERA02 ESET: $(log)</out_format>
</localfile>
Using this configuration, the following header will be added to your events:
Apr 20 09:16:29 SHO-ERA02 ESET:
So, the full event that analysisd will receive is the following:
Apr 20 09:16:29 SHO-ERA02 ESET: 1 2022-04-20T08:22:15.48Z SHO-ERA02 ERAServer 1176 - - ...
Now if we use logtest with this event:
**Phase 1: Completed pre-decoding.
full event: 'Apr 20 09:16:29 SHO-ERA02 ESET: 1 2022-04-20T08:22:15.48Z SHO-ERA02 ERAServer 1176 - - {"event_type":"FilteredWebsites_Event",...
timestamp: 'Apr 20 09:16:29'
hostname: 'SHO-ERA02'
program_name: 'ESET'
At this point, it will be easier to create custom decoders. For example, the following will gather event_type:
<decoder name="ESET_AV">
<program_name>ESET</program_name>
<regex>"event_type":"(\S+)"</regex>
<order>event_type</order>
</decoder>
wazuh-logtest output:
**Phase 2: Completed decoding.
name: 'ESET_AV'
event_type: 'FilteredWebsites_Event'
If you have any doubt do not hesitate to ask.
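As an added example that is not from this thread or from the Wazuh ruleset, here is a fuller version of the decoder above, plus a small set of rules that use the extracted fields. It assumes the out_format header from the earlier message (so program_name is ESET), that the ESET JSON keys look like the two events posted in this thread, and that Wazuh evaluates every child decoder sharing the same name so each field can be pulled by its own regex; the rule ids 100200 to 100203 and the dynamic field names event_type, event and threat_name are chosen for this example. The web-filter fields are mapped onto Wazuh static fields (action, url, user, srcip, dstip and ports) so rules can reference them with <action>, <same_source_ip /> and $(field) in descriptions.

```xml
<!-- Added example (not from the thread or the Wazuh ruleset).
     Decoders go in /var/ossec/etc/decoders/local_decoder.xml,
     rules in /var/ossec/etc/rules/local_rules.xml. -->

<!-- Parent: only events carrying the ESET program name from out_format -->
<decoder name="ESET_AV">
  <program_name>ESET</program_name>
</decoder>

<!-- Keys present in both event types posted in this thread. OS_Regex stops
     \S+ at the first character matching what follows, so the closing quote
     terminates each capture. Same-name children are assumed to chain. -->
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"event_type":"(\S+)"</regex>
  <order>event_type</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"hostname":"(\S+)"</regex>
  <order>system_name</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"event":"(\.+)"</regex>
  <order>event</order>
</decoder>

<!-- FilteredWebsites_Event keys, mapped to Wazuh static fields -->
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"action_taken":"(\S+)"</regex>
  <order>action</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"object_uri":"(\S+)"</regex>
  <order>url</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"username":"(\S+)"</regex>
  <order>user</order>
</decoder>

<!-- Firewall aggregated event keys (second event posted in this thread) -->
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"source_address":"(\S+)","source_address_type":"\S+","source_port":(\d+),</regex>
  <order>srcip, srcport</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"target_address":"(\S+)"</regex>
  <order>dstip</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"target_port":(\d+),"protocol":"(\S+)","action":"(\S+)"</regex>
  <order>dstport, protocol, action</order>
</decoder>
<decoder name="ESET_AV-fields">
  <parent>ESET_AV</parent>
  <regex>"threat_name":"(\S+)"</regex>
  <order>threat_name</order>
</decoder>

<!-- Rules (local_rules.xml). Ids 100200-100203 are chosen for this example. -->
<group name="eset,">
  <!-- Base rule: every ESET event at a low level so fields appear in alerts -->
  <rule id="100200" level="3">
    <decoded_as>ESET_AV</decoded_as>
    <description>ESET: $(event_type) on $(system_name): $(event)</description>
  </rule>
  <!-- Web filter block (first event in this thread) -->
  <rule id="100201" level="7">
    <if_sid>100200</if_sid>
    <field name="event_type">FilteredWebsites</field>
    <action>Blocked</action>
    <description>ESET web filter blocked $(url) for $(user) on $(system_name)</description>
  </rule>
  <!-- Firewall block of an exploitation attempt (second event in this thread) -->
  <rule id="100202" level="8">
    <if_sid>100200</if_sid>
    <field name="event_type">Firewall</field>
    <match>Security vulnerability exploitation attempt</match>
    <description>ESET firewall blocked $(threat_name) from $(srcip):$(srcport) to $(dstip):$(dstport)</description>
  </rule>
  <!-- Same source hitting the firewall repeatedly: correlate on srcip -->
  <rule id="100203" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100202</if_matched_sid>
    <same_source_ip />
    <description>ESET firewall: repeated blocked exploitation attempts from $(srcip) within 60 s</description>
  </rule>
</group>
```

After adding both files and restarting the manager, feed the out_format-wrapped event into wazuh-logtest: Phase 2 should list the new fields, and Phase 3 should show rule 100201 firing for the web filter event and 100202 for the firewall event. The matches on event_type use substrings (FilteredWebsites, Firewall) on purpose, so they do not depend on the exact spelling of the aggregated firewall event name.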
<localfile>
<log_format>syslog</log_format>
<location>C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\</location>
<out_format>$(timestamp) SHO-ERA02 ESET: $(log)</out_format>
</localfile>
Wazuh API seems to be down
Settings. 400 - Error reading cluster configuration: Requested component does not exist: mismatched tag: line 403, column 4
Also I activated logall and in archives.log saw this kind of log:
2022 Apr 21 13:06:01 wazuh-manager->10.21.13.7 1 2022-04-21T13:06:01.59Z SHO-ERA01 ERAServer 1176 - - {"event_type":"FirewalllAggregated_Event","ipv4":"109.86.118.170","hostname":"nho-055.ent.com","source_uuid":"a7fc15d5-4a61-4d9d-bce4-44bf0799e165","occured":"21-Apr-2022 13:02:23","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.241.196.159","source_address_type":"IPv4","source_port":50062,"target_address":"109.86.118.170","target_address_type":"IPv4","target_port":8888,"protocol":"TCP","action":"Blocked","handled":true,"inbound":true,"threat_name":"EsetIpBlacklist","aggregate_count":1}
[root@wazuh-manager etc]# /var/ossec/bin/wazuh-control start
Traceback (most recent call last):
File "/var/ossec/framework/python/lib/python3.9/xml/etree/ElementTree.py", line 1720, in feed
self.parser.Parse(data, False)
xml.parsers.expat.ExpatError: mismatched tag: line 403, column 4
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/configuration.py", line 480, in get_ossec_conf
xml_data = load_wazuh_xml(conf_file)
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/utils.py", line 739, in load_wazuh_xml
return ElementTree.fromstring(entities + '<root_tag>' + data + '</root_tag>')
File "/var/ossec/framework/python/lib/python3.9/xml/etree/ElementTree.py", line 1347, in XML
parser.feed(text)
File "/var/ossec/framework/python/lib/python3.9/xml/etree/ElementTree.py", line 1722, in feed
self._raiseerror(v)
File "/var/ossec/framework/python/lib/python3.9/xml/etree/ElementTree.py", line 1629, in _raiseerror
raise err
xml.etree.ElementTree.ParseError: mismatched tag: line 403, column 4
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/cluster/utils.py", line 58, in read_cluster_config
config_cluster = get_ossec_conf(section='cluster', conf_file=config_file)['cluster']
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/configuration.py", line 485, in get_ossec_conf
raise WazuhError(1101, extra_message=str(e))
wazuh.core.exception.WazuhError: Error 1101 - Requested component does not exist: mismatched tag: line 403, column 4
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/ossec/api/scripts/wazuh-apid.py", line 10, in <module>
from api import alogging, configuration
File "/var/ossec/framework/python/lib/python3.9/site-packages/api-4.2.5-py3.9.egg/api/alogging.py", line 11, in <module>
from api.authentication import decode_token
File "/var/ossec/framework/python/lib/python3.9/site-packages/api-4.2.5-py3.9.egg/api/authentication.py", line 23, in <module>
from wazuh.core.cluster.dapi.dapi import DistributedAPI
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/cluster/dapi/dapi.py", line 26, in <module>
from wazuh import agent
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/agent.py", line 21, in <module>
cluster_enabled = not read_cluster_config()['disabled']
File "/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.2.5-py3.9.egg/wazuh/core/cluster/utils.py", line 65, in read_cluster_config
raise WazuhError(3006, extra_message=e.message)
wazuh.core.exception.WazuhError: Error 3006 - Error reading cluster configuration: Requested component does not exist: mismatched tag: line 403, column 4
wazuh-apid: Configuration error. Exiting
Hello Natalia,
Sorry for the late response,
The value of location should be a file instead of a folder.
For example:
<localfile>
<log_format>syslog</log_format>
<location>C:\example.log</location>
<out_format>$(timestamp) SHO-ERA02 ESET: $(log)</out_format>
</localfile>
In the archives.log of the manager we get:
2022 Apr 25 07:57:41 (windows) any->\example.log Apr 25 07:57:40 SHO-ERA02 ESET: TESTING LOG
I have one more question. As I understood, I can collect syslog and send it to Wazuh only with the Wazuh agent, is that right?
You can collect syslog events from your Wazuh agents or receive them directly with remote syslog.
In this case, I recommend you store the logs in a plaintext file and monitor that file with Wazuh. This is required in order to use the out_format option to correctly format your events.
I only set up sending logs to the SIEM on the management server by specifying the Wazuh host and port 514. And in archives.json I see only specific logs, as I wrote in the first message, but I don't see all logs.
This is a remote Syslog configuration. The archives file should have every log received by the manager. If you are currently getting only some of the events in your manager, maybe your environment is configured to send only events of a certain severity (like Warning in your last message).
Please check your configuration and, if appropriate, configure it to send all logs.
If this was not the cause of the problem, let us know and we will help you solve it.
Should I use /etc/rsyslog.conf if I configure directly receiving logs with remote syslog?
It is not needed if you configure your manager to receive Syslog logs on a custom port. However, your use case requires the use of the out_format option. This option requires storing your Syslog logs in a local file, in order to add a header with timestamp, hostname, and program name. In this case, it is necessary to configure rsyslog (/etc/rsyslog.conf) to store remote Syslog events in a local file. Check this documentation page for more information about the two options for remote syslog event collection configuration.
Could you give me an example of how to configure the out_format option?
In my last message, I suggested a configuration using the out_format option that should fit your use case. Please check it out and let me know if it fits your needs.
https://groups.google.com/g/wazuh/c/jFOc_gALIO4/m/tj5rMmAuFwAJ
Hello Natalia,
Sorry for the late response,
Wazuh only supports the following log_formats. In these cases, the best approach is to export those logs to a file or send them to an rsyslog server; check whether the software allows one of these options, and let us know if you have any doubt.