Remote Syslog from Cisco ESA/WSA


Tassilo Erlewein

Mar 3, 2021, 8:15:41 AM
to Wazuh mailing list

Hello wazuh community,

A couple of weeks ago I discovered Wazuh after fiddling with OSSEC to no real outcome, and I must say Wazuh is an impressive project, well worth the fork and all your effort.

I have a problem feeding Cisco ESA (email gateway) and WSA (web proxy) security related messages into my wazuh-manager. Using the two methods at hand (either forward to a manager-local rsyslogd and include via <localfile> or direct forward into wazuh-manager:514) I can't seem to get the processing right.

My suspicion is that the predecoder is having problems with timestamps in the (ISO8601?) format like YYYY-MM-DDThh:mm:ss+TZ:tz. If I logtest those messages, the deprecated ossec-logtest reports timestamp and hostname correctly. The wazuh-logtest only reports the timestamp omitting the hostname. If I fake the log message to include a timestamp like "Mar  3 13:07:31" instead the wazuh-logtest seems to like it better. Then the predecoder gives the hostname as expected.

Further on, I have the problem, which I understand applies to some other users as well, that those log messages are registered to the agent.id of the wazuh-manager, regardless of how I add a client matching the hostname in question (I tried agentless and regular).

If only I could override the hostname and/or the agent.id in a custom decoder declaration. I'm however not sure what implications that brings and whether it's a meaningful approach at all.

Any help would be greatly appreciated.
Keep up the good work.

Thanks

Tassilo Erlewein

Fabricio Brunetti

Mar 4, 2021, 7:26:27 AM
to Wazuh mailing list
Hello Tassilo,

It's good to know you appreciate the improvements of Wazuh over ossec.
Could you share a sample of the problematic logs?

Regards,
Fabricio Brunetti

Tassilo Erlewein

Mar 4, 2021, 8:00:46 AM
to Wazuh mailing list
Hello,

Thanks for the reply.
I hope the Cisco appliances are an interesting enough topic for other people too.
Let's have two log line examples from a running ESA:

2021-03-01T13:31:15+01:00 mail.company.com mail_logs: Info: MID 2686598 antivirus positive 'CXmail/MalPE-AZ'
2021-03-01T13:31:15+01:00 mail.company.com antivirus: Warning: sophos  antivirus - MID 2686598 0 - Virus 'CXmail/MalPE-AZ' 'body.scan/Pending Order Confirmation.gz' 1 0

(the idea is to have a virus history added to the wazuh dashboard. Or at least make it appear in the stats...)

I have investigated a bit in the source code. That timestamp format seems indeed to be supported, flagged as "syslog-ng isodate" in analysisd/cleanevent.c
I'm puzzled; my findings must be wrong. Or maybe the logtest tool behaves differently from analysisd?

From the code, my understanding also is that messages flying in via remote syslog are always mapped to the wazuh-manager's agent.id (000) regardless of the originating hostname (mail.company.com). My C programming skills are rusty though; I may get it wrong.

Thanks

Tassilo
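To make the pre-decoding question in this thread concrete, here is an added illustration (not Wazuh's cleanevent.c and not code from either poster) of what a syslog header pre-decoder has to get right on the two ESA lines above: it accepts both the BSD "Mmm dd hh:mm:ss" timestamp and the syslog-ng ISO 8601 timestamp with a numeric zone, then splits off hostname, program_name and the remaining log, and finally pulls the MID, verdict, virus name and attachment out of the `mail_logs` and `antivirus` events so a rule could key on them. The regexes and field names are my own choices for the example; the third sample line is the first event re-stamped in BSD format, as the original poster did when testing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two ESA lines quoted in the thread, plus the
# first event re-stamped in classic BSD syslog format for comparison.
SAMPLE_LOGS = [
    "2021-03-01T13:31:15+01:00 mail.company.com mail_logs: Info: MID 2686598 antivirus positive 'CXmail/MalPE-AZ'",
    "2021-03-01T13:31:15+01:00 mail.company.com antivirus: Warning: sophos  antivirus - MID 2686598 0 - Virus 'CXmail/MalPE-AZ' 'body.scan/Pending Order Confirmation.gz' 1 0",
    "Mar  3 13:07:31 mail.company.com mail_logs: Info: MID 2686598 antivirus positive 'CXmail/MalPE-AZ'",
]

# Two header timestamp shapes: RFC 3164 "Mmm dd hh:mm:ss" (day may be space-padded)
# and ISO 8601 "YYYY-MM-DDThh:mm:ss[.frac](Z|+hh:mm)" as emitted by syslog-ng / the ESA.
BSD_TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
ISO_TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:?\d\d)"

# Optional <PRI>, timestamp, hostname, program name with optional [pid], then the message.
HEADER_RE = re.compile(
    rf"^(?:<\d{{1,3}}>)?(?P<timestamp>{BSD_TS}|{ISO_TS}) "
    rf"(?P<hostname>\S+) "
    rf"(?P<program_name>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    rf"(?P<log>.*)$"
)


@dataclass
class PreDecoded:
    """The fields a syslog pre-decoder is expected to split off the raw line."""
    timestamp: str
    hostname: Optional[str]
    program_name: Optional[str]
    log: str


def predecode(line: str) -> PreDecoded:
    """Split the syslog header; on no match, hand the whole line on untouched."""
    m = HEADER_RE.match(line)
    if not m:
        return PreDecoded(timestamp="", hostname=None, program_name=None, log=line)
    return PreDecoded(m["timestamp"], m["hostname"], m["program_name"], m["log"])


# Field extraction for the two ESA programs seen in the thread (hypothetical names).
MAIL_LOGS_RE = re.compile(
    r"MID (?P<mid>\d+) antivirus (?P<verdict>\w+)(?: '(?P<virus>[^']+)')?"
)
ANTIVIRUS_RE = re.compile(
    r"MID (?P<mid>\d+) .*?Virus '(?P<virus>[^']+)' '(?P<attachment>[^']+)'"
)


def decode_esa(pre: PreDecoded) -> dict:
    """Turn a pre-decoded ESA event into flat fields a rule engine could match on."""
    fields = {"hostname": pre.hostname, "program_name": pre.program_name}
    if pre.program_name == "mail_logs":
        m = MAIL_LOGS_RE.search(pre.log)
    elif pre.program_name == "antivirus":
        m = ANTIVIRUS_RE.search(pre.log)
    else:
        m = None
    if m:
        fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def decode_all(lines=SAMPLE_LOGS) -> list:
    """Run the two stages over every sample line and collect the results."""
    return [decode_esa(predecode(line)) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        pre = predecode(line)
        print(pre.timestamp, pre.hostname, pre.program_name, "->", decode_esa(pre))
```

Running it shows that the hostname is recovered for all three lines as long as the timestamp alternation covers the ISO form; a pre-decoder that only knows the BSD shape will fail the header match and, as described in the first post, fall through with no hostname. Note that this example only parses fields; it does not change which agent.id the event is attributed to, which is a separate concern in the manager.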