Problem to find specific messages in the WAZUH/DASHBOARD/EVENTS by filtering
fabrice pons
I'm new to use WAZUH, I test it to get messages from my firewall STORMSHIELD.
I install the WAZUH version :
/var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.9"},{"WAZUH_REVISION":"40322"},{"WAZUH_TYPE":"server"}]}
On system :
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
cat ossec.conf
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>192.168.0.0/24</allowed-ips>
</remote>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wa...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>0</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
....
cat local_rules.xml
....
<group name="stormshield,syslog">
<rule id="100005" level="5">
<decoded_as>stormshield_decoder</decoded_as>
<description>Stormshield logs grouping rule</description>
</rule>
</group>
....
cat local_decoder.xml
<decoder name="local_decoder_example">
<program_name>local_decoder_example</program_name>
</decoder>
<decoder name="stormshield_decoder">
<prematch>id=firewall</prematch>
</decoder>
<decoder name="stormshield_decoder_1">
<parent>stormshield_decoder</parent>
<regex offset="after_parent">Accepted=(\S+)</regex>
<order>Accepted</order>
</decoder>
<decoder name="stormshield_decoder_1">
<parent>stormshield_decoder</parent>
<regex offset="after_parent">action=(\S+)</regex>
<order>action</order>
</decoder>
....
<decoder name="stormshield_decoder_1">
<parent>stormshield_decoder</parent>
<regex offset="after_parent">msg="(\.*)"</regex>
<order>msg</order>
</decoder>
....
I receive the messages in the 2 files :
/var/ossec/logs/archives/archives.json
/var/ossec/logs/archives/archives.log
My problem is the following, I look for the messages : "SSL tunnel created" or "SSL tunnel destroyed" in the field msg
I found them in the 2 files but not in the WAZUH/DASHBOARD/EVENTS by filtring on the field "msg"
I found another messages like "User authenticated in ASQ"
cat archives.log | grep "SSL tunnel created"
2022 Nov 10 09:59:45 srvwazuh01->192.168.0.254 id=firewall time="2022-11-10 09:59:53" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-10 09:59:53" ipproto="TCP" user="XXX_XXXXXXXXXX" domain="xxxx.priv" src=176.168.168.168 remotenet=192.10.10.10 localnet=192.10.10.10 port=21484 msg="SSL tunnel created" logtype="xvpn"
....
cat archives.log | grep "SSL tunnel destroyed"
2022 Nov 10 12:05:33 srvwazuh01->192.168.0.254 id=firewall time="2022-11-10 12:05:40" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-10 12:05:40" ipproto="TCP" user="xxxx_xxxxxxxxxx" domain="xxxx.priv" src=88.88.88.88 remotenet=192.10.10.10 localnet=192.10.10.10 port=54041 msg="SSL tunnel destroyed" logtype="xvpn"
I decode with :
../../bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line
2022 Nov 10 12:05:33 srvwazuh01->192.168.0.254 id=firewall time="2022-11-10 12:05:40" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-10 12:05:40" ipproto="TCP" user="xxxx_xxxxxxxxxx" domain="xxxx.priv" src=88.88.88.88 remotenet=192.10.10.10 localnet=192.10.10.10 port=54041 msg="SSL tunnel destroyed" logtype="xvpn"
**Phase 1: Completed pre-decoding.
full event: '2022 Nov 10 12:05:33 srvwazuh01->192.168.0.254 id=firewall time="2022-11-10 12:05:40" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-10 12:05:40" ipproto="TCP" user="xxxx_xxxxxxxxxx" domain="xxxx.priv" src=88.88.88.88 remotenet=192.10.10.10 localnet=192.10.10.10 port=54041 msg="SSL tunnel destroyed" logtype="xvpn"'
timestamp: '2022 Nov 10 12:05:33'
**Phase 2: Completed decoding.
name: 'stormshield_decoder'
domain: 'xxxx.priv'
dstuser: 'xxxx_xxxxxxxxxx'
fw: 'fw.xxxx.priv'
ipproto: '"TCP"'
localnet: '192.10.10.10'
logtype: 'xvpn'
msg: 'SSL tunnel destroyed'
port: '54041'
proto: '"TCP"'
remotenet: '192.10.10.10'
src: '88.88.88.88'
startime: '2022-11-10 12:05:40'
time: '2022-11-10 12:05:40'
tz: '+0100'
**Phase 3: Completed filtering (rules).
id: '100005'
level: '5'
description: 'Stormshield logs grouping rule'
groups: '['stormshield', 'syslog']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Any help will be very appreciated.
Best regards
Fabrice
Emiliano Zorn
I see that your problem is that you are not finding the alert when you filter by the "msg" field.
But as far as I can see, you don't have such a field assigned to your 100005 rule.
If you filter by any of these fields: mail, firedtimes, groups, description, level, id.
fabrice pons
Hello Emiliano,
For the moment, I don’t test the alert, I shall like to create a dashboard for the connection VPN on my firewall.
When a connection begins, a first message is send to syslog server “SSL VPN created”, then “User authenticated from ASQ”, at the end of connection “User deauthenticated from ASQ” and “SSL tunnel destroyed”
I don’t understand why when I do filtering on field msg I don’t have all the messages send by STORMSHIELD, only “User authenticated from ASQ” and “User authenticated from ASQ”
I add the filtering rule.groups withe value "stormshield" but I’m not lucky one, it's same result.
Thank you for your help.
Best regards
Fabrice
Emiliano Zorn
It is strange because when you check the rule, it gives you the following information:
**Phase 2: Completed decoding.
name: 'stormshield_decoder'
domain: 'xxxx.priv'
dstuser: 'xxxx_xxxxxxxxxx'
fw: 'fw.xxxx.priv'
ipproto: '"TCP"'
localnet: '192.10.10.10'
logtype: 'xvpn'
msg: 'SSL tunnel destroyed'
port: '54041'
proto: '"TCP"'
remotenet: '192.10.10.10'
src: '88.88.88.88'
startime: '2022-11-10 12:05:40'
time: '2022-11-10 12:05:40'
tz: '+0100'
**Phase 3: Completed filtering (rules).
id: '100005'
level: '5'
description: 'Stormshield logs grouping rule'
groups: '['stormshield', 'syslog']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
Can you provide me with the logs you are working with so I can test on my side?
fabrice pons
Hello Emiliano,
The logs for the problem « tunnel » :
2022 Nov 18 08:56:15 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 08:56:23" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 08:56:23" ipproto="TCP" user="toto" domain="xxxx.priv" src=91.171.31.250 remotenet=192.10.172.6 localnet=192.10.172.5 port=61748 msg="SSL tunnel created" logtype="xvpn"
2022 Nov 18 10:08:34 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 10:08:42" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 10:08:42" ipproto="TCP" user="tata" domain="xxxx.priv" src=176.168.168.100 remotenet=192.10.172.10 localnet=192.10.172.9 port=3098 msg="SSL tunnel created" logtype="xvpn"
2022 Nov 18 10:49:11 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 10:49:20" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 10:49:20" ipproto="TCP" user="tata" domain="xxxx.priv" src=176.168.168.100 remotenet=192.10.172.10 localnet=192.10.172.9 port=3098 msg="SSL tunnel destroyed" logtype="xvpn"
2022 Nov 18 15:05:50 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 15:05:59" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 15:05:59" ipproto="TCP" user="titi" domain="xxxx.priv" src=88.209.80.142 remotenet=192.10.172.10 localnet=192.10.172.9 port=57993 msg="SSL tunnel created" logtype="xvpn"
2022 Nov 18 16:26:37 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 16:26:46" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 16:26:46" ipproto="TCP" user="titi" domain="xxxx.priv" src=88.209.80.142 remotenet=192.10.172.10 localnet=192.10.172.9 port=57993 msg="SSL tunnel destroyed" logtype="xvpn"
2022 Nov 18 16:28:07 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 16:28:15" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 16:28:15" ipproto="TCP" user="tata" domain="xxxx.priv" src=176.168.168.100 remotenet=192.10.172.10 localnet=192.10.172.9 port=57510 msg="SSL tunnel created" logtype="xvpn"
2022 Nov 18 16:30:15 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 16:30:24" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 16:30:24" ipproto="TCP" user="tata" domain="xxxx.priv" src=176.168.168.100 remotenet=192.10.172.10 localnet=192.10.172.9 port=57510 msg="SSL tunnel destroyed" logtype="xvpn"
2022 Nov 18 17:47:35 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 17:47:44" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 17:47:44" ipproto="TCP" user="toto" domain="xxxx.priv" src=91.171.31.250 remotenet=192.10.172.6 localnet=192.10.172.5 port=61748 msg="SSL tunnel destroyed" logtype="xvpn"
root@srvwazuh01:/var/ossec/logs/archives/temp# /var/ossec/bin/wazuh-logtest -v
Starting wazuh-logtest v4.3.10
Type one log per line
2022 Nov 18 16:26:37 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 16:26:46" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 16:26:46" ipproto="TCP" user="titi" domain="xxxx.priv" src=88.209.80.142 remotenet=192.10.172.10 localnet=192.10.172.9 port=57993 msg="SSL tunnel destroyed" logtype="xvpn"
**Phase 1: Completed pre-decoding.
full event: '2022 Nov 18 16:26:37 srvwazuh01->192.168.0.254 id=firewall time="2022-11-18 16:26:46" fw="fw.xxxx.priv" tz=+0100 startime="2022-11-18 16:26:46" ipproto="TCP" user="titi" domain="xxxx.priv" src=88.209.80.142 remotenet=192.10.172.10 localnet=192.10.172.9 port=57993 msg="SSL tunnel destroyed" logtype="xvpn"'
timestamp: '2022 Nov 18 16:26:37'
**Phase 2: Completed decoding.
name: 'stormshield_decoder'
stormshield_domain: 'xxxx.priv'
stormshield_fw: 'fw.xxxx.priv'
stormshield_ipproto: '"TCP"'
stormshield_localnet: '192.10.172.9'
stormshield_logtype: 'xvpn'
stormshield_msg: 'SSL tunnel destroyed'
stormshield_port: '57993'
stormshield_proto: '"TCP"'
stormshield_remotenet: '192.10.172.10'
stormshield_src: '88.209.80.142'
stormshield_startime: '2022-11-18 16:26:46'
stormshield_time: '2022-11-18 16:26:46'
stormshield_tz: '+0100'
stormshield_user: 'titi'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched
*Trying child rules
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 650 - Active Response JSON Messages Grouped
Trying rule: 200 - Grouping of wazuh rules.
Trying rule: 400 - Rules for Wazuh API events.
Trying rule: 420 - Rules for Wazuh API events.
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages.
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5905 - useradd failed.
Trying rule: 5400 - Initial group for sudo messages.
Trying rule: 9100 - PPTPD messages grouped.
Trying rule: 9200 - Squid syslog messages grouped.
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 2940 - NetworkManager grouping.
Trying rule: 2943 - nouveau driver grouping.
Trying rule: 2962 - Perdition custom app group.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3395 - Grouping of the postfix warning rules.
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4700 - Grouping of Cisco IOS rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5556 - unix_chkpwd grouping.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
Trying rule: 7200 - Arpwatch messages grouped.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages grouped.
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 9770 - dovecot-info grouping.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11310 - Rule grouping for pure ftpd transfers.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - Grouping for the nmbd rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 30100 - Apache: Messages grouped.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 40700 - Systemd rules
Trying rule: 40900 - firewalld grouping
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 51525 - ftp-proxy cannot connect to a server.
Trying rule: 51526 - Hard drive is dying.
Trying rule: 51527 - CARP master to backup.
Trying rule: 51528 - Duplicate IPv6 address.
Trying rule: 51529 - Could not load a firmware.
Trying rule: 51530 - hotplugd could not open a file.
Trying rule: 51532 - Bad ntp peer.
Trying rule: 51550 - doas grouping
Trying rule: 52500 - Clamd messages grouped.
Trying rule: 52501 - ClamAV: database update
Trying rule: 53500 - OpenSMTPd grouping.
Trying rule: 500000 - Unbound grouping.
Trying rule: 80000 - Puppet Master messages grouped.
Trying rule: 80001 - Puppet Agent messages grouped.
Trying rule: 80100 - Netscaler messages grouped.
Trying rule: 80200 - AWS alert.
Trying rule: 80500 - Serv-u messages grouped.
Trying rule: 80700 - Audit: Messages grouped.
Trying rule: 81100 - USB messages grouped.
Trying rule: 81300 - Redis messages grouped.
Trying rule: 81400 - OpenSCAP messages grouped.
Trying rule: 44400 - FortiNet Rules.
Trying rule: 81600 - Fortigate v3 messages grouped.
Trying rule: 81601 - Fortigate v4 messages grouped.
Trying rule: 81602 - Fortigate v5 messages grouped.
Trying rule: 81641 - Fortigate v6 messages grouped.
Trying rule: 44640 - FortiMail Rules.
Trying rule: 44698 - FortiMail: System Event System log messages.
Trying rule: 44730 - Alert from Forti Authenticator.
Trying rule: 81700 - HP 5500 EI messages grouped.
Trying rule: 81800 - OpenVPN messages grouped.
Trying rule: 81900 - RSA Authentication Manager messages grouped.
Trying rule: 82000 - Imperva messages grouped.
Trying rule: 82100 - Sophos alerts.
Trying rule: 64270 - savscan category
Trying rule: 64274 - Update category
Trying rule: 82200 - FreeIPA syslog.
Trying rule: 82400 - Cisco eStreamer messages grouped.
Trying rule: 85000 - SQL Server messages.
Trying rule: 85500 - Identity Guard Log.
Trying rule: 85750 - MongoDB messages
Trying rule: 86000 - Docker messages
Trying rule: 86250 - Jenkins messages
Trying rule: 86800 - VShell message grouped.
Trying rule: 86600 - Suricata messages.
Trying rule: 86900 - Qualysguard messages grouped.
Trying rule: 87000 - Cylance events messages grouped.
Trying rule: 87050 - Cylance threats messages grouped.
Trying rule: 87100 - VirusTotal integration messages.
Trying rule: 87200 - pvedaemon messages grouped.
Trying rule: 87300 - ownCloud messages grouped.
Trying rule: 87310 - ownCloud messages grouped.
Trying rule: 22401 - Vuls integration event.
Trying rule: 87402 - CIS-CAT events.
Trying rule: 87403 - Old CIS-CAT events.
Trying rule: 87500 - Exim: SMTP Messages Grouped.
Trying rule: 87501 - dovecot messages grouped.
Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
Trying rule: 87600 - OpenVAS (gsad) messages grouped.
Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
Trying rule: 88000 - Percona Server audit events grouped.
Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
Trying rule: 88100 - MariaDB group messages.
Trying rule: 87700 - pfSense firewall rules grouped.
Trying rule: 87900 - Docker alerts: $(docker.Type)
Trying rule: 64000 - Grouping of cisco-ASA rules
Trying rule: 65500 - Mcafee EPO2
Trying rule: 88200 - NextCloud messages grouped.
Trying rule: 88201 - NextCloud messages grouped.
Trying rule: 67100 - Junos IDS
Trying rule: 67102 - Junos RT Flow
Trying rule: 64200 - PANDA Antivirus event.
Trying rule: 64220 - Checkpoint events.
Trying rule: 65000 - GCP alert.
Trying rule: 65260 - F5 Networks BigIP events
Trying rule: 65293 - F5 BigIP CEF decoded grouped alerts
Trying rule: 64500 - Palo Alto $(type) event.
Trying rule: 70020 - Sophos XG210 Firewall event
Trying rule: 70000 - FreePBX parent
Trying rule: 91100 - GitHub alert.
Trying rule: 91531 - Office 365: $(office365.Workload) $(office365.Operation) operation.
Trying rule: 88800 - Arbor
Trying rule: 150100 - FireEye
Trying rule: 89200 - Grouping of Huawei USG rules.
Trying rule: 91500 - cisco-ftd rules
Trying rule: 42001 - ESET console logs.
Trying rule: 92501 - Cloudflare WAF rules
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
Trying rule: 91002 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-26855).
Trying rule: 91003 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-27065).
Trying rule: 2301 - xinetd: Excessive number connections to a service.
Trying rule: 2502 - syslog: User missed the password more than one time
Trying rule: 2504 - syslog: Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking.
Trying rule: 5901 - New group added to the system.
Trying rule: 5902 - New user added to the system.
Trying rule: 5904 - Information from the user was changed.
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 18128 - Windows: Group account added/changed/deleted.
Trying rule: 1007 - File system full.
Trying rule: 5134 - RNGD failure
Trying rule: 89101 - Oracle DB alerts.
Trying rule: 30200 - Modsecurity alert.
Trying rule: 87508 - Exim: RCPT rejected. Error: $(error_message).
Trying rule: 1004 - Syslogd exiting (logging stopped).
Trying rule: 1005 - Syslogd restarted.
Trying rule: 1006 - Syslogd restarted.
Trying rule: 1008 - Process exiting (killed).
Trying rule: 1010 - Process segfaulted.
Trying rule: 2501 - syslog: User authentication failure.
Trying rule: 2503 - syslog: Connection blocked by Tcp Wrappers.
Trying rule: 5604 - telnetd: Reverse lookup error (bad hostname config).
Trying rule: 14101 - racoon: VPN authentication failed.
Trying rule: 66001 - Zeek: SSH Connection
Trying rule: 66002 - Zeek: SSL Connection
Trying rule: 66003 - Zeek: DNS Query
Trying rule: 66004 - Zeek: Connection detail
Trying rule: 65601 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65602 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 65607 - (Gitlab) $(message).
Trying rule: 65609 - (Gitlab) $(severity):$(message).
Trying rule: 65611 - (Gitlab) $(severity):$(message).
Trying rule: 65617 - (Gitlab) $(severity): $(message).
Trying rule: 65619 - (Gitlab) $(severity): $(message).
Trying rule: 65622 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65623 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 900001 - Stormshield logs grouping rule
*Rule 900001 matched
**Phase 3: Completed filtering (rules).
id: '900001'
level: '5'
description: 'Stormshield logs grouping rule'
groups: '['stormshield', 'syslog']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
^C
root@srvwazuh01:/var/ossec/logs/archives/temp#
I’ve the same problem with alcatel switch :
Logs :
2022 Nov 21 10:19:56 IM2S_6250_4->192.168.1.244 Nov 21 10:19:56 IM2S_6250_4 SSH(109) Data: Session 29 New SSH Connection from 192.168.1.11 port 55804
2022 Nov 21 10:20:15 IM2S_6250_4->192.168.1.244 Nov 21 10:20:16 IM2S_6250_4 LINKAGG(12) Data: la_cmm_to_lani_send_conf_f event:Send CONF SYNCHRO to target slot 1
2022 Nov 21 10:20:15 IM2S_6250_4->192.168.1.244 Nov 21 10:20:16 IM2S_6250_4 LINKAGG(12) Data: LA_CONF_SYNCHRO_EVT event from CMM received - slot :1
2022 Nov 21 10:20:20 IM2S_6250_4->192.168.1.244 Nov 21 10:20:20 IM2S_6250_4 CLI(67) Data: USERCMD: <admin> <192.168.1.11> [write memory] <SUCCESS>
2022 Nov 21 10:23:53 IM2S_6250_4->192.168.1.244 Nov 21 10:23:53 IM2S_6250_4 NTP(29) Data: NTP server 138.96.64.10 is unreachable.
My decoder :
<decoder name="essai_switch_decoder_essai">
<prematch>\s\w\w\w\s\d\d\s\d\d:\d\d:\d\d\sIM2S_6250_4\s</prematch>
</decoder>
<decoder name="essai_switch_decoder_1">
<parent>essai_switch_decoder_essai</parent>
<regex offset="after_parent">(\.+)</regex>
<order>essai_c1</order>
</decoder>
My rule :
<!-- Switch essai essai Rules 15112022 -->
<group name="essai_switch,syslog">
<rule id="900004" level="5">
<decoded_as>essai_switch_decoder_essai</decoded_as>
<description>essai Switch essai logs grouping rule</description>
</rule>
</group>
root@srvwazuh01:/var/ossec/logs/archives# /var/ossec/bin/wazuh-logtest -v
Starting wazuh-logtest v4.3.10
Type one log per line
2022 Nov 21 10:19:56 IM2S_6250_4->192.168.1.244 Nov 21 10:19:56 IM2S_6250_4 SSH(109) Data: Session 29 New SSH Connection from 192.168.1.11 port 55804
**Phase 1: Completed pre-decoding.
full event: '2022 Nov 21 10:19:56 IM2S_6250_4->192.168.1.244 Nov 21 10:19:56 IM2S_6250_4 SSH(109) Data: Session 29 New SSH Connection from 192.168.1.11 port 55804'
timestamp: '2022 Nov 21 10:19:56'
**Phase 2: Completed decoding.
name: 'essai_switch_decoder_essai'
essai_c1: 'SSH(109) Data: Session 29 New SSH Connection from 192.168.1.11 port 55804'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched
*Trying child rules
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 650 - Active Response JSON Messages Grouped
Trying rule: 200 - Grouping of wazuh rules.
Trying rule: 400 - Rules for Wazuh API events.
Trying rule: 420 - Rules for Wazuh API events.
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages.
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5905 - useradd failed.
Trying rule: 5400 - Initial group for sudo messages.
Trying rule: 9100 - PPTPD messages grouped.
Trying rule: 9200 - Squid syslog messages grouped.
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 2940 - NetworkManager grouping.
Trying rule: 2943 - nouveau driver grouping.
Trying rule: 2962 - Perdition custom app group.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3395 - Grouping of the postfix warning rules.
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4700 - Grouping of Cisco IOS rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5556 - unix_chkpwd grouping.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
Trying rule: 7200 - Arpwatch messages grouped.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages grouped.
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 9770 - dovecot-info grouping.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11310 - Rule grouping for pure ftpd transfers.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - Grouping for the nmbd rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 30100 - Apache: Messages grouped.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 40700 - Systemd rules
Trying rule: 40900 - firewalld grouping
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 51525 - ftp-proxy cannot connect to a server.
Trying rule: 51526 - Hard drive is dying.
Trying rule: 51527 - CARP master to backup.
Trying rule: 51528 - Duplicate IPv6 address.
Trying rule: 51529 - Could not load a firmware.
Trying rule: 51530 - hotplugd could not open a file.
Trying rule: 51532 - Bad ntp peer.
Trying rule: 51550 - doas grouping
Trying rule: 52500 - Clamd messages grouped.
Trying rule: 52501 - ClamAV: database update
Trying rule: 53500 - OpenSMTPd grouping.
Trying rule: 500000 - Unbound grouping.
Trying rule: 80000 - Puppet Master messages grouped.
Trying rule: 80001 - Puppet Agent messages grouped.
Trying rule: 80100 - Netscaler messages grouped.
Trying rule: 80200 - AWS alert.
Trying rule: 80500 - Serv-u messages grouped.
Trying rule: 80700 - Audit: Messages grouped.
Trying rule: 81100 - USB messages grouped.
Trying rule: 81300 - Redis messages grouped.
Trying rule: 81400 - OpenSCAP messages grouped.
Trying rule: 44400 - FortiNet Rules.
Trying rule: 81600 - Fortigate v3 messages grouped.
Trying rule: 81601 - Fortigate v4 messages grouped.
Trying rule: 81602 - Fortigate v5 messages grouped.
Trying rule: 81641 - Fortigate v6 messages grouped.
Trying rule: 44640 - FortiMail Rules.
Trying rule: 44698 - FortiMail: System Event System log messages.
Trying rule: 44730 - Alert from Forti Authenticator.
Trying rule: 81700 - HP 5500 EI messages grouped.
Trying rule: 81800 - OpenVPN messages grouped.
Trying rule: 81900 - RSA Authentication Manager messages grouped.
Trying rule: 82000 - Imperva messages grouped.
Trying rule: 82100 - Sophos alerts.
Trying rule: 64270 - savscan category
Trying rule: 64274 - Update category
Trying rule: 82200 - FreeIPA syslog.
Trying rule: 82400 - Cisco eStreamer messages grouped.
Trying rule: 85000 - SQL Server messages.
Trying rule: 85500 - Identity Guard Log.
Trying rule: 85750 - MongoDB messages
Trying rule: 86000 - Docker messages
Trying rule: 86250 - Jenkins messages
Trying rule: 86800 - VShell message grouped.
Trying rule: 86600 - Suricata messages.
Trying rule: 86900 - Qualysguard messages grouped.
Trying rule: 87000 - Cylance events messages grouped.
Trying rule: 87050 - Cylance threats messages grouped.
Trying rule: 87100 - VirusTotal integration messages.
Trying rule: 87200 - pvedaemon messages grouped.
Trying rule: 87300 - ownCloud messages grouped.
Trying rule: 87310 - ownCloud messages grouped.
Trying rule: 22401 - Vuls integration event.
Trying rule: 87402 - CIS-CAT events.
Trying rule: 87403 - Old CIS-CAT events.
Trying rule: 87500 - Exim: SMTP Messages Grouped.
Trying rule: 87501 - dovecot messages grouped.
Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
Trying rule: 87600 - OpenVAS (gsad) messages grouped.
Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
Trying rule: 88000 - Percona Server audit events grouped.
Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
Trying rule: 88100 - MariaDB group messages.
Trying rule: 87700 - pfSense firewall rules grouped.
Trying rule: 87900 - Docker alerts: $(docker.Type)
Trying rule: 64000 - Grouping of cisco-ASA rules
Trying rule: 65500 - Mcafee EPO2
Trying rule: 88200 - NextCloud messages grouped.
Trying rule: 88201 - NextCloud messages grouped.
Trying rule: 67100 - Junos IDS
Trying rule: 67102 - Junos RT Flow
Trying rule: 64200 - PANDA Antivirus event.
Trying rule: 64220 - Checkpoint events.
Trying rule: 65000 - GCP alert.
Trying rule: 65260 - F5 Networks BigIP events
Trying rule: 65293 - F5 BigIP CEF decoded grouped alerts
Trying rule: 64500 - Palo Alto $(type) event.
Trying rule: 70020 - Sophos XG210 Firewall event
Trying rule: 70000 - FreePBX parent
Trying rule: 91100 - GitHub alert.
Trying rule: 91531 - Office 365: $(office365.Workload) $(office365.Operation) operation.
Trying rule: 88800 - Arbor
Trying rule: 150100 - FireEye
Trying rule: 89200 - Grouping of Huawei USG rules.
Trying rule: 91500 - cisco-ftd rules
Trying rule: 42001 - ESET console logs.
Trying rule: 92501 - Cloudflare WAF rules
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
Trying rule: 91002 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-26855).
Trying rule: 91003 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-27065).
Trying rule: 2301 - xinetd: Excessive number connections to a service.
Trying rule: 2502 - syslog: User missed the password more than one time
Trying rule: 2504 - syslog: Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking.
Trying rule: 5901 - New group added to the system.
Trying rule: 5902 - New user added to the system.
Trying rule: 5904 - Information from the user was changed.
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 18128 - Windows: Group account added/changed/deleted.
Trying rule: 1007 - File system full.
Trying rule: 5134 - RNGD failure
Trying rule: 89101 - Oracle DB alerts.
Trying rule: 30200 - Modsecurity alert.
Trying rule: 87508 - Exim: RCPT rejected. Error: $(error_message).
Trying rule: 1004 - Syslogd exiting (logging stopped).
Trying rule: 1005 - Syslogd restarted.
Trying rule: 1006 - Syslogd restarted.
Trying rule: 1008 - Process exiting (killed).
Trying rule: 1010 - Process segfaulted.
Trying rule: 2501 - syslog: User authentication failure.
Trying rule: 2503 - syslog: Connection blocked by Tcp Wrappers.
Trying rule: 5604 - telnetd: Reverse lookup error (bad hostname config).
Trying rule: 14101 - racoon: VPN authentication failed.
Trying rule: 66001 - Zeek: SSH Connection
Trying rule: 66002 - Zeek: SSL Connection
Trying rule: 66003 - Zeek: DNS Query
Trying rule: 66004 - Zeek: Connection detail
Trying rule: 65601 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65602 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 65607 - (Gitlab) $(message).
Trying rule: 65609 - (Gitlab) $(severity):$(message).
Trying rule: 65611 - (Gitlab) $(severity):$(message).
Trying rule: 65617 - (Gitlab) $(severity): $(message).
Trying rule: 65619 - (Gitlab) $(severity): $(message).
Trying rule: 65622 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65623 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 900001 - Stormshield logs grouping rule
Trying rule: 900004 - essai Switch essai logs grouping rule
*Rule 900004 matched
**Phase 3: Completed filtering (rules).
id: '900004'
level: '5'
description: 'essai Switch essai logs grouping rule'
groups: '['essai_switch', 'syslog']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
^C
root@srvwazuh01:/var/ossec/logs/archives#
Nothing appears in dashboard, field essai_c1 does not exist…
I try to search with id from json file but nothing
Thank you
Best Regards
Fabrice
fabrice pons
fabrice pons
Sorry for the spam but I found something for my alcatel switch problem :
I receive from my switch on WAZUH syslog server, it writes to files :
LOG file :
2022 Nov 23 00:38:25 XXXX_6250_3SS->192.168.1.237 Nov 23 00:38:25 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 01:14:08 XXXX_6250_3SS->192.168.1.237 Nov 23 01:14:08 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 02:25:14 XXXX_6250_3SS->192.168.1.237 Nov 23 02:25:14 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 03:37:23 XXXX_6250_3SS->192.168.1.237 Nov 23 03:37:23 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 04:13:07 XXXX_6250_3SS->192.168.1.237 Nov 23 04:13:07 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 05:16:18 XXXX_6250_3SS->192.168.1.237 Nov 23 05:16:18 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 05:51:56 XXXX_6250_3SS->192.168.1.237 Nov 23 05:51:56 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 07:02:58 XXXX_6250_3SS->192.168.1.237 Nov 23 07:02:58 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 09:38:56 XXXX_6250_3SS->192.168.1.237 Nov 23 09:38:56 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
2022 Nov 23 10:14:28 XXXX_6250_3SS->192.168.1.237 Nov 23 10:14:28 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.
JSON file :
{"timestamp":"2022-11-23T00:38:25.489+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669160305.34145876","full_log":"Nov 23 00:38:25 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 00:38:25","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T01:14:08.460+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669162448.64610882","full_log":"Nov 23 01:14:08 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 01:14:08","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T02:25:14.402+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669166714.117259009","full_log":"Nov 23 02:25:14 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 02:25:14","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T03:37:23.343+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669171043.170734083","full_log":"Nov 23 03:37:23 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 03:37:23","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T04:13:07.314+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669173187.199701333","full_log":"Nov 23 04:13:07 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 04:13:07","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T05:16:18.263+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669176978.243669240","full_log":"Nov 23 05:16:18 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 05:16:18","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T05:51:56.235+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669179116.270904994","full_log":"Nov 23 05:51:56 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 05:51:56","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T07:02:58.342+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669183378.351294527","full_log":"Nov 23 07:02:58 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 07:02:58","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T09:38:56.062+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669192736.855471493","full_log":"Nov 23 09:38:56 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 09:38:56","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
{"timestamp":"2022-11-23T10:14:28.019+0100","agent":{"id":"000","name":"srvwazuh01"},"manager":{"name":"srvwazuh01"},"id":"1669194868.1026772965","full_log":"Nov 23 10:14:28 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.\n \n","predecoder":{"timestamp":"Nov 23 10:14:28","hostname":"XXXX_6250_3SS"},"decoder":{},"location":"192.168.1.237"}
my decoder :
<decoder name="alcatel_switch_decoder_XXXX_6250_3SS">
<prematch>\s\w\w\w\s\d\d\s\d\d:\d\d:\d\d\sXXXX_6250_3SS\s</prematch>
</decoder>
<decoder name="alcatel_switch_decoder_1">
<parent>alcatel_switch_decoder_XXXX_6250_3SS</parent>
<regex offset="after_parent">(\.+)\((\.+)\)\sData:\s(\.+)</regex>
<order>alcatel_switch_task,alcatel_switch_typetask,alcatel_switch_msg</order>
</decoder>
my rule :
<group name="alcatel_switch,syslog,">
<rule id="900108" level="5">
<decoded_as>alcatel_switch_decoder_XXXX_6250_3SS</decoded_as>
<description>Alcatel Switch XXXX_6250_3SS logs grouping rule</description>
</rule>
</group>
test decoder :
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line
**Phase 1: Completed pre-decoding.
full event: '2022 Nov 23 10:14:28 XXXX_6250_3SS->192.168.1.237 Nov 23 10:14:28 XXXX_6250_3SS NTP(29) Data: NTP server 138.96.64.10 is unreachable.'
timestamp: '2022 Nov 23 10:14:28'
**Phase 2: Completed decoding.
name: 'alcatel_switch_decoder_XXXX_6250_3SS'
alcatel_switch_msg: 'NTP server 138.96.64.10 is unreachable.'
alcatel_switch_task: 'NTP'
alcatel_switch_typetask: '29'
**Phase 3: Completed filtering (rules).
level: '5'
description: 'Alcatel Switch XXXX_6250_3SS logs grouping rule'
groups: '['alcatel_switch', 'syslog']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
^C
Why in the log file JSON this field is empty ? "decoder":{}
Do you have an idea ?
Thank you
Best regards,
Fabrice
Emiliano Zorn
I am glad that now the VPN-destroyed messages are being displayed in the Dashboard, logically, if the rule and decoder is correctly applied, you should see the alert in the Wazuh Security Events Dashboard.
What I find strange is that you still cannot see the events related to rule 900108, applied and attached in the previous message.
What happens if you filter by the rule number from the "Discovery" section in the OpenSearch Menu?
fabrice pons
fabrice pons
swlog syslog-facility-id syslog
swlog remote command-log enable
swlog console level info