Snort Log parsing
335 views
Skip to first unread message
GG
Feb 17, 2022, 12:45:55 PM2/17/22
to Wazuh mailing list
Hello All,
The snort logs are not parsed in Kibana. But while running the logtest by giving the log in a single line, I see them parsed. Could you please help me with this.
ossec-testrule: Type one log per line.
[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154
**Phase 1: Completed pre-decoding.
full event: '[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154 '
timestamp: '(null)'
hostname: 'Wazuh-server'
program_name: '(null)'
log: '[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154 '
**Phase 2: Completed decoding.
decoder: 'snort'
id: '122:23:1'
srcip: '*.*.*.*'
dstip: '*.*.*.*'
**Phase 3: Completed filtering (rules).
Rule id: '20100'
Level: '8'
Description: 'First time this IDS alert is generated.'
**Alert to be generated.
[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154
**Phase 1: Completed pre-decoding.
full event: '[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154 '
timestamp: '(null)'
hostname: 'Wazuh-server'
program_name: '(null)'
log: '[**] [122:23:1] "PSNG_UDP_PORTSWEEP_FILTERED" [**] [Classification: Attempted Information Leak] [Priority: 2] 02/17-12:49:07.915611 *.*.*.*:38117 -> *.*.*.*:1514 UDP TTL:64 TOS:0x0 ID:65319 IpLen:20 DgmLen:182 DF Len: 154 '
**Phase 2: Completed decoding.
decoder: 'snort'
id: '122:23:1'
srcip: '*.*.*.*'
dstip: '*.*.*.*'
**Phase 3: Completed filtering (rules).
Rule id: '20100'
Level: '8'
Description: 'First time this IDS alert is generated.'
**Alert to be generated.
But in Kibana, the srcip, dstip etc. are not present. I have attached how it looks in Kibana. Could you please help me with this.
Thanks,
Gisha
elw...@wazuh.com
Feb 18, 2022, 2:29:00 AM2/18/22
to Wazuh mailing list
Hello Gisha,
When monitoring Snort logs, you should use the log format snort-full or snort-fast depending on the type of logs, In your case Can you try the following configuration:
<localfile>
<log_format>snort-full</log_format> <location>/var/log/snort.log</location> </localfile>
Make sure to change the location to your perspective one and restart the agent to apply the configuration.
You can find all format log types here https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=localfile#log-format
Hope this helps.
Regards,
Wali
When monitoring Snort logs, you should use the log format snort-full or snort-fast depending on the type of logs, In your case Can you try the following configuration:
<localfile>
<log_format>snort-full</log_format> <location>/var/log/snort.log</location> </localfile>
Make sure to change the location to your perspective one and restart the agent to apply the configuration.
You can find all format log types here https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=localfile#log-format
Hope this helps.
Regards,
Wali
GG
Feb 18, 2022, 3:47:11 AM2/18/22
to Wazuh mailing list
Thanks Wali. I had the same configuration. I am getting the logs. Only problem is that logs are not parsed.
I think the decoder is taking only the first line of snort full format logs. So only the first line is coming in kibana and that does not have srcip etc.
I tried running the logtest by giving the entire full format log in one line and it was getting parsed.
Is there any way that all lines of logs are considered and not just the first line.
Thank you!
Reply all
Reply to author
Forward
0 new messages