RKhunter Logs
412 views
Skip to first unread message
26ayush...@gmail.com
Aug 13, 2021, 4:46:14 AM8/13/21
to Wazuh mailing list
Hello,
I'm trying to integrate RKhunter logs to wazuh. However, I cannot see any alerts related to it, this could be due to no decoders present for it.
I've added the complete path /var/log/rkhunter.log in the agent.conf file to read it from the agents.
Please see the attached log file of rkhunter. I am finding it difficult to decode it, could you please help me on it.
Thank you,
Regards,
Ayush Agarwal
Hanes Nahuel Sciarrone
Aug 18, 2021, 1:55:14 PM8/18/21
to Wazuh mailing list
Hello,
You are right, the issue here is the lack of this specific decoder. Wazuh has only the follow decoders as default:
http://www.wazuh.com/resources/Wazuh_Ruleset.pdf
I could see that you are using centralized configuration because you have written agent.config, Am I right?. If this is the case I deduce that you have this configuration in agent.config:
<localfile>
<frequency>3600</frequency>
<log_format>full_command</log_format>
<command>rkhunter -c --rwo</command>
</localfile>
In the following link you can see all fields available for the "localfile" tag:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=localfile.
I'd suggest applying some custom rules to see alert on manager, you can do this adding rules on /var/ossec/etc/rules/local_rules.xml file. Let me show me an example of this:
<rule id="100001" level="3">
<if_sid>530</if_sid>
<match>^ossec: output: 'rkhunter -c --rwo':</match>
<regex>Warning:</regex>
<check_diff />
<description>RK Hunter Warning</description>
<group>rkhunter,</group>
</rule>
In the following link you can see a deeper explanation of each field's purpose. With this rule created the alert only will trigger when really has a change on logs
You are right, the issue here is the lack of this specific decoder. Wazuh has only the follow decoders as default:
http://www.wazuh.com/resources/Wazuh_Ruleset.pdf
I could see that you are using centralized configuration because you have written agent.config, Am I right?. If this is the case I deduce that you have this configuration in agent.config:
<localfile>
<frequency>3600</frequency>
<log_format>full_command</log_format>
<command>rkhunter -c --rwo</command>
</localfile>
In the following link you can see all fields available for the "localfile" tag:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=localfile.
I'd suggest applying some custom rules to see alert on manager, you can do this adding rules on /var/ossec/etc/rules/local_rules.xml file. Let me show me an example of this:
<rule id="100001" level="3">
<if_sid>530</if_sid>
<match>^ossec: output: 'rkhunter -c --rwo':</match>
<regex>Warning:</regex>
<check_diff />
<description>RK Hunter Warning</description>
<group>rkhunter,</group>
</rule>
In the following link you can see a deeper explanation of each field's purpose. With this rule created the alert only will trigger when really has a change on logs
Reply all
Reply to author
Forward
0 new messages