Wazuh agent not collecting custom logs

[Jayakrishnan P]

Hi all,

I am testing on how to mock a log source in wazuh. My set up is wazuh ova installed on virtualbox and agent installed on host machine. So, what I did was made a log file which have json logs in my host machine and configured its path in ossec.conf file in agent which is in my host machine. I then made a rule in wazuh server(virtualbox) which will fire every time when log's 'src_ip' field is not empty. Rule is written in local_rule.xml btw. The problem is rule is not getting fired everytime a log is added to the monitored log file. It only get fired when I erase some log entries and add a new log. That time rule is fired for all the logs remaining on the file. I feel this to be strange. It will be a great help if anybody could help

Thanks

Jayakrishnan

[Marcos Darío Buslaiman]

Hi Jayakrishnan,
Thanks for using Wazuh!
I will help you with this issue,  and I would like to check your configuration files, could you share with me the ossec.conf file from Wazuh-Manager and agent, and also your custom rule. (Please remember to remove all sensitive data from your config files.)
Regards!

[Jayakrishnan P]

Log file

[Marcos Darío Buslaiman]

Hi Jayakrishnan,

I have been verifying this and I have observed that the monitoring of the file is in real-time, with the consideration that every time a log line is written, it must include a line break, this is because the normal operation is with logs that are written continuously.
In order to test, you can enable the log all, configuration on the manager side on ossec.conf.
<ossec_config>
  <global>
    <logall>yes</logall>
Then, you can keep the following commands on different consoles just to see the behavior when it triggered the alert and when is not. (user your rull.Id I have changed to 100555)

 tail -f /var/ossec/logs/archives/archives.log | grep FIREWALL1
   
 tail -f /var/ossec/logs/alerts/alerts.json | grep "100555"

Then, add log lines to your test file, taking into account the next line at the end.
And you will see on /var/ossec/logs/archives/archives.log each event after adding the new lines and on /var/ossec/logs/alerts/alerts.json only when the alert is triggered.

Please just let me know for any questions.
Best Regards!

[Jayakrishnan P]

Thanks a lot Marcos for helping. I have tried what you said. archives.log or archives.json is not showing the log.  I add log in a new line using notepad.  I believe agent is not even picking the log when a new log is added. Log seems coming to archives.json and alerts.json files when I replace 2 or 3 lines of log with a new one. The my rule is fired for each of the logs present in the log file at the time, after rule no 592(Log file size reduced) is fired. 

Best regards.

[Marcos Darío Buslaiman]

Hi  Jayakrishnan, 
Just to clarify, I think we should review 2 issues:
1) Check the rule is working as you expect, here you need to use the logtest like the following:

[root@localhost ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

{"date":"14/02/2023","src_ip":"","name":"FIREWALL1"}

**Phase 1: Completed pre-decoding.
        full event: '{"date":"14/02/2023","src_ip":"","name":"FIREWALL1"}'

**Phase 2: Completed decoding.
        name: 'json'
        date: '14/02/2023'
        name: 'FIREWALL1'

{"date":"14/02/2023","src_ip":"192.168.1.198","name":"FIREWALL1"}

**Phase 1: Completed pre-decoding.
        full event: '{"date":"14/02/2023","src_ip":"192.168.1.198","name":"FIREWALL1"}'

**Phase 2: Completed decoding.
        name: 'json'
        date: '14/02/2023'
        name: 'FIREWALL1'
        src_ip: '192.168.1.198'

**Phase 3: Completed filtering (rules).
        id: '100555'
        level: '3'
        description: 'FIREWALL1 traffic'
        groups: '['firewall1']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.
So, with this test, you will be sure about your custom rule is working as you expect, in this example, my rule 100555, is alerting when the log line has the field src_ip not empty.

2) The other issue is regarding the log.
To check this, you will need to verify the behavior when a new line is written on your log file. you can test according to what I mentioned in my other post, keeping a tail -f to the logs files, the "archive.log" should be written every time that you add a new line to your log, keeping in mind that your last line should have a "next line", and the alerts.json should write just only when the alarm is triggered (only when the logline has src_ip not empty).
Like the image below, every new line that you add to the file should have a new line at the end:


Please let me know about your tests or if you have some questions about this.
Regards!

[Jayakrishnan P]

Thanks a lot Marcos. You helped me finding the result. Putting a new line was the problem. Your first condition was already met. ie rule is getting fired when the ip field is not empty. I got the new line thing only when I saw your picture even though you said about it earlier(I am not that experienced). Thanks a lot for putting this much effort in this. 

Best Regards

Jayakrishnan

[Marcos Darío Buslaiman]

Excellent Jayakrishnan!
I'm glad to helped you, please if you need other questions or doubts feel free to contact us again.
Best Regards