Adding entry to CDB list


Samir Kandel

Jun 18, 2023, 10:54:33 PM
to Wazuh mailing list
Hi folks, 

I have recently started using Wazuh for log parsing, visualization, and triggering alerts. I tried to make an exclusion using a CDB list for the safe processes denoted by file paths.

Key: 
C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE

I also tried:
Key:
"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"

When I try to save it, it gives me an error for both of the above keys:

Error saving list: Could not upload CDB list file (1800) - Bad format in CDB list {path}
Could not upload CDB list file (1800) - Bad format in CDB list {path}

Also, no value was added each time a key was added. I have included my approach and the error in screenshots.

Any idea on what the problem is?

Thanks, 

Samir

wazuh_kibana_app_update.png
wazuh_kibana_app_error.png

Aditya Sharma

Jun 18, 2023, 11:24:11 PM
to Wazuh mailing list
Hi Samir,

Based on the error message you provided, it seems that there is an issue with the format of the CDB list file you're trying to save. The error suggests that the format is not correct, which is why you're unable to upload the file.

To troubleshoot this issue, here are a few suggestions:

1. File Format: Ensure that you are using the correct file format for the CDB list file. Wazuh typically uses a simple text file with one entry per line. Each entry should contain the file path or pattern you want to exclude. Make sure there are no extra characters or formatting issues in the file.

2. Encoding: Check the encoding of the CDB list file. It should be in a compatible format, such as UTF-8. If the file has a different encoding, try converting it to UTF-8 and then attempt to upload it again.

3. File Permissions: Verify that you have the necessary permissions to upload and save files in the Wazuh system. Ensure that the user or account you are using has the appropriate privileges.

4. File Size Limit: Check if there is a limit on the file size you can upload. If the CDB list file is too large, it may exceed the allowed limit. In that case, you might need to split the file into smaller chunks or contact the Wazuh support team for assistance.

Please refer to the CDB documentation for the correct format and other details: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

I hope this helps you.

Regards
Aditya Sharma

Samir Kandel

Jun 21, 2023, 8:33:59 PM
to Wazuh mailing list
Dear Aditya, 

Thanks for the quick response. 

I have converted the path into UTF-8 as such:
image.png

I was able to save it successfully this time. 

However, there is another issue that I am having, where <list field="data.win.eventdata.currentDirectory" lookup="match_key">etc/lists/eventdata-currentDirectory-test-list</list> is not matching both of the file paths "C:\\Program Files\\Rivet Networks\\SmartByte\\" and "C:\\WINDOWS\\system32\\". How can this be mitigated? Am I missing something?

Thanks and regards, 

Samir

Samir Kandel

Jun 21, 2023, 8:35:49 PM
to Wazuh mailing list
The image from last email as an attachment: 
wazuh_CDB_list.png
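
An added example, not part of the thread and not Wazuh's own validator: a pre-upload lint for a CDB list file that checks the encoding and per-line format points raised above. It assumes the `key:value` line format from the linked CDB documentation, with a key that contains `:` wrapped in double quotes; `lint_cdb_list` is a hypothetical name, the keys are copied from the thread as posted, and the value `safe` is constructed.

```python
import re

# Assumed grammar: key:value (value may be empty); a key containing ':' is quoted.
QUOTED = re.compile(r'^"(?P<key>[^"]+)":(?P<value>.*)$')
PLAIN = re.compile(r'^(?P<key>[^:"]+):(?P<value>[^:]*)$')
DRIVE = re.compile(r'^[A-Za-z]$')  # a bare drive letter left over as the "key"

def lint_cdb_list(raw: bytes):
    """Return [(line_number, problem)] for a CDB list supplied as raw bytes."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [(0, f"not valid UTF-8 (byte offset {exc.start})")]
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if n == 1 and line.startswith("\ufeff"):
            problems.append((n, "byte order mark before the first key"))
            line = line[1:]
        if not line.strip():
            continue
        m = QUOTED.match(line) or PLAIN.match(line)
        if m is None:
            reason = ("unquoted key contains ':'" if ":" in line
                      else "missing ':' after key")
            problems.append((n, reason))
            continue
        key, value = m["key"], m["value"]
        if DRIVE.match(key) and value.startswith("\\"):
            # "C:\..." parses cleanly, but as key "C" with the path as its value.
            problems.append((n, "drive-letter ':' parsed as separator; quote the key"))
            continue
        if key in seen:
            problems.append((n, f"duplicate of key on line {seen[key]}"))
        seen[key] = n
    return problems

# Constructed sample list built from the paths quoted in the thread.
SAMPLE = (
    rb'C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE' b"\n"
    rb'C:\\WINDOWS\\system32\\:' b"\n"
    rb'"C:\\Program Files\\Rivet Networks\\SmartByte\\":' b"\n"
    rb'"C:\\Program Files\\Rivet Networks\\SmartByte\\":safe' b"\n"
)

if __name__ == "__main__":
    for lineno, problem in lint_cdb_list(SAMPLE):
        print(f"line {lineno}: {problem}")
```
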