Modifying the wazuh.alerts-3.x index to include additional fields within an existing field


we...@olsdallas.com

Jun 25, 2018, 11:12:50 AM
to Wazuh mailing list
Hello, 

I would like to know the best steps to go about modifying the wazuh.alerts-3.x index to include additional fields for us to create dashboards from. Currently there is a field named "full_log" that provides the entire Windows Security Event log. The goal would be to parse that field so that specific data sets within that field, like Workstation Name, would be included in the index as a field. Is this feasible? If so, what would be the best method to go about implementing such a change?


Thanks,

jesus.g...@wazuh.com

Jul 2, 2018, 9:06:57 AM
to Wazuh mailing list
Hello @west,

Hello CL Martinez,

I'm going to explain a sample procedure to capture fields for your own purposes and how to use them in a Kibana dashboard.

Let's assume the following log:

Application: ERROR(8198): Software Protection Platform Service: (no user): no domain: WIN-GDE1GO1DA68: License Activation (slui.exe) failed with the following error code:  hr=0x87E10BC6  Command-line arguments:  RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=afd55ac6-d0b0-4812-9047-6c756d82bedf;NotificationInterval=1440;Trigger=TimerEvent

Our goal is to catch WIN-GDE1GO1DA68 as value for a new field named domain.

Let's say the log file is located at /tmp/my_log.log. We need to add the following lines to the ossec.conf file of the Wazuh manager:

<localfile>
  <log_format>syslog</log_format>
  <location>/tmp/my_log.log</location>
</localfile>


Create an empty log file:

touch /tmp/my_log.log

At this point, Wazuh manager is reading that log file.

Now we need a new custom decoder:

<decoder name="local_decoder_example">
  <prematch>Application</prematch>
  <regex>no domain: (\S*):</regex>
  <order>domain</order>
</decoder>


And now we are going to create a new rule which is fired after our decoder matches the log:

<rule id="100001" level="5">
  <decoded_as>local_decoder_example</decoded_as>
  <description>This alert is including domain as new field</description>
  <!-- <field> takes a regex that is tested against the decoded value; \.+ matches any non-empty value -->
  <field name="domain">\.+</field>
</rule>


Restart Wazuh manager:

# /var/ossec/bin/ossec-control restart

Now let's append a sample log to our file:

echo 'Application: ERROR(8198): Software Protection Platform Service: (no user): no domain: WIN-GDE1GO1DA68: License Activation (slui.exe) failed with the following error code:  hr=0x87E10BC6  Command-line arguments:  RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=afd55ac6-d0b0-4812-9047-6c756d82bedf;NotificationInterval=1440;Trigger=TimerEvent' >> /tmp/my_log.log


Your alerts.json should now have a new entry with a structure similar to this example:

{"timestamp":"2018-07-02T08:33:00.340-0400","rule":{"level":5,"description":"Hello world!","id":"100001","firedtimes":3,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"osboxes"},"manager":{"name":"osboxes"},"id":"1530534780.125057","cluster":{"name":"wazuh","node":"node01"},"full_log":"Application: ERROR(8198): Software Protection Platform Service: (no user): no domain: WIN-GDE1GO1DA68: License Activation (slui.exe) failed with the following error code:  hr=0x87E10BC6  Command-line arguments:  RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=afd55ac6-d0b0-4812-9047-6c756d82bedf;NotificationInterval=1440;Trigger=TimerEvent","decoder":{"name":"local_decoder_example"},"data":{"domain":"WIN-GDE1GO1DA68"},"predecoder":{"hostname":"osboxes"},"location":"/tmp/my_log.log"}


As you can see, we are including this:

"data":{"domain":"WIN-GDE1GO1DA68"}

If you go to Kibana > Discover you could search for that alert using rule.id for example:

rule.id: 100001

And you'll see that the field data.domain appears and shows a warning message "No cached mapping for this field".
The next step is to go to Kibana > Management > Index patterns, select your desired pattern and click the refresh button
at the top right corner ("Refresh field list"); now you can search by the term data.domain in Discover and/or use
it to create custom dashboards.

Note: If you restart Kibana and the Wazuh App is installed, it will restore the cached mapping for all fields that appear
in index patterns that are compatible with the Wazuh App. If you need help with this task, let us know (fix in progress, sorry
about the inconvenience).


Best regards,
Jesús
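The following script is an added example, not part of Jesús's reply or of the Wazuh project, that models the two places where this procedure can silently fail: the decoder regex not capturing anything from a given line (so the rule never fires and the field never reaches the index), and alerts that did fire but carry no data.domain. It assumes that the decoder's pattern `no domain: (\S*):` means the same thing in Python's re module as in Wazuh's OS_Regex (true for literal text and `\S*`, but not for OS_Regex syntax in general), and the alerts.json lines it checks are constructed samples, not output from a real manager.

```python
import json
import re

# Constructed sample: the raw line quoted in the thread (truncated after the error code).
SAMPLE_LOG = (
    "Application: ERROR(8198): Software Protection Platform Service: (no user): "
    "no domain: WIN-GDE1GO1DA68: License Activation (slui.exe) failed with the "
    "following error code:  hr=0x87E10BC6"
)

# Python translation of the custom decoder from the thread. Wazuh's OS_Regex is not
# PCRE, but a literal prefix followed by \S* means the same in both engines, so this
# is a faithful offline model of that one decoder (assumption, not a general translator).
PREMATCH = "Application"
FIELD_REGEX = re.compile(r"no domain: (\S*):")


def extract_domain(log_line):
    """Model the decoder: the prematch must occur in the line, then the regex
    captures the value that <order>domain</order> names. Returns the captured
    value, or None when the decoder would not produce the field."""
    if PREMATCH not in log_line:
        return None
    match = FIELD_REGEX.search(log_line)
    return match.group(1) if match else None


# Constructed alerts.json lines (one JSON object per line): an alert from rule
# 100001 carrying data.domain, one from the same rule where the decoder captured
# nothing, and an unrelated alert that the check must ignore.
SAMPLE_ALERTS = [
    '{"timestamp":"2018-07-02T08:33:00.340-0400","rule":{"id":"100001","level":5},'
    '"id":"1530534780.125057","decoder":{"name":"local_decoder_example"},'
    '"data":{"domain":"WIN-GDE1GO1DA68"},"location":"/tmp/my_log.log"}',
    '{"timestamp":"2018-07-02T08:34:00.000-0400","rule":{"id":"100001","level":5},'
    '"id":"1530534840.125100","decoder":{"name":"local_decoder_example"},'
    '"location":"/tmp/my_log.log"}',
    '{"timestamp":"2018-07-02T08:35:00.000-0400","rule":{"id":"5710","level":5},'
    '"id":"1530534900.125200","decoder":{"name":"sshd"},"data":{"srcip":"10.0.0.5"}}',
]


def check_alerts(lines, rule_id="100001", field="domain"):
    """Walk alerts.json lines and report, for the given rule id, which alerts
    carry data.<field>. Returns (dict of alert id -> value, list of alert ids
    that fired without the field)."""
    present = {}
    missing = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if alert.get("rule", {}).get("id") != rule_id:
            continue
        value = alert.get("data", {}).get(field)
        if value is None:
            missing.append(alert["id"])
        else:
            present[alert["id"]] = value
    return present, missing


if __name__ == "__main__":
    print("decoder would capture:", extract_domain(SAMPLE_LOG))
    found, lost = check_alerts(SAMPLE_ALERTS)
    print("rule 100001 alerts with data.domain:", found)
    print("rule 100001 alerts missing data.domain:", lost)
```

Run extract_domain over a handful of real lines from your source before restarting the manager; if it returns None for lines you expect to match, the regex needs adjusting, not the index pattern. After deployment, pass the manager's alerts.json (by default under /var/ossec/logs/alerts/) as an open file to check_alerts to confirm the field is actually being emitted before refreshing the field list in Kibana.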

C. L. Martinez

Jul 2, 2018, 9:12:33 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Perfect. Many thanks for your explanation Jesus.
