Getting syslog messages into GUI


Jody Fx

Aug 5, 2022, 12:34:34 PM
to Wazuh mailing list
Hi,

I've been struggling for a while now to get my messages from ESXi into Wazuh.
Currently messages come directly to Wazuh via syslog and are stored in /var/syslog/messages. I can see entries in /var/ossec/logs/archives/archives.json from my ESXi server as well.

Which looks like this:
/var/syslog/messages
Aug  5 16:28:29 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped

/var/ossec/logs/archives/archives.json
{"timestamp":"2022-08-05T18:07:39.243+0200","agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1659715659.5018135","full_log":"Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped","predecoder":{"program_name":"VSANMGMTSVC","timestamp":"Aug  5 16:07:38","hostname":"esxiserver"},"decoder":{},"location":"/var/log/messages"}

Seems like the decoder is not working correctly? Would be grateful for any help or ideas.

Regards

Christian Borla

Aug 5, 2022, 1:57:54 PM
to Wazuh mailing list
Hi Peter!
I hope you are doing fine!
I did a quick test with your example log and I have a doubt: is it correct that esxiserver falls as hostname?
Running the wazuh-logtest tool

/var/ossec/bin/wazuh-logtest
Type one log per line

Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped

**Phase 1: Completed pre-decoding.
    full event: 'Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped'
    timestamp: 'Aug  5 16:07:38'
    hostname: 'esxiserver'
    program_name: 'VSANMGMTSVC'

**Phase 2: Completed decoding.
    No decoder matched.

If that is correct, the decoder could be something like: add this in /var/ossec/etc/decoders/local_decoder.xml

<decoder name="esxi">
  <program_name>VSANMGMTSVC</program_name>
</decoder>

<decoder name="esxi_child">
  <parent>esxi</parent>
  <regex type="pcre2">(\S+)\s+vsand\[\d+\]\s+.*?configInfo:\s+(\w+)</regex>
  <order>status,action</order>
</decoder>

And an example rule: add it in /var/ossec/etc/rules/local_rules.xml

<rule id="100555" level="5">
  <decoded_as>esxi</decoded_as>
  <description>ESXI event</description>
</rule>

Running the wazuh-logtest tool

/var/ossec/bin/wazuh-logtest
Type one log per line

Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped

**Phase 1: Completed pre-decoding.
    full event: 'Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] [opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped'
    timestamp: 'Aug  5 16:07:38'
    hostname: 'esxiserver'
    program_name: 'VSANMGMTSVC'

**Phase 2: Completed decoding.
    name: 'esxi'
    action: 'skipped'
    status: 'info'

**Phase 3: Completed filtering (rules).
    id: '100555'
    level: '5'
    description: 'ESXI event'
    groups: '['syscheck']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

Now it creates an alert, and it should be available in the GUI.
Let me know if this information is useful.
Regards!

Jody Fx

Aug 8, 2022, 3:35:45 AM
to Wazuh mailing list
Hey, thanks, I will test it. Yes, I replaced the actual internal name with "esxiserver".

Jody Fx

Aug 17, 2022, 2:52:20 AM
to Wazuh mailing list
Hi,

I think I still don't get this right. The decoder you created would be just for this specific event (or those which are similar to it)? What do I have to do if I want all my ESXi logs in my Wazuh GUI?

Regards,

Christian Borla

Aug 17, 2022, 8:48:41 AM
to Wazuh mailing list
Hi Peter!
I hope you are doing fine!
Yes, the decoder works only with the example log. I can help you to create a set of decoders for ESXi logs; maybe it's possible to create a generic decoder too, it depends on the format of the logs.
If you want a set of decoders, share an example log for each case.
Regards!
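An added, self-contained Python check (not code from this thread or from Wazuh) that mimics how the posted decoders and rule behave together, which also answers the "only this specific event?" question: the parent decoder matches on program_name, the child only attaches fields, so rule 100555 fires for every VSANMGMTSVC event, not just the configInfo one, while logs from other ESXi daemons stay undecoded until they get their own decoder. It assumes Python's re treats the posted pcre2 pattern the same way Wazuh does (true for this pattern); the sample lines other than the original are constructed, and wazuh-logtest remains the authoritative check.

```python
import re

# Pre-decoder for the BSD syslog header seen in Phase 1 of wazuh-logtest:
# "Mon DD HH:MM:SS hostname PROGRAM: body"
PREDECODER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s]+): (?P<body>.*)$"
)

# The two decoders from the thread: the parent matches on program_name, the
# child extracts fields from the body. Assumption: Python's re treats this
# pcre2 pattern the same way Wazuh does (true for this pattern).
DECODERS = {
    "esxi": {
        "program_name": "VSANMGMTSVC",
        "children": [{"order": ["status", "action"],
                      "regex": re.compile(r"(\S+)\s+vsand\[\d+\]\s+.*?configInfo:\s+(\w+)")}],
    },
}

# Constructed sample lines: the one from the thread, a second VSANMGMTSVC line
# without "configInfo:", and a line from a different ESXi daemon (hostd).
SAMPLE_LOGS = [
    "Aug  5 16:07:38 esxiserver VSANMGMTSVC: info vsand[2102373] "
    "[opID=Thread-2 VsanSystemImpl::_ConfigInfoPrintLog] configInfo: skipped",
    "Aug  5 16:07:40 esxiserver VSANMGMTSVC: info vsand[2102373] "
    "[opID=Thread-2] some other vSAN message",
    "Aug  5 16:07:41 esxiserver Hostd: info hostd[2098851] heartbeat",
]

def decode(line):
    """Return (decoder_name, fields); (None, {}) is 'No decoder matched'."""
    m = PREDECODER.match(line)
    if not m:
        return None, {}
    for name, spec in DECODERS.items():
        if m.group("program_name") != spec["program_name"]:
            continue
        for child in spec["children"]:
            cm = child["regex"].search(m.group("body"))
            if cm:  # child matched: attach the fields in <order>
                return name, dict(zip(child["order"], cm.groups()))
        return name, {}  # parent matched, no child fields
    return None, {}

def rule_fires(line, decoded_as="esxi"):
    """Rule 100555 from the thread: only <decoded_as>esxi</decoded_as>."""
    return decode(line)[0] == decoded_as
```

Run `decode` over each entry of SAMPLE_LOGS: the first yields the status/action fields, the second still decodes as esxi with no fields (so the rule alerts), and the third returns no decoder.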