How to get Router (like Cisco, MikroTik, etc.) syslogs.


Lokman Hakim

Apr 2, 2020, 7:57:56 AM
to Wazuh mailing list

Hi Guys,
I face a problem with router syslog. The wazuh-manager configuration is done and the service is up and running. It is configured like this:
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <allowed-ips>192.168.1.1</allowed-ips>
  <protocol>udp</protocol>
  <queue_size>16384</queue_size>
</remote>

But when I forward logs from the MikroTik router to the wazuh manager, I get this message:

2020/04/02 17:31:40 ossec-remoted WARNING:  (1213): Message from '192.168.88.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

If more info is required, please see below.
========================================
Wazuh Manager status.
=====================
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 17:48:02 +06; 7s ago
  Process: 12103 ExecStop=/usr/bin/env ${DIRECTORY}/bin/ossec-control stop (code=exited, status=0/SUCCESS)
  Process: 12224 ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─12309 /var/ossec/bin/ossec-authd



Service  Wazuh v3.12.0
============================
[root@wazuh_server ~]# /var/ossec/bin/ossec-control restart
wazuh-clusterd not running...
Killing wazuh-modulesd...
Killing ossec-monitord...
Killing ossec-logcollector...
Killing ossec-remoted...
Killing ossec-syscheckd...
Killing ossec-analysisd...
ossec-maild not running...
Killing ossec-execd...
Killing wazuh-db...
Killing ossec-authd...
ossec-agentlessd not running...
ossec-integratord not running...
ossec-dbd not running...
ossec-csyslogd not running...
Wazuh v3.12.0 Stopped
Starting Wazuh v3.12.0...
Started ossec-csyslogd...
Started ossec-dbd...
2020/04/02 17:45:57 ossec-integratord: INFO: Remote integrations not configured. Clean exit.
Started ossec-integratord...
Started ossec-agentlessd...
Started ossec-authd...
Started wazuh-db...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-syscheckd...
Started ossec-remoted...
Started ossec-logcollector...
Started ossec-monitord...
Started wazuh-modulesd...
Completed.

Note: Please help me from your end.

Mauro Ezequiel Moltrasio

Apr 2, 2020, 9:24:54 AM
to Wazuh mailing list
Hi Lokman,

The secure connection type on remote tags is used by agents. In order to capture logs from a router, you need to define another remote tag with a syslog type of connection on a different port, for instance:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <allowed-ips>192.168.1.1</allowed-ips>
  <protocol>udp</protocol>
  <queue_size>16384</queue_size>
</remote>

Remember to change the port on the router and restart the manager after changing this configuration.

For some more details on this configuration, you can check out this link

Let me know if this was useful and if you need any further help.

Best regards,
Mauro Moltrasio.

Lokman Hakim

Apr 2, 2020, 9:48:49 PM
to Wazuh mailing list
Hello Mauro,

Thanks for your reply.
I did; after configuring it, the service will not come up and run.

* I'm trying to configure it two ways. The first time I configured it like this:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.1</allowed-ips>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>udp</protocol>
  <queue_size>16384</queue_size>
</remote>

** The second time I configured it like this:
------------------------------------------------------

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.1</allowed-ips>
  <local_ip>192.168.1.11</local_ip>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>udp</protocol>
  <queue_size>16384</queue_size>
</remote>


journalctl -xe error log below:
================================================
--
-- Unit wazuh-manager.service has failed.
--
-- The result is failed.
Apr 03 07:27:39 wazuh_server.ufl.com systemd[1]: Unit wazuh-manager.service entered failed state.
Apr 03 07:27:39 wazuh_server.ufl.com systemd[1]: wazuh-manager.service failed.
Apr 03 07:27:39 wazuh_server.ufl.com polkitd[627]: Unregistered Authentication Agent for unix-process:22048:3558201 (system bus name :1.71, object path /org/
Apr 03 07:27:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:27:47.790+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:28:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:28:17.793+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:28:24 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:28:24.077+0600        INFO        log/harvester.go:324        File is inactive: /var/ossec
Apr 03 07:28:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:28:47.793+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:29:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:29:17.788+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:29:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:29:47.788+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:30:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:30:17.791+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:30:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:30:47.790+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:31:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:31:17.786+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:31:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:31:47.786+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:32:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:32:17.790+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:32:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:32:47.794+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:33:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:33:17.787+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:33:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:33:47.791+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:34:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:34:17.790+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:34:47 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:34:47.792+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:35:17 wazuh_server.ufl.com filebeat[1022]: 2020-04-03T07:35:17.789+0600        INFO        [monitoring]        log/log.go:145        Non-zero metri
Apr 03 07:35:40 wazuh_server.ufl.com sshd[22089]: Accepted password for root from 192.168.1.254 port 2881 ssh2
Apr 03 07:35:40 wazuh_server.ufl.com systemd-logind[637]: New session 18 of user root.
-- Subject: A new session 18 has been created for user root
-- Defined-By: systemd
--
-- A new session with the ID 18 has been created for the user root.
--
-- The leading process of the session is 22089.
Apr 03 07:35:40 wazuh_server.ufl.com systemd[1]: Started Session 18 of user root.
-- Subject: Unit session-18.scope has finished start-up
-- Defined-By: systemd
--
-- Unit session-18.scope has finished starting up.
--
-- The start-up result is done.
Apr 03 07:35:40 wazuh_server.ufl.com sshd[22089]: pam_unix(sshd:session): session opened for user root by (uid=0)

Thanks 
Hakim

Mauro Ezequiel Moltrasio

Apr 3, 2020, 4:28:26 AM
to Wazuh mailing list
Hi Lokman,

You should check the output in the ossec.log file in your server install directory for further information on what might be going wrong. From the output of journalctl, it seems your server might have a policy rule to prevent unauthenticated use of port 514; if this is the case, you would need to either modify the policy or pick another port that is not filtered.

Let me know if you need any further help.

Best regards,
Mauro Moltrasio.

Lokman Hakim

Apr 4, 2020, 10:53:59 AM
to Wazuh mailing list
Hello Mauro,
I did. Now the wazuh-manager is up & running,
but I face some other problem: when I use port 514 from the MikroTik router, I do not get any log; on the other hand,
when I use port 1514 from the MikroTik router, I get syslog from MikroTik. Please see the log below.

Note: This log is not allowed because it cannot find the ID of the agent; the source agent ID is unknown. Now please share your opinion: what can I do?

[root@wazuh_server ~]# tail -f /var/ossec/logs/ossec.log
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2020/04/03 20:54:19 ossec-remoted: WARNING: (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

Thanks 
Lokman Hakim
router.JPG

Clyde B

Apr 4, 2020, 12:33:35 PM
to Wazuh mailing list
Hi,

Recently, I needed to transfer logs from the router, where I can't install the wazuh-agent.
I have achieved this under several assumptions:
- port 1514 is for agent communication; therefore, it will not accept raw syslog and returns the message "Cannot find the ID of the agent"
- I did not try to use the standard port 514 for listening raw syslog by wazuh, because I have several other services on the server and because the instruction said so ( https://documentation.wazuh.com/3.12/user-manual/capabilities/log-data-collection/how-it-works.html )
What I did:
- In /var/ossec/etc/ossec.conf I added

<remote>
  <connection>syslog</connection>
  <port>32514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.10.0/24</allowed-ips>
</remote>

just below the existing one

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>udp</protocol>
  <queue_size>131072</queue_size>
</remote>
After restarting wazuh-manager, it started listening additionally for syslog on port 32514/udp.

On the source/router side, you have to redirect syslog to the wazuh-manager address and port 32514/udp. Of course, communication can also be set to tcp; the configuration must match on both sides (source and wazuh-manager).

This was enough to successfully collect logs from the router. For checking, you can set <logall>yes</logall> in the file ossec.conf, restart the manager and, after several events have been generated on the source, check the content of /var/ossec/logs/archives/archives.log. If you find the entries you expect there, it means that the logs are correctly transferred. However, you have to think about what you expect wazuh to do with them.

The next steps for me were setting the decoder (/var/ossec/etc/decoders/local_decoder.xml) and rules (/var/ossec/etc/rules/local_rules.xml) to respond to specific events from the router syslog. /var/ossec/bin/ossec-logtest is very helpful for further testing.

In short, choose a custom port, configure the additional section <remote><connection>syslog</connection>.. in ossec.conf and configure syslog from the router on these parameters.

Regards,

Open Source User

Apr 5, 2020, 10:42:42 AM
to Wazuh mailing list
hello,
I did, but it does not work....

Clyde B

Apr 5, 2020, 11:27:16 AM
to Wazuh mailing list
Can you share
- your <global> and <remote> sections of your ossec.conf
- syslog forwarding configuration of source router
- output of "sudo netstat -ltup | grep ossec" on the system where the wazuh manager is
?

Mauro Ezequiel Moltrasio

Apr 6, 2020, 3:30:29 AM
to Wazuh mailing list
Hi all,

As Clyde states, the 1514 port is used for agent authentication and should not be used for agentless devices.

If after configuring a different port you were not receiving any messages, it might mean you have a restriction on the port you chose (maybe it is used by another application, a firewall might be blocking it, etc...). You should make sure your router is free to access the port you assigned on the server.

How are you checking to see if your server is getting log messages? Are you using the <logall> global tag? By using this tag you can check if any events from your router are reaching the server in the logs/archives directory.
Remember to turn off this option after testing if you don't require it, since it produces a large amount of log entries.

Best regards,
Mauro Moltrasio.

Open Source User

Apr 6, 2020, 1:50:48 PM
to Wazuh mailing list
Hello Guys,
Sorry for the late reply.
As per your instruction, I configured it as below. But when I use port 32514 in the router, I do not get any log from the router. On the other hand, if I use 1514, then I get some log from the router like this: (( 2020/04/06 23:36:01 ossec-remoted WARNING:  (1213): Message from '192.168.1.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown )). Now I am going to show some important configuration.

Note: all services are on the same machine.


Configuration below.
=====================

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>no</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>oss...@example.wazuh.com</email_from>
  <email_to>reci...@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
</global>

<remote>
  <connection>syslog</connection>
  <port>32514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>udp</protocol>
  <queue_size>16384</queue_size>
</remote>


[root@wazuh_server ~]# sudo netstat -ltup | grep ossec
tcp        0      0 0.0.0.0:ifor-protocol   0.0.0.0:*               LISTEN      3994/ossec-authd
udp        0      0 0.0.0.0:fujitsu-dtcns   0.0.0.0:*                           4125/ossec-remoted
udp        0      0 0.0.0.0:32514           0.0.0.0:*                           4124/ossec-remoted

[root@wazuh_server ~]# /var/ossec/bin/ossec-logtest
2020/04/06 23:14:28 ossec-testrule: INFO: Started (pid: 5619).
ossec-testrule: Type one log per line.

[root@wazuh_server ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.11:5601      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::55000                :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::9200                 :::*                    LISTEN
tcp6       0      0 192.168.1.11:9300      :::*                    LISTEN
udp        0      0 192.168.1.11:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:1514            0.0.0.0:*
udp        0      0 0.0.0.0:32514           0.0.0.0:*
udp6       0      0 fe80::20c:29ff:fe7b:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123 


[root@wazuh_server ~]# ss -lntu
Netid  State      Recv-Q Send-Q                          Local Address:Port                                         Peer Address:Port
udp    UNCONN     0      0                               192.168.1.11:123                                                     *:*
udp    UNCONN     0      0                                   127.0.0.1:123                                                     *:*
udp    UNCONN     0      0                                           *:123                                                     *:*
udp    UNCONN     0      0                                           *:1514                                                    *:*
udp    UNCONN     0      0                                           *:32514                                                   *:*
udp    UNCONN     0      0             [fe80::20c:29ff:fe7b:403]%ens33:123                                                  [::]:*
udp    UNCONN     0      0                                       [::1]:123                                                  [::]:*
udp    UNCONN     0      0                                        [::]:123                                                  [::]:*
tcp    LISTEN     0      128                                         *:22                                                      *:*
tcp    LISTEN     0      100                                 127.0.0.1:25                                                      *:*
tcp    LISTEN     0      128                             192.168.1.11:5601                                                    *:*
tcp    LISTEN     0      128                                         *:1515                                                    *:*
tcp    LISTEN     0      128                                      [::]:22                                                   [::]:*
tcp    LISTEN     0      128                                      [::]:55000                                                [::]:*
tcp    LISTEN     0      100                                     [::1]:25                                                   [::]:*
tcp    LISTEN     0      128                                      [::]:9200                                                 [::]:*
tcp    LISTEN     0      128                    [::ffff:192.168.1.11]:9300                                                 [::]:*

[root@wazuh_server ~]# sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ntp ssh
  ports: 514/tcp 1514/tcp 1515/tcp 1516/tcp 514/udp 1514/udp 55000/tcp 9200/tcp 9300/tcp 5601/tcp 32514/udp 32514/tcp 513/tcp 513/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
If you require any information, please feel free to ask me. I am waiting for your reply.

Thanks, Brother
local_decoder.xml
local_rules.xml
router.JPG

Mauro Ezequiel Moltrasio

Apr 7, 2020, 3:41:51 AM
to Wazuh mailing list
Hi,

After configuring <logall> to yes, have you checked inside the logs/archives/archive.log file for any events coming from your router? It might be that you are getting events but none are triggering alerts.

You could also try to telnet from your router into port 32514 of your server in order to guarantee it is reachable, just remember to stop the wazuh manager for the duration of this test.

Also, I am not seeing any configuration for tcp/udp mode on the router screen, are you certain it runs on udp?

Best regards,
Mauro Moltrasio.


Open Source User

Apr 7, 2020, 4:40:39 AM
to Wazuh mailing list
Hello Mauro,

Thanks for your reply
I got a log as per my requirement, but how can I visualize the router log in Kibana?

Thanks

Mauro Ezequiel Moltrasio

Apr 7, 2020, 5:09:00 AM
to Wazuh mailing list
Hi,

If the log is triggering an alert, it should show up in Kibana automatically. You can use ossec-logtest with the log line received on your wazuh manager in order to confirm it triggers an alert. You can find a quick tutorial on how to use logtest here:

Best regards,
Mauro Moltrasio.

Open Source User

Apr 7, 2020, 6:45:26 AM
to Wazuh mailing list
Hello Guys,

I did, but I do not get any visual log. I applied the bold command; please see below.

[root@wazuh_server ~]# /var/ossec/bin/ossec-logtest
2020/04/07 16:40:01 ossec-testrule: INFO: Started (pid: 3523).
ossec-testrule: Type one log per line.

Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516


**Phase 1: Completed pre-decoding.
       full event: 'Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516'
       timestamp: 'Mar  8 22:39:13'
       hostname: 'ip-10-0-0-10'
       program_name: 'sshd'
       log: 'Accepted publickey for root from 73.189.131.56 port 57516'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '73.189.131.56'

**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'sshd: authentication success.'
**Alert to be generated.


This is my original log below.
Note: 2020 Apr 07 14:06:20 UFL->192.168.1.1 Apr  7 14:06:19 UFL log action changed by admin

Mauro Ezequiel Moltrasio

Apr 7, 2020, 9:38:35 AM
to Wazuh mailing list
Sorry for the delayed response, I was testing it on my own environment since I don't usually use the wazuh app.

As far as I can see, events generated from forwarded syslogs are taken into account under the "syslog" category of the manager. You can also check the alerts are being generated in the logs/alerts/alerts.log file, if the alerts show up there then the app will pick them up.

Best regards,
Mauro Moltrasio.

Open Source User

Apr 7, 2020, 10:40:39 AM
to Wazuh mailing list
Hello Mauro,

Thanks for your reply.
I checked logs/alerts/alerts.log, but I did not see any syslog coming from the router.

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 7, 2020, 11:08:10 AM
to Wazuh mailing list
Hi,

Inside the alerts.log file you should see alerts in this manner:

** Alert 1586266938.367774: - pam,syslog,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
2020 Apr 07 15:42:18 ubuntu18LTS->192.168.50.200
Rule: 5502 (level 3) -> 'PAM: Login session closed.'
User: vagrant
Apr  7 13:42:17 ubuntu18LTS sshd[1990]: pam_unix(sshd:session): session closed for user vagrant

See the line stating that my manager (hostname: ubuntu18LTS) received a message from 192.168.50.200, which in my case is another Ubuntu forwarding log messages; you should see the router IP in these alerts.

Best regards,
Mauro Moltrasio.

Open Source User

Apr 7, 2020, 11:34:56 AM
to Wazuh mailing list
Dear Brother,
Thanks for your reply 
When I open logs/alerts/alerts.log, I see the type of log below, which comes from another PC.

** Alert 1586255992.1063113: - pam,syslog,authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
2020 Apr 07 16:39:52 wazuh_server->/var/log/secure
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root
Apr  7 16:39:50 wazuh_server sshd[3496]: pam_unix(sshd:session): session opened for user root by (uid=0)
uid: 0

In /var/ossec/logs/archives/archives.log the original logs, which I want to show, are available:

2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:04 UFL filter rule changed by admin
2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:04 UFL filter rule changed by admin
2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:04 UFL filter rule changed by admin
2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:04 UFL filter rule changed by admin
2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:05 UFL filter rule changed by admin

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 7, 2020, 11:44:22 AM
to Wazuh mailing list
Hi,

Running the events you showed in the archive.log file through logtest in my environment does not trigger any alerts, you might need to write a custom decoder and/or rules for those events, here is a link to an example on how to create them:

Best regards,
Mauro Moltrasio.

Open Source User

Apr 8, 2020, 12:15:08 PM
to Wazuh mailing list
Dear Mauro,
Thanks for your advice,
I'm trying to understand and make them, but I can't. Apologies for the request, but if possible please create a decoder & rule for the 3 logs below; it would be very helpful for me.

2020 Apr 08 21:11:09 UFL->192.168.1.1 Apr  8 21:11:08 UFL user OSU logged in from 192.168.1.254 via ssh
2020 Apr 07 14:06:52 UFL->192.168.1.1 Apr  7 14:06:51 UFL filter rule changed by admin
2020 Apr 06 14:06:37 UFL->192.168.1.1 Apr  6 14:06:36 UFL log action changed by OSU

Thanks
OSU

Open Source User

Apr 11, 2020, 8:02:13 PM
to Wazuh mailing list
Dear Mauro,
I'm waiting for your reply.

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 13, 2020, 5:45:54 AM
to Wazuh mailing list
Hi OSU, sorry for the delayed response

I see your router is configured to use BSD format log messages, which makes it a little bit harder to make specific decoders for it, could you try disabling it and sending the generated log messages?

Open Source User

Apr 14, 2020, 2:11:49 AM
to Wazuh mailing list
Dear Mauro,
Thanks for your reply
MikroTik does not have any option to change BSD to the general log format. That's why there is no way to change it...
I'm waiting for your next reply.

Thanks
OSU

Open Source User

Apr 15, 2020, 9:30:56 AM
to Wazuh mailing list
Hi Mauro,
Writing to you again: I have some confusion, that's why I need to clarify the yellow-marked log below.

This is your reference log; what's the meaning of [12345]?
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'
This is my own log.
Apr 15 19:04:39 UFL user osu logged in from 192.168.88.254 via ssh

please give me your feedback.

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 15, 2020, 10:16:56 AM
to Wazuh mailing list
Hi OSU,

I apologize for the late response, I haven't had much time to look over this.

On regular log entries the example[12345] translates to program[pid], since your logs don't have that information it's a little bit harder to get a decoder that is specific to your use case. I will try to go over this as soon as I can.

Best regards,
Mauro Moltrasio.

Open Source User

Apr 15, 2020, 11:51:30 AM
to Wazuh mailing list
Hello Mauro,
Thanks for your reply 
Okay, I'm waiting for your next feedback...

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 16, 2020, 4:34:58 AM
to Wazuh mailing list
Sorry again for the delay, I've created the following decoders and rules based on the information you provided,

decoders:
<decoder name="UFL_login">
  <prematch>^user \w+ logged in from \d+.\d+.\d+.\d+ via ssh$</prematch>
  <regex>^user (\w+) logged in from (\d+.\d+.\d+.\d+) via ssh$</regex>
  <order>srcuser,srcip</order>
</decoder>

<decoder name="UFL_rule_change">
  <prematch>^filter rule changed by \w+$</prematch>
  <regex>^filter rule changed by (\w+)$</regex>
  <order>srcuser</order>
</decoder>

<decoder name="UFL_log_action_changed">
  <prematch>^log action changed by \w+$</prematch>
  <regex>^log action changed by (\w+)$</regex>
  <order>srcuser</order>
</decoder>


Rules:
<group name="local,syslog,sshd,">

  <!--
    Apr  8 21:11:08 UFL user OSU logged in from 192.168.1.254 via ssh
  -->
  <rule id="100002" level="2">
    <decoded_as>UFL_login</decoded_as>
    <description>UFL: authentication</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <!--
    Apr  7 14:06:51 UFL filter rule changed by admin
  -->
  <rule id="100003" level="5">
    <decoded_as>UFL_rule_change</decoded_as>
    <description>UFL: filter rule changed</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <!--
    Apr  6 14:06:36 UFL log action changed by OSU
  -->
  <rule id="100004" level="10">
    <decoded_as>UFL_log_action_changed</decoded_as>
    <description>UFL: log action changed</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>

Let me know if these work for you and if any further help is needed.
Best regards,
Mauro.
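As an added example (not code from the thread, from Wazuh, or from Mauro), the Python script below emulates what ossec-logtest prints for the lines quoted in this thread: it strips the archives.log `manager->source` prefix, pre-decodes the BSD syslog header, in which the `program[pid]` part is optional (which is why MikroTik lines show program_name '(null)'), and then applies the three decoders and rules from this post translated to Python regex. The translation (OSSEC's bare `.` is a literal dot, so it becomes `\.` in Python), the `Event` class and the constructed sample lines are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Phase 1 (pre-decoding) of a BSD-style syslog line, as ossec-logtest prints it:
#   "<Mon dd HH:MM:SS> <hostname> [<program>[<pid>]:] <log>"
# The program[pid] part is optional. MikroTik lines do not carry it, which is
# why logtest shows program_name '(null)' for them.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?:(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<log>.*)$"
)

# archives.log prefixes each event with the manager's timestamp and
# "<manager>-><source>"; for remote syslog the source is the sender's IP.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+->(?P<source>\S+) (?P<event>.*)$"
)

# The three decoders from the thread, translated to Python regex. In OSSEC
# regex syntax a bare "." is a literal dot, so "\d+.\d+.\d+.\d+" becomes
# "\d+\.\d+\.\d+\.\d+" here. The tuple mirrors each decoder's <order>.
DECODERS = [
    ("UFL_login",
     re.compile(r"^user (\w+) logged in from (\d+\.\d+\.\d+\.\d+) via ssh$"),
     ("srcuser", "srcip")),
    ("UFL_rule_change",
     re.compile(r"^filter rule changed by (\w+)$"),
     ("srcuser",)),
    ("UFL_log_action_changed",
     re.compile(r"^log action changed by (\w+)$"),
     ("srcuser",)),
]

# The rules from the thread: decoder name -> (rule id, level, description).
RULES = {
    "UFL_login": (100002, 2, "UFL: authentication"),
    "UFL_rule_change": (100003, 5, "UFL: filter rule changed"),
    "UFL_log_action_changed": (100004, 10, "UFL: log action changed"),
}


@dataclass
class Event:
    source: Optional[str]        # sender IP from the archives.log prefix, if any
    timestamp: str
    hostname: str
    program_name: Optional[str]  # None where logtest prints '(null)'
    pid: Optional[str]
    log: str
    decoder: Optional[str] = None
    fields: dict = field(default_factory=dict)
    rule: Optional[tuple] = None  # (id, level, description) or None


def decode(line: str) -> Optional[Event]:
    """Emulate the three logtest phases for one line; None if no syslog header."""
    source = None
    m = ARCHIVE_HEADER.match(line)
    if m:  # strip the archives.log prefix, remembering who sent the event
        source, line = m.group("source"), m.group("event")
    h = SYSLOG_HEADER.match(line)
    if not h:
        return None
    ev = Event(source, h["timestamp"], h["hostname"], h["program_name"],
               h["pid"], h["log"])
    for name, rx, order in DECODERS:  # first matching decoder wins
        d = rx.match(ev.log)
        if d:
            ev.decoder = name
            ev.fields = dict(zip(order, d.groups()))
            ev.rule = RULES.get(name)
            break
    return ev


# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLE_LINES = [
    "2020 Apr 07 21:32:05 UFL->192.168.1.1 Apr  7 21:32:04 UFL filter rule changed by admin",
    "Apr 17 11:46:11 UFL user test logged in from 192.168.88.254 via ssh",
    "Apr  6 14:06:36 UFL log action changed by OSU",
    "Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = decode(raw)
        print(f"source={ev.source} host={ev.hostname} "
              f"program={ev.program_name} pid={ev.pid}")
        if ev.rule:
            rid, level, desc = ev.rule
            print(f"  {ev.decoder} {ev.fields} -> rule {rid} (level {level}) '{desc}'")
        else:
            print("  no custom decoder matched")
```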

Open Source User

Apr 17, 2020, 3:32:07 AM
to Wazuh mailing list
Dear Mauro,

Thanks for your reply.
Sorry for the late reply. Your decoder is working fine, as in the output below. But when I try to see the alert in the Kibana dashboard or Wazuh dashboard, I can't get any event alert.
Question 01: How can I get the alert in the Wazuh dashboard?
Question 02: If I want to add all syslog to the Kibana or Wazuh dashboard, how? The syslog location is /var/log/messages. Also, I added the configuration below in ossec.conf.

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

[root@wazuh_server ~]# /var/ossec/bin/ossec-logtest
2020/04/17 11:49:13 ossec-testrule: INFO: Started (pid: 4418).
ossec-testrule: Type one log per line.

Apr 17 11:46:11 UFL user test logged in from 192.168.88.254 via ssh


**Phase 1: Completed pre-decoding.
       full event: 'Apr 17 11:46:11 UFL user test logged in from 192.168.88.254 via ssh'
       timestamp: 'Apr 17 11:46:11'
       hostname: 'UFL'
       program_name: '(null)'
       log: 'user test logged in from 192.168.88.254 via ssh'

**Phase 2: Completed decoding.
       decoder: 'UFL_login'
       srcuser: 'test'
       srcip: '192.168.88.254'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '2'
       Description: 'UFL: authentication'

Note:
Enter the code in this file local_rules.xml
Enter the code in this file local_decoder.xml

Thanks
OSU

Mauro Ezequiel Moltrasio

Apr 17, 2020, 3:52:36 AM
to Wazuh mailing list
Hi OSU,

You should first check if alerts are being generated on Wazuh by checking the file logs/alerts/alerts.json in your manager directory, if the alerts are showing there they will be forwarded automatically to elasticsearch and show up in kibana. Here is a blog post on how to filter alerts on the app in case you need any further help with this.


The localfile tag you added is for logcollector to scan a file called /var/log/messages which is stated to have syslog format. Same as the previous point, if this file exists and log messages written to it are triggering alerts, they should show up automatically in the app.

If the alerts you want to see in the app are being written to the alerts.json file but you are unable to see them in the app, please open up a new thread; this one started as a problem getting messages from syslog and has long strayed from it.

Best regards,
Mauro Moltrasio.