Custom rules question


Jose Cintron

Jan 8, 2026, 1:47:48 AM
to Wazuh | Mailing List
I am trying to set up a rule that will alert if the utilization of any partition on any of my servers (mix of Fedora, RHEL, and Ubuntu) hits 75% or more. I followed the instructions in the following article https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/use-cases/disk-space-utilization.html

The rule works as long as I use >= 80%; my use case is 75%. I thought that it would be as simple as re-writing the semi-regex for the usage field (see below):

<group name="disk_space_utilization,">
  <rule id="100015" level="7">
    <decoded_as>disk-usage</decoded_as>
    <field name="filesystem">^/dev/</field>
    <field name="usage">^9\d|^8\d</field>
    <description>Usage $(usage)% of $(filesystem) partition exceeded 80%.</description>
  </rule>
</group>

In my mind doing something like
   ^(7[5-9]|9\d|8\d)
would have solved my issue. Boy was I wrong. The second I introduce the parenthesis I can no longer save the rule from the dashboard interface, and if I do it from the command line, the second I try to restart the wazuh-manager it just doesn't start. So the solution is obvious: remove the parenthesis and add the ^ before the 7, 8, and 9. Well, that allows me to save it and restart, but the rule does not fire at all when a partition hits above 75%.

Is there a better/easier way to do this? I was looking at creating a script that would run on the endpoint as a cron job that would do the checking and, if it detected a partition above 75%, would create a log entry, and then I would send that log entry to the manager for parsing. But again I don't know if this is the best way to do it. Any suggestions/ideas will be greatly appreciated.

PS: can I run a wazuh-agent on the same box that hosts the manager (I am running everything in just one box)?
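The endpoint-side cron check described in the post, written out as an added example (not code from the thread or from the Wazuh project). It parses POSIX `df -P` output, keeps only `/dev/` filesystems like the rule does, and emits one key=value log line per partition at or above the threshold. Assumptions: the 75% threshold from the post, a placeholder log path `/var/log/disk-check.log`, and a constructed `df -P` sample used by the `--demo` flag.

```python
#!/usr/bin/env python3
"""Added example, not from the thread: an endpoint-side disk check of the kind
Jose describes (run from cron, emit one log line per partition at or above a
threshold). Assumptions: POSIX 'df -P' output, a 75% threshold, and a log file
path (placeholder) that Wazuh reads through a <localfile> entry."""
import subprocess
import sys
from datetime import datetime, timezone

THRESHOLD = 75                        # percent, the use case in the thread
LOG_PATH = "/var/log/disk-check.log"  # placeholder; point <localfile> at it

# Constructed sample of 'df -P' output, used when the script is run with --demo
SAMPLE_DF = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/nvme0n1p2   102400000 81920000  20480000      80% /
/dev/sda1          1024000   770000    254000      76% /data
tmpfs              8192000     1000   8191000       1% /run
/dev/sdb1         50000000 10000000  40000000      20% /backup
"""


def parse_df(df_text):
    """Parse 'df -P' output into (filesystem, usage_percent, mountpoint) tuples.

    Only /dev/ filesystems are kept, mirroring the rule's filesystem filter,
    so tmpfs/overlay pseudo-filesystems never raise alerts."""
    rows = []
    for line in df_text.strip().splitlines()[1:]:      # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        fs, used, mount = parts[0], parts[4], parts[5]
        if not fs.startswith("/dev/") or not used.endswith("%"):
            continue
        rows.append((fs, int(used.rstrip("%")), mount))
    return rows


def over_threshold(df_text, threshold=THRESHOLD):
    """Return the parsed rows whose usage is at or above the threshold.

    A numeric comparison has no regex edge cases: 100% and single-digit
    values are handled without any pattern tuning."""
    return [row for row in parse_df(df_text) if row[1] >= threshold]


def format_alert(fs, usage, mount, threshold=THRESHOLD):
    """One key=value log line per partition; easy to decode on the manager."""
    return (f"disk-check: usage={usage}% filesystem={fs} "
            f"mountpoint={mount} threshold={threshold}%")


def main(argv):
    if "--demo" in argv:
        df_text = SAMPLE_DF
    else:
        df_text = subprocess.run(["df", "-P"], check=True,
                                 capture_output=True, text=True).stdout
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp} {format_alert(*row)}" for row in over_threshold(df_text)]
    if "--demo" in argv:
        print("\n".join(lines))
    elif lines:
        with open(LOG_PATH, "a") as fh:
            fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with `--demo` to see the two sample partitions that cross 75%. Scheduled from cron (for example every five minutes) and with the log file registered on the endpoint through a `<localfile>` block (`<location>/var/log/disk-check.log</location>` with `<log_format>syslog</log_format>`), each emitted line reaches the manager, where a decoder and rule can match on the `usage=` and `filesystem=` fields; the threshold decision itself stays numeric, so the regex limitations discussed in the thread do not apply.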

Md. Nazmur Sakib

Jan 8, 2026, 2:23:13 AM
to Wazuh | Mailing List

Hi Jose,

You can update the rule like this:

<group name="disk_space_utilization,">
  <rule id="100015" level="7">
    <decoded_as>disk-usage</decoded_as>
    <field name="filesystem">^/dev/</field>
    <!-- OSSEC-style regex has no ranges or groups, so 75-79 are listed one by one;
         a trailing \d here would require a third digit and never match a two-digit usage -->
    <field name="usage">^9\d|^8\d|^79|^78|^77|^76|^75</field>
    <description>Usage $(usage)% of $(filesystem) partition exceeded 75%.</description>
  </rule>
</group>

Check this document to learn more about regex:
Regular Expression Syntax



To define a range [5-9], you need to use PCRE regex:

<field name="usage" type="pcre2"> </field>


Check this document to learn more
Perl-compatible Regular Expressions

Field - Rules syntax


The Wazuh manager itself works as an agent for the server where it is deployed. You do not need to install and cannot install an agent on the Wazuh manager server. And you can use the ossec.conf of the manager to configure everything you can configure for an agent.

You will find the manager server logs using the agent.id 000.


Let me know if you need any further information.
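An added example (not from the thread or from the Wazuh project) that checks what each form of the `usage` pattern actually fires on. Python's `re` evaluates anchors, alternation, `\d`, character classes and groups the same way PCRE2 does, and the alternation pattern uses only the `^`, `|` and `\d` that the default rule regex syntax offers, so running the values 0-100 through both shows the difference between the two forms, plus the pitfall of appending `\d` to a two-digit alternative. The `pcre2` pattern is the one that would go in `<field name="usage" type="pcre2">^(7[5-9]|[89]\d|100)$</field>`; that rule line is my assumption, not text from the thread.

```python
import re

# Added example, not from the thread. Patterns for the 'usage' field discussed
# above. Python's re evaluates ^, |, \d, [..] and groups the same way as PCRE2,
# and the first pattern uses only the ^, | and \d available in the default
# rule regex syntax, so the results show what each form matches.
OSSEC_ALTERNATION = r"^9\d|^8\d|^79|^78|^77|^76|^75"   # no groups, no ranges
PCRE2_RANGE = r"^(7[5-9]|[89]\d|100)$"                 # needs type="pcre2"
TRAILING_DIGIT = r"^75\d"   # pitfall: \d demands a third digit, "75" never matches


def matching_usages(pattern, lo=0, hi=100):
    """Integer usage values in [lo, hi] whose decimal string the pattern matches.

    re.search is used because a rule field match is a search with the anchors
    written into the pattern, not an implicit full-string match."""
    return {u for u in range(lo, hi + 1) if re.search(pattern, str(u))}


def compare(patterns):
    """Map each pattern name to the set of usage values it fires on."""
    return {name: matching_usages(p) for name, p in patterns.items()}


if __name__ == "__main__":
    result = compare({"alternation": OSSEC_ALTERNATION,
                      "pcre2": PCRE2_RANGE,
                      "trailing_digit": TRAILING_DIGIT})
    for name, values in result.items():
        print(f"{name:15s} {sorted(values)}")
```

The alternation form covers 75-99 but not 100, the `pcre2` form covers 75-100 because `100` is listed as its own alternative and `$` stops `7[5-9]` from also matching values such as 750 if a decoder ever produced them, and the trailing-`\d` form matches nothing in the whole 0-100 range, which is the symptom of a rule that saves and loads fine but never fires.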

Md. Nazmur Sakib

1:35 AM (22 hours ago)
to Wazuh | Mailing List

Jose Cintron 11:25 AM

(Hello Nazmur

Thanks for the information and the pointers to the documentation (I'm sure they'll come in handy in the future). One more question, when you said 'You will find the manager server logs using the agent.id 000.', what is this in relation to?)


----------------

If you go to Threat hunting or Discover. And if you filter with agent ID 000, you will be able to see all alerts from the Wazuh manager.

Check the screenshot for reference.
[screenshot: 2026-01-09 12 18 00.png]


If you want to enable vulnerability detection on the Wazuh manager host, modify the internal_options.conf file at /var/ossec/etc/internal_options.conf. Set the parameter vulnerability-detection.disable_scan_manager from 1 to 0. This change allows the Vulnerability Detection module to include the Wazuh manager host in its scans. After updating the configuration, restart the Wazuh manager to ensure the changes take effect.

Ref: Enable vulnerability detection on the Wazuh manager.

While replying to any post in the Google group, please use Reply all; otherwise, the reply will not be visible in the post.



Let me know if you need any further information.
