Sophos issue: Logtest saying 'Alert to be generated' but nothing added to alerts.log


F. Meh

Apr 12, 2023, 4:24:44 AM
to Wazuh mailing list
Here's a log line fetched using Sophos SIEM Integration Script:

{"data":{"created_at":1681272932201,"endpoint_id":"c296e19a-d36d-xxxx-xxxx-5b86db0fc266","endpoint_java_id":"c296e19a-d36d-xxxx-xxxx-5b86db0fc266","endpoint_platform":"mac","endpoint_type":"computer","event_service_id":{"type":3,"data":"sN65wcZuTk8w=="},"inserted_at":1681272932201,"make_actionable_at":1681281932197,"source_info":{"ip":"192.168.1.10"},"user_match_id":{"timestamp":1666876969,"date":1666876969000},"user_match_uuid":{"type":3,"data":"EecjTfvjoe/C83DA=="}},"type":"Event::Endpoint::SavDisabled","description":"Real time protection disabled","customer_id":"71fb68b7-2041-xxxx-xxxx-3bcfaf205833","severity":"high","event_service_event_id":"b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3","id":"b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3","datastream":"alert","suser":"Alan Lee\\alanlee","rt":"2023-04-12T04:15:32.202Z","end":"2023-04-12T06:45:32.197Z","dhost":"alan-lee","name":"Real time protection disabled"}


Here's the rule that I picked up from https://groups.google.com/g/wazuh/c/zJa9-qhcKug:

<group name="sophos,">
    <rule id="130000" level="12">
        <decoded_as>json</decoded_as>
        <field name="data.source_info.ip">\d+.\d+.\d+.\d+</field>
        <description>Sophos rule</description>
    </rule>
</group>

And here's output from logtest saying 'Alert to be generated':

Starting wazuh-logtest v4.4.0
Type one log per line

**Phase 1: Completed pre-decoding.
        full event: '{"data":{"created_at":1681272932201,"endpoint_id":"c296e19a-d36d-xxxx-xxxx-5b86db0fc266","endpoint_java_id":"c296e19a-d36d-xxxx-xxxx-5b86db0fc266","endpoint_platform":"mac","endpoint_type":"computer","event_service_id":{"type":3,"data":"sN65wcZuTk8w=="},"inserted_at":1681272932201,"make_actionable_at":1681281932197,"source_info":{"ip":"192.168.1.10"},"user_match_id":{"timestamp":1666876969,"date":1666876969000},"user_match_uuid":{"type":3,"data":"EecjTfvjoe/C83DA=="}},"type":"Event::Endpoint::SavDisabled","description":"Real time protection disabled","customer_id":"71fb68b7-2041-xxxx-xxxx-3bcfaf205833","severity":"high","event_service_event_id":"b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3","id":"b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3","datastream":"alert","suser":"Alan Lee\\alanlee","rt":"2023-04-12T04:15:32.202Z","end":"2023-04-12T06:45:32.197Z","dhost":"alan-lee","name":"Real time protection disabled"}'

**Phase 2: Completed decoding.
        name: 'json'
        customer_id: '71fb68b7-2041-xxxx-xxxx-3bcfaf205833'
        data.created_at: '1681272932201.000000'
        data.endpoint_id: 'c296e19a-d36d-xxxx-xxxx-5b86db0fc266'
        data.endpoint_java_id: 'c296e19a-d36d-xxxx-xxxx-5b86db0fc266'
        data.endpoint_platform: 'mac'
        data.endpoint_type: 'computer'
        data.event_service_id.data: 'sN65wcZuTk8w=='
        data.event_service_id.type: '3'
        data.inserted_at: '1681272932201.000000'
        data.make_actionable_at: '1681281932197.000000'
        data.source_info.ip: '192.168.1.10'
        data.user_match_id.date: '1666876969000.000000'
        data.user_match_id.timestamp: '1666876969'
        data.user_match_uuid.data: 'EecjTfvjoe/C83DA=='
        data.user_match_uuid.type: '3'
        datastream: 'alert'
        description: 'Real time protection disabled'
        dhost: 'alan-lee'
        end: '2023-04-12T06:45:32.197Z'
        event_service_event_id: 'b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3'
        id: 'b0deb9c1-xxxx-xxxx-xxxx-39ae8c3154f3'
        name: 'Real time protection disabled'
        rt: '2023-04-12T04:15:32.202Z'
        severity: 'high'
        suser: 'Alan Lee\alanlee'
        type: 'Event::Endpoint::SavDisabled'

**Phase 3: Completed filtering (rules).
        id: '130000'
        level: '12'
        description: 'Sophos rule'
        groups: '['sophos']'
        firedtimes: '1'
        mail: 'True'
**Alert to be generated.


This log message was added to archives.log but not to alerts.json or alerts.log. As a result, I can't view this alert on Kibana either.

Any help would be appreciated!

Miguel Keane

Apr 17, 2023, 12:18:22 PM
to Wazuh mailing list
Hi Faisal, 

Have you restarted the Wazuh Server after applying all changes to the ruleset? Logtest works well without a restart, but in order to apply the changes to the rules, a restart is required. 

Once you restart, future logs should be detected correctly and appear on the Kibana interface and in alerts.json. They would also appear in alerts.log, but this file is mostly deprecated and barely used by most capabilities. The only one being ingested into Elasticsearch/Wazuh Indexer is alerts.json.

Let me know if this worked for you, and if not, please include some logs, as it should be working after a restart. 

Best regards, 
Miguel Keane
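A small triage script for the symptom discussed in this thread (event present in archives, no alert), added here as an illustration; it is not code from either poster or from Wazuh. It assumes simplified archives.json/alerts.json line shapes (constructed samples below, modelled on how Wazuh nests decoded JSON fields under "data") and approximates the rule's field check with a Python regex rather than Wazuh's own regex engine. For each archived JSON-decoded event that never produced an alert from rule 130000, it reports whether the rule's field would have matched (so the running manager is simply carrying a stale ruleset and needs a restart) or whether the field is absent, in which case the rule would not fire even after a restart.

```python
"""Triage Sophos events that were archived but not alerted (added example)."""
import json
import re

RULE_ID = "130000"
# Same expression as the rule's <field name="data.source_info.ip">; in both
# Wazuh's syntax and Python re, '.' matches any character (approximation).
IP_FIELD_RE = re.compile(r"\d+.\d+.\d+.\d+")

STALE = "rule should match: running ruleset is stale, restart wazuh-manager"
NO_MATCH = "data.source_info.ip absent or unmatched: rule would not fire"

# Constructed sample lines (simplified). Three events reached archives.json;
# only the second produced an alert from rule 130000.
ARCHIVES = [
    '{"id":"1681272932.1","decoder":{"name":"json"},"data":{"data":{"source_info":{"ip":"192.168.1.10"}},"type":"Event::Endpoint::SavDisabled","id":"b0deb9c1-1"}}',
    '{"id":"1681272940.2","decoder":{"name":"json"},"data":{"data":{"source_info":{"ip":"192.168.1.11"}},"type":"Event::Endpoint::SavDisabled","id":"b0deb9c1-2"}}',
    '{"id":"1681272950.3","decoder":{"name":"json"},"data":{"type":"Event::Endpoint::Other","id":"b0deb9c1-3"}}',
]
ALERTS = [
    '{"id":"1681272940.2","rule":{"id":"130000","level":12},"data":{"id":"b0deb9c1-2"}}',
]


def field(obj, dotted):
    """Walk a dotted path such as 'data.source_info.ip' through nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def triage(archive_lines, alert_lines, rule_id=RULE_ID):
    """Map each un-alerted, JSON-decoded archived event (by its Sophos id) to a verdict."""
    alerted = {json.loads(l)["id"] for l in alert_lines
               if str(json.loads(l)["rule"]["id"]) == rule_id}
    verdicts = {}
    for line in archive_lines:
        ev = json.loads(line)
        if ev.get("decoder", {}).get("name") != "json" or ev["id"] in alerted:
            continue  # not a JSON-decoded event, or the rule already fired
        ip = field(ev.get("data", {}), "data.source_info.ip")
        matched = ip is not None and IP_FIELD_RE.search(str(ip)) is not None
        verdicts[field(ev, "data.id") or ev["id"]] = STALE if matched else NO_MATCH
    return verdicts


if __name__ == "__main__":
    for event_id, verdict in triage(ARCHIVES, ALERTS).items():
        print(f"{event_id}: {verdict}")
```

Point the two lists at real archives.json and alerts.json lines to check a live manager; a "stale ruleset" verdict for events received before the restart is expected, while the same verdict for events received afterwards means the rule file was not loaded.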
