Sonicwall Firewall syslog


Brian Trethaway

Feb 24, 2021, 8:29:12 PM
to Wazuh mailing list
Hi, I am having an issue with SonicWall syslogs not being decoded correctly. I can see it is using rule 1002 and not the SonicWall rule. How can I fix this?

{
  "agent": {
    "name": "manager",
    "id": "000"
  },
  "manager": {
    "name": "manager"
  },
  "rule": {
    "firedtimes": 266,
    "mail": false,
    "level": 2,
    "description": "Unknown problem somewhere in the system.",
    "groups": [
      "syslog",
      "errors"
    ],
    "id": "1002",
    "gpg13": [
      "4.3"
    ]
  },
  "decoder": {},
  "full_log": " id=SonicWall sn=XXXXXXXXXX time=\"2021-02-24 16:59:38\" fw=XXXXXXXX pri=4 c=16 m=200 msg=\"CLI administrator login denied due to bad credentials\" n=4183 usr=\"XXXXXX" src=XXXXXX fw_action=\"NA\"",
  "input": {
    "type": "log"
  },
  "@timestamp": "2021-02-25T00:59:38.760Z",
  "location": "XXXXXX",
  "id": "1614214778.4574638",
  "timestamp": "2021-02-25T00:59:38.760+0000",
  "_id": "kcSy1ncBejfNwEU45kA3"
}

Thanks!

Dario Menten

Feb 24, 2021, 10:14:22 PM
to Wazuh mailing list
Hello Brian,
Thank you for using our mailing list.
I am analyzing the full_log, and I see something weird; maybe when you obfuscated it you removed something else. If I use the entire log in /var/ossec/bin/ossec-logtest I see the same as you:

**Phase 1: Completed pre-decoding.
       full event: 'id=SonicWall sn=XXXXXXXXXX time=\"2021-02-24 16:59:38\" fw=XXXXXXXX pri=4 c=16 m=200 msg=\"CLI administrator login denied due to bad credentials\" n=4183 usr=\"XXXXXX" src=XXXXXX fw_action=\"NA\"'
       timestamp: '(null)'
       hostname: 'wazuh4'
       program_name: '(null)'
       log: 'id=SonicWall sn=XXXXXXXXXX time=\"2021-02-24 16:59:38\" fw=XXXXXXXX pri=4 c=16 m=200 msg=\"CLI administrator login denied due to bad credentials\" n=4183 usr=\"XXXXXX" src=XXXXXX fw_action=\"NA\"'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'

But if I remove the escape characters, I get this:

**Phase 1: Completed pre-decoding.
       full event: 'id=SonicWall sn=XXXXXXXXXX time="2021-02-24 16:59:38" fw=XXXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=4183 usr="XXXXXX" src=XXXXXX fw_action="NA"'
       timestamp: '(null)'
       hostname: 'wazuh4'
       program_name: '(null)'
       log: 'id=SonicWall sn=XXXXXXXXXX time="2021-02-24 16:59:38" fw=XXXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=4183 usr="XXXXXX" src=XXXXXX fw_action="NA"'

**Phase 2: Completed decoding.
       decoder: 'sonicwall'
       status: '4'
       action: 'CLI administrator login denied due to bad credentials'

**Phase 3: Completed filtering (rules).
       Rule id: '4804'
       Level: '3'
       Description: 'SonicWall warning message.'

Wazuh adds the escape characters for better visualization of the full log in Kibana. So by removing them, you can simulate the original log and test it in the logtest utility.
What I am seeing is that in the full log an escape character is missing in this part (the usr value):
 id=SonicWall sn=XXXXXXXXXX time=\"2021-02-24 16:59:38\" fw=XXXXXXXX pri=4 c=16 m=200 msg=\"CLI administrator login denied due to bad credentials\" n=4183 usr=\"XXXXXX" src=XXXXXX fw_action=\"NA\"
So, to get the right logs, I suggest enabling the archives.json file by changing the logall_json option in ossec.conf to yes and looking for the logs there. Please also make a tcpdump of the connection and share the logs from there.
You can obfuscate the information you need.
I hope this is helpful to troubleshoot your issue.
Kind Regards.
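An added example (not code from this thread or from Wazuh) that automates the two checks Dario describes: recover the original syslog line from an alerts.json record by undoing the JSON escaping, and parse the SonicWall key=value body while refusing a line whose quotes are unbalanced, as in the hand-obfuscated copy above. The record values are constructed placeholders, and the status/action mapping in decoder_view only mirrors what logtest printed in this thread.

```python
import json
import re

# Constructed alerts.json record in the shape shown in the thread (placeholder
# values). Wazuh stores full_log JSON-escaped, so every " inside it is \".
ALERT_RECORD = (
    r'{"rule": {"id": "4804"}, "full_log": " id=SonicWall sn=XXXXXXXXXX '
    r'time=\"2021-02-24 16:59:38\" fw=XXXXXXXX pri=4 c=16 m=200 '
    r'msg=\"CLI administrator login denied due to bad credentials\" '
    r'n=4183 usr=\"XXXXXX\" src=XXXXXX fw_action=\"NA\""}'
)
# Same record with the backslash before usr's closing quote dropped, the
# defect spotted in the thread: that bare " ends the JSON string early.
MANGLED_RECORD = ALERT_RECORD.replace(r'usr=\"XXXXXX\"', r'usr=\"XXXXXX"')

# SonicWall key=value body: a value is "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def full_log_from_alert(record: str) -> str:
    """Recover the original syslog line from one alerts.json record.
    json.loads undoes the \" escaping, yielding the exact text to paste
    into logtest. Raises json.JSONDecodeError if the record is not JSON."""
    return json.loads(record)["full_log"].strip()


def parse_sonicwall(line: str) -> dict:
    """Split a SonicWall log line into its key=value fields. An odd number
    of double quotes means the line was altered after the firewall emitted
    it (e.g. by hand obfuscation), so refuse to parse it."""
    if line.count('"') % 2:
        raise ValueError("unbalanced double quotes in SonicWall log line")
    return {k: bare or quoted for k, quoted, bare in KV_RE.findall(line)}


def decoder_view(fields: dict) -> dict:
    """The two fields logtest showed for the sonicwall decoder: status is
    taken from pri and action from msg (mapping inferred from the thread)."""
    return {"status": fields.get("pri"), "action": fields.get("msg")}


def record_is_intact(record: str) -> bool:
    """True if the record is valid JSON and its log has balanced quotes."""
    try:
        parse_sonicwall(full_log_from_alert(record))
    except (json.JSONDecodeError, ValueError):
        return False
    return True
```

Running record_is_intact over each line of alerts.json flags records that were altered before reaching logtest, which is the first thing to rule out when a decoder that works in logtest seems not to fire on live alerts.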

Brian Trethaway

Feb 24, 2021, 10:50:15 PM
to Wazuh mailing list
Hi Dario,
I have enabled the archives.json file and this is the output:

2021 Feb 25 03:28:16 manager->192.168.1.1   id=firewall sn=XXXXXX time="2021-02-24 19:28:16" fw=XXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=5314 usr="XXXX" src=XXXXXXX fw_action="NA"

Below is the TCP dump:

03:28:16.509081 IP (tos 0x0, ttl 64, id 39585, offset 0, flags [DF], proto UDP (17), length 242)
    gateway.syslog > manager.syslog: SYSLOG, length: 214
        Facility local0 (16), Severity warning (4)
        Msg:   id=firewall sn=XXXXXX time="2021-02-24 19:28:16" fw=XXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=5314 usr="XXXX" src=XXXXXXX fw_action="NA"

When I run a log test using the above message it decodes it correctly, but it still shows up in Wazuh Security events as an "Unknown problem somewhere in the system." Am I looking in the correct spot to see these logs?

Thank you,
Brian

Dario Menten

Oct 13, 2021, 5:36:42 PM
to Brian Trethaway, Wazuh mailing list

Hello Brian,
First of all, my apologies for the late response.
If you are still struggling with this, I recommend moving to the current version of Wazuh Manager (4.2.3) because I tested this and it is decoded and generates the alerts without any issues:

Starting wazuh-logtest v4.2.2
Type one log per line

id=firewall sn=XXXXXX time="2021-02-24 19:28:16" fw=XXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=5314 usr="XXXX" src=XXXXXXX fw_action="NA"

**Phase 1: Completed pre-decoding.
    full event: 'id=firewall sn=XXXXXX time="2021-02-24 19:28:16" fw=XXXXXXX pri=4 c=16 m=200 msg="CLI administrator login denied due to bad credentials" n=5314 usr="XXXX" src=XXXXXXX fw_action="NA"'

**Phase 2: Completed decoding.
    name: 'sonicwall'
    action: 'CLI administrator login denied due to bad credentials'
    status: '4'

**Phase 3: Completed filtering (rules).
    id: '4804'
    level: '3'
    description: 'SonicWall warning message.'
    groups: '['syslog', 'sonicwall']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

If you have configured your ossec.conf file to generate alerts for level 3 events, you will get the same alert you are seeing in the above test.
I hope this is helpful for you.
