Custom decoders


Daan Fleuren

Nov 23, 2022, 7:47:38 AM
to Wazuh mailing list
Best,

I have written a decoder for logs from an Extreme Networks switch; however, every time I run a test, all the output says is that no decoder match was found.

Could you guys please check what I did wrong?

Thanks in advance

<!--
Example Logs:

Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5

Nov 23 10:02:27  THE-SWITCH-NAME ISDP[dtlTask]: isdp_txrx.c(169) 276110 %% Foreign pdu on interface 1/0/51
-->

<decoder name="ExtremeNetworks">
  <prematch>^(\w+\s+\d+) (\d\d:\d\d:\d\d) ([^\s]+) (\w+).\w+.:</prematch>
<!--  <prematch>^TRAPMGR$</prematch> -->
</decoder>

<decoder name="ExtremeNetworks1">
  <parent>ExtremeNetworks</parent>
  <prematch>traputil</prematch>
  <regex>traputil\.c\((\d+)\) (\d+) %% Session (\d) of type (\d) started for user admin connected from (\d+.\d+.\d+.\d+)</regex>
  <order>processnmbr,id,ses_out_of,ses_type,srcip</order>
</decoder>

<decoder name="ExtremeNetworks2">
  <parent>ExtremeNetworks</parent>
  <prematch>isdp_txrx</prematch>
  <regex>isdp_txrx\.c\((\d+)\) (\d+) %% Foreign pdu on interface (\d+.\d+.\d+)</regex>
  <order>processnmbr,id,srcip</order>
</decoder>

Dario Menten

Nov 23, 2022, 8:48:21 AM
to Wazuh mailing list

Hello Daan,
Thank you for posting here in the communities.

Before writing a decoder, you need first to test the log with wazuh-logtest:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5

**Phase 1: Completed pre-decoding.
        full event: 'Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5'
        timestamp: 'Nov 23 08:49:13'
        hostname: 'THE-SWITCH-NAME'

**Phase 2: Completed decoding.
        No decoder matched.

And as you can see, some fields are being "pre-decoded", so you need to start from the rest of the log. Your parent decoder should look like:

<decoder name="ExtremeNetworks">
  <prematch>^\S+[\S+]: </prematch>
</decoder>

As you can see the decoder is being applied:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5

**Phase 1: Completed pre-decoding.
        full event: 'Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5'
        timestamp: 'Nov 23 08:49:13'
        hostname: 'THE-SWITCH-NAME'

**Phase 2: Completed decoding.
        name: 'ExtremeNetworks'

Having this, you can start writing your child decoders to parse the rest of the fields:

<decoder name="ExtremeNetworks-child">
    <parent>ExtremeNetworks</parent>
    <regex offset="after_parent">\S+.\w\((\d+)\) </regex>
    <order>processnmbr</order>
</decoder>

And you can see how the fields are being parsed:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5

**Phase 1: Completed pre-decoding.
        full event: 'Nov 23 08:49:13 THE-SWITCH-NAME TRAPMGR[trapTask]: traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5'
        timestamp: 'Nov 23 08:49:13'
        hostname: 'THE-SWITCH-NAME'

**Phase 2: Completed decoding.
        name: 'ExtremeNetworks'
        processnmbr: '721'

I hope this information could be helpful.
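The answer above stops at a single child decoder that extracts only the process number. The following is an added example, not code from the thread or from Wazuh, that carries the same approach through to a complete local decoder file for both of the sample log lines posted at the top of the thread: Dario's parent prematch (which starts after the pre-decoded timestamp and hostname) plus one child per message type, matched with `offset="after_parent"`. It goes slightly beyond the original by capturing the user name instead of hardcoding `admin`, and by storing the ISDP port (`1/0/51`) under a field named `interface` rather than `srcip`, since it is not an IP address. The custom field names (`processnmbr`, `ses_number`, `ses_type`, `interface`) and the file path in the comment are assumptions made here, not Wazuh-standard names.

```xml
<!-- Added example (not code from the thread): a local decoder file such as
     /var/ossec/etc/decoders/extreme_networks.xml that builds on the parent
     decoder shown in the answer. Field names other than id, user and srcip
     are choices made here, not Wazuh-standard names. -->

<!-- Parent: pre-decoding has already consumed "Nov 23 08:49:13 THE-SWITCH-NAME",
     so the event seen by the decoder starts at "TRAPMGR[trapTask]: ...".
     In Wazuh's regex syntax "[" and "]" are literal characters. -->
<decoder name="ExtremeNetworks">
  <prematch>^\S+[\S+]: </prematch>
</decoder>

<!-- Child 1: session start messages from traputil.c.
     Text remaining after the parent match:
     traputil.c(721) 275164 %% Session 0 of type 3 started for user admin connected from 10.5.3.5
     "\." is a literal dot; a bare "." would match any character. -->
<decoder name="ExtremeNetworks-session">
  <parent>ExtremeNetworks</parent>
  <prematch offset="after_parent">traputil\.c</prematch>
  <regex offset="after_parent">traputil\.c\((\d+)\) (\d+) %% Session (\d+) of type (\d+) started for user (\S+) connected from (\d+\.\d+\.\d+\.\d+)</regex>
  <order>processnmbr,id,ses_number,ses_type,user,srcip</order>
</decoder>

<!-- Child 2: ISDP foreign PDU messages from isdp_txrx.c.
     Text remaining after the parent match:
     isdp_txrx.c(169) 276110 %% Foreign pdu on interface 1/0/51
     The last value is a switch port (unit/slot/port), so it is stored as
     "interface" (an assumed custom field), not as srcip. -->
<decoder name="ExtremeNetworks-isdp">
  <parent>ExtremeNetworks</parent>
  <prematch offset="after_parent">isdp_txrx\.c</prematch>
  <regex offset="after_parent">isdp_txrx\.c\((\d+)\) (\d+) %% Foreign pdu on interface (\d+/\d+/\d+)</regex>
  <order>processnmbr,id,interface</order>
</decoder>
```

Each child's prematch is what keeps the two message types apart: once the parent has matched, only the child whose prematch hits the remaining text is tried, so the regexes do not have to be mutually exclusive. Paste each sample line into wazuh-logtest as in the sessions above; Phase 2 should list the child decoder name together with the extracted fields (for the first line: `processnmbr`, `id`, `ses_number`, `ses_type`, `user` and `srcip`), and those fields can then be referenced in rules.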

Daan Fleuren

Nov 23, 2022, 9:10:54 AM
to Wazuh mailing list
Hi,

Thanks for your reply! I was aware of wazuh-logtest; however, I didn't know that these fields are removed after they are pre-decoded. Also, I did not know that the name of the parent decoder is displayed when matched, so I was troubleshooting in the wrong place.

Your explanation was very clear and helped me on my way!

On Wednesday, 23 November 2022 at 14:48:21 UTC+1, dario....@wazuh.com wrote: