Issue monitoring USB drives in Windows using Wazuh


Marco

Dec 22, 2017, 6:41:41 AM12/22/17
to Wazuh mailing list
Hi everyone,

I'm trying to configure the USB check in order to match USB devices with a predefined list, as described in the blog:
https://blog.wazuh.com/monitoring-usb-drives-in-windows-using-wazuh/

I followed the guide step by step, and when I execute the configuration control everything seems to work fine, but I get the following error on the web interface:

"Manager - Status: Wazuh API returned an error message. Error: Error reading decoder files: 0380-windows_decoders.xml. Error: not well-formed (invalid token): line 680, column 26"


The XML decoder code in error is:

<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>

I do not know where the problem is. Can someone help me?

thanks in advance
Marco

Marta Gómez

Dec 22, 2017, 7:14:40 AM12/22/17
to Wazuh mailing list
Hello Marco,

The Python library that the API uses to read this decoder doesn't support the character &. To fix the decoder, please change it like this:

<regex>USBSTOR#Disk\pVen_(\S*)\pProd_(\S*)\pRev_(\.*)#(\S*)\p0#\S*\s</regex>

After that, it should all work OK.

Best regards,
Marta
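The failure and the fix described in this reply, as an added example that is not part of the thread or of Wazuh: it shows the decoder as posted failing the XML parse while the '\p' version parses, then applies the corrected regex (translated to Python) to a constructed USBSTOR device path. The '\p' character set used for the translation and the sample event are assumptions, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# The decoder exactly as posted: the bare '&' makes the XML not well-formed.
BROKEN_DECODER = r"""<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>USBSTOR#Disk&Ven_(\S*)&Prod_(\S*)&Rev_(\.*)#(\S*)&0#\S*\s</regex>
  <order>usb.vendor, usb.product, usb.rev, usb.serial_number</order>
</decoder>"""

# The corrected decoder from the reply: every '&' becomes '\p', the OSSEC/Wazuh
# punctuation class, so the file is valid XML and the regex still matches '&'.
FIXED_DECODER = BROKEN_DECODER.replace("&", r"\p")

# OSSEC regex escapes translated to Python. The '\p' set is the punctuation list
# given in the OSSEC regex documentation (assumption: that list is complete).
_OSSEC_TO_PY = {
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
    ".": ".",  # OSSEC '\.' means "any character"
    "S": r"\S", "s": r"\s", "w": r"\w", "d": r"\d", "W": r"\W", "D": r"\D", "t": r"\t",
}

def is_well_formed(xml_text):
    """True if expat (the parser behind Python's ElementTree) accepts the XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def decoder_fields(xml_text):
    """Return (python_regex, field_names) from a Wazuh <decoder> element."""
    root = ET.fromstring(xml_text)
    py_re = re.sub(r"\\(.)", lambda m: _OSSEC_TO_PY.get(m.group(1), re.escape(m.group(1))),
                   root.findtext("regex"))
    return py_re, [f.strip() for f in root.findtext("order").split(",")]

def extract_usb_fields(event, decoder_xml=FIXED_DECODER):
    """Apply the decoder to one event string; {} when it does not match."""
    py_re, fields = decoder_fields(decoder_xml)
    m = re.search(py_re, event)
    return dict(zip(fields, m.groups())) if m else {}

# Constructed sample: a USBSTOR device-interface path as logged in a Windows registry event.
SAMPLE_EVENT = (
    r"Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\##?#"
    "USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530012345678901234&0#"
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Access Request: Read"
)
```

Calling is_well_formed on the two decoders reproduces the "not well-formed (invalid token)" outcome for the posted version only, and extract_usb_fields(SAMPLE_EVENT) yields the four fields named in <order>.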

Marco

Jan 8, 2018, 3:18:18 AM1/8/18
to Wazuh mailing list
Hi Marta,
Thank you very much, now all works fine!

BR
Marco