Rule for CEF format


Ibrahim

Apr 30, 2021, 9:29:06 AM
to Wazuh mailing list
Hello,

I am trying to write a rule for syslog messages in CEF format, using the endpointCEF field as a dynamic description for the rule.
Here is a sample of the log:

<!--
2021 Apr 11 03:54:42 ->192.168.1.3 2021-04-29 08:54:42,537   endpoint -  CEF:0|endpoint|Mgmt|20311|New Update Available|1|suser=admin cat=SystemEvent rt=#arcsightDate(Thu, 29 Apr 2021, 08:54:23 UTC) activityID=03890459334323 activityType=9403 siteId=None siteName=None accountId=123080349034 accountName=None notificationScope=None

2021 Apr 11 03:54:42 ->192.168.1.3 2021-04-29 08:54:42,537   endpoint -  CEF:0|endpoint|Mgmt|Windows 10 Enterprise|48|Machine SP3W10PF18P46A recommissioned|1|duid=12302013asfffjgjqj cat=SystemEvent rt=#arcsightDate(Thu, 29 Apr 2021, 12:07:28 UTC) activityID=03890459334323 activityType=9403 siteId=None siteName=None accountId=123080349034 accountName=None notificationScope=None
-->


Decoder
<decoder name="endpoint">
   <prematch>CEF:0|endpoint|Mgmt</prematch>
   <regex>CEF:0|endpoint|Mgmt|(\.+)\scat=(\w+)\s(\.+)\s(\d+)\s(d+)\s(\w+)\s(\w+)\s(\d+)\s(\w+)\s(\w+)</regex>
   <order>endpointCEF,cat,rt,activityID,activityType,siteId,siteName,accountId,accountName,notificationScope</order>
</decoder>



Rule
<group name="endpoint,">
<rule id="100070" level="7">
    <decoded_as>endpoint</decoded_as>
    <field name="endpointCEF">\.+</field>
    <description>endpoint $(endpointCEF)</description>
</rule>
</group>


But when I test the logs with ossec-logtest, they don't pass the second phase: it only detects the decoder and can't generate the rule.
Any help, please?

Regards.

Matias Pereyra

Apr 30, 2021, 5:28:15 PM
to Wazuh mailing list
Hello!

The problem here is that the decoder is not extracting any field, so the rule cannot read the endpointCEF field.
In the regex expressions, the '|' character must be escaped like this: '\|'. Take a look at Regex (OS_Regex) syntax for more information.

Also, when you try to extract many fields in one expression, it's really difficult to read and debug.
I propose that you use one child decoder per field, as you can see in Sibling Decoders.

The custom decoders I wrote are included in the local_decoder.xml file, but this is the structure I'm following:

    <decoder name="endpoint">
       <prematch>CEF:0\|endpoint\|Mgmt</prematch>
    </decoder>

    <decoder name="endpoint_child">
       <parent>endpoint</parent>
       <regex>\|Mgmt\|(\.+)\scat=</regex>
       <order>endpointCEF</order>
    </decoder>

    <decoder name="endpoint_child">
       <parent>endpoint</parent>
       <regex>cat=(\w+)\s+</regex>
       <order>cat</order>
    </decoder>

    <decoder name="endpoint_child">
       <parent>endpoint</parent>
       <regex>rt=(\.+)\sactivityID=</regex>
       <order>rt</order>
    </decoder>
    ...

The main decoder looks for "CEF:0\|endpoint\|Mgmt" and then every child has its own field. They start with "=" and end with the first space.
The only exception is rt, because it also contains spaces, so it saves everything until the next field.
Also, you could change the endpointCEF field regex if it isn't exactly what you are looking for. 

Here you have the result with this configuration

[attachment: endpoint_decoder.png]

Don't hesitate to write us again if you have any doubt.
Regards. 
[attachment: local_decoder.xml]
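As an added illustration (not part of the thread and not Wazuh's own engine), the following Python script emulates the parent/child decoder chain described above and the rule from the first post on the two sample log lines. It is an emulation: Wazuh's OS_Regex is translated to Python's `re` (OS_Regex `\.` means "any character", so it becomes `.`, and the literal pipe that OS_Regex needs as `\|` is produced with `re.escape`). The extra child patterns for activityID, activityType and the remaining fields, and the names `decode` and `apply_rule`, are assumptions that follow the "starts with '=' and ends at the first space" convention of the reply.

```python
import re

# Constructed sample input: the two lines quoted in the first post, including
# the agent prefix that precedes the CEF payload.
SAMPLE_LOGS = [
    "2021 Apr 11 03:54:42 ->192.168.1.3 2021-04-29 08:54:42,537   endpoint -  "
    "CEF:0|endpoint|Mgmt|20311|New Update Available|1|suser=admin cat=SystemEvent "
    "rt=#arcsightDate(Thu, 29 Apr 2021, 08:54:23 UTC) activityID=03890459334323 "
    "activityType=9403 siteId=None siteName=None accountId=123080349034 "
    "accountName=None notificationScope=None",
    "2021 Apr 11 03:54:42 ->192.168.1.3 2021-04-29 08:54:42,537   endpoint -  "
    "CEF:0|endpoint|Mgmt|Windows 10 Enterprise|48|Machine SP3W10PF18P46A "
    "recommissioned|1|duid=12302013asfffjgjqj cat=SystemEvent "
    "rt=#arcsightDate(Thu, 29 Apr 2021, 12:07:28 UTC) activityID=03890459334323 "
    "activityType=9403 siteId=None siteName=None accountId=123080349034 "
    "accountName=None notificationScope=None",
]

# Parent decoder: a literal prematch. OS_Regex needs "\|" for a literal pipe;
# re.escape gives the same effect in Python. An unescaped "|" would be
# alternation, which is exactly the bug discussed in the thread.
PREMATCH = re.compile(re.escape("CEF:0|endpoint|Mgmt"))

# Child (sibling) decoders: one field per regex, in the order Wazuh would
# merge them. The first three mirror the reply; the rest are assumed
# continuations of the same "key=value up to the next space" pattern.
CHILD_DECODERS = [
    ("endpointCEF", re.compile(r"\|Mgmt\|(.+)\scat=")),
    ("cat", re.compile(r"cat=(\w+)\s+")),
    ("rt", re.compile(r"rt=(.+)\sactivityID=")),  # rt contains spaces
    ("activityID", re.compile(r"activityID=(\d+)\s+")),
    ("activityType", re.compile(r"activityType=(\d+)\s+")),
    ("siteId", re.compile(r"siteId=(\w+)\s+")),
    ("siteName", re.compile(r"siteName=(\w+)\s+")),
    ("accountId", re.compile(r"accountId=(\d+)\s+")),
    ("accountName", re.compile(r"accountName=(\w+)\s+")),
    ("notificationScope", re.compile(r"notificationScope=(\w+)\s*$")),
]


def decode(line):
    """Emulate the decoder chain: return the merged field dict, or None when
    the parent prematch fails (no decoder matched, so no rule can fire)."""
    if not PREMATCH.search(line):
        return None
    fields = {}
    for name, pattern in CHILD_DECODERS:
        match = pattern.search(line)
        if match:  # a child that does not match simply adds no field
            fields[name] = match.group(1)
    return fields


def apply_rule(fields, rule_id=100070, level=7):
    """Emulate rule 100070: decoded_as endpoint, endpointCEF must match \\.+,
    and the description interpolates $(endpointCEF)."""
    if fields is None:
        return None  # phase 2 never ran: the decoder did not match
    value = fields.get("endpointCEF", "")
    if not re.fullmatch(r".+", value):
        return None  # field missing or empty: the rule does not fire
    return {"id": rule_id, "level": level, "description": f"endpoint {value}"}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = decode(line)
        print("fields:", fields)
        print("alert :", apply_rule(fields))
        print()
```

Running the script prints, for each sample line, the merged field dictionary and the resulting alert with the `endpoint $(endpointCEF)` description; a line without the `CEF:0|endpoint|Mgmt` prematch yields no fields and therefore no alert, which is the symptom the first post describes when the pipe is left unescaped.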

Ibrahim

May 3, 2021, 11:51:44 AM
to Wazuh mailing list
Hi Matias,
Thank you for your help, it's working perfectly.
Regards.

Matias Pereyra

May 3, 2021, 3:12:33 PM
to Wazuh mailing list
Great news!

Thanks to you for the update.
Regards.
