Examples for log testing


Gonçalo Antunes

Jun 16, 2023, 7:12:38 PM
to Wazuh mailing list
Hello everyone!

Ok, so I'm currently doing a bachelor's in computer science and I'm doing a project with a colleague, where we are using Wazuh.

I was searching on GitHub and on Wazuh documentation to find some ways to test our Wazuh solution, but I don't seem to find useful information on that subject. I found the functionality Logtest, but I also can't find some logs I can test.

If it's possible, I'd be really thankful if someone could help me on configurations I could implement, either on Wazuh Manager or on an agent.

I'm really sorry if these are really simple things, but unfortunately we didn't have any formation on Wazuh and I'm just stuck with the Internet.
Thank you all!

Nicolas Osvaldo Fernandez

Jun 18, 2023, 7:59:39 PM
to Wazuh mailing list
Hello, nice to greet you.

I tell you, to obtain test events, you could review the alert log file, and take the one that is most convenient for your tests.

To see the file, you can go to: /var/ossec/logs/alerts/alerts.json or /var/ossec/logs/alerts/alerts.log to see the events in plain text.

On the other hand, you can effectively use logtest to simulate events and simulate the execution of decoders and rules. You can see how logtest works here.

On the other hand, it could be useful to use the localfile function, in the ossec.conf configuration. This allows you to feed events to the Wazuh server via a text file. You can get the info about it here.

Let me know if the information I provided helped you.

Greetings

Nicolas
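As an added example (not from the thread or the Wazuh project), the following POSIX shell script builds a constructed Apache access-log file that a Wazuh manager or agent can read through the localfile option described above, prints the matching ossec.conf fragment, and replays one line through wazuh-logtest when it is installed. The file path, the 192.0.2.x address, the client string and piping stdin into wazuh-logtest are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a constructed test
# log for a Wazuh <localfile> block and prints the config fragment for it.
set -eu

# Assumed path for the test file; override with TEST_LOG=... if you like.
TEST_LOG="${TEST_LOG:-/tmp/wazuh-test/sample-apache.log}"

# One constructed Apache access-log line (Common Log Format). 192.0.2.0/24 is
# a documentation range, so the sample never points at a real host.
sample_apache_line() {
    ip="$1"; path="$2"; status="$3"
    printf '%s - - [16/Jun/2023:19:12:38 +0000] "GET %s HTTP/1.1" %s 209 "-" "constructed-test-client"\n' \
        "$ip" "$path" "$status"
}

# Append N sample 404 lines; this file is what the manager/agent will tail.
# Prints the resulting line count so a caller can check it.
write_sample_log() {
    n="${1:-5}"
    mkdir -p "$(dirname "$TEST_LOG")"
    i=0
    while [ "$i" -lt "$n" ]; do
        sample_apache_line "192.0.2.10" "/missing-$i" "404" >> "$TEST_LOG"
        i=$((i + 1))
    done
    grep -c '' "$TEST_LOG"
}

# The ossec.conf fragment that feeds the file to Wazuh, as the reply above
# describes; "apache" is a documented <log_format> value.
localfile_block() {
    cat <<EOF
<localfile>
  <log_format>apache</log_format>
  <location>$TEST_LOG</location>
</localfile>
EOF
}

# Replay a single line through wazuh-logtest to see decoder/rule matches.
# Only works on a manager; elsewhere it just reports that the tool is absent.
logtest_line() {
    if [ -x /var/ossec/bin/wazuh-logtest ]; then
        sample_apache_line "192.0.2.10" "/missing-0" "404" | /var/ossec/bin/wazuh-logtest
    else
        echo "wazuh-logtest not found; run this on the Wazuh manager" >&2
    fi
}
```

After adding the printed fragment to ossec.conf and restarting the manager, rerun write_sample_log and watch /var/ossec/logs/alerts/alerts.log for the resulting alerts.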

Manuel Alejandro Roldan Mella

Jun 20, 2023, 11:32:23 AM
to Wazuh mailing list
Hi Gonçalo Antunes,

In addition to what Osvaldo says, I recommend these URLs where you can find samples of web attack logs, PowerShell logs or malware samples if you want to test the integration with full viruses:

- Windows logs (EVTX)
  - https://github.com/Yamato-Security/hayabusa-sample-evtx
  - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
- HTTP attacks (Apache logs)
  - https://github.com/ocatak/apache-http-logs/blob/master/netsparker.txt
  - https://github.com/ocatak/apache-http-logs/blob/master/acunetix.txt
- Other attack logs
  - https://ossec-docs.readthedocs.io/en/latest/docs/log_samples/misc/attacks.html
  - https://www.ipspamlist.com/sample-logs/

I hope you find these links useful.
Regards

Gonçalo Antunes

Jun 21, 2023, 6:24:21 PM
to Wazuh mailing list
Yeah, Manuel helped me a lot with some examples!

What we needed was some tests we could run and basically how to run it so we could show results on our report!

Manuel Alejandro Roldan Mella

Jun 26, 2023, 10:00:08 AM
to Wazuh mailing list
Hi Goncalo,

These community videos may be useful to you:

- https://www.youtube.com/watch?v=2HMo4h7elAA (minute 28:00 talks about logtest)
- https://www.youtube.com/watch?v=SZaUgxq-j9c
- https://www.youtube.com/watch?v=iWOzDs4euG4 (how to monitor PowerShell events)

Also, you could read this official post about rules and decoders, which explains how to test sample events:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Regards!