Wazuh Decoder for Log(Syslog)


Haziq Mt Roslan

Nov 2, 2023, 4:28:53 AM11/2/23
to Wazuh | Mailing List
Hi team, I face a problem when I try to decode the log below: if I set the prematch I can get the values out of the regex items (order), but if I set program_name I cannot get the regex values, as you can see in the result below:

Nov  2 12:50:48 firewall-1 Firewall: Allowed CONN=vpn MAC= SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=xx TOS=0x00 PREC=0x00 TTL=xxx ID=xxx DF PROTO=TCP SPT=xxx DPT=xxx WINDOW=xxx RES=0x00 SYN URGP=0 MARK=0x10

**Phase 1: Completed pre-decoding.
        full event: 'Nov  2 12:50:48 firewall-1 Firewall: Allowed CONN=vpn MAC= SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=xx TOS=0x00 PREC=0x00 TTL=xxx ID=xxx DF PROTO=TCP SPT=xxx DPT=xxx WINDOW=xxx RES=0x00 SYN URGP=0 MARK=0x10'
        timestamp: 'Nov  2 12:50:48'
        hostname: 'firewall-1'
        program_name: 'Firewall'

**Phase 2: Completed decoding.
        name: 'firewall'

It only stops at name: firewall, where I should have a lot more values that are supposed to be filled. Below is my decoder:

<decoder name="firewall">
  <program_name>Firewall</program_name>
</decoder>

<decoder name="firewall_child">
  <parent>firewall</parent>
  <regex>^ (\.+) CONN=(\.+) MAC= SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) LEN=(\d+) TOS=0x00 PREC=0x00 TTL=(\d+) ID=(\d+) DF PROTO=(\.+) SPT=(\d+) DPT=(\d+) WINDOW=(\d+) RES=0x0$ SYN URGP=(\d+) MARK=0x10</regex>
 <order>status,connection,source,destination,packet_length,ttl,id,protocol,source_port,destination_port,window_field,urgent_pointer</order>
</decoder>

Any help and suggestions would be really helpful. Thanks in advance.

Stuti Gupta

Nov 2, 2023, 4:58:47 AM11/2/23
to Wazuh | Mailing List
Hi Haziq,
Hope you are doing well today, and thank you for using Wazuh.

There is a syntax error in the regex. You can use the decoder below as an example.
<decoder name="firewalltest">
  <program_name>Firewall</program_name>
</decoder>

<decoder name="firewall_child">
  <parent>firewalltest</parent>
  <regex>(\.+) CONN=(\.+) </regex>
  <order>status,connection</order>
</decoder>

<decoder name="firewall_child">
  <parent>firewalltest</parent>
  <regex>MAC= SRC=(\.+) </regex>
  <order>source</order>
</decoder>

<decoder name="firewall_child">
  <parent>firewalltest</parent>
  <regex>DST=(\.+) </regex>
  <order>dest</order>
</decoder>

<decoder name="firewall_child">
  <parent>firewalltest</parent>
  <regex>LEN=(\.+) </regex>
  <order>len</order>
</decoder>

<decoder name="firewall_child">
  <parent>firewalltest</parent>
  <regex>TOS=(\.+) </regex>
  <order>Tos</order>
</decoder>

Output will be :

Nov  2 12:50:48 firewall-1 Firewall: Allowed CONN=vpn MAC= SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=xx TOS=0x00 PREC=0x00 TTL=xxx ID=xxx DF PROTO=TCP SPT=xxx DPT=xxx WINDOW=xxx RES=0x00 SYN URGP=0 MARK=0x10

**Phase 1: Completed pre-decoding.
        full event: 'Nov  2 12:50:48 firewall-1 Firewall: Allowed CONN=vpn MAC= SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=xx TOS=0x00 PREC=0x00 TTL=xxx ID=xxx DF PROTO=TCP SPT=xxx DPT=xxx WINDOW=xxx RES=0x00 SYN URGP=0 MARK=0x10'
        timestamp: 'Nov  2 12:50:48'
        hostname: 'firewall-1'
        program_name: 'Firewall'

**Phase 2: Completed decoding.
        name: 'firewalltest'
        Tos: '0x00'
        connection: 'vpn'
        dest: 'xx.xx.xx.xx'
        len: 'xx'
        source: 'xx.xx.xx.xx'
        status: 'Allowed'

Hope this helps.
Regards,

Haziq Mt Roslan

Nov 2, 2023, 5:19:59 AM11/2/23
to Wazuh | Mailing List
What is the difference, and what is the syntax error, between my method, which puts everything in one line, and yours, which goes one by one? I used prematch before by setting it to <prematch>Firewall:</prematch> and it gave me all the details, but when I use <program_name>Firewall</program_name> it produces output like mine above?
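The difference comes down to what text the child decoder's regex is handed and how the Wazuh regex dialect reads a pattern. As an added illustration, not part of the thread or of Wazuh itself, the following Python emulates the relevant pieces: a simplified syslog pre-decoding, a translation of the OSSEC regex syntax to Python's, and the original regex plus an assumed fix applied to a constructed log line with the masked values filled in. The fix, the sample values and the simplified pre-decoding are this example's assumptions.

```python
import re

# Constructed sample line in the thread's format; the masked xx values are
# replaced with plausible numbers so that the \d+ classes can match.
SAMPLE = ("Nov  2 12:50:48 firewall-1 Firewall: Allowed CONN=vpn MAC= SRC=10.0.0.5 "
          "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP "
          "SPT=44321 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x10")
ORDER = ("status,connection,source,destination,packet_length,ttl,id,protocol,"
         "source_port,destination_port,window_field,urgent_pointer")
# The regex from the first post. Two problems: '^ ' demands a leading space that
# pre-decoding already consumed, and '0x0$' is an end-of-line anchor mid-pattern.
ORIGINAL = (r"^ (\.+) CONN=(\.+) MAC= SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) LEN=(\d+) "
            r"TOS=0x00 PREC=0x00 TTL=(\d+) ID=(\d+) DF PROTO=(\.+) SPT=(\d+) DPT=(\d+) "
            r"WINDOW=(\d+) RES=0x0$ SYN URGP=(\d+) MARK=0x10")
# Assumed fix (this example's, not the thread's): drop the space, write RES=0x00.
FIXED = ORIGINAL.replace("^ (", "^(").replace("RES=0x0$", "RES=0x00")

# OSSEC character classes (Wazuh <regex> syntax) and Python equivalents; \p omitted.
CLASSES = {"w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]", "d": "[0-9]", "D": "[^0-9]",
           "s": " ", "S": "[^ ]", "t": r"\t", ".": r"[\s\S]"}

def ossec_to_python(pattern):
    """Translate the OSSEC dialect: '\\.' is any character, a bare '.' is literal,
    and '+'/'*' stop as soon as the rest of the pattern can match (non-greedy)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c + "?" if c in "+*" else c if c in "()^$|" else re.escape(c))
            i += 1
    return "".join(out)

SYSLOG = re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<message>.*)$")

def pre_decode(line):
    """Simplified phase-1 pre-decoding: the header and 'Program: ' are consumed, so
    a child of a <program_name> decoder only ever sees the text after them."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

def decode(message, regex, order):
    """Apply one <regex>/<order> pair; None means the decoder did not match."""
    m = re.search(ossec_to_python(regex), message)
    return dict(zip(order.split(","), m.groups())) if m else None

RESULT = decode(pre_decode(SAMPLE)["message"], FIXED, ORDER)  # ORIGINAL yields None
```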

Haziq Mt Roslan

Nov 3, 2023, 5:10:07 AM11/3/23
to Wazuh | Mailing List
I also wanted to ask if I can add this new decoder in the /var/ossec/ruleset/decoder directory instead of the local_decoder.xml file? Does it still work, and if there is a new update to the ruleset directory, might my custom decoder be lost due to the update? Thanks in advance.

Stuti Gupta

Nov 5, 2023, 11:43:20 PM11/5/23
to Wazuh | Mailing List
Hi Haziq,
Sorry for the late response.
Yes, you can add a new decoder in /var/ossec/ruleset/decoders, but it will be lost in the update process. Use the following procedure to preserve your changes.
To change a default decoder, you can rewrite its file in the /var/ossec/etc/decoders directory, make the changes, and exclude the original decoder file from the loading list.

For example, if you want to customize decoders in the 0310-ssh_decoders.xml file, follow these steps:
1. Copy the decoder file /var/ossec/ruleset/decoders/0310-ssh_decoders.xml to the user folder /var/ossec/etc/decoders. This keeps the changes you make when updating to a newer version.
2. Edit the /var/ossec/etc/ossec.conf configuration file. Set the <decoder_exclude> tag to exclude the original ruleset/decoders/0310-ssh_decoders.xml decoder file from the loading list. With this configuration, Wazuh loads the decoder file located in the user folder and not the file in the default folder.
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>
</ruleset>

3. Make changes to /var/ossec/etc/decoders/0310-ssh_decoders.xml.
4. Restart the Wazuh manager so the changes take effect: systemctl restart wazuh-manager
Warning: Since you're excluding the original decoder file, you don't benefit from any updates it might get. Your custom file remains unchanged during upgrades so consider applying relevant changes manually.
Reference: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder

Hope this will help.
Best regards,
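As an added example, not from the thread or from the Wazuh project, steps 1 and 2 of the procedure above scripted in Python with the checks worth making before trusting the result: that ossec.conf actually loads etc/decoders, that an existing user copy is never overwritten, and that the exclude entry is added only once. The paths follow the layout quoted above; the demo runs against a temporary directory built here, not /var/ossec.

```python
import shutil
import tempfile
from pathlib import Path

def preserve_decoder(base, filename):
    """Steps 1 and 2 above for a Wazuh install rooted at `base` (normally /var/ossec):
    copy the stock decoder file into etc/decoders and add one <decoder_exclude> for the
    original. Returns the user copy's path and how many exclude entries exist afterwards.
    Step 3 (editing the copy) and step 4 (restarting the manager) stay manual."""
    base = Path(base)
    src = base / "ruleset" / "decoders" / filename
    dst = base / "etc" / "decoders" / filename
    conf = base / "etc" / "ossec.conf"
    entry = f"<decoder_exclude>ruleset/decoders/{filename}</decoder_exclude>"
    if not src.is_file():
        raise FileNotFoundError(f"stock decoder file not found: {src}")
    text = conf.read_text()
    # The user copy is only loaded if the user decoder directory is configured.
    if "<decoder_dir>etc/decoders</decoder_dir>" not in text:
        raise ValueError("ossec.conf does not load etc/decoders")
    # Step 1: copy, but never overwrite a copy that may already carry local changes.
    if not dst.exists():
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
    # Step 2: insert the exclude exactly once, just before the closing </ruleset> tag.
    if entry not in text:
        if "</ruleset>" not in text:
            raise ValueError("ossec.conf has no </ruleset> to anchor the exclude on")
        text = text.replace("</ruleset>", f"  {entry}\n</ruleset>", 1)
        conf.write_text(text)
    return dst, text.count(entry)

def demo():
    """Run the procedure twice against a throw-away copy of the layout (constructed here)
    to show that a rerun neither clobbers the edited copy nor duplicates the exclude."""
    root = Path(tempfile.mkdtemp())
    (root / "ruleset" / "decoders").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "ruleset" / "decoders" / "0310-ssh_decoders.xml").write_text("<decoder name='sshd'/>\n")
    (root / "etc" / "ossec.conf").write_text(
        "<ossec_config>\n<ruleset>\n  <decoder_dir>ruleset/decoders</decoder_dir>\n"
        "  <decoder_dir>etc/decoders</decoder_dir>\n</ruleset>\n</ossec_config>\n")
    copy, _ = preserve_decoder(root, "0310-ssh_decoders.xml")
    copy.write_text("<decoder name='sshd-custom'/>\n")          # step 3: a local edit
    _, excludes = preserve_decoder(root, "0310-ssh_decoders.xml")
    return excludes, copy.read_text(), (root / "etc" / "ossec.conf").read_text()
```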