decoder for Untangle log


G Gao

Aug 29, 2023, 10:27:20 AM
to Wazuh | Mailing List
I have been reading through all the different topics and tutorials about setting up decoders and rules. I guess mine is a bit "different" from the examples that I have found.

I would appreciate it if I could get a little help here.

This is the log I receive from the untangle firewall:

2023 Aug 25 13:17:08 INFO->10.50.0.8 Aug 25 13:17:08 INFO  uvm[0]:  {"timeStamp":"2023-08-25 13:17:08.085","s2pBytes":1422,"p2sBytes":3349,"sessionId":110942518609498,"endTime":1692983828085,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"10.50.10.29","CServerPort":49155,"protocolName":"TCP","localAddr":"10.50.10.29","SServerAddr":"10.50.0.235","serverIntf":1,"remoteAddr":"10.50.0.235","CClientAddr":"10.50.10.29","serverCountry":"XU","sessionId":110942518609498,"SClientAddr":"10.50.0.8","clientCountry":"XL","policyRuleId":0,"CClientPort":52678,"timeStamp":"2023-08-25 13:16:34.513","clientIntf":100,"policyId":1,"SClientPort":48295,"bypassed":false,"SServerPort":49155,"CServerAddr":"10.50.0.235","tagsString":""},"c2pBytes":3349,"p2cBytes":1422}

Here is my decoder:

<decoder name="uvm">
    <prematch>INFO  uvm[\d]</prematch>
</decoder>

<decoder name="uvm_01">
  <parent>uvm</parent>
  <regex>"hostname":"d+.\d+.\d+.\d+"</regex>
  <order>hostname</order>
</decoder>


The output from logtest is:

Starting wazuh-logtest v4.5.0
Type one log per line

2023 Aug 25 14:11:17 INFO->10.50.0.8 Aug 25 14:11:17 INFO  uvm[0]:  {"timeStamp":"2023-08-25 14:11:17.269","s2pBytes":0,"p2sBytes":0,"sessionId":110942518647497,"endTime":1692987077269,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"10.50.10.66","CServerPort":445,"protocolName":"TCP","localAddr":"10.50.10.66","SServerAddr":"10.50.4.235","serverIntf":1,"remoteAddr":"10.50.4.235","CClientAddr":"10.50.10.66","serverCountry":"XU","sessionId":110942518647497,"SClientAddr":"10.50.0.8","clientCountry":"XL","policyRuleId":0,"CClientPort":55464,"timeStamp":"2023-08-25 14:10:47.239","clientIntf":100,"policyId":1,"SClientPort":21875,"bypassed":false,"SServerPort":445,"CServerAddr":"10.50.4.235","tagsString":""},"c2pBytes":0,"p2cBytes":0}

**Phase 1: Completed pre-decoding.
full event: '2023 Aug 25 14:11:17 INFO->10.50.0.8 Aug 25 14:11:17 INFO  uvm[0]:  {"timeStamp":"2023-08-25 14:11:17.269","s2pBytes":0,"p2sBytes":0,"sessionId":110942518647497,"endTime":1692987077269,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"10.50.10.66","CServerPort":445,"protocolName":"TCP","localAddr":"10.50.10.66","SServerAddr":"10.50.4.235","serverIntf":1,"remoteAddr":"10.50.4.235","CClientAddr":"10.50.10.66","serverCountry":"XU","sessionId":110942518647497,"SClientAddr":"10.50.0.8","clientCountry":"XL","policyRuleId":0,"CClientPort":55464,"timeStamp":"2023-08-25 14:10:47.239","clientIntf":100,"policyId":1,"SClientPort":21875,"bypassed":false,"SServerPort":445,"CServerAddr":"10.50.4.235","tagsString":""},"c2pBytes":0,"p2cBytes":0}'
timestamp: '2023 Aug 25 14:11:17'

**Phase 2: Completed decoding.
name: 'uvm'

**Phase 3: Completed filtering (rules).
id: '100010'
level: '10'
description: 'Raw JSON event'
groups: '['custom_rules_uvm']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.



If I can get some help on how to get hostname working, I can work on the others.


Thank you in advance.

Nicolas Alejandro Bertoldo

Aug 29, 2023, 1:45:37 PM
to Wazuh | Mailing List
Hi G Gao,

I hope you are well. In this case, you can simplify the parsing by using the JSON decoder. For example:

Decoder:

<decoder name="uvm">
    <prematch>INFO  uvm[\d]:  </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>


Logtest output:

Starting wazuh-logtest v4.6.0

Type one log per line

{"timeStamp":"2023-08-25 13:17:08.085","s2pBytes":1422,"p2sBytes":3349,"sessionId":110942518609498,"endTime":1692983828085,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"10.50.10.29","CServerPort":49155,"protocolName":"TCP","localAddr":"10.50.10.29","SServerAddr":"10.50.0.235","serverIntf":1,"remoteAddr":"10.50.0.235","CClientAddr":"10.50.10.29","serverCountry":"XU","sessionId":110942518609498,"SClientAddr":"10.50.0.8","clientCountry":"XL","policyRuleId":0,"CClientPort":52678,"timeStamp":"2023-08-25 13:16:34.513","clientIntf":100,"policyId":1,"SClientPort":48295,"bypassed":false,"SServerPort":49155,"CServerAddr":"10.50.0.235","tagsString":""},"c2pBytes":3349,"p2cBytes":1422}

**Phase 1: Completed pre-decoding.
full event: '{"timeStamp":"2023-08-25 13:17:08.085","s2pBytes":1422,"p2sBytes":3349,"sessionId":110942518609498,"endTime":1692983828085,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"10.50.10.29","CServerPort":49155,"protocolName":"TCP","localAddr":"10.50.10.29","SServerAddr":"10.50.0.235","serverIntf":1,"remoteAddr":"10.50.0.235","CClientAddr":"10.50.10.29","serverCountry":"XU","sessionId":110942518609498,"SClientAddr":"10.50.0.8","clientCountry":"XL","policyRuleId":0,"CClientPort":52678,"timeStamp":"2023-08-25 13:16:34.513","clientIntf":100,"policyId":1,"SClientPort":48295,"bypassed":false,"SServerPort":49155,"CServerAddr":"10.50.0.235","tagsString":""},"c2pBytes":3349,"p2cBytes":1422}'

**Phase 2: Completed decoding.
name: 'json'
c2pBytes: '3349'
class: 'class com.untangle.uvm.app.SessionStatsEvent'
endTime: '1692983828085.000000'
p2cBytes: '1422'
p2sBytes: '3349'
s2pBytes: '1422'
sessionEvent.CClientAddr: '10.50.10.29'
sessionEvent.CClientPort: '52678'
sessionEvent.CServerAddr: '10.50.0.235'
sessionEvent.CServerPort: '49155'
sessionEvent.SClientAddr: '10.50.0.8'
sessionEvent.SClientPort: '48295'
sessionEvent.SServerAddr: '10.50.0.235'
sessionEvent.SServerPort: '49155'
sessionEvent.bypassed: 'false'
sessionEvent.clientCountry: 'XL'
sessionEvent.clientIntf: '100'
sessionEvent.entitled: 'true'
sessionEvent.hostname: '10.50.10.29'
sessionEvent.localAddr: '10.50.10.29'
sessionEvent.policyId: '1'
sessionEvent.policyRuleId: '0'
sessionEvent.protocol: '6'
sessionEvent.protocolName: 'TCP'
sessionEvent.remoteAddr: '10.50.0.235'
sessionEvent.serverCountry: 'XU'
sessionEvent.serverIntf: '1'
sessionEvent.sessionId: '110942518609498.000000'
sessionEvent.timeStamp: '2023-08-25 13:16:34.513'
sessionId: '110942518609498.000000'
timeStamp: '2023-08-25 13:17:08.085'


I hope this helps. Let me know if you have any further questions.
Regards

G Gao

Aug 29, 2023, 5:53:40 PM
to Wazuh | Mailing List
Thank you so much! That worked out perfectly!

This helps me understand very well how the system and rulesets work.

Thank you again!

G Gao

Dec 29, 2024, 11:56:21 AM
to Wazuh | Mailing List
Coming back to this thread... I am trying to use a "mixed decoder with regular expressions" so that I can pass the data to static fields like srcip, dstip, etc.; however, this does not seem to work. This is how I set it up:


<decoder name="uvm">
    <program_name>uvm-to-192.168.0.80 </program_name>
</decoder>

<decoder name="uvm2">
    <parent>uvm</parent>
    <plugin_decoder offset="after_parent">JSON_Decoder</plugin_decoder>
</decoder>

<decoder name="uvm2">
    <parent>uvm</parent>
    <regex>"localAddr":"(\S+)"</regex>
    <order>scrip</order>
</decoder>

<decoder name="uvm2">
    <parent>uvm</parent>
    <regex>"remoteAddr":"(\S+)"</regex>
    <order>dstip</order>
</decoder>

My incoming message is this:


Dec 28 22:30:15 INFO  uvm-to-192.168.0.80 {"timeStamp":"2024-12-28 22:30:15.22","s2pBytes":0,"p2sBytes":0,"endTime":1735443015220,"sessionId":113513477894668,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"wlan0","CServerPort":8886,"protocolName":"TCP","serverLatitude":45.8491,"localAddr":"192.168.0.87","SServerAddr":"34.210.19.179","remoteAddr":"34.210.19.179","serverIntf":1,"CClientAddr":"192.168.0.87","serverCountry":"US","sessionId":113513477894668,"SClientAddr":"216.8.131.69","clientCountry":"XL","policyRuleId":0,"CClientPort":40016,"timeStamp":"2024-12-28 22:30:15.219","serverLongitude":-119.7143,"clientIntf":2,"policyId":1,"SClientPort":40016,"bypassed":false,"SServerPort":8886,"CServerAddr":"34.210.19.179","tagsString":""},"c2pBytes":0,"p2cBytes":0}



Logtest shows it is not being decoded at all. Can you please point out to me what I am not doing right?


Thank you.
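As an added illustration for the two decoding questions in this thread (it is not code from the thread, from Untangle or from Wazuh), the Python below reproduces offline what the logtest output in the accepted answer shows: the text up to and including the `uvm[0]:  ` header is the prematch, the JSON object after it is parsed, and nested keys come out in dot notation such as `sessionEvent.hostname`. It then maps a few of those flattened keys onto the static field names the last post wants (`srcip`, `dstip`, `srcport`, `dstport`, `protocol`, which are real Wazuh static fields; which Untangle fields should feed them is an assumption). The prematch generalizes to both header shapes quoted in the thread, `uvm[0]:` and `uvm-to-<host>`. Both sample lines are constructed, with shortened payloads.

```python
import json
import re

# Constructed samples modelled on the Untangle SessionStatsEvent lines quoted in
# this thread (payloads shortened; addresses and counters are made up).
SAMPLE_SYSLOG_UVM = (
    '2023 Aug 25 13:17:08 INFO->10.50.0.8 Aug 25 13:17:08 INFO  uvm[0]:  '
    '{"timeStamp":"2023-08-25 13:17:08.085","s2pBytes":1422,"p2sBytes":3349,'
    '"sessionId":110942518609498,'
    '"class":"class com.untangle.uvm.app.SessionStatsEvent",'
    '"sessionEvent":{"protocol":6,"protocolName":"TCP","hostname":"10.50.10.29",'
    '"localAddr":"10.50.10.29","remoteAddr":"10.50.0.235",'
    '"CClientPort":52678,"CServerPort":49155,"bypassed":false,'
    '"sessionId":110942518609498},'
    '"c2pBytes":3349,"p2cBytes":1422}'
)
SAMPLE_UVM_TO = (
    'Dec 28 22:30:15 INFO  uvm-to-192.168.0.80 '
    '{"timeStamp":"2024-12-28 22:30:15.22","sessionId":113513477894668,'
    '"sessionEvent":{"protocolName":"TCP","hostname":"wlan0",'
    '"localAddr":"192.168.0.87","remoteAddr":"34.210.19.179",'
    '"CClientPort":40016,"CServerPort":8886}}'
)

# Stand-in for the <prematch>: accepts both "uvm[0]:" and "uvm-to-<host>"
# headers seen in the thread, so the JSON payload starts right after the match
# (the equivalent of offset="after_prematch").
PREMATCH = re.compile(r"INFO\s+uvm(?:\[\d+\]:|-to-\S+)\s+")

# Flattened JSON key -> Wazuh static field name. The field names on the right
# are real static fields; the choice of source keys is an assumption.
STATIC_FIELD_MAP = {
    "sessionEvent.localAddr": "srcip",
    "sessionEvent.remoteAddr": "dstip",
    "sessionEvent.CClientPort": "srcport",
    "sessionEvent.CServerPort": "dstport",
    "sessionEvent.protocolName": "protocol",
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dot-notation keys, the shape the thread's
    logtest output shows (sessionEvent.hostname, sessionEvent.localAddr, ...)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def decode_event(line):
    """Locate the prematch, parse the JSON that follows it and flatten it.
    Returns None when the line does not match or the payload is not JSON,
    the analogue of the decoder not firing for that line."""
    m = PREMATCH.search(line)
    if not m:
        return None
    try:
        data = json.loads(line[m.end():])
    except json.JSONDecodeError:
        return None
    return flatten(data)


def to_static_fields(fields):
    """Copy selected decoded fields into static field names so a rule could
    match on srcip/dstip; values are strings, as logtest displays them."""
    return {dst: str(fields[src]) for src, dst in STATIC_FIELD_MAP.items()
            if src in fields}


if __name__ == "__main__":
    for line in (SAMPLE_SYSLOG_UVM, SAMPLE_UVM_TO):
        decoded = decode_event(line)
        for key in sorted(decoded):
            print(f"{key}: {decoded[key]!r}")
        print("static fields:", to_static_fields(decoded))
        print()
```

One caveat when reading the logtest output against this toy: the real JSON decoder renders every value as a string and prints integers with six decimals (`sessionId: '110942518609498.000000'`, `endTime: '1692983828085.000000'` above), whereas this script keeps native JSON types. Rules that match on those numeric fields have to account for that rendering.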

