VMesxi decoder and rule
Aung Pyae
09:48:48.171110 IP 172.xx.xx.xxx > wazuh-manager.syslog: SYSLOG user.info, length: 391
09:48:48.860201 IP 172.xx.xx.xxx > wazuh-manager.syslog: SYSLOG user.info, length: 336
09:48:48.860430 IP 172.xx.xx.xxx > wazuh-manager.syslog: SYSLOG user.info, length: 201
09:48:49.866161 IP 172.xx.xx.xxx > wazuh-manager.syslog: SYSLOG user.info, length: 336
09:48:49.866379 IP 172. 172.xx.xx.xxx > wazuh-manager.syslog: SYSLOG user.info, length: 201
Jonathan Martín Valera
Hi,
First of all, I am going to share with you some useful references for the creation of decoders and rules:
- Creating decoders and rules from scratch: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
- Sibling decoders: flexible extraction of information: https://wazuh.com/blog/sibling-decoders-flexible-extraction-of-information/
- Custom rules and decoders: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- Testing decoders and rules: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
To create the decoders you have to see if the log has a fixed structure or can be variable, in which case you will probably have to create several decoders for those cases.
I am going to give you an example with the following log:
1 2022-04-05T10:08:30.949693+00:00 photon-machine vpxd 3963 - - --> startVClockTime = (vim.vslm.VClockInfo)
If we try this log in the /var/ossec/bin/wazuh-logtest tool, we see that there is no decoder for it:
1 2022-04-05T10:08:30.949693+00:00 photon-machine vpxd 3963 - - --> startVClockTime = (vim.vslm.VClockInfo)
**Phase 1: Completed pre-decoding.
full event: '1 2022-04-05T10:08:30.949693+00:00 photon-machine vpxd 3963 - - --> startVClockTime = (vim.vslm.VClockInfo)'
**Phase 2: Completed decoding.
No decoder matched.
I am going to assume that to identify this type of logs, the header will be the following:
1 2022-04-05T10:08:30.949693+00:00 photon-machine vpxd 3963 - - -->
and the content:
startVClockTime = (vim.vslm.VClockInfo)
Therefore, I am going to create and add the following decoder to /var/ossec/etc/decoders/local_decoder.xml.
<decoder name="esxi-generic">
<prematch type="pcre2">\d \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+.\d{2}:\d{2} photon-machine vpxd \d+ - - --\>\s*</prematch>
</decoder>
<decoder name="esxi-start">
<parent>esxi-generic</parent>
<regex>startVClockTime = \((\.*)\)</regex>
<order>start_v_clock_time</order>
</decoder>
If I wanted to generate an alert when such decoded field has value vim.vslm.VClockInfo, then I would create and add the following rule in /var/ossec/etc/rules/local_rules.xml:
<rule id="100050" level="3">
<decoded_as>esxi-generic</decoded_as>
<field name="start_v_clock_time">vim.vslm.VClockInfo</field>
<description>vim.vslm.VClockInfo started!</description>
</rule>
If we try to test again the same log in the /var/ossec/bin/wazuh-logtest tool, we can see as it is now decoded and the alert would be generated for the mentioned use case:
**Phase 1: Completed pre-decoding.
full event: '1 2022-04-05T10:08:30.949693+00:00 photon-machine vpxd 3963 - - --> startVClockTime = (vim.vslm.VClockInfo)'
**Phase 2: Completed decoding.
name: 'esxi-generic'
start_v_clock_time: 'vim.vslm.VClockInfo'
**Phase 3: Completed filtering (rules).
id: '100050'
level: '3'
description: 'vim.vslm.VClockInfo started!'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.
If we want to apply these changes, we must restart the wazuh-manager:
systemctl restart wazuh-manager
I hope you find this information useful.
Best regards.