GlassFish7 Logs


badr afilal

Dec 20, 2024, 5:02:44 AM
to Wazuh | Mailing List
Hello team, since we are missing a decoder for GlassFish 7 web server logs, I made the following decoder, but it still has some errors!


<decoder name="glassfish_7_log">
  <!-- Define prematch to filter logs based on the Glassfish pattern -->
  <prematch>\[GF \d+\.\d+\.\d+\]</prematch>
 
  <!-- Match the program name (Glassfish) -->
  <program_name>GF</program_name>

  <!-- Description of the decoder -->
  <description>Glassfish 7.0.12 Log Decoder</description>

  <!-- Group name for the decoder -->
  <group>glassfish</group>

  <!-- Fields to extract from the log message -->
  <field name="timestamp">timestamp</field> <!-- Extract timestamp -->
  <field name="glassfish_version">GF \d+\.\d+\.\d+</field> <!-- Capture the Glassfish version -->
  <field name="log_level">levelValue</field> <!-- Capture the log level (INFO, WARN, etc.) -->
  <field name="thread_id">_ThreadID</field> <!-- Capture Thread ID -->
  <field name="thread_name">_ThreadName</field> <!-- Capture Thread Name -->
 
  <!-- Capture class name (e.g., ma.kw.kls.KlsAppRepository) -->
  <field name="class_name">(\S+\.\S+\.\S+)</field>

  <!-- Capture the actual log message -->
  <field name="log_message">full_log</field> <!-- Capture the actual log message content -->
</decoder>



A log snippet:

[2024-12-20T09:57:29.761659+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  176781679 [http-listener-1(4)] DEBUG ma.kw.PermissionsLoaderFilter  - user is already authenthicated using JWT]]

[2024-12-20T09:57:29.761737+01:00] [GF 7.0.12] [WARNING] [] [org.glassfish.jersey.servlet.WebComponent] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 900] [[
  A servlet request to the URI http://example.com/endpoint1 contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.]]

[2024-12-20T09:57:29.761885+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  176781679 [http-listener-1(4)] INFO  ma.kw.kls.KlsAppRepository  - path = klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718]]

[2024-12-20T09:57:29.761953+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  splitAllViewsFiles /home/studio/glassfish7/glassfish/domains/domain1/klsResources/klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718]]

[2024-12-20T09:57:29.762049+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  splitAllViewsFiles /home/studio/glassfish7/glassfish/domains/domain1/klsResources/klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718/.git]]

[2024-12-20T09:57:29.762149+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  splitAllViewsFiles /home/studio/glassfish7/glassfish/domains/domain1/klsResources/klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718/.git/branches]]

Stuti Gupta

Dec 20, 2024, 5:25:14 AM
to Wazuh | Mailing List
For the given log:

[2024-12-20T09:57:29.761885+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[ 176781679 [http-listener-1(4)] INFO  ma.kw.kls.KlsAppRepository  - path = klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718]]

You can create the decoder like:

<decoder name="decoder">
        <prematch>jakarta.enterprise.logging</prematch>
</decoder>

<decoder name="decoder_child">
        <parent>decoder</parent>
        <regex>_ThreadID=(\.+) </regex>
        <order>_ThreadID</order>
</decoder>

<decoder name="decoder_child">
        <parent>decoder</parent>
        <regex>_ThreadName=(\.+)] </regex>
        <order>_ThreadName</order>
</decoder>

<decoder name="decoder_child">
        <parent>decoder</parent>
        <regex> path = (\.+)</regex>
        <order>path</order>
</decoder>

Modify the decoder as per your requirement. To learn more about custom decoders, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html.
We recommend creating custom rules and decoders based on archives.json, because in these logs we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):

{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps
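Added example, not from the thread and not Wazuh's own code: a small Python parser for the GlassFish 7 server.log format quoted in the question, useful for prototyping the field extraction (header fields, the inner application log line, and the path value the third child decoder above pulls out) before committing the regexes to a decoder. All function and field names are my own choices, and the two sample records are constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the thread's server.log lines: header on one line, message body on the next.
SAMPLE_LOG = """\
[2024-12-20T09:57:29.761885+01:00] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 800] [[
  176781679 [http-listener-1(4)] INFO  ma.kw.kls.KlsAppRepository  - path = klsapp/993b8aef3b52cb7a8ada53c47c0aa20a/service_acquisition_6807718]]

[2024-12-20T09:57:29.761737+01:00] [GF 7.0.12] [WARNING] [] [org.glassfish.jersey.servlet.WebComponent] [tid: _ThreadID=73 _ThreadName=http-listener-1(4)] [levelValue: 900] [[
  A servlet request to the URI http://example.com/endpoint1 contains form parameters in the request body.]]
"""

# Header layout: [timestamp] [GF version] [level] [msg id] [logger] [tid: ...] [levelValue: n] [[body]]
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[GF (?P<gf_version>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[(?P<message_id>[^\]]*)\] \[(?P<logger>[^\]]+)\] "
    r"\[tid: _ThreadID=(?P<thread_id>\d+) _ThreadName=(?P<thread_name>[^\]]+)\] "
    r"\[levelValue: (?P<level_value>\d+)\] \[\[(?P<body>.*?)(?:\]\])?\s*$", re.DOTALL)
# stdout-routed records wrap the app's own line "<elapsed ms> [thread] LEVEL logger  - message"
INNER_RE = re.compile(r"^(?P<app_elapsed_ms>\d+) \[(?P<app_thread>[^\]]+)\] (?P<app_level>\w+)\s+"
                      r"(?P<app_logger>\S+)\s+- (?P<app_message>.*)$", re.DOTALL)
PATH_RE = re.compile(r" path = (?P<path>\S+)")  # the field the thread's third child decoder extracts

def split_records(text):
    # A record runs from a header line to the first line ending in "]]"; blank separators are skipped.
    records, current = [], []
    for line in text.splitlines():
        if not current and not line.strip():
            continue
        current.append(line)
        if line.rstrip().endswith("]]"):
            records.append("\n".join(current))
            current = []
    return records

def parse_record(record):
    # Header fields plus optional inner application fields; None if this is not a GlassFish record.
    m = HEADER_RE.match(record)
    if m is None:
        return None
    fields = m.groupdict()
    fields["message"] = body = fields.pop("body").strip()
    fields["thread_id"], fields["level_value"] = int(fields["thread_id"]), int(fields["level_value"])
    for extra in (INNER_RE, PATH_RE):  # sub-fields present only in some records
        found = extra.search(body)
        if found:
            fields.update(found.groupdict())
    return fields

def parse_log(text):
    return [f for f in map(parse_record, split_records(text)) if f is not None]
```

GlassFish writes the header and the message body on separate lines, so a line-oriented collector delivers them as two separate events unless the input is configured for multi-line records; the parser joins them first for that reason.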

Stuti Gupta

Dec 20, 2024, 5:28:05 AM
to Wazuh | Mailing List
Please refer to the image attached below:
Screenshot_2.png