Some alerts are not written to alerts.log


Nuno Fernandes

Jun 10, 2024, 3:56:34 AM
to Wazuh | Mailing List
Hello,

I have a wazuh-manager-4.7.5-1.x86_64 and one wazuh-agent-4.7.5-1.x86_64.
When I install a package on the agent's linux server, I get in the manager an entry in /var/log/ossec/alerts/alerts.log with (pls disregard the prefix on the output as it comes from the log pipeline):

ossec-1         | ** Alert 1717766107.7671: - syslog,yum,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,gpg13_4.10,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,tsc_CC8.1,
ossec-1         | 2024 Jun 07 13:15:07 (amazoncontainer) 172.19.0.6->/var/log/messages
ossec-1         | Rule: 2932 (level 7) -> 'New Yum package installed.'
ossec-1         | Jun  7 13:15:06 22144f6fdb18 yum[1268]: Installed: gpm-libs-1.20.7-15.amzn2.0.2.x86_64

This demonstrates that the agent is registered in the manager and that logs (from /var/log/messages) are being shipped from the agent to the manager and processed correctly.

Now, in the agent I have a custom bash that writes the commands executed also to syslog and to /var/log/messages, so same file being shipped to the manager.
In the manager I have a custom decode and rule that should alert me when commands are executed.

If I execute /var/ossec/bin/wazuh-logtest with that string I get:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.5
Type one log per line

Dec  6 10:43:13 ip-10-2-6-192 -bash: (647) [ec2-user.ec2-user] |.| ps fax

**Phase 1: Completed pre-decoding.
        full event: 'Dec  6 10:43:13 ip-10-2-6-192 -bash: (647) [ec2-user.ec2-user] |.| ps fax'
        timestamp: 'Dec  6 10:43:13'
        hostname: 'ip-10-2-6-192'
        program_name: '-bash'

**Phase 2: Completed decoding.
        name: 'bash'

**Phase 3: Completed filtering (rules).
        id: '100201'
        level: '7'
        description: 'Shell command executed on system'
        groups: '['syslog', 'bash']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

So, I should get an alert in /var/log/ossec/alerts/alerts.log as well, but I don't get any alert. I can see that when I execute a command and the entry is logged to /var/log/messages in the agent, network traffic flows to the manager, but I don't get any alert.

Also tried setting analysisd.debug=2 but didn't show any real difference between a yum install triggering an alert and a command being executed not triggering any alert.

I'm somewhat lost on how to debug this further and would appreciate any help.

Best regards,
Nuno Fernandes

Anthony Faruna

Jun 10, 2024, 6:51:53 AM
to Wazuh | Mailing List
Hello Nuno,

To troubleshoot this issue and confirm that the logs are reaching the Wazuh manager, I will need you to turn on the Wazuh archive on the Wazuh server.

When the archive log is enabled, wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. By default, Wazuh archives are disabled because they store many logs on the Wazuh server.

Please follow the steps below to enable Wazuh archives on the Wazuh server:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation: Wazuh Documentation | log all and Wazuh archive

This option will allow you to see all the events the Wazuh server monitors in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint.

After setting this option, restart the manager and check the archives.log file.

Note: Remember to disable the log of all parameters once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

I will be expecting your feedback

Regards

Nuno Fernandes

Jun 13, 2024, 8:10:48 AM
to Wazuh | Mailing List
Hello,

It does reach that file:

```
$ tail /var/ossec/logs/archives/archives.log
2024 Jun 13 09:33:10 (amazoncontainer) 172.19.0.6->/var/log/messages Jun 13 09:33:09 f2efd72ec3b1 bash: (562) [root.root] |.| ls
2024 Jun 13 09:33:28 (amazoncontainer) 172.19.0.6->/var/log/messages Jun 13 09:33:27 f2efd72ec3b1 bash: (562) [root.root] |.| whoami
2024 Jun 13 09:33:32 (amazoncontainer) 172.19.0.6->/var/log/messages Jun 13 09:33:32 f2efd72ec3b1 bash: (562) [root.root] |.| ps fax
2024 Jun 13 09:33:36 (amazoncontainer) 172.19.0.6->/var/log/messages Jun 13 09:33:35 f2efd72ec3b1 bash: (562) [root.root] |.| top
```

Thank you for any help
Nuno Fernandes

Nuno Fernandes

Jun 18, 2024, 4:12:57 AM
to Wazuh | Mailing List
Hello,

I upgraded to wazuh-agent-4.8.0-1.x86_64 and wazuh-manager-4.8.0-1.x86_64 and the issue remains. I get the data in /var/ossec/logs/archives/archives.log but I don't get any in /var/log/ossec/alerts/alerts.log, even though /var/ossec/bin/wazuh-logtest reports that an alert would be generated.

Thanks for any help here
Nuno Fernandes

Anthony Faruna

Jun 24, 2024, 4:59:22 AM
to Nuno Fernandes, Wazuh | Mailing List
Hello Nuno

Apologies for the delayed response.

Based on the earlier output of the Logtest you provided, I can see the log is not properly decoded.

The fields are not decoded from the log, so the alert is not showing in alerts.log.

I'm working on creating a decoder to decode the fields properly.

Thank you for your patience.

Regards


Nuno Fernandes

Jun 28, 2024, 3:51:27 AM
to Wazuh | Mailing List
Hello,

I'm curious about what the issue is with the decoder, because in wazuh-logtest it shows (as per the first message on this thread):

```
**Alert to be generated.
```

So, here is the decoder that I have at /var/ossec/etc/decoders/bash.xml:
```xml
<decoder name="bash">
  <program_name>-bash</program_name>
</decoder>

<!-- match

    Dec  6 10:43:13 ip-10-2-6-192 -bash: (647) [ec2-user.ec2-user] |.| ps fax
    -->
<decoder name="bash-command">
  <parent>bash</parent>
  <prematch>^.\d+. </prematch>
  <!-- <prematch>^\(\d+\) \[(\S+)+\.\S+\]</prematch> -->
  <regex offset="after_parent">^.\d+. [(\S+)+\.\S+] |.| (.*)</regex>
  <!-- <regex offset="after_parent">^\(\d+\) \[(\S+)+\.\S+\] |.| (.*)</regex> -->
  <order>user, command</order>
</decoder>
```

Thank you for any help
Nuno

Anthony Faruna

Jul 1, 2024, 6:51:09 AM
to Nuno Fernandes, Wazuh | Mailing List
Hello Nuno,

Yes, it shows an alert to be generated, but the fields were not decoded.

Please use the decoders below and let me know if you see the alerts.

```xml
<decoder name="test_decoder">
  <program_name>bash</program_name>
</decoder>

<decoder name="test_decoder_child">
  <parent>test_decoder</parent>
  <regex type="pcre2">(\d+)\)</regex>
  <order>id</order>
</decoder>

<decoder name="test_decoder_child">
  <parent>test_decoder</parent>
  <regex type="pcre2">\[(\S+)\.</regex>
  <order>user_name</order>
</decoder>

<decoder name="test_decoder_child">
  <parent>test_decoder</parent>
  <regex type="pcre2">\|\s(.+)</regex>
  <order>command</order>
</decoder>
```

Hope you find this information helpful.

Regards
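To see what the three PCRE2 child decoders in the reply above extract from the shell-audit lines shown earlier in this thread, here is an added example (not from the original posts and not Wazuh's own code) that replays them in Python. It assumes the syslog pre-decoding step (timestamp, hostname, program_name, message) behaves as wazuh-logtest showed, models the `<program_name>bash</program_name>` check as a substring match so that both `bash` and `-bash` pass (an assumption about Wazuh's match semantics), and uses Python's `re` module in place of PCRE2, which agrees with it for these simple patterns. The sample lines are constructed from the events quoted in the thread; `missing_fields` is a hypothetical helper that reports which of the expected fields a line failed to yield, which is the symptom the original decoder had.

```python
import re

# Syslog pre-decoder stand-in: splits a line the way wazuh-logtest's
# "Phase 1" output does (timestamp, hostname, program_name, message).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:]+): (?P<message>.*)$"
)

# The three child-decoder regexes from the reply above, paired with the
# field named in each decoder's <order>. All three are applied to the same
# event and their captures merged, as the sibling decoders do.
CHILD_DECODERS = [
    ("id", r"(\d+)\)"),
    ("user_name", r"\[(\S+)\."),
    ("command", r"\|\s(.+)"),
]

EXPECTED_FIELDS = [name for name, _ in CHILD_DECODERS]

# Constructed sample input, taken from the events quoted in this thread.
SAMPLE_LINES = [
    "Dec  6 10:43:13 ip-10-2-6-192 -bash: (647) [ec2-user.ec2-user] |.| ps fax",
    "Jun 13 09:33:09 f2efd72ec3b1 bash: (562) [root.root] |.| ls",
    "Jun 13 09:33:32 f2efd72ec3b1 bash: (562) [root.root] |.| ps fax",
    # A yum line like the one that did alert; not a bash event at all.
    "Jun  7 13:15:06 22144f6fdb18 yum[1268]: Installed: gpm-libs-1.20.7-15.amzn2.0.2.x86_64",
]


def predecode(line):
    """Return the pre-decoded syslog header fields, or None if the line
    is not in syslog format."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_message(message):
    """Run every child decoder over the message body and merge the
    captured fields into one dict (fields that do not match are absent)."""
    fields = {}
    for field, pattern in CHILD_DECODERS:
        m = re.search(pattern, message)
        if m:
            fields[field] = m.group(1)
    return fields


def decode_line(line):
    """Full pipeline for one line: pre-decode, gate on program_name
    containing 'bash' (assumption: substring semantics, so '-bash' also
    passes), then extract id, user_name and command. Returns None when
    the parent decoder would not match."""
    pre = predecode(line)
    if pre is None or "bash" not in pre["program_name"]:
        return None
    fields = dict(pre)
    fields.update(decode_message(pre["message"]))
    return fields


def missing_fields(line):
    """Hypothetical troubleshooting helper: list the expected fields a
    bash line did NOT yield. An empty list means the decoder extracted
    everything a rule could match on; a full list reproduces the
    'alert to be generated but nothing decoded' symptom from the thread."""
    decoded = decode_line(line)
    if decoded is None:
        return list(EXPECTED_FIELDS)
    return [f for f in EXPECTED_FIELDS if f not in decoded]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_line(line), "missing:", missing_fields(line))
```

Run it as a script to see each sample line's decoded fields; a line whose `missing` list is non-empty is the one to stare at when a rule that looks right in wazuh-logtest still produces nothing in alerts.log.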

Anthony Faruna

Jul 2, 2024, 12:10:27 PM
to Nuno Fernandes, Wazuh mailing list
Hello Nuno

I'm glad to know it's working now.

The previous decoder was not working because it was not decoding any fields within the logs.

At phase 2 decoding for the first decoder, you can see that the only information there was the program name, but you can see that the decoder I shared with you decoded the ID, user, and command.

Please let me know if this helps.

Regards

On Tue, Jul 2, 2024 at 4:01 PM Nuno Fernandes <nuno.fe...@gmail.com> wrote:
Hello Anthony,

Hope you are well. That works!! Thank you so much!
I would like to know more about why the previous decoder was working fine before...

Thanks again for everything,
Nuno Fernandes