Hello Maxim,
Sorry for the delay in replying. There is a bug in Analysisd that we are investigating. You can track this problem in the following issue: https://github.com/wazuh/wazuh/issues/16524
On the other hand, if you don't want to wait, you can incorporate a dummy decoder into your ruleset to make it work properly. To do this, you must add the following decoder as indicated in the issue:
<decoder name="auditd-dummy">
  <parent>auditd</parent>
  <prematch>^test</prematch>
  <regex>(\.+)</regex>
  <order>test</order>
</decoder>

If we test it, we can check that it works correctly:
# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"

**Phase 1: Completed pre-decoding.
        full event: 'type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"'

**Phase 2: Completed decoding.
        name: 'auditd'
        audit.execve.a1: '-e'
        audit.execve.a2: '/etc/NetworkManager/dispatcher.d/01-ifupdown'
        audit.execve.a3: 'ens33'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '0'
        description: 'Audit: Messages grouped.'
        groups: '['audit']'
        firedtimes: '1'
        mail: 'False'

I hope this is helpful, best regards,
Juan Cabrera
Sorry, to decode that field, the first EXECVE decoder sets the following:
<decoder name="auditd-execve">
  <parent>auditd</parent>
  <prematch offset="after_parent">^EXECVE </prematch>
  <regex offset="after_parent">^(EXECVE) msg=audit\(\d.type:(\d+)\): </regex>
  <order>audit.type,audit.id</order>
</decoder>

Regards!
Hello Maxim,
We have escalated this issue to our "threat-intel" team for investigation and a prompt resolution.
As you’ve noted, the last field is not being decoded due to an extra space at the end of each field in the decoders. To resolve this, please update the EXECVE decoders to the following:
<!-- EXECVE -->
<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">type=EXECVE msg=audit\(\S+\): argc=\d+ a0="(\.+)" </regex>
  <order>audit.execve.a0</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a1="(\.+)"</regex>
  <order>audit.execve.a1</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a2="(\.+)"</regex>
  <order>audit.execve.a2</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a3="(\.+)"</regex>
  <order>audit.execve.a3</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a4="(\.+)"</regex>
  <order>audit.execve.a4</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a5="(\.+)"</regex>
  <order>audit.execve.a5</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a6="(\.+)"</regex>
  <order>audit.execve.a6</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a7="(\.+)"</regex>
  <order>audit.execve.a7</order>
</decoder>

Where we can check the following output:
Starting wazuh-logtest v4.3.10
Type one log per line

**Phase 1: Completed pre-decoding.
        full event: 'type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"'

**Phase 2: Completed decoding.
        name: 'auditd'
        audit.execve.a1: '-e'
        audit.execve.a2: '/etc/NetworkManager/dispatcher.d/01-ifupdown'
        audit.execve.a3: 'ens33'
        audit.execve.a4: 'dhcp4-change'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '0'
        description: 'Audit: Messages grouped.'
        groups: '['audit']'
        firedtimes: '1'
        mail: 'False'

We appreciate your report and you can track the progress of this issue using the link provided.
Regards,
Juan Cabrera
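The failure mode discussed in the thread (chained per-argument decoders whose pattern ends in a literal space, so the final aN="..." field, which has nothing after its closing quote, never matches) can be reproduced outside Wazuh. The following is an added example written for this page, not Wazuh code and not an emulation of its OS_Regex engine: it approximates the decoder chain with Python `re`, walking the record from where the previous match ended (the effect of offset="after_regex"), and toggles the trailing space to show which argv fields are lost. It goes a little beyond the thread by also handling the unquoted, hex-encoded form auditd uses for an argument containing a space or quote. The sample records, the `trailing_space` flag and the helper names are constructed for the example.

```python
import re

# Constructed sample records, shaped like the event tested in the thread
# (not captured from a real host).
SAMPLE = ('type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" '
          'a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"')
# auditd writes an argument containing a space or quote as unquoted uppercase hex.
SAMPLE_HEX = ('type=EXECVE msg=audit(1679976881.124:141018): argc=2 '
              'a0="/bin/echo" a1=68656C6C6F20776F726C64')

HEADER = re.compile(r'^type=EXECVE msg=audit\((\d+\.\d+):(\d+)\): argc=(\d+) ')


def _arg_pattern(n, trailing_space):
    # One per-argument "decoder": a quoted value or an unquoted hex value.
    # The optional literal space after it reproduces the ruleset shape the
    # thread identifies as the bug (a trailing space after every field).
    tail = ' ' if trailing_space else ''
    return re.compile(rf'a{n}=(?:"([^"]*)"|([0-9A-F]+))' + tail)


def _decode_arg(m):
    if m.group(1) is not None:
        return m.group(1)
    # Hex-encoded argument: decode to text so the value is searchable.
    return bytes.fromhex(m.group(2)).decode('utf-8', errors='replace')


def extract_args(record, trailing_space):
    """Parse an EXECVE record into Wazuh-style field names.

    Each argument pattern is matched starting where the previous one ended,
    mirroring offset="after_regex". The chain stops at the first field that
    fails to match, so later arguments are silently absent from the result.
    """
    m = HEADER.match(record)
    if m is None:
        return None
    fields = {'audit.type': 'EXECVE',
              'audit.id': m.group(2),
              'audit.execve.argc': m.group(3)}
    pos = m.end()
    for n in range(int(m.group(3))):
        am = _arg_pattern(n, trailing_space).match(record, pos)
        if am is None:
            break  # decoder chain stops; remaining aN are not decoded
        fields[f'audit.execve.a{n}'] = _decode_arg(am)
        pos = am.end()
        while pos < len(record) and record[pos] == ' ':
            pos += 1  # consume the separator the trailing space was meant to eat
    return fields


def missing_args(record, trailing_space):
    """argv positions argc promises but the chain did not decode ([] = complete)."""
    fields = extract_args(record, trailing_space)
    if fields is None:
        return None
    argc = int(fields['audit.execve.argc'])
    return [f'a{n}' for n in range(argc) if f'audit.execve.a{n}' not in fields]


if __name__ == '__main__':
    for flag in (True, False):
        print(f'trailing space in pattern={flag}: missing {missing_args(SAMPLE, flag)}')
    print(extract_args(SAMPLE_HEX, trailing_space=False))
```

Comparing the decoded field count against argc, as `missing_args` does, is a cheap regression check to keep next to a custom ruleset: a rule that looks for a specific argument (for example the last one on a command line) will never fire if the decoder chain quietly drops it.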