audit decoder in wazuh


Maxim Parpaley

Mar 28, 2023, 12:42:23 AM
to Wazuh mailing list
Hi,

In Wazuh, 0040_auditd_decoders.xml is the file for auditd logs.
I have this auditd log:

type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"

and when I use logtest, this is the result:
[Screenshot attached: Screenshot 2023-03-28 114036.png]
I don't see any fields decoded, such as a0, a1, a2, a3, ...

How can i solve my situation?

Best Regards,

Juan Cabrera

Mar 28, 2023, 12:15:30 PM
to Wazuh mailing list

Hello Maxim,

Sorry for the delay in replying. There is a bug in Analysisd that we are investigating. You can track this problem in the following issue: https://github.com/wazuh/wazuh/issues/16524

On the other hand, if you don't want to wait, you can incorporate a dummy decoder into your ruleset to make it work properly. To do this, you must add the following decoder as indicated in the issue:

<decoder name="auditd-dummy">
  <parent>auditd</parent>
  <prematch>^test</prematch>
  <regex>(\.+)</regex>
  <order>test</order>
</decoder>

If we test it, we can check that it works correctly:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"

**Phase 1: Completed pre-decoding.
        full event: 'type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"'

**Phase 2: Completed decoding.
        name: 'auditd'
        audit.execve.a1: '-e'
        audit.execve.a2: '/etc/NetworkManager/dispatcher.d/01-ifupdown'
        audit.execve.a3: 'ens33'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '0'
        description: 'Audit: Messages grouped.'
        groups: '['audit']'
        firedtimes: '1'
        mail: 'False'

I hope this is helpful, best regards,
Juan Cabrera

Maxim Parpaley

Mar 28, 2023, 11:01:13 PM
to Wazuh mailing list
Hi,

I tried it and it worked, but I wonder why a4 is not decoded.

Best Regard,

Maxim Parpaley

Mar 29, 2023, 12:01:07 AM
to Wazuh mailing list

Hi,

Does "incorporate a dummy decoder into your ruleset" mean I add it to the default decoder file 0040-auditd_decoders.xml?

[Screenshot attached: Screenshot 2023-03-29 105852.png]
I fixed that, but a4, id and type are not decoded.
[Screenshot attached: Screenshot 2023-03-29 110001.png]

Best Regard,

Juan Cabrera

Mar 29, 2023, 11:01:48 AM
to Wazuh mailing list

Sorry, to decode that field, the first EXECVE decoder sets the following:

<decoder name="auditd-execve">
  <parent>auditd</parent>
  <prematch offset="after_parent">^EXECVE </prematch>
  <!-- the timestamp part of the regex is \d+.\d+:(\d+) so that it matches
       msg=audit(1679976881.124:141017): and captures the serial as audit.id -->
  <regex offset="after_parent">^(EXECVE) msg=audit\(\d+.\d+:(\d+)\): </regex>
  <order>audit.type,audit.id</order>
</decoder>

Regards !

Maxim Parpaley

Mar 29, 2023, 10:30:29 PM
to Wazuh mailing list
Hi,

Can you share your decoder file for auditd?
I tried it and it did not work.

Best Regards,

Maxim Parpaley

Mar 30, 2023, 3:58:56 AM
to Wazuh mailing list
Hi,

I solved audit.type and audit.id, but a4 is not.
I see in the GitHub link you shared that a4 is not decoded.

Best Regard,

Maxim Parpaley

Mar 30, 2023, 4:15:01 AM
to Wazuh mailing list
Hi,

If I do as in your GitHub link, it's wrong with other audit logs.
[Screenshot attached: Screenshot 2023-03-30 151433.png]

Best Regards,

Juan Cabrera

Mar 30, 2023, 6:42:20 AM
to Wazuh mailing list

Hello Maxim,

We have escalated this issue to our "threat-intel" team for investigation and a prompt resolution.

As you’ve noted, the last field is not being decoded due to an extra space at the end of each field in the decoders. To resolve this, please update the EXECVE decoders to the following:

<!-- EXECVE -->
<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">type=EXECVE msg=audit\(\S+\): argc=\d+ a0="(\.+)" </regex>
  <order>audit.execve.a0</order>
</decoder>

<!-- a1..a7: no trailing space after the closing quote, so the last argument on the line also matches -->
<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a1="(\.+)"</regex>
  <order>audit.execve.a1</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a2="(\.+)"</regex>
  <order>audit.execve.a2</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a3="(\.+)"</regex>
  <order>audit.execve.a3</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a4="(\.+)"</regex>
  <order>audit.execve.a4</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a5="(\.+)"</regex>
  <order>audit.execve.a5</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a6="(\.+)"</regex>
  <order>audit.execve.a6</order>
</decoder>

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <regex offset="after_regex">a7="(\.+)"</regex>
  <order>audit.execve.a7</order>
</decoder>

With it we can check the following output:

Starting wazuh-logtest v4.3.10
Type one log per line

**Phase 1: Completed pre-decoding.
        full event: 'type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"'

**Phase 2: Completed decoding.
        name: 'auditd'
        audit.execve.a1: '-e'
        audit.execve.a2: '/etc/NetworkManager/dispatcher.d/01-ifupdown'
        audit.execve.a3: 'ens33'
        audit.execve.a4: 'dhcp4-change'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '0'
        description: 'Audit: Messages grouped.'
        groups: '['audit']'
        firedtimes: '1'
        mail: 'False'

We appreciate your report and you can track the progress of this issue using the link provided.

Regards,
Juan Cabrera
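The trailing-space pitfall described in the last reply, shown as an added example that is not part of the original thread and not Wazuh's own code. It is a small Python parser for auditd EXECVE records written with Python's re module (not Wazuh's decoder regex dialect), so the same record can be decoded with a pattern that requires a space after each argument and with the corrected pattern, and the result cross-checked against argc. It also goes one step beyond the thread: when an argument contains a space or a non-printable byte, auditd writes it as an unquoted hex string instead of a quoted value, and the corrected pattern decodes that form too. The first sample line is the one posted in the thread; the other two are constructed for this example.

```python
import re

# Sample EXECVE records. The first is the line posted in the thread; the other
# two are constructed for this example. The third uses auditd's hex encoding,
# which auditd applies to an argument containing a space or a non-printable byte.
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1679976881.124:141017): argc=5 a0="/bin/sh" a1="-e" '
    'a2="/etc/NetworkManager/dispatcher.d/01-ifupdown" a3="ens33" a4="dhcp4-change"',
    'type=EXECVE msg=audit(1679976881.200:141018): argc=1 a0="/usr/bin/id"',
    'type=EXECVE msg=audit(1679976881.300:141019): argc=3 a0="/bin/sh" a1="-c" a2=6964202D75',
]

# Record header: type, timestamp (seconds.millis) and the serial used as audit.id.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ')

# Buggy argument pattern: the trailing space mirrors the defect discussed in the
# thread. The last aN on a line has nothing after its closing quote, so it
# never matches and that argument is silently dropped.
ARG_WITH_TRAILING_SPACE = re.compile(r'a(\d+)="([^"]*)" ')

# Corrected pattern: no trailing space, and a bare hex string is accepted as an
# alternative to a quoted value.
ARG = re.compile(r'a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def decode_execve(line, arg_re=ARG):
    """Decode one auditd EXECVE record into Wazuh-style audit.* field names.

    Returns None for records of any other type.
    """
    m = HEADER.match(line)
    if not m or m.group(1) != "EXECVE":
        return None
    fields = {"audit.type": m.group(1), "audit.id": m.group(4)}
    rest = line[m.end():]
    argc = re.search(r'\bargc=(\d+)', rest)
    if argc:
        fields["audit.execve.argc"] = int(argc.group(1))
    for am in arg_re.finditer(rest):
        if arg_re.groups >= 3 and am.group(3) is not None:
            # Hex-encoded argument: recover the original bytes.
            value = bytes.fromhex(am.group(3)).decode("utf-8", "replace")
        else:
            value = am.group(2)
        fields["audit.execve.a" + am.group(1)] = value
    return fields


def missing_args(fields):
    """Indices 0..argc-1 the pattern failed to extract (cross-check against argc)."""
    argc = fields.get("audit.execve.argc", 0)
    return [i for i in range(argc) if "audit.execve.a%d" % i not in fields]


if __name__ == "__main__":
    for line in SAMPLE_EXECVE:
        for label, pattern in (("trailing space", ARG_WITH_TRAILING_SPACE), ("fixed", ARG)):
            fields = decode_execve(line, pattern)
            print("%-14s id=%s missing=%s" % (label, fields["audit.id"], missing_args(fields)))
```

With the trailing-space pattern the thread's line loses a4 and a single-argument record loses a0 entirely; the corrected pattern recovers every argument, and the argc cross-check is a cheap way to spot such gaps in any decoder output before shipping it.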
