Help for decoder and adjust syslog nas thecus
66 views
Skip to first unread message
Daniele Cepparulo
Oct 5, 2022, 10:41:49 AM10/5/22
to Wazuh mailing list
Hi, I started using wazuh as a created log point in my network infrastructure.
I configured Wazuh as a syslog server listening on port 514, then I configured my thecus NAS to send logs to wazuh and verified that the logs are written to both /var/ossec/logs/archives/archives.json and archives.log but events on discovery wazuh are not displayed.
From what I understand is that there is no set up a decoder and rule to analyze the type of log, so I tried to follow some tutorials to try to write them but I am missing something.
The log sent to me by the NAS is the following:
2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137
This is the decoder:
<decoder name = "thecus-custom">
<prematch> ^ NAS3-> </prematch>
<type> syslog </type>
</decoder>
<decoder name = "thecus-nas">
<parent> thecus-custom </parent>
<regex> offset = "after_parent"> (\ d +. \ d +. \ d +. \ d +) \ w \ w \ w \ d \ d \ d: \ d \ d: \ d \ d \ w \ w \ w root: (\ S +): (\ S +) from (\ d +. \ d +. \ d +. \ d +) </regex>
<order> dstip, time, type, srcuser, srcip </order>
</decoder>
This is the rule:
<group name = "syslog">
<rule id = "100023" level = "5">
<decoded_as> thecus-custom </decoded_as>
<description> Thecus rule </description>
</rule>
</group>
The test output gives me the following result
** Phase 1: Completed pre-decoding.
full event: '2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
timestamp: '2022 Oct 05 09:33:19'
** Phase 2: Completed decoding.
name: 'thecus-custom'
** Phase 3: Completed filtering (rules).
id: '100023'
level: '5'
description: 'Thecus rule'
groups: '["syslog"]'
firedtimes: '2'
mail: 'false'
** Alert to be generated.
When I go to discovery nothing is displayed.
Can you please help me understand where the problem is and how to write both decoder and rule?
A thousand thanks.
I configured Wazuh as a syslog server listening on port 514, then I configured my thecus NAS to send logs to wazuh and verified that the logs are written to both /var/ossec/logs/archives/archives.json and archives.log but events on discovery wazuh are not displayed.
From what I understand is that there is no set up a decoder and rule to analyze the type of log, so I tried to follow some tutorials to try to write them but I am missing something.
The log sent to me by the NAS is the following:
2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137
This is the decoder:
<decoder name = "thecus-custom">
<prematch> ^ NAS3-> </prematch>
<type> syslog </type>
</decoder>
<decoder name = "thecus-nas">
<parent> thecus-custom </parent>
<regex> offset = "after_parent"> (\ d +. \ d +. \ d +. \ d +) \ w \ w \ w \ d \ d \ d: \ d \ d: \ d \ d \ w \ w \ w root: (\ S +): (\ S +) from (\ d +. \ d +. \ d +. \ d +) </regex>
<order> dstip, time, type, srcuser, srcip </order>
</decoder>
This is the rule:
<group name = "syslog">
<rule id = "100023" level = "5">
<decoded_as> thecus-custom </decoded_as>
<description> Thecus rule </description>
</rule>
</group>
The test output gives me the following result
** Phase 1: Completed pre-decoding.
full event: '2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
timestamp: '2022 Oct 05 09:33:19'
** Phase 2: Completed decoding.
name: 'thecus-custom'
** Phase 3: Completed filtering (rules).
id: '100023'
level: '5'
description: 'Thecus rule'
groups: '["syslog"]'
firedtimes: '2'
mail: 'false'
** Alert to be generated.
When I go to discovery nothing is displayed.
Can you please help me understand where the problem is and how to write both decoder and rule?
A thousand thanks.
Jose Camargo
Oct 5, 2022, 6:15:24 PM10/5/22
to Wazuh mailing list
Hi, thank you for using Wazuh
<decoded_as>thecus-custom</decoded_as>
<description>Thecus rule</description>
</rule>
</group>
2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137
full event: '2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
timestamp: '2022 Oct 05 09:33:19'
I've done some testing and you can use the following rules and decoders:
-- Decoders --
<decoder name="thecus-custom">
<prematch>^NAS3-></prematch>
<type>syslog</type>
</decoder>
<decoder name="thecus-nas">
<parent>thecus-custom</parent>
<regex offset="after_parent">\.*(\d+.\d+.\d+.\d+)\s+(\.*)\s+NAS3\s+root:\s+(\w+):\s+User\s+(\w+)\s+\.*(\d+.\d+.\d+.\d+)</regex>
<order>dstip,time,type,srcusr,srcip</order>
</decoder>
<prematch>^NAS3-></prematch>
<type>syslog</type>
</decoder>
<decoder name="thecus-nas">
<parent>thecus-custom</parent>
<regex offset="after_parent">\.*(\d+.\d+.\d+.\d+)\s+(\.*)\s+NAS3\s+root:\s+(\w+):\s+User\s+(\w+)\s+\.*(\d+.\d+.\d+.\d+)</regex>
<order>dstip,time,type,srcusr,srcip</order>
</decoder>
-- Rule --
<group name="syslog">
<rule id="100023" level="5">
<rule id="100023" level="5">
<decoded_as>thecus-custom</decoded_as>
<description>Thecus rule</description>
</rule>
</group>
-- Results --
wazuh-testrule: Type one log per line.
wazuh-testrule: Type one log per line.
2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137
**Phase 1: Completed pre-decoding.
full event: '2022 Oct 05 09:33:19 NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
timestamp: '2022 Oct 05 09:33:19'
hostname: 'wazuhaoi-srv'
program_name: '(null)'
log: 'NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
**Phase 2: Completed decoding.
decoder: 'thecus-custom'
dstip: '192.168.15.24'
time: 'Oct 5 11:33:19'
type: 'error'
srcusr: 'admin'
srcip: '192.168.200.137'
**Phase 3: Completed filtering (rules).
Rule id: '100023'
Level: '5'
Description: 'Thecus rule'
**Alert to be generated.
program_name: '(null)'
log: 'NAS3-> 192.168.15.24 Oct 5 11:33:19 NAS3 root: error: User admin logged in fail from 192.168.200.137'
**Phase 2: Completed decoding.
decoder: 'thecus-custom'
dstip: '192.168.15.24'
time: 'Oct 5 11:33:19'
type: 'error'
srcusr: 'admin'
srcip: '192.168.200.137'
**Phase 3: Completed filtering (rules).
Rule id: '100023'
Level: '5'
Description: 'Thecus rule'
**Alert to be generated.
Please let me know if you have any issues, I'll be glad to help.
Regards,
Jose Camargo
Reply all
Reply to author
Forward
0 new messages