Parse CSV format logs to Wazuh and visualize in Kibana


Supragya Karki

Aug 4, 2021, 9:45:55 AM
to Wazuh mailing list
Is it possible to parse the csv file generated from Nessus directly or indirectly to wazuh? I want to send the contents of that csv file to wazuh so that it can decode and check for certain rules and finally visualize via kibana dashboard.

Waiting for the response so eagerly!

Jose Cruz Lopez

Aug 5, 2021, 3:19:45 AM
to Wazuh mailing list
Hello Supragya,

We don't have a dedicated decoder for Nessus yet. But as CSV is plain text-based, you can create a custom decoder that extracts the fields that you want to analyze using regex.

Here you can have a bit of information about how to create a custom decoder: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

To me it is very useful to see examples of what I'm doing, so here you have our current decoders if you need some inspiration: https://github.com/wazuh/wazuh/tree/master/ruleset/decoders

The process to test a decoder is very simple: once you have created your decoder, save it in /var/ossec/ruleset/decoders/ and restart the manager.
If everything is good, the manager should be running again. Now you can use /var/ossec/bin/ossec-logtest; this is your best friend while creating decoders and rules.
You paste your log there and it shows all the fields it decoded; adjust the decoder until you see all the desired fields matched. Now you have to repeat the process, but aiming at the rules.
Here you can have a look at our current rules: https://github.com/wazuh/wazuh/tree/master/ruleset/rules

By doing this, you will be able to create a decoder and rules for those logs.
If you have any further questions, please do not hesitate to ask us. Best regards.

Supragya Karki

Aug 5, 2021, 10:58:25 PM
to Wazuh mailing list
Thank you for the response.

Actually, I went through the Wazuh documentation and followed everything possible for custom decoders and rules.
I thought of converting the CSV to a txt file and wrote a decoder accordingly, which is:

<!-- Parent decoder: an exported Nessus CSV line starts with a double quote -->
<decoder name="custom_csv">
    <prematch>^"</prematch>
</decoder>

<!-- Child decoder: one capture group per quoted column, in the Nessus export order.
     In Wazuh regex syntax \. matches any character; \.* (rather than \.+) is used
     so that empty columns, which Nessus exports as "", still match. -->
<decoder name="custom_csv">
    <parent>custom_csv</parent>
    <regex>^"(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)","(\.*)"</regex>
    <order>PluginID,CVE,CVSSv2.0BaseScore,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,SeeAlso,PluginOutput</order>
</decoder>

It seems like logtest is doing fine, as it returns 'decoded successfully', but it still doesn't give the decoded fields; it only says 'decoded successfully'. Please feel free to help me with any idea you have so that I can parse the CSV data into Wazuh and visualize it in Kibana.

Jose Cruz Lopez

Aug 6, 2021, 2:37:15 AM
to Wazuh mailing list
Hello again!

Looks like your parent decoder is too generic; this may run into problems later, as it will try to catch everything that starts with ". If you have the chance, try changing it to something more specific to your logs.

And for the part about why you don't see the decoded fields: when you get the 'decoded successfully' message, what do you see? They should appear there.
If you want to see them in Kibana, you'll need to add rules first. Also remember that logtest doesn't generate alerts in Kibana, so you'll need to write the logs into a monitored file and add that file to ossec.conf in a localfile entry.

I hope it helps you, best regards.
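As an added example (not from this thread or from Wazuh), a small Python converter that turns a Nessus CSV export into newline-delimited JSON, one finding per line, keyed with the field names of the decoder above. It uses the csv module rather than a regex so that commas, doubled quotes and line breaks inside Description or Plugin Output cannot break a record; it assumes the output file is then listed in ossec.conf as a localfile with log_format json, and the sample CSV is constructed for illustration.

```python
import csv
import io
import json

# Field names follow the decoder's <order>; the dot in CVSSv2.0BaseScore is
# replaced so the key is not read as a nested path by the JSON decoder.
FIELDS = ["PluginID", "CVE", "CVSSv2_0BaseScore", "Risk", "Host", "Protocol",
          "Port", "Name", "Synopsis", "Description", "Solution", "SeeAlso",
          "PluginOutput"]

# Constructed sample in the Nessus CSV export layout (header row, then one
# finding per row). Description contains a comma and a doubled quote, and
# Plugin Output contains a line break: the cases a per-line regex gets wrong.
SAMPLE_CSV = (
    '"Plugin ID","CVE","CVSS v2.0 Base Score","Risk","Host","Protocol","Port",'
    '"Name","Synopsis","Description","Solution","See Also","Plugin Output"\n'
    '"10287","","","None","192.0.2.10","udp","0","Traceroute Information",'
    '"It was possible to obtain traceroute information.",'
    '"Makes a traceroute to the remote host, ""hop by hop"".",'
    '"n/a","","Hops:\n1"\n'
)


def nessus_csv_to_events(text):
    """Return one dict per finding, keyed by the decoder's field names."""
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the Nessus header row
    events = []
    for row in reader:
        if len(row) != len(FIELDS):
            continue  # drop malformed rows rather than emit a partial event
        events.append(dict(zip(FIELDS, row)))
    return events


def to_json_lines(text):
    """Serialise the findings as NDJSON; json.dumps escapes embedded newlines,
    so every finding stays on exactly one line for the localfile collector."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n"
                   for e in nessus_csv_to_events(text))


if __name__ == "__main__":
    # Write the converted findings to the file Wazuh is configured to monitor.
    with open("nessus_findings.json", "a", encoding="utf-8") as out:
        out.write(to_json_lines(SAMPLE_CSV))
```

The decoded fields then arrive without a custom decoder, and rules can match on them directly (for example on the Risk field).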