Parse logs for wazuh


Atlas Atlas

Mar 8, 2023, 5:10:21 PM
to Wazuh mailing list
Hello, can someone help me to parse this, and what should I put in the decoder part and in the rules part?

The log is:

Mar  8 13:50:43 SW2 USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1650) 495 %% HTTP Session 29 ended for user admin connected from 10.20.30.10


Thanks 

Sebastian Dario Bustos

Mar 8, 2023, 11:55:45 PM
to Wazuh mailing list

Hello Atlas,
Thank you for using Wazuh!
The best first approach to analyze an event is to run it through a log test. Here is the reference for the command-line log testing tool: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html

You can also use the Ruleset test tool in your Wazuh Dashboard console (Wazuh app menu -> Tools); just paste the log and execute.
Either of these tools will tell you what is being pre-decoded, which means you can't include those fields in your decoder, but you can reference fields like program_name to make it easier to identify the logs (if that field contains something, which is not the case here).

Here is the reference for the creation of custom rules and decoders:

Let me also attach a link to the syntax for each:

Here is your custom decoder for this event; you can catch similar events by changing the regex:

<decoder name="user_mgr">
  <prematch>USER_MGR</prematch>
</decoder>

<decoder name="user_mgr_fields">
  <parent>user_mgr</parent>
  <regex>%% (\.*) (\d+.\d+.\d+.\d+)$</regex>
  <order>message,srcip</order>
</decoder>

And your rule can be simple for now until you add more conditions:

<rule id="900000" level="3">
  <decoded_as>user_mgr</decoded_as>
  <description>$(message) $(srcip)</description>
</rule>

Please let me know if this was helpful.
Regards.

Atlas Atlas

Mar 9, 2023, 2:24:30 PM
to Wazuh mailing list
Hello Sebastian,

Thank you a lot for helping me, and your links are very helpful.

I tested now with the Ruleset tool in the dashboard and with logtest; it gives me Phase 1/Phase 2/Phase 3.

But when I try to:
  • make a logger test from a Windows machine terminal to the wazuh.ova VM, which is on the same server, with the rsyslog command: logger.exe -l 192.168.1.250 -a 514 -m tcp "USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1650) 495 %% HTTP Session 29 ended for user admin connected from 10.20.30.10"
  • rsyslog receives the logger test; it shows me that it was received, with the command: cat /var/log/messages
  • but when I search for it in the Wazuh dashboard, I still can't see the log?


Sebastian Dario Bustos

Mar 9, 2023, 9:00:16 PM
to Wazuh mailing list

Hello Atlas,
The proper ways of receiving syslog are: either configuring a <remote> configuration section on your manager (just on one of them) to receive logs on a specific, unused port (TCP or UDP), where you can also specify the source IP these logs should be coming from, something like this, for example, to receive syslog on port 513 TCP:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>

Here is the reference for this:

And here are all the options that you can configure in the remote block (like allowed IPs):

Besides this, you can also configure, as you have now, rsyslog on a Linux host (manager or an agent) to receive the logs and place them in a separate file. After you have configured this, you will need to set a <localfile> configuration block to pick up the logs and analyze them (or forward them to the manager if you configure this on an agent). Here is the guide for this and the above method:

For the logs to arrive at the manager (or to be analyzed), they need to be ingested with a localfile config block if you are keeping the rsyslog config instead of the remote config.
Please let me know if this helps.
Regards.

Atlas Atlas

Mar 10, 2023, 2:43:31 PM
to Wazuh mailing list
Hello Sebastian,

I followed your idea by configuring a remote config:

> I can see that the Wazuh VM started listening on UDP:514
> I wrote your decoder and ruleset
> I tested with the Wazuh Ruleset Tool & Logtest (it can decode the log)

But I still cannot see this log from the switch in Wazuh. The only thing that I receive and can see from the same switch is: failed authentication.

I shared with you the configuration of the switch and the logtest.

Here are the photos, if they help:

(attachment: Capture.PNG)

(attachment: Sans titre.png)

Sebastian Dario Bustos

Mar 10, 2023, 4:23:04 PM
to Wazuh mailing list
Hello Atlas,

Can you please share the "<remote>" configuration block you added to your Wazuh manager to receive the syslogs? You may also attempt to configure another non-standard port, like 513 UDP, to be sure there is no other service using it. Once you configure it, you need to restart the manager service (systemctl restart wazuh-manager) and Wazuh will start listening on that port.

Let me know.
Regards.

Atlas Atlas

Mar 10, 2023, 5:12:32 PM
to Wazuh mailing list
Hello Sebastian,

After a lot of trying, and with your help too, finally I can see this log in the Wazuh dashboard:

The steps:

> I made a remote config like this:

<remote>
  <connection>syslog</connection>
  <port>10514</port>
  <protocol>udp</protocol>
  <allowed-ips>0.0.0.0/0</allowed-ips>
  <local_ip>192.168.1.198</local_ip>
</remote>

> I decoded the log like this:

<decoder name="USER_MGR">
  <program_name>USER_MGR</program_name>
</decoder>

<decoder name="USER_MGR">
  <parent>USER_MGR</parent>
  <regex type="pcre">^USER_MGR\D\w+.\d+\D: user_mgr_util.c\D\d+\D (\d+) %% HTTP Session (\d+) ended for user (\w+) connected from (\d+.\d+.\d+.\d+)$</regex>
  <order>extra_data,extra_data,srcuser, srcip</order>
</decoder>

> Ruleset like this:

  <rule id="900000" level="3">
    <decoded_as>USER_MGR</decoded_as>
    <description>$(srcuser) connected to switch from $(srcip)</description>
  </rule>

The only issue I have right now is how to count this authentication_success log with the other authentication_success ones?

(attachment: Capture d’écran 2023-03-10 231202.jpg)

Atlas Atlas

Mar 11, 2023, 10:59:12 AM
to Wazuh mailing list
Hello Sebastian,

I want to inform you that it all works now, finally.

Thank you a lot for your help 

Sebastian Dario Bustos

Mar 13, 2023, 11:12:44 PM
to Wazuh mailing list
Hello Atlas,

A couple of things to keep in mind about your configuration:

<remote>
  <connection>syslog</connection>
  <port>10514</port>
  <protocol>udp</protocol>
  <allowed-ips>0.0.0.0/0</allowed-ips>   <---- If you don't need a specific address to allow, then you can omit this field completely; no need for it.
  <local_ip>192.168.1.198</local_ip>     <---- This forces Wazuh to listen on port 10514 (in this case) only on this interface of your manager. If you want to listen on all interfaces (NICs) for this port, you can omit this (just FYI, you can leave it in this case).
</remote>

In your decoders I see you have 2 variables with the same name; you should put different names in the <order> section for each of the enclosed fields.

<decoder name="USER_MGR">
  <parent>USER_MGR</parent>
  <regex type="pcre">^USER_MGR\D\w+.\d+\D: user_mgr_util.c\D\d+\D (\d+) %% HTTP Session (\d+) ended for user (\w+) connected from (\d+.\d+.\d+.\d+)$</regex>
  <order>extra_data,extra_data,srcuser, srcip</order>         <---- You should change the second extra_data to something else like extra_data1 or anything meaningful to you to use on your rules.
</decoder>

(maybe you changed this for sharing purposes, but just in case)

To see your custom rules on the pre-defined dashboards and benchmarks, you should include your rules in the proper pre-defined groups; in this case you may include this:

  <rule id="900000" level="3">
    <decoded_as>USER_MGR</decoded_as>
    <description>$(srcuser) connected to switch from $(srcip)</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_32.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

(Please note that this is in addition to the custom group you create to enclose your rule; you can think of this line as "tags".)
Here is the same rule within a group (they should always be enclosed in a group block):

<group name="sw2,">
  <rule id="900000" level="3">
    <decoded_as>USER_MGR</decoded_as>
    <description>$(srcuser) connected to switch from $(srcip)</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_32.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

Hope this helps. Glad it all worked!!!
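To see how the regex/order pairing of the USER_MGR child decoder above behaves, and why the duplicated extra_data name in <order> matters, here is an added Python emulation (not Wazuh code and not from the thread). It applies the pcre regex posted in the thread to the sample switch log from the first post and expands the rule's $(field) description; it assumes, as the thread's logtest result suggests, that the regex is matched against the message after the syslog timestamp and hostname have been pre-decoded.

```python
import re

# Constructed copy of the switch event from the thread, with the syslog
# timestamp and hostname already removed (what the decoder regex sees).
SAMPLE_LOG = ("USER_MGR[tRpcsrv.00001]: user_mgr_util.c(1650) 495 %% HTTP "
              "Session 29 ended for user admin connected from 10.20.30.10")

# The pcre regex from the thread's USER_MGR child decoder, verbatim.
DECODER_REGEX = re.compile(
    r"^USER_MGR\D\w+.\d+\D: user_mgr_util.c\D\d+\D (\d+) %% HTTP Session (\d+) "
    r"ended for user (\w+) connected from (\d+.\d+.\d+.\d+)$")

# The two <order> lists discussed in the thread: as posted, and as suggested.
ORDER_AS_POSTED = "extra_data,extra_data,srcuser, srcip"
ORDER_SUGGESTED = "extra_data,extra_data1,srcuser,srcip"


def duplicate_fields(order):
    """Lint check: names that appear more than once in an <order> list."""
    names = [n.strip() for n in order.split(",")]
    return sorted({n for n in names if names.count(n) > 1})


def decode(log, order):
    """Emulate a Wazuh decoder: the i-th capture group is stored under the
    i-th name in <order>. Returns None when the regex does not match.
    A repeated name is overwritten by the later capture, so a field is lost."""
    m = DECODER_REGEX.match(log)
    if not m:
        return None
    names = [n.strip() for n in order.split(",")]
    fields = {}
    for name, value in zip(names, m.groups()):
        fields[name] = value  # second extra_data overwrites the first
    return fields


def render_description(template, fields):
    """Expand $(field) placeholders as the rule <description> does."""
    return re.sub(r"\$\((\w+)\)",
                  lambda mm: fields.get(mm.group(1), ""), template)


if __name__ == "__main__":
    print("duplicates:", duplicate_fields(ORDER_AS_POSTED))
    print("as posted: ", decode(SAMPLE_LOG, ORDER_AS_POSTED))
    print("suggested: ", decode(SAMPLE_LOG, ORDER_SUGGESTED))
    print(render_description("$(srcuser) connected to switch from $(srcip)",
                             decode(SAMPLE_LOG, ORDER_SUGGESTED)))
```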