Hi,
Just create your own decoders and rules.
/var/ossec/etc/decoders/local_decoder.xml
<decoder name="example">
  <prematch>^text </prematch>
</decoder>
<decoder name="example-fields">
  <parent>example</parent>
  <prematch>status</prematch>
  <regex offset="after_prematch">code = (\d+).</regex>
  <order>status</order>
</decoder>
/var/ossec/etc/rules/local_rules.xml
<group name="local,example,">
  <rule id="100002" level="3">
    <decoded_as>example</decoded_as>
    <description>Example status</description>
    <group>example,</group>
  </rule>
</group>
You can check them with the logtest tool:
2020/04/03 11:20:36 ossec-testrule: INFO: Started (pid: 1499).
ossec-testrule: Type one log per line.
text status code = 1. <------------------- Log sample
**Phase 1: Completed pre-decoding.
full event: 'text status code = 1.'
timestamp: '(null)'
hostname: 'ubuntu'
program_name: '(null)'
log: 'text status code = 1.'
**Phase 2: Completed decoding.
decoder: 'example'
status: '1' <------------------- Field extracted, you can use it in Kibana
**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '3'
Description: 'Example status'
**Alert to be generated.
Since the status field is extracted in the decoder, you can use it in Kibana (data.status).
Do not forget to add the corresponding localfile setting to monitor your log file, and restart the manager to apply the changes.
I hope it helps.
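As an added illustration, not part of the reply above and not Wazuh's own decoder engine, the following Python models the three logtest phases shown in that reply: a parent decoder selected by its prematch, a child decoder that applies its regex only after its own prematch (offset="after_prematch"), and a rule that fires on decoded_as. The DECODERS and RULES tables are in-memory copies of the two XML files from the post, and the names decode, match_rules, logtest and the sample log lines are all constructed for this example.

```python
import re

# Constructed in-memory copies of the decoder and rule definitions from the
# post (the real ones live in local_decoder.xml / local_rules.xml). This is an
# illustrative model of the matching logic, not Wazuh's own decoder code.
DECODERS = [
    {"name": "example", "parent": None, "prematch": r"^text "},
    {
        "name": "example-fields",
        "parent": "example",
        "prematch": r"status",
        "regex": r"code = (\d+).",   # applied with offset="after_prematch"
        "order": ["status"],
    },
]

RULES = [
    {"id": 100002, "level": 3, "decoded_as": "example",
     "description": "Example status"},
]


def decode(log):
    """Model of phase 2: pick the first parent decoder whose prematch hits the
    log, then try its children to extract named fields."""
    decoded = {"decoder": None, "fields": {}}
    parent = next((d for d in DECODERS
                   if d["parent"] is None and re.search(d["prematch"], log)),
                  None)
    if parent is None:
        return decoded
    # logtest reports the parent's name even when a child extracted the fields
    decoded["decoder"] = parent["name"]
    for child in (d for d in DECODERS if d["parent"] == parent["name"]):
        pre = re.search(child["prematch"], log)
        if pre is None:
            continue
        # offset="after_prematch": the regex only sees the text that follows
        # the child's prematch, so "code = ..." before "status" would not count
        m = re.search(child["regex"], log[pre.end():])
        if m:
            decoded["fields"].update(zip(child["order"], m.groups()))
        break
    return decoded


def match_rules(decoded):
    """Model of phase 3: a rule with <decoded_as> fires whenever the event was
    handled by that decoder, whether or not any field was extracted."""
    return [r for r in RULES if r["decoded_as"] == decoded["decoder"]]


def logtest(log):
    """Return the same information ossec-logtest prints for one input line."""
    decoded = decode(log)
    rules = match_rules(decoded)
    return {
        "decoder": decoded["decoder"],
        "fields": decoded["fields"],
        "rule_id": rules[0]["id"] if rules else None,
        "level": rules[0]["level"] if rules else None,
    }


if __name__ == "__main__":
    # Constructed sample lines: the post's own line, a variant with a longer
    # tail, a line that hits the parent but not the child, and a miss.
    samples = [
        "text status code = 1.",
        "text status code = 42 and a longer tail",
        "text without the keyword",
        "other text status code = 1.",
    ]
    for line in samples:
        print(f"{line!r} -> {logtest(line)}")
```

The third sample is the case worth noticing: the line decodes as "example" and rule 100002 still fires even though no status field was extracted, because decoded_as only checks the decoder name. If the alert should depend on the field being present, the rule needs an additional condition on it, for instance a <field name="status"> element with a regex such as \d+.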