Mariadb Logs not matching with the wazuh ruleset from wazuh github repository
185 views
Skip to first unread message
Aravind Raja
Apr 20, 2023, 3:09:49 AM4/20/23
to Wazuh mailing list
{"timestamp":"2023-04-20T10:12:35.853+0530","agent":{"id":"001","name":"ubuntu-mariadb","ip":"192.168.40.62"},"manager":{"name":"wazuh-ML"},"id":"1681965755.78761","full_log":"20230420 10:12:35,ubuntu-mariadb,root,localhost,33,60,QUERY,mysql,'DROP DATABASE Desvelao',0","decoder":{},"location":"/var/log/mysql/mariadb-audit.log"}
I have been trying to get Mariadb DML DDL command logs to be indexed to wazuh dashboard but it doesnot matching any of the ruleset given in the wazuh repository. So it fails at the log test using /var/ossec/bin/wazuh-logtest
Help me sort out this.
Help me sort out this.
Ujunwa Okonkwo
Apr 20, 2023, 4:21:41 AM4/20/23
to Wazuh mailing list
Thank you for reaching out to us.
We understand that you are having trouble getting Mariadb DML DDL command logs indexed to the Wazuh dashboard.
To troubleshoot this, you can follow these steps:
Check if the log messages are being generated correctly by Mariadb. You can check this by reviewing the contents of the Mariadb audit log file located at /var/log/mysql/mariadb-audit.log. Ensure that the log messages contain the necessary information such as timestamp, user, IP address.....
We recommend checking if the log format matches any of the existing decoders in the Wazuh repository.
Run the Wazuh logtest utility to verify if the log messages can be successfully parsed and indexed by Wazuh.
If the logtest succeeds, the Mariadb logs should now be indexed and visible in the Wazuh dashboard.
You would need to sort the failing log test first, please refer to the below:
https://github.com/wazuh/wazuh/blob/v4.4.0/ruleset/decoders/0378-mariadb_decoders.xml
https://github.com/wazuh/wazuh/blob/v4.4.0/ruleset/rules/0535-mariadb_rules.xml
If the logs don't match with the decoders or rules that you need in your environment, then you will have to create them. Please refer to this blog:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
here is also a similar issue that was solved: https://github.com/wazuh/wazuh-kibana-app/issues/5378
I hope this is helpful.
Regards,
We understand that you are having trouble getting Mariadb DML DDL command logs indexed to the Wazuh dashboard.
To troubleshoot this, you can follow these steps:
Check if the log messages are being generated correctly by Mariadb. You can check this by reviewing the contents of the Mariadb audit log file located at /var/log/mysql/mariadb-audit.log. Ensure that the log messages contain the necessary information such as timestamp, user, IP address.....
We recommend checking if the log format matches any of the existing decoders in the Wazuh repository.
Run the Wazuh logtest utility to verify if the log messages can be successfully parsed and indexed by Wazuh.
If the logtest succeeds, the Mariadb logs should now be indexed and visible in the Wazuh dashboard.
You would need to sort the failing log test first, please refer to the below:
https://github.com/wazuh/wazuh/blob/v4.4.0/ruleset/decoders/0378-mariadb_decoders.xml
https://github.com/wazuh/wazuh/blob/v4.4.0/ruleset/rules/0535-mariadb_rules.xml
If the logs don't match with the decoders or rules that you need in your environment, then you will have to create them. Please refer to this blog:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
here is also a similar issue that was solved: https://github.com/wazuh/wazuh-kibana-app/issues/5378
I hope this is helpful.
Regards,
Reply all
Reply to author
Forward
0 new messages