How to filter out specific user from ssh log


Peutre

Jun 7, 2023, 3:03:59 AM
to Wazuh mailing list
Hello everyone,

I have about 200 servers under my Wazuh, and recently I got a new user that spams /var/log/messages a lot.

This kind of message :
systemd: Created slice User Slice of bewing.
systemd-logind: New session 129987 of user bewing.
systemd: Started Session 129987 of user bewing.
systemd-logind: Removed session 129987.

How can I filter out everything from this user in my Wazuh's ELK?

Many thanks,

Jean-Marie

Sandra Ocando

Jun 7, 2023, 5:02:06 AM
to Peutre, Wazuh mailing list
Hi Jean-Marie,

After testing the messages you shared, I noticed that by default, only the "Created slice User Slice of bewing" and "Started Session 129987 of user bewing" events trigger an alert (40700 - Systemd rules). However, this alert is level '0', so it is not logged by default.

To assist you further, could you please specify which alerts you would like to silence? Additionally, it would be helpful to know your log_alert_level and whether you are receiving all the events using wazuh-archives.

A common approach for silencing alerts for a given user is to create a custom child rule of the original rule. In this custom rule, you can silence alerts for said user by setting its level to 0. Check the custom rules and decoders section to learn more.

Best regards,

Sandra


Peutre

Jun 8, 2023, 3:08:27 AM
to Wazuh mailing list
Thanks for the help Sandra, I mainly have this kind of message in my Wazuh:

Jun 8 01:01:06 hotsname sshd[20312]: Accepted publickey for bewing from 10.1.20.27 port 41398 ssh2: RSA SHA256:EviFma2QunaCbWyvPT05QNPG95F2u/R1i5y+RDQ
Jun 8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)

[screenshot attachment: 2023-06-08_09h04_05.png]

My log level in the ossec.conf is the default: <log_alert_level>3</log_alert_level>
I need to check "custom rules and decoders"; I will try to understand it :)

Jean-Marie

Sandra Ocando

Jun 9, 2023, 6:22:08 AM
to Peutre, Wazuh mailing list

Hello Jean-Marie,

To silence rules 5501 and 5715 for user bewing, you can use the following rule:

<group name="sshd,">
  <rule id="100002" level="0">
    <if_sid>5501,5715</if_sid>
    <user>bewing</user>
    <description>Silence alerts for user bewing</description>
  </rule>
</group>


Add it to the custom rules file /var/ossec/etc/rules/local_rules.xml and customize it according to your needs.

As this rule is level 0, no alerts will be logged. To test the rule, you can use /var/ossec/bin/wazuh-logtest:

# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.3
Type one log per line

Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)

**Phase 1: Completed pre-decoding.
    full event: 'Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)'
    timestamp: 'Jun  8 01:01:06'
    hostname: 'hostname'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'pam'
    parent: 'pam'
    dstuser: 'bewing'
    uid: '0'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '0'
    description: 'Silence alerts for user bewing'
    groups: '['sshd']'
    firedtimes: '1'
    mail: 'False'


Remember to restart your Wazuh manager (systemctl restart wazuh-manager) to load the new rule.

Let us know if you have any questions.

Best regards,
Sandra.
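A way to turn the wazuh-logtest check above into a repeatable regression test, as an added example that is not part of the thread or of the Wazuh project: the script parses the phase-by-phase text that /var/ossec/bin/wazuh-logtest prints and confirms which rule fired, at what level, and for which decoded user. The sample output is constructed from the session quoted above; run_logtest() assumes the tool reads one event per line on stdin (as in that session) and only works on a host with a Wazuh manager installed.

```python
"""Regression check for a Wazuh silence rule built on wazuh-logtest output.

Added example, not code from the thread or from the Wazuh project.
It parses the phase-by-phase text that /var/ossec/bin/wazuh-logtest prints
and reports which rule fired, at what level, for which decoded user.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample, copied in shape from the wazuh-logtest run in the thread.
SAMPLE_OUTPUT = """\
Starting wazuh-logtest v4.4.3
Type one log per line

**Phase 1: Completed pre-decoding.
    full event: 'Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)'
    timestamp: 'Jun  8 01:01:06'
    hostname: 'hostname'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'pam'
    parent: 'pam'
    dstuser: 'bewing'
    uid: '0'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '0'
    description: 'Silence alerts for user bewing'
    groups: '['sshd']'
    firedtimes: '1'
    mail: 'False'
"""

_PHASE = re.compile(r"^\*\*Phase (\d):")
_FIELD = re.compile(r"^\s*(\w+):\s*'(.*)'\s*$")


@dataclass
class LogtestResult:
    decoder: Optional[str]      # Phase 2 'name'
    dstuser: Optional[str]      # Phase 2 'dstuser'
    rule_id: Optional[str]      # Phase 3 'id'; None when no rule matched
    level: Optional[int]        # Phase 3 'level'
    description: Optional[str]  # Phase 3 'description'


def parse_logtest(output: str) -> LogtestResult:
    """Collect the quoted key: 'value' fields, keyed by the phase they appear
    in, so Phase 2's decoder 'name' is never confused with a Phase 3 field."""
    phase = 0
    fields: Dict[Tuple[int, str], str] = {}
    for line in output.splitlines():
        m = _PHASE.match(line)
        if m:
            phase = int(m.group(1))
            continue
        m = _FIELD.match(line)
        if m:
            fields[(phase, m.group(1))] = m.group(2)
    level = fields.get((3, "level"))
    return LogtestResult(
        decoder=fields.get((2, "name")),
        dstuser=fields.get((2, "dstuser")),
        rule_id=fields.get((3, "id")),
        level=int(level) if level is not None else None,
        description=fields.get((3, "description")),
    )


def silenced_as_expected(output: str, rule_id: str, user: str) -> bool:
    """True only when the named custom rule fired at level 0 for that user."""
    r = parse_logtest(output)
    return r.rule_id == rule_id and r.level == 0 and r.dstuser == user


def still_alerts(output: str, min_level: int = 3) -> bool:
    """True when the line would still produce an alert at or above
    <log_alert_level> (3 by default, as in the thread)."""
    r = parse_logtest(output)
    return r.level is not None and r.level >= min_level


def run_logtest(log_line: str, binary: str = "/var/ossec/bin/wazuh-logtest") -> str:
    """Feed one event to the real wazuh-logtest on a Wazuh manager host.
    Assumption: the tool reads one event per line from stdin, prints the same
    phases as in the interactive session, and exits when stdin closes."""
    proc = subprocess.run([binary], input=log_line + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    print("silenced:", silenced_as_expected(SAMPLE_OUTPUT, "100002", "bewing"))
    print("still alerts:", still_alerts(SAMPLE_OUTPUT))
```

Keep a small file of representative lines for the user (session opened, accepted publickey, and a failed-password line that is meant to stay visible) and run them through this after every change to local_rules.xml: a rule that silences too much shows up as a level-0 result on a line that should still alert.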

Peutre

Jun 15, 2023, 4:20:04 AM
to Wazuh mailing list
Many thanks Sandra for your answer, I am trying to add this:

cat /var/ossec/etc/rules/local_rules.xml

<!-- Example -->
<group name="local,syslog,sshd,">
  <!-- Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2 -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>

<group name="sshd,">
  <rule id="100002" level="0">
    <if_sid>5501,5715</if_sid>
    <user>bewing</user>
    <description>Silence alerts for user bewing</description>
  </rule>
</group>

This has no result after a systemctl restart wazuh-manager, and Wazuh doesn't filter out the user bewing. Is it necessary to create a local_decoder.xml to make that work? Or did I make a mistake maybe?

Starting wazuh-logtest v4.1.5
Type one log per line

user bewing

**Phase 1: Completed pre-decoding.
    full event: 'user bewing'

**Phase 2: Completed decoding.
    No decoder matched.

Sandra Ocando

Jun 15, 2023, 6:55:11 AM
to Peutre, Wazuh mailing list

Hello Jean-Marie,

The custom rule filters rules 5501 "PAM: Login session opened" and 5715 "sshd: authentication success" for user bewing. Besides these two rules, are there other alerts that you want to filter for this user?

Note that this change will only affect future events, not the old alerts.

To test the new rule, you should paste the corresponding ssh log into /var/ossec/bin/wazuh-logtest. For example,

Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)

gives the following result:

**Phase 1: Completed pre-decoding.
    full event: 'Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)'
    timestamp: 'Jun  8 01:01:06'
    hostname: 'hostname'
    program_name: 'sshd'

**Phase 2: Completed decoding.
    name: 'pam'
    parent: 'pam'
    dstuser: 'bewing'
    uid: '0'

**Phase 3: Completed filtering (rules).
    id: '100002'
    level: '0'
    description: 'Silence alerts for user bewing'
    groups: '['sshd']'
    firedtimes: '1'
    mail: 'False'

If you want to see the path that the analysis engine takes to analyze the log, you can use the verbose option: /var/ossec/bin/wazuh-logtest-legacy -v. In this case, you can see how the log first matches rule 5501 and then matches our custom rule 100002.

...

    Trying rule: 5500 - Grouping of the pam_unix rules.

   *Rule 5500 matched.

   *Trying child rules.

    Trying rule: 5552 - PAM and gdm are not playing nicely.

    Trying rule: 5503 - PAM: User login failed.

    Trying rule: 5504 - PAM: Attempt to login with an invalid user.

    Trying rule: 5501 - PAM: Login session opened.

   *Rule 5501 matched.

   *Trying child rules.

    Trying rule: 5521 - PAM: Ignoring Annoying Ubuntu/debian cron login events.

    Trying rule: 100002 - Silence alerts for user bewing

   *Rule 100002 matched.

Let us know if you have any questions.

Cheers, Sandra


Peutre

Jun 15, 2023, 9:07:22 AM
to Wazuh mailing list
Thank you Sandra,

Now it works with "/var/ossec/bin/wazuh-logtest".

For example:

[screenshot attachment: 2023-06-15_15h02_52.png]

When I restart wazuh-manager and then check for new alerts, I still get them, and they are new messages.
The rule.id is indeed 5715 and should be filtered out.

[screenshot attachment: 2023-06-15_15h00_26.png]

Peutre

Jun 15, 2023, 9:28:18 AM
to Wazuh mailing list
Ahhh, I understand that all the 5501 alerts are good now.

<group name="sshd,">
  <rule id="100002" level="0">
    <if_sid>5501,5502,5715,80730</if_sid>
    <user>bewing</user>
    <description>Silence alerts for user bewing</description>
  </rule>
</group>

About the 5715 alert and the new message to filter out:

full event: 'Jun 15 15:13:21 slpl-ocs-app1 sshd[1719700]: Accepted key RSA SHA256:EviFma2QuDqZMnaCbWyvPT05QNPG95F2u/R1i5y+RDQ found at /home/sup/bewing/.ssh/authorized_keys:1'

I am just trying to find a way to do it: "<user>bewing</user>" seems OK for "session opened for user bewing" but is not enough for the 5715 alert.

Peutre

Jun 15, 2023, 9:47:07 AM
to Wazuh mailing list
Thank you so much for your help Sandra, I got them filtered out now; what I did is:

<group name="sshd,">
  <rule id="100002" level="0">
    <if_sid>5501,5502,5715,80730</if_sid>
    <user>bewing|traficon</user>
    <description>Silence alerts for user bewing and traficon</description>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5715,80730</if_sid>
    <match>bewing</match>
    <description>Silence alerts for user bewing authorizedkeys</description>
  </rule>
</group>

I use <user>bewing|traficon</user> with "|" to add another user, and <match>bewing</match> to apply it like a grep.
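The difference between the two rules above is worth seeing side by side: <user> is compared with the user the decoder extracted (dstuser), which the "Accepted key ... found at /home/sup/bewing/.ssh/authorized_keys" line does not carry, while <match> scans the whole log line. The script below is an added example, not code from the thread or from Wazuh: it models that behaviour over constructed events shaped like the thread's logs and shows two caveats a defender should check with wazuh-logtest before trusting the rule. It assumes Wazuh sregex semantics as documented: an unanchored pattern is a substring match, "|" separates alternatives, and "^" / "$" anchor an alternative; rule ids 5500/5501/5700/5715/5716 are the parents and children named in the thread.

```python
"""Scope model for <user> versus <match> in a level-0 Wazuh child rule.

Added example, not from the thread or the Wazuh project. Assumes Wazuh
sregex semantics: unanchored substring match, '|' alternatives, '^'/'$'
anchors. Verify real behaviour with /var/ossec/bin/wazuh-logtest.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def sregex_to_python(pattern: str) -> "re.Pattern[str]":
    """Translate the sregex subset used in the thread to a Python regex:
    '|' separates alternatives, a leading '^' / trailing '$' anchor one
    alternative, everything else is literal and matched as a substring."""
    parts = []
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        core = alt[1:] if start else alt
        end = core.endswith("$")
        core = core[:-1] if end else core
        parts.append(("^" if start else "") + re.escape(core) + ("$" if end else ""))
    return re.compile("|".join(parts))


@dataclass
class Event:
    """A decoded event as the rule engine sees it: the full log line, the
    decoded user (None when the decoder sets none) and the ids of the rules
    that already matched before child rules are tried."""
    full_log: str
    parent_rules: Tuple[int, ...]
    dstuser: Optional[str] = None


@dataclass
class SilenceRule:
    """The parts of a <rule level="0"> child rule that decide whether it fires."""
    rule_id: int
    if_sid: Set[int]
    user: Optional[str] = None   # <user>: checked against dstuser only
    match: Optional[str] = None  # <match>: checked against the whole log line

    def applies(self, ev: Event) -> bool:
        if not self.if_sid.intersection(ev.parent_rules):
            return False
        if self.user is not None:
            if ev.dstuser is None or not sregex_to_python(self.user).search(ev.dstuser):
                return False
        if self.match is not None and not sregex_to_python(self.match).search(ev.full_log):
            return False
        return True


def silenced_by(rules: List[SilenceRule], ev: Event) -> List[int]:
    """Ids of the silence rules that would catch this event."""
    return [r.rule_id for r in rules if r.applies(ev)]


# The thread's final rules, and an anchored variant of 100002 (assumed syntax).
RULES = [
    SilenceRule(100002, {5501, 5502, 5715, 80730}, user="bewing|traficon"),
    SilenceRule(100003, {5715, 80730}, match="bewing"),
]
ANCHORED = [SilenceRule(100002, {5501, 5502, 5715, 80730}, user="^bewing$|^traficon$")]

# Constructed events modelled on the log lines quoted in the thread.
SESSION_OPENED = Event(
    "Jun  8 01:01:06 hostname sshd[20312]: pam_unix(sshd:session): session opened for user bewing by (uid=0)",
    (5500, 5501), dstuser="bewing")
ACCEPTED_KEY_PATH = Event(
    "Jun 15 15:13:21 host sshd[1719700]: Accepted key RSA SHA256:KEYFINGERPRINT found at /home/sup/bewing/.ssh/authorized_keys:1",
    (5700, 5715))                          # no user is decoded from this line
LOOKALIKE_USER = Event(
    "Jun  8 01:02:00 hostname sshd[20400]: pam_unix(sshd:session): session opened for user bewington by (uid=0)",
    (5500, 5501), dstuser="bewington")     # a different account whose name contains 'bewing'
FAILED_LOGIN = Event(
    "Jun  8 01:03:00 hostname sshd[20500]: Failed password for bewing from 10.0.0.5 port 4000 ssh2",
    (5700, 5716), dstuser="bewing")        # 5716 is not in if_sid, so it must stay visible


if __name__ == "__main__":
    for name, ev in [("session opened", SESSION_OPENED), ("key path", ACCEPTED_KEY_PATH),
                     ("look-alike user", LOOKALIKE_USER), ("failed login", FAILED_LOGIN)]:
        print(f"{name:16} thread rules -> {silenced_by(RULES, ev)}  anchored -> {silenced_by(ANCHORED, ev)}")
```

Two things the run makes visible: the unanchored <user>bewing|traficon</user> also silences a user named "bewington", which the anchored form does not, and neither rule touches the failed-password event, so authentication failures for this account still alert at their normal level.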

Sandra Ocando

Jun 16, 2023, 5:27:42 AM
to Peutre, Wazuh mailing list

Hi Jean-Marie,

I am very glad it's working as expected now.

I had tested filtering rule 5715 using this log which includes the user: "Jun 8 01:01:06 hostname sshd[20312]: Accepted publickey for bewing from 10.1.20.27 port 41398 ssh2: RSA SHA256:EviFma2QunaCbWyvPT05QNPG95F2u/R1i5y+RDQ".
Glad you made the new rule using <match> to filter more cases.

Let us know if you have any other questions.

Cheers,
Sandra.
