Wazuh Rule passed logtest but not triggering


Miran Ul Haq

Dec 30, 2024, 12:00:57 PM
to Wazuh | Mailing List
Hi Team,

I wanted to capture logs of successful connections from our Remote Desktop Gateway server. The logs are stored under event ID 302 on the Microsoft-Windows-TerminalServices-Gateway event channel.

I performed the following steps:
1) added a localfile block to the agent's ossec.conf file:

  <localfile>
    <location>Microsoft-Windows-TerminalServices-Gateway/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

2) created a rule in the local-rules.xml file:

  <rule id="100011" level="6">
    <field name="win.system.eventID">^302$</field>
    <description>The user $(win.userdata.Username), on client computer $(win.userdata.IpAddress), connected to resource $(win.userdata.Resource)</description>
    <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Then I tested logs from archives.log multiple times in wazuh-logtest, and all were successful.
But I am not getting any alert on the Wazuh dashboard, or even in the alerts.log/alerts.json files.

What am I missing? Kindly assist.

Best Regards,
Miran

Javier Eduardo Rosas Ibarra

Dec 31, 2024, 11:03:21 PM
to Wazuh | Mailing List
Hi,

Let me replicate this and I will get back to you as soon as possible.

Javier Eduardo Rosas Ibarra

Dec 31, 2024, 11:03:41 PM
to Wazuh | Mailing List
Hello.

It seems the behavior you are observing occurs because the logs you are testing from the archives.log file in the wazuh-logtest tool are being processed in JSON format, as that is how they are stored in that file. However, the agent sends the logs decoded as eventchannel.

As a result, the rule you added and tested might not generate an alert when decoded differently.

To address this, I recommend temporarily modifying the Windows base rules in the Wazuh Manager. These rules can be found in the /var/ossec/ruleset/rules directory, specifically in the file 0575-win-base_rules.xml.

Within this file, you can make the following changes to rule 60000:

1. Comment out the <category> tags.
2. Modify the <decoded_as> tag from windows_eventchannel to json, so the line appears as follows: <decoded_as>json</decoded_as>.

After making this adjustment, you can retest the logs from the archives.log file in the Wazuh Logtest tool. This will help you identify exactly which rule is being triggered. Based on this information, you can create a custom rule to analyze the log effectively.

Once you confirm that the rule generates the corresponding alert in the tool, you can revert the 0575-win-base_rules.xml file to its original state. Finally, test whether the logs sent by the agent generate the expected alert.

Remember to restart the Wazuh Manager only after completing all tests and restoring the XML file to its initial configuration.

Please let me know if you need any additional information or further assistance. I'm here to help!

Best regards.


Miran Ul Haq

Jan 1, 2025, 6:15:17 AM
to Wazuh | Mailing List
Hi Javier,

Thanks for sharing this. Yes, you were correct.
Once I followed your steps, it was triggering an entirely different rule. With a small tweak to my custom rule, it fixed the issue.

Much appreciated.

Thanks.
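Editor's note, added example. The thread does not say what the "small tweak" was, so the following is not Miran's final rule nor a rule from the Wazuh ruleset; it shows one conventional way to write the custom rule from the first post so that it sits under base rule 60000 (the windows_eventchannel rule Javier points at) instead of standing alone as a root rule. The choice of 60000 as the parent, the extra win.system.channel check (so that an event ID 302 from some other channel does not match), and the surrounding <group name> wrapper are assumptions made for the example; the description and compliance groups are taken from the original post unchanged.

```xml
<!-- Added example (not from the thread or the Wazuh project).
     Custom rule for TS Gateway event 302, placed under base rule 60000.
     Assumptions: 60000 is the right parent for events decoded as
     windows_eventchannel; the channel check is an added safeguard. -->
<group name="windows,terminalservices_gateway,">

  <rule id="100011" level="6">
    <!-- Only evaluate after the generic Windows eventchannel rule matched -->
    <if_sid>60000</if_sid>
    <!-- Restrict to the Gateway channel configured in the agent's <localfile> -->
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-Gateway/Operational$</field>
    <!-- Event 302: user connected to a resource through the gateway -->
    <field name="win.system.eventID">^302$</field>
    <description>The user $(win.userdata.Username), on client computer $(win.userdata.IpAddress), connected to resource $(win.userdata.Resource)</description>
    <group>authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

</group>
```

Two practical checks follow from the thread itself. First, because the rule now depends on rule 60000, it will only fire for events that reach the manager through the eventchannel path; pasting a line copied from archives.log into wazuh-logtest still goes through the json decoder, which is exactly the mismatch Javier described, so validate with a live event from the agent (or with the temporary 60000 modification he outlines, reverted afterwards). Second, the $(win.userdata.*) placeholders in the description are only substituted if the decoded event actually carries those field names; if the alert shows them literally, inspect the decoded output in logtest and adjust the field names to what the decoder produced.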
