Decoder for Huawei router


randa sabbagh

Apr 12, 2022, 6:30:24 AM4/12/22
to Wazuh mailing list
Hello Team,

Please, could you help me create the appropriate decoder for the following Huawei log:

Mar 26 2022 17:06:48+03:00 DST IGW-HU-Test %%01SSH/4/SSHS_IP_BLOCK_CLIENT(s):CID=0x8093043a;SSH client IP blocked due to authentication failure in last 1 hour. (IpAddress=192.168.20.5, VpnName=_public_, BlockCount=1). 

I need to extract some fields, but the important fields for me are: date, time and ipAddress.
I've created the following decoder, but it is not working:

<decoder name="Huawei_Details">
    <regex>(\w+\s+\d+ \d+) (\S+) DST (\S+) %%01(\S+)/(\d)/(SSHS_IP_BLOCK_CLIENT)\.+;(SSH client IP blocked due to authentication failure in last 1 hour).\.+IpAddress=(\S+),\.+VpnName=(\S+),\.+BlockCount=(\d+)\.+</regex>
    <order>Date,time,HostName,ModuleName,Severity,Brief,desc,srcip,VpnName,BlockCount</order>
</decoder>

Wazuh version: 4.2.5
Please help.

Luis González Romero

Apr 12, 2022, 10:22:32 AM4/12/22
to Wazuh mailing list

Hello! Hope you are doing great.

I have replicated your issue and noticed that the timestamp format in your router logs does not allow Wazuh to decode them.

You can follow this workaround:

  • Store the logs in a plaintext file. I simulated this step but you can follow this guide about forwarding syslog events to a file.

  • Monitor that file using a localfile block in your ossec.conf file. I added the timestamp, so now it has the syslog timestamp, IGW_HU_Test as hostname, and hostd as program_name.

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/example.log</location>
      <out_format>$(timestamp) IGW_HU_Test hostd: $(log)</out_format>
    </localfile>
    
  • The decoder I used:

    <decoder name="Huawei_details">
      <program_name>hostd</program_name>
      <regex offset="after_prematch">IpAddress=(\S+), VpnName=(\S+), BlockCount=(\d+)\)</regex>
      <order>srcip, VpnName, BlockCount</order>
    </decoder>
    
  • After doing this, I was able to filter the log:

**Phase 1: Completed pre-decoding.
    full event: 'Apr 12 12:26:40 IGW-HU-Test hostd: Mar 26 2022 17:06:48+03:00 DST IGW-HU-Test %%01SSH/4/SSHS_IP_BLOCK_CLIENT(s):CID=0x8093043a;SSH client IP blocked due to authentication failure in last 1 hour. (IpAddress=192.168.20.5, VpnName=_public_, BlockCount=1).'
    timestamp: 'Apr 12 12:26:40'
    hostname: 'IGW-HU-Test'
    program_name: 'hostd'

**Phase 2: Completed decoding.
    name: 'Huawei_details'
    BlockCount: '1'
    VpnName: '_public_'
    srcip: '192.168.20.5'

Do not hesitate to ask if you have any further questions or doubts.

Hope this helps you,
Luis.
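The following is an added example, not part of this thread or of Wazuh itself: a small Python script that reproduces the workaround's two steps offline, so the expected field values can be checked before touching ossec.conf. It shows why the raw Huawei header fails the RFC 3164 syslog check, rewrites the line into the shape the <out_format> step produces, and extracts srcip, VpnName and BlockCount with the thread's field pattern in Python regex syntax. One assumed variant: because $(timestamp) in the thread is the agent's read time (the logtest output shows Apr 12 for a Mar 26 event), the script keeps the router's own event time instead and also returns it as an ISO 8601 field; the HUAWEI_HEADER pattern and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the Huawei line quoted in the thread, as sent by the router.
SAMPLE = ("Mar 26 2022 17:06:48+03:00 DST IGW-HU-Test "
          "%%01SSH/4/SSHS_IP_BLOCK_CLIENT(s):CID=0x8093043a;"
          "SSH client IP blocked due to authentication failure in last 1 hour. "
          "(IpAddress=192.168.20.5, VpnName=_public_, BlockCount=1).")

# RFC 3164 header the syslog pre-decoder expects: "MMM dd HH:MM:SS host prog: msg".
RFC3164_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+: ")

# Huawei header (assumed from the sample): "MMM dd YYYY HH:MM:SS+HH:MM TZ host %%01Mod/Sev/Brief".
HUAWEI_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<tz>\S+) (?P<host>\S+) %%01(?P<module>\w+)/(?P<sev>\d)/(?P<brief>\w+)"
)

# Same field pattern as the thread's working decoder, in Python regex syntax.
FIELDS = re.compile(r"IpAddress=(\S+), VpnName=(\S+), BlockCount=(\d+)\)")


def is_syslog_header(line):
    """True if the line starts with a header Wazuh's syslog pre-decoder accepts."""
    return RFC3164_HEADER.match(line) is not None


def to_syslog(line, program="hostd"):
    """Rewrite a Huawei line the way the <out_format> step does, but using the
    router's own event time (hypothetical variant) instead of the agent's clock."""
    m = HUAWEI_HEADER.match(line)
    if not m:
        raise ValueError("not a Huawei header")
    event_time = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S%z")
    syslog_ts = event_time.strftime("%b %d %H:%M:%S")  # RFC 3164: no year, no offset
    return f"{syslog_ts} {m.group('host')} {program}: {line}"


def decode(line):
    """Extract the fields the thread cares about; None if the line does not match."""
    m = HUAWEI_HEADER.match(line)
    f = FIELDS.search(line)
    if not (m and f):
        return None
    event_time = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S%z")
    return {"event_time": event_time.isoformat(), "hostname": m.group("host"),
            "module": m.group("module"), "severity": int(m.group("sev")),
            "srcip": f.group(1), "VpnName": f.group(2), "BlockCount": int(f.group(3))}
```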
