wazuh/wazuh-ruleset

Creating ruleset proxmox?

farzadha2 opened this issue · 5 comments

Hi,
I was wondering if someone else could shed some light. Currently I want to create a rule set for Proxmox and was reading
https://documentation.wazuh.com/4.0/user-manual/ruleset/custom.html

but didn't really get how the logs are redirected.

I need wazuh to read the logs from

/var/log/pveproxy/access.log

and filter out

192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128
What I noticed is to filter the part of

HTTP/1.1" 200 128

as the login default of the rule set shows the alert when I log in, but does not show the IP or the user that logs in.

Hi @farzadha2

First of all, this repository (wazuh-ruleset) will be deprecated soon so it would be great to open new issues in the wazuh repository.

To recollect the logs from /var/log/pveproxy/access.log you need to include a new localfile section in the ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/pveproxy/access.log</location>
  </localfile>

The logs are sent from the Wazuh agent to the Wazuh Manager, which decodes the event and tries to match some rules. You can get more information about the log data collection in the documentation.

You can verify that the Wazuh manager is receiving the events by looking at /var/ossec/logs/archive/archives.log. For that, you need to enable the logall option in the ossec.conf of the Manager and then restart Wazuh:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
  </global>
</ossec_config>

We recommend disabling the logall option after verifying the Manager is recollecting the events.

Also, you can test the log with /var/ossec/bin/ossec-logtest:

192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128


**Phase 1: Completed pre-decoding.
       full event: '192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128'
       timestamp: '(null)'
       hostname: 'host'
       program_name: '(null)'
       log: '192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.3.44'
       protocol: 'GET'
       url: '/api2/extjs/version?_dc=1609121093257'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31100'
       Level: '0'
       Description: 'Access log messages grouped.'

According to this output, there is a decoder for this type of event (web-accesslog). Furthermore, you can see the data extracted from the log in Phase 2: srcip, protocol, url and id. If you need more fields, you should modify the decoder.

You can find the rules for web-accesslog here. Add custom rules to /var/ossec/etc/rules/local_rules.xml like this:

<group name="local,web,accesslog,">

  <rule id="100002" level="3">
    <if_sid>31100</if_sid>
    <id>^2</id>
    <description>Request was successfully received</description>
  </rule>

</group>

Thanks for the reply, sorry for the late reply; this week was crazy. I will keep in mind to open new issues on the new repo. Will give it a try this week and post back.

@danimegar so I got it working. The only issue is I'm getting lots of alerts from that, so I tried adding the match rule, but I'm not sure if this section should be regex instead:

<group name="local,web,accesslog,">

  <rule id="100002" level="3">
    <if_sid>31100</if_sid>
    <id>^2</id>
    <match>^GET /api2/extjs/nodes/localhost/subscription.$</match>
    <description>Request was successfully received</description>
  </rule>

</group>

Hello @farzadha2

I think you can use the match option. It uses regex too, according to the documentation.

However, the ^ symbol means the beginning of the log whereas the $ symbol means the end of the log. I am not sure if the log starts with GET... I think the log contains more data. For example:

192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128

In that case, you only need to match that part of the log:
<match>GET /api2/extjs/nodes/localhost/subscription</match>

Maybe that works.

Regards,
Daniel
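Added example (not code from this issue or from Wazuh): a small Python parser for the pveproxy access.log line format quoted above, plus a function that approximates rule 100002 (2xx status via `<id>^2</id>` and a `<match>` pattern applied to the whole line), so the anchored pattern from the thread and Daniel's unanchored one can be compared on constructed sample lines. It also pulls out the user field (root@pam) that the web-accesslog decoder output above does not extract; Python's `re` stands in for Wazuh's own regex syntax here, which is an approximation.

```python
import re

# Constructed sample lines in the pveproxy access.log format from the issue.
# The first is the line quoted in the thread; the other two are made up for the demo.
SAMPLE_LOG = """\
192.168.3.44 - root@pam [27/12/2020:21:06:24 -0500] "GET /api2/extjs/version?_dc=1609121093257 HTTP/1.1" 200 128
192.168.3.44 - root@pam [27/12/2020:21:06:25 -0500] "GET /api2/extjs/nodes/localhost/subscription?_dc=1609121094001 HTTP/1.1" 200 455
192.168.3.44 - - [27/12/2020:21:06:30 -0500] "POST /api2/extjs/access/ticket HTTP/1.1" 401 13
"""

# Fields the stock web-accesslog decoder reports (srcip, protocol, url, id) plus the
# user field ("root@pam") that the decoder output shown in the thread does not extract.
LINE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<protocol>\w+) (?P<url>\S+) HTTP/\S+" (?P<id>\d+) (?P<size>\d+|-)$'
)

def decode(line):
    """Return the decoded fields for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["log"] = line.strip()  # a rule's <match> is applied to the whole log line
    return event

def rule_100002_fires(event, match_pattern):
    """Approximation of the custom rule: 2xx status (<id>^2</id>) and <match> on the full line."""
    return (event is not None
            and event["id"].startswith("2")
            and re.search(match_pattern, event["log"]) is not None)

def alerts(log_text, match_pattern):
    """Run every line through decode() and the rule; return (srcip, user, url) per alert."""
    out = []
    for line in log_text.splitlines():
        ev = decode(line)
        if rule_100002_fires(ev, match_pattern):
            out.append((ev["srcip"], ev["user"], ev["url"]))
    return out

if __name__ == "__main__":
    anchored = r"^GET /api2/extjs/nodes/localhost/subscription.$"  # pattern posted in the thread
    plain = r"GET /api2/extjs/nodes/localhost/subscription"         # Daniel's suggestion
    print("anchored:", alerts(SAMPLE_LOG, anchored))  # [] because the line starts with the IP, not GET
    print("substring:", alerts(SAMPLE_LOG, plain))    # one alert, with srcip and user visible
```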

Thank you so much, that did the trick.