# Wazuh ingest any log

###### tags: `Wazuh`

:::info
OS environment: Debian 11
:::

:::success
**Docker Environment install**
Reference: <https://documentation.wazuh.com/current/deployment-options/docker/docker-installation.html>
:::

## Wazuh Docker deployment

Reference: <https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html>

## Remote Service Section

### modify `ossec.conf`

Modify `ossec.conf`, which is in the `/var/lib/docker/volumes/single-node_wazuh_etc/_data/` directory (the `wazuh_etc` volume of the single-node deployment is mounted at `/var/ossec/etc` inside the manager container).

Change the `logall` and `logall_json` values from `no` to `yes`. With both enabled the manager writes every received event to `archives.log` and `archives.json`, whether or not it triggers an alert, which is what makes the decoder work below easy to debug. The archives grow with every incoming line, so turn them off again (or rotate them aggressively) once the decoders and rules are stable.

```xml
<ossec_config>
  <global>
    .....
    <logall>no</logall>
    <logall_json>no</logall_json>
    ...
    ...
  </global>
  ...
```

to

```xml
<ossec_config>
  <global>
    .....
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    ...
    ...
  </global>
  ...
```

Then add a `remote` section ([reference link](https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#reference-ossec-remote)) so the manager listens for syslog:

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.47.0/24</allowed-ips>
</remote>
```

or

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>0.0.0.0/0</allowed-ips>
</remote>
```

then save the file.

Plain syslog is neither authenticated nor encrypted: any host matched by `allowed-ips` can inject arbitrary lines and therefore trigger any rule written for this source, so keep `allowed-ips` as narrow as the sending hosts allow. Also check with `docker port <manager container>` that port 514 is published on the host with the protocol you chose; Docker port mappings are per protocol, so a UDP-only mapping in the compose file will not serve the TCP variant.

#### Another method

![image](https://hackmd.io/_uploads/ryM6gAgGC.png)

![image](https://hackmd.io/_uploads/SyHQfRxfR.png)

![image](https://hackmd.io/_uploads/SybdGyWGC.png)

* `allowed-ips` can be set to `0.0.0.0/0` first to make testing easier; tighten it to the real sender range before leaving the manager reachable.

![image](https://hackmd.io/_uploads/rkC1X1bfR.png)

### restart wazuh manager

- don't use `docker-compose down` or `docker restart` to restart the manager

```
docker exec -it single-node_wazuh.manager_1 /var/ossec/active-response/bin/restart.sh manager
```

The container name above follows Docker Compose v1 naming; Compose v2 separates the parts with hyphens (`single-node-wazuh.manager-1`), so take the name from `docker ps`. The same restart is needed after adding the decoder and rule files later in this note.

## Test receiving logs

### python script test

```python
import logging
import logging.handlers

my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.DEBUG)

# UDP is the SysLogHandler default; it must match <protocol> in the <remote> block.
# For the TCP variant pass socktype=socket.SOCK_STREAM (and import socket).
handler = logging.handlers.SysLogHandler(address=('192.168.47.216', 514))
my_logger.addHandler(handler)

# Two messages at different severities; both must show up in archives.log.
my_logger.debug('++++++++++++++++++++++++++++++++++')
my_logger.critical('778899987987897897897897897897897897897897897897897897897897897897897')
```

### check `archives.log`

Check `archives.log` in `/var/lib/docker/volumes/single-node_wazuh_logs/_data/archives`.

![](https://i.imgur.com/TaxJfLN.png)

---

## CyberBean Decoders

### CyberBean log format

```text
CyberBean:<product_name>:<module_name> data:<json>
```

```text
CyberBean:Lachesis:subdomainFinder data:{"domain":"%s","subdomains":"%s"}
```

### Decoder.xml

Save the XML below to the directory `/var/lib/docker/volumes/single-node_wazuh_etc/_data/decoders` with the file name `CyberBean.xml`.

Wazuh applies only the first child decoder whose `prematch`/`regex` matches, so splitting the product/module regex and the JSON plugin into two sibling children would leave `product` and `module` unset whenever the JSON child matched first. One child does both jobs: the regex consumes `<product>:<module> data:` and the plugin decodes whatever follows the regex match.

```xml
<!-- Parent: every CyberBean line carries this marker. -->
<decoder name="CyberBean">
  <prematch>CyberBean:</prematch>
</decoder>

<!-- Child: product and module from the regex, then the JSON payload. -->
<decoder name="CyberBean">
  <parent>CyberBean</parent>
  <regex offset="after_parent">(\w+):(\w+) data:</regex>
  <order>product,module</order>
  <plugin_decoder offset="after_regex">JSON_Decoder</plugin_decoder>
</decoder>
```

## CyberBean Another Decoder

Use the default `json` decoder: send the whole event as one JSON object and the built-in decoder extracts every key as a field.

### python test script

```python
import logging
import logging.handlers
import time
import json

Wazuh_logger = logging.getLogger('WazuhLogger')
Wazuh_logger.setLevel(logging.DEBUG)
handler = logging.handlers.SysLogHandler(address=('192.168.47.216', 514))
Wazuh_logger.addHandler(handler)


def sendLog_to_Wazuh(Wazuh_logger, raw_log, domain, subdomain):
    """Fill in domain/subdomain and send the whole dict as one JSON syslog message."""
    time.sleep(1)  # pace the messages so they are easy to follow in archives.json
    raw_log['data']['domain'] = domain
    raw_log['data']['subdomain'] = subdomain
    print("logging....")
    j = json.dumps(raw_log)
    Wazuh_logger.debug(j)


if __name__ == '__main__':
    fileName = 'anpec.com.tw_all_domains.csv'  # one subdomain per line
    domain = fileName.split('_')[0]
    log = {
        "maintainer": "CyberBean",
        "product": "Lachesis",
        "module": "subdomain_finder",
        "data": {
            "name": "Subdomain Finder",
            "description": "Find subdomains of a domain",
            "version": "1.0",
            "date": "2019-03-01",
        }
    }
    with open(fileName, 'r') as f:
        subdomains = f.read().splitlines()
    for sub in subdomains:
        sendLog_to_Wazuh(Wazuh_logger, log, domain, sub)
```

- Every key of the `log` dict is decoded by the built-in `json` decoder. In `archives.json` and in alerts the decoded fields appear under `data` (for example `data.maintainer`, `data.product`); the nested `data` object inside the payload is what produces names like `data.data.domain`.

### check `archives.json`

![](https://i.imgur.com/HvlZmtF.png)

### ruleset test

You can reproduce this test with `/var/ossec/bin/wazuh-logtest` inside the manager container: paste one of the lines the script sends and check the decoded fields and the rule that matches.

![](https://i.imgur.com/xRLnXQu.png)

### Rule

Save the rules in the `rules` directory next to `decoders` (`/var/lib/docker/volumes/single-node_wazuh_etc/_data/rules/`). Rule `<field>` names and `$(...)` references use the decoded field names; the `data.` prefix exists only in the alert output, so `data.maintainer` in an alert is matched with `<field name="maintainer">`, and `data.data.domain` with `<field name="data.domain">`. Wazuh reserves IDs 100000-120000 for custom rules; IDs outside that range risk colliding with upstream rules.

```xml
<group name="CyberBean,">
  <!-- Field names are the decoded names, without the data. prefix seen in alerts. -->
  <rule id="300000" level="3">
    <decoded_as>json</decoded_as>
    <field name="maintainer">CyberBean</field>
    <description>Lachesis scan is active</description>
  </rule>
  <rule id="310000" level="3">
    <if_sid>300000</if_sid>
    <decoded_as>json</decoded_as>
    <field name="product">Lachesis</field>
    <description>subdomainFinder module of $(product) is active</description>
  </rule>
  <rule id="310001" level="4">
    <if_sid>310000</if_sid>
    <decoded_as>json</decoded_as>
    <field name="data.domain">anpec.com.tw</field>
    <description>the subdomain $(data.subdomain) for domain $(data.domain) was detected</description>
  </rule>
</group>
```

---

## CyberBean Rule

continue developing...

### CyberBeanRule.xml

These rules go with the custom `CyberBean` decoder above, where `product` and `module` are set directly by the regex.

```xml
<group name="CyberBean,">
  <rule id="300000" level="3">
    <decoded_as>CyberBean</decoded_as>
    <field name="product">Lachesis</field>
    <description>Lachesis scan is running</description>
  </rule>
  <rule id="310000" level="3">
    <if_sid>300000</if_sid>
    <decoded_as>CyberBean</decoded_as>
    <field name="module">subdomainFinder</field>
    <description>module $(module) of $(product) is running</description>
  </rule>
</group>
```
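To check decoder and rule logic without restarting the manager each time, the following added example (not code from this note or from Wazuh) models both ingestion paths offline: it strips the syslog `<PRI>` prefix that `SysLogHandler` prepends, decodes a `CyberBean:<product>:<module> data:<json>` line the way the custom decoder does, decodes a pure-JSON line the way the built-in `json` decoder does (nested objects flattened to dotted names), and walks `if_sid` rule chains with `<field>` regex conditions and `$(field)` descriptions. The sample lines are constructed; the rule tables mirror the two rule files above; Python `re` stands in for Wazuh's OS_Regex (whose `\w` also matches `-` and `@`), and JSON arrays are kept as their JSON text rather than reproducing JSON_Decoder's own handling.

```python
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# "<15>" style syslog priority, which remoted removes before decoding.
_SYSLOG_PRI = re.compile(r"^<\d{1,3}>")
# Equivalent of the decoder prematch "CyberBean:" + regex "(\w+):(\w+) data:".
_CYBERBEAN = re.compile(r"CyberBean:(\w+):(\w+) data:(.*)$", re.DOTALL)

# (rule id, level, parent id or None, [(field, regex)], description)
Rule = Tuple[int, int, Optional[int], List[Tuple[str, str]], str]

# Rules from the "Rule" section (built-in json decoder path).
JSON_RULES: List[Rule] = [
    (300000, 3, None, [("maintainer", "CyberBean")], "Lachesis scan is active"),
    (310000, 3, 300000, [("product", "Lachesis")], "subdomainFinder module of $(product) is active"),
    (310001, 4, 310000, [("data.domain", "anpec.com.tw")],
     "the subdomain $(data.subdomain) for domain $(data.domain) was detected"),
]
# Rules from CyberBeanRule.xml (custom CyberBean decoder path).
CUSTOM_RULES: List[Rule] = [
    (300000, 3, None, [("product", "Lachesis")], "Lachesis scan is running"),
    (310000, 3, 300000, [("module", "subdomainFinder")], "module $(module) of $(product) is running"),
]

# Constructed sample lines, as SysLogHandler would emit them (not captured traffic).
CUSTOM_LINE = ('<15>CyberBean:Lachesis:subdomainFinder data:'
               '{"domain":"example.com","subdomains":"www.example.com"}\x00')
JSON_LINE = "<15>" + json.dumps({
    "maintainer": "CyberBean", "product": "Lachesis", "module": "subdomain_finder",
    "data": {"name": "Subdomain Finder", "domain": "anpec.com.tw", "subdomain": "www.anpec.com.tw"},
})


def strip_syslog_pri(line: str) -> str:
    """Drop the <PRI> prefix and the trailing NUL SysLogHandler appends."""
    return _SYSLOG_PRI.sub("", line).rstrip("\x00")


def flatten_json(obj: Any, prefix: str = "") -> Dict[str, str]:
    """Flatten nested JSON to dotted field names: {"a": {"b": 1}} -> {"a.b": "1"}.
    These are the names rules use in <field name> and $(...)."""
    out: Dict[str, str] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten_json(value, f"{prefix}{key}."))
    else:
        # Strings stay as-is; numbers/bools/null/arrays become their JSON text.
        out[prefix[:-1]] = obj if isinstance(obj, str) else json.dumps(obj)
    return out


def alert_field_names(fields: Dict[str, str]) -> Dict[str, str]:
    """How the same fields are named in archives.json and alerts: prefixed with data."""
    return {f"data.{name}": value for name, value in fields.items()}


def decode_cyberbean(line: str) -> Optional[Dict[str, str]]:
    """Model of the custom decoder: product/module from the regex, then JSON fields."""
    m = _CYBERBEAN.search(strip_syslog_pri(line))
    if not m:
        return None
    product, module, payload = m.groups()
    try:
        fields = flatten_json(json.loads(payload))
    except json.JSONDecodeError:
        fields = {}  # decoder still matches; the JSON plugin just adds nothing
    return {"product": product, "module": module, **fields}


def decode_json(line: str) -> Optional[Dict[str, str]]:
    """Model of the built-in json decoder (prematch ^{\\s*")."""
    msg = strip_syslog_pri(line)
    if not re.match(r'^\{\s*"', msg):
        return None
    try:
        return flatten_json(json.loads(msg))
    except json.JSONDecodeError:
        return None


def render_description(desc: str, fields: Dict[str, str]) -> str:
    """Substitute $(field) references; unknown fields render empty in this model."""
    return re.sub(r"\$\(([^)]+)\)", lambda m: fields.get(m.group(1), ""), desc)


def evaluate_rules(fields: Optional[Dict[str, str]], rules: List[Rule]) -> Optional[Tuple[int, int, str]]:
    """A rule is eligible if it has no parent or its parent (if_sid) matched; every
    <field> is an unanchored regex search; the most specific match wins."""
    if not fields:
        return None
    matched, best = set(), None
    for rid, level, parent, conds, desc in rules:
        if parent is not None and parent not in matched:
            continue
        if all(f in fields and re.search(rx, fields[f]) for f, rx in conds):
            matched.add(rid)
            best = (rid, level, render_description(desc, fields))
    return best


if __name__ == "__main__":
    print(decode_cyberbean(CUSTOM_LINE))
    print(evaluate_rules(decode_cyberbean(CUSTOM_LINE), CUSTOM_RULES))
    print(alert_field_names(decode_json(JSON_LINE)))
    print(evaluate_rules(decode_json(JSON_LINE), JSON_RULES))
```

Running it shows why the two rule files differ: the JSON-path rules never fire on a `CyberBean:` line because that path has no `maintainer` field, and vice versa. Once a change passes here, load it into the container and confirm with `wazuh-logtest`.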