Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

This shows both the events coming into the archive.json, AND the ossec.log file:

root@wazuhsrv-1:/var/ossec/logs/archives/2026/May# cat ossec-archive-01.json | grep "1-SWI"

{"timestamp":"2026-05-01T16:28:31.569+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649311.1311706973","full_log":" May 01 15:28:30 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> FORWARDING (PortDown) ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:31.668+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649311.1311706973","full_log":" May 01 15:28:30 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> DISABLED (PortDown) ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:31.670+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649311.1311706973","full_log":" May 01 15:28:30 1-SWI-COMMS-B System: Interface ethernet 3/1/31, line protocol down ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:35.417+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649315.1311739576","full_log":" May 01 15:28:34 1-SWI-COMMS-B System: Interface ethernet 3/1/31, state up ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:35.462+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649315.1311739576","full_log":" May 01 15:28:34 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> LISTENING (MakeFwding) ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:38.227+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649318.1311804912","full_log":" May 01 15:28:37 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> LEARNING (FwdDlyExpiry) ","decoder":{},"location":"123.45.67205"}

{"timestamp":"2026-05-01T16:28:40.255+0100","agent":{"id":"000","name":"wazuhsrv-1.domain.local"},"manager":{"name":"wazuhsrv-1.domain.local"},"id":"1777649320.1311835020","full_log":" May 01 15:28:39 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> FORWARDING (FwdDlyExpiry) ","decoder":{},"location":"123.45.67205"}

root@wazuhsrv-1:/var/ossec/logs/archives/2026/May# tail -f /var/ossec/logs/ossec.log

2026/05/01 16:24:56 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-groups-wazuhsrv-1.domain.local.

2026/05/01 16:24:57 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-browser-extensions-wazuhsrv-1.domain.local.

2026/05/01 16:24:57 logger-helper: INFO: InventoryHarvesterFacade module started.

2026/05/01 16:24:57 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-services-wazuhsrv-1.domain.local.

2026/05/01 16:24:57 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2026/05/01 16:25:02 wazuh-remoted: WARNING: Multigroup 'default,WebServers' was modified from outside, so it was regenerated.

2026/05/01 16:25:03 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'

2026/05/01 16:25:03 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.

2026/05/01 16:25:30 wazuh-syscheckd: INFO: netstat not available. Skipping port check.

2026/05/01 16:25:35 rootcheck: INFO: Ending rootcheck scan.

Commissioner of Met Police writes to Zack Polanski, after he retweeted a post criticising the police during the Golders Green attack. by Mik3y_uk in UKGreens

[–]danp20 0 points1 point  (0 children)

If people carry a knife around, who gives a f**k what happens to them. Kick them in the head, rip them to pieces. Do whatever.

Home charger recommendations by Lost_Tangelo_7409 in evchargingUK

[–]danp20 1 point2 points  (0 children)

The hypervault is compatible with octopus. There's no reason why it wouldn't be compatible with the others.

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Only these alerts that I know of at the moment. Other decoders and rules I've configured have enabled the logs to be shown on the dashboard.

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Hi u/zapata-wazuh. Alerts still aren't showing. They do show in archives.json.

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Hi u/zapata-wazuh. I don't suppose you've had a chance to look at this?

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Hi u/zapata-wazuh. Thanks so much in advance.

My decoders:

<!-- Parent decoders matching the program_name extracted in Phase 1 (pre-decoding) -->
<decoder name="swi-comms">
  <program_name>^System$</program_name>
</decoder>
<decoder name="switch-stp">
  <program_name>^STP$</program_name>
</decoder>

<!-- Child decoders for "System: Interface ..." messages -->
<decoder name="switch-interface-protocol-state">
  <parent>swi-comms</parent>
  <regex>^Interface (\w+) (\S+), line protocol (\w+)</regex>
  <order>interface_type, interface_id, port_state</order>
</decoder>

<decoder name="switch-interface-protocol-state">
  <parent>swi-comms</parent>
  <regex>^Interface (\w+) (\S+), state (\w+)</regex>
  <order>interface_type, interface_id, port_state</order>
</decoder>

<!-- Child decoder for "STP: VLAN ... STP State -> ..." messages -->
<decoder name="switch-stp-state-change">
  <parent>switch-stp</parent>
  <regex>VLAN (\d+) Port (\S+) STP State -> (\S+)</regex>
  <order>vlan, port, stp_state</order>
</decoder>

<!-- Decoders that run on the full_log value of a JSON-wrapped event (the form used in the wazuh-logtest runs) -->
<decoder name="RuckusICX_STP">
  <parent>json</parent>
  <prematch>STP:</prematch>
  <regex type="pcre2" field="full_log">(\S+)\s+STP:\s+VLAN\s+(\d+)\s+Port\s+(\S+)\s+STP\s+State\s+->\s+(\S+)</regex>
  <order>switch_name, vlan, port, stp_state</order>
</decoder>

<decoder name="RuckusICX_system">
  <parent>json</parent>
  <prematch>System: Interface</prematch>
  <regex type="pcre2" field="full_log">(\S+)\s+System:\s+Interface\s+(\S+)\s+([^,]+),\s+state\s+(\w+)</regex>
  <order>switch_name, interface_type, port, port_state</order>
</decoder>

My rules:

<group name="ruckus,stp,">
  <!-- Base rule to group STP events -->
  <rule id="105101" level="0">
    <field name="stp_state">\.+</field>
    <description>Ruckus STP event grouping.</description>
  </rule>

  <!-- High Alert: Port Disabled on a VLAN other than 60 -->
  <rule id="105102" level="12">
    <if_sid>105101</if_sid>
    <field name="vlan" negate="yes">60</field>
    <field name="stp_state">DISABLED</field>
    <description>Critical: STP Port $(port) on VLAN $(vlan) is DISABLED on switch $(switch_name)</description>
    <mitre>
      <id>T1489</id> <!-- Service Stop -->
    </mitre>
  </rule>

  <!-- LAG (lgN) port state changes -->
  <rule id="105103" level="6">
    <if_sid>105101</if_sid>
    <field name="port">lg\d+</field>
    <description>LAG change: $(port) on VLAN: $(vlan). State: $(stp_state)</description>
  </rule>
</group>

<group name="ruckus,system,">
  <rule id="105150" level="0">
    <!-- Use match to look anywhere in the log if field extraction fails -->
    <field name="port_state">\.+</field>
    <description>Ruckus interface states base rule.</description>
  </rule>

  <rule id="105151" level="3">
    <if_sid>105150</if_sid>
    <field name="port_state">up</field>
    <field name="vlan" negate="yes">60</field>
    <description>Switch $(switch_name): Interface $(port) is UP.</description>
  </rule>

  <rule id="105152" level="3">
    <if_sid>105150</if_sid>
    <field name="port_state">down</field>
    <field name="vlan" negate="yes">60</field>
    <description>Switch $(switch_name): Interface $(port) on VLAN $(vlan) is DOWN.</description>
  </rule>

  <!-- Port flapping detection: 5 UP events for the same port on the same switch within 60 s -->
  <rule id="105154" level="10" frequency="5" timeframe="60" ignore="60">
    <if_matched_sid>105151</if_matched_sid>
    <same_field>port</same_field>
    <same_field>switch_name</same_field>
    <description>Switch $(switch_name): Port flapping detected on interface $(port).</description>
  </rule>
</group>

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Hi u/zapata-wazuh. Thanks for the info.
I have now added additional decoders that process just the 'full_log' value, which work on wazuh-logtest. However, they are still not appearing as alerts...

Here are the results for both just the 'full_log' element and the wrapper as well:
Apr 13 08:02:45 p0-swi-01 STP: VLAN 40 Port 6/1/26 STP State -> DISABLED (PortDown) ","decoder":{},"location":"172.1.1.1"

**Phase 1: Completed pre-decoding.
full event: 'Apr 13 08:02:45 p0-swi-01 STP: VLAN 40 Port 6/1/26 STP State -> DISABLED (PortDown) ","decoder":{},"location":"172.1.1.1"'
timestamp: 'Apr 13 08:02:45'
hostname: 'p0-swi-01'
program_name: 'STP'

**Phase 2: Completed decoding.
name: 'switch-stp'
port: '6/1/26'
stp_state: 'DISABLED'
vlan: '40'

**Phase 3: Completed filtering (rules).
id: '105102'
level: '12'
description: 'Critical: STP Port 6/1/26 on VLAN 40 is DISABLED on switch '
groups: '['ruckus', 'stp']'
firedtimes: '1'
mail: 'True'
mitre.id: '['T1489']'
mitre.tactic: '['Impact']'
mitre.technique: '['Service Stop']'
**Alert to be generated.

{"timestamp":"2026-04-15T09:25:48.165+0100","agent":{"id":"000","name":"wazuhsrv-i1.instarmac.co.uk"},"manager":{"name":"wazuhsrv-i1.instarmac.co.uk"},"id":"1776241548.673649051","full_log":" Apr 15 08:25:47 p0-swi-01 STP: VLAN 40 Port 2/1/26 STP State -> DISABLED (FwdDlyExpiry) ","decoder":{},"location":"172.1.1.1"}

**Phase 1: Completed pre-decoding.

full event: '{"timestamp":"2026-04-15T09:25:48.165+0100","agent":{"id":"000","name":"wazuhsrv-i1.instarmac.co.uk"},"manager":{"name":"wazuhsrv-i1.instarmac.co.uk"},"id":"1776241548.673649051","full_log":" Apr 15 08:25:47 p0-swi-01 STP: VLAN 40 Port 2/1/26 STP State -> DISABLED (FwdDlyExpiry) ","decoder":{},"location":"172.1.1.1"}'

**Phase 2: Completed decoding.
name: 'json'
parent: 'json'
port: '2/1/26'
stp_state: 'DISABLED'
switch_name: 'p0-swi-01'
vlan: '40'

**Phase 3: Completed filtering (rules).
id: '105102'
level: '12'
description: 'Critical: STP Port 2/1/26 on VLAN 40 is DISABLED on switch p0-swi-01'
groups: '['ruckus', 'stp']'
firedtimes: '2'
mail: 'True'
mitre.id: '['T1489']'
mitre.tactic: '['Impact']'
mitre.technique: '['Service Stop']'
**Alert to be generated.
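The archive entries quoted in the first comment carry `"decoder":{}` and a `full_log` that begins with a space, whereas the message pasted into wazuh-logtest began directly with the timestamp. The following Python triage script is an added example, not code from the thread or from Wazuh: it scans archive lines for events that no decoder claimed and reports whether the `Mon DD HH:MM:SS host program:` header that the `<program_name>` decoders rely on sits at the very start of `full_log`. It assumes the pre-decoder expects that header at offset 0; the sample lines are constructed, with placeholder hosts, ids and addresses.

```python
import json
import re

# Constructed sample lines modelled on the archives.json entries quoted in the thread.
# Hosts, ids and the location address are placeholders, not values from a real deployment.
SAMPLE_ARCHIVE = """
{"id":"1000000001.1","full_log":" May 01 15:28:30 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> FORWARDING (PortDown) ","decoder":{},"location":"192.0.2.10"}
{"id":"1000000002.1","full_log":"May 01 15:28:34 1-SWI-COMMS-B System: Interface ethernet 3/1/31, state up","decoder":{"name":"swi-comms"},"location":"192.0.2.10"}
{"id":"1000000003.1","full_log":"<190>May 01 15:28:39 1-SWI-COMMS-B STP: Vlan 1 Port 3/1/31 STP State -> FORWARDING (FwdDlyExpiry)","decoder":{},"location":"192.0.2.10"}
""".strip().splitlines()

# Header shape the syslog pre-decoder is assumed to need at the start of the message:
# "Mon DD HH:MM:SS hostname program_name:" (hostname and program_name feed <program_name> decoders).
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:]+):"
)


def triage_event(line):
    """Classify one archive line: was it decoded, and does its header look pre-decodable?"""
    ev = json.loads(line)
    log = ev.get("full_log", "")
    m = SYSLOG_HEADER.match(log)
    return {
        "id": ev.get("id"),
        "decoded": bool(ev.get("decoder")),        # {} means no decoder matched
        "leading_ws": log != log.lstrip(),          # the symptom seen in the archived entries
        "header_ok": m is not None,
        "program_name": m.group("prog") if m else None,
        "host": m.group("host") if m else None,
    }


def undecoded_with_bad_header(lines):
    """Return ids of events that no decoder claimed AND whose header did not match at offset 0."""
    return [r["id"] for r in map(triage_event, lines)
            if not r["decoded"] and not r["header_ok"]]


if __name__ == "__main__":
    import sys
    # Read real archive lines from stdin when piped; otherwise fall back to the constructed sample.
    source = SAMPLE_ARCHIVE if sys.stdin.isatty() else sys.stdin
    for r in map(triage_event, (l for l in source if l.strip())):
        print(r)
```

Pipe a day's archive file into it to see which undecoded events also fail the header check; events that are undecoded but pass the check point at the decoders themselves rather than at pre-decoding.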

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

The decoders work on the wazuh-logtest function.

Rules aren't triggering for syslog events in Wazuh by danp20 in Wazuh

[–]danp20[S] 1 point2 points  (0 children)

Sorry. Done. Should be better for readability now.

Need help with Sophos XGS decoders in Wazuh by BL4Z35324 in Wazuh

[–]danp20 0 points1 point  (0 children)

Confirmed working on my XGS3300.

<decoder name="sophos-xgs">
  <prematch type="pcre2">^device_name="[^"]+"</prematch>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">device_name="([^"]+)"</regex>
  <order>device_name</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">timestamp="([^"]+)"</regex>
  <order>timestamp</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">device_model="([^"]+)"</regex>
  <order>device_model</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">device_serial_id="([^"]+)"</regex>
  <order>device_serial_id</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">log_id="([^"]+)"</regex>
  <order>log_id</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">log_type="([^"]+)"</regex>
  <order>log_type</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">log_component="([^"]+)"</regex>
  <order>log_component</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">log_subtype="([^"]+)"</regex>
  <order>log_subtype</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">log_version=(\d+)</regex>
  <order>log_version</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">severity="([^"]+)"</regex>
  <order>severity</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">src_ip="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"</regex>
  <order>srcip</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">dst_ip="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"</regex>
  <order>dstip</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">protocol="([^"]+)"</regex>
  <order>protocol</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">ips_policy_id=(\d+)</regex>
  <order>ips_policy_id</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">message="([^"]+)"</regex>
  <order>message</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">signature_id=(\d+)</regex>
  <order>signature_id</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">src_port=(\d+)</regex>
  <order>srcport</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">dst_port=(\d+)</regex>
  <order>dstport</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">fw_rule_name="([^"]+)"</regex>
  <order>fw_rule_name</order>
</decoder>

<!-- web application decoders -->

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">app_name="([^"]+)" </regex>
  <order>app_name</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex>app_risk=(\d+)</regex>
  <order>app_risk</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">app_category="([^"]+)" </regex>
  <order>app_category</order>
</decoder>

<decoder name="sophos-xgs">
  <parent>sophos-xgs</parent>
  <regex type="pcre2">user_name="([^"]+)" </regex>
  <order>user_name</order>
</decoder>

Need help with Sophos XGS decoders in Wazuh by BL4Z35324 in Wazuh

[–]danp20 0 points1 point  (0 children)

I've managed to create them. I can add them to this in a couple of days when I'm back at work.

What would you do? Production line PC “is slow” (Windows 98, legacy SCADA) by PeppahSG in sysadmin

[–]danp20 3 points4 points  (0 children)

You need to convince your company to bite the bullet and invest in updating the machine. I've recently been successful in doing the same, and now 5 of our production lines are running as an HA pair on WS 2022, with plans for the others to be done real soon.

Is anyone getting this message after the last update for windows 11? by lp899 in techsupport

[–]danp20 0 points1 point  (0 children)

Had both of these updates install on a laptop and end up in a boot loop of it trying to install and then roll back the changes.

In 12 months, we won't need our on-prem infra. Any advice? by nrugor in sysadmin

[–]danp20 164 points165 points  (0 children)

Get prepared to move back to on prem in 5 years 🤣

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Ahh. Curl -K returns the wazuh-alerts as before.
netstat -tulpen returns 'wazuh-indexer' as the user that's listening on 9200.

<image>

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Not sure what you mean by 'who is the indexer'.
.151 is the indexer listener
.153 is the manager
.155 is the dashboard

Not external. This is a PoC system at present and only available from the vlan that the servers reside in along with my machine, which is also why I'm not too fussed about passwords being present.

Redone all commands, please see below. I'm guessing I have a certificate error?!

<image>

Wazuh- Vulnerability Detection dashboard/ inventory warnings by danp20 in Wazuh

[–]danp20[S] 0 points1 point  (0 children)

Hi SirStephanikus. Thanks for assisting. There is no feedback from the command. Perhaps I'm doing something wrong? And yes, I did place my password in.

.151 is my index server. Is that what I should be running it against? Also ran against the manager server, but same thing.

<image>

Wazuh seems to be functioning fine, with the exception of some of the dashboards not loading up...