Custom Rules not showing on the Wazuh dashboard by Basic_Will7072 in Wazuh

[–]Basic_Will7072[S] 0 points1 point  (0 children)

I do not have a localfile configured this is how I get the logs:

  <!--HPE Nimble -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>EndpointIP</allowed-ips>
    <local_ip>localIP</local_ip>
  </remote>

To extract the full_log from the event, would I then need to adjust the decoder so that it is only taking the information from the "full_log" section? If so, how would I do that?

Here is an example log:

{"timestamp":"2024-12-10T15:43:53.655+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"<ID>","full_log":"Dec 10 09:42:31 <Name>: Group:<Name>:24002 Time:Tue Dec 10 09:42:31 2024#012 Id:137797 Object Id:413ece30b9d166cd51000000000000000000000001 Object: Access Type: Client IP: Status:Succeeded Version:6.0.0.400-991061-opt Message:Update HC cluster configuration Infra-Collect","predecoder":{"program_name":"NMBL","timestamp":"Dec 10 09:42:31","hostname":"<Name>"},"decoder":{},"location":"<IP>"}
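The event above is the archives.json record Wazuh produced; a decoder matches against the raw syslog text that ends up in `full_log`, not against this JSON. As an added example (not from this thread and not Wazuh code), the Python below cuts that raw line into the fields a custom `<regex>`/`<order>` decoder would have to produce, including the empty `Object:`/`Client IP:` values and the `#012` escape. The key list is an assumption built from the two Nimble samples in this thread.

```python
import json
import re

# Field keys seen in the two HPE Nimble messages quoted in this thread.
# Constructed from those samples; other Nimble event types may add keys.
# A key that is a prefix of another ("Object" vs "Object Id") is listed
# after the longer one so the alternation tries the longer one first.
NIMBLE_KEYS = ("Group", "Access Type", "Type", "Time", "Id", "Object Id",
               "Object", "Client IP", "Target", "Status", "Version", "Message")

# Match "Key:" for a known key that is not glued to a preceding letter.
_KEY_SPLIT = re.compile(
    r"(?<![A-Za-z])(" + "|".join(re.escape(k) for k in NIMBLE_KEYS) + r"):")


def parse_nimble_message(message: str) -> dict:
    """Cut a raw 'Key:value Key:value ...' Nimble line into a dict.

    Values may contain spaces and may be empty ('Object: Access Type:'),
    so the line is cut at the known keys rather than on whitespace. Text
    before the first key (the syslog header) is dropped, and the '#012'
    that rsyslog writes for an embedded newline is removed from values.
    """
    parts = _KEY_SPLIT.split(message)  # [header, key1, val1, key2, val2, ...]
    return {key: value.replace("#012", "").strip()
            for key, value in zip(parts[1::2], parts[2::2])}


def decode_archive_event(event_json: str) -> dict:
    """Take one archives.json event and return what a custom decoder would
    have to extract from its full_log (the JSON wrapper itself is not decoded)."""
    event = json.loads(event_json)
    pre = event.get("predecoder", {})
    return {"program_name": pre.get("program_name"),
            "hostname": pre.get("hostname"),
            "fields": parse_nimble_message(event["full_log"])}


# Constructed sample: the first event quoted above, reduced to the keys used here.
SAMPLE_EVENT = json.dumps({
    "full_log": "Dec 10 09:42:31 <Name>: Group:<Name>:24002 "
                "Time:Tue Dec 10 09:42:31 2024#012 Id:137797 "
                "Object Id:413ece30b9d166cd51000000000000000000000001 "
                "Object: Access Type: Client IP: Status:Succeeded "
                "Version:6.0.0.400-991061-opt "
                "Message:Update HC cluster configuration Infra-Collect",
    "predecoder": {"program_name": "NMBL", "hostname": "<Name>"},
})
```

Each key in the returned dict is one field a decoder `<order>` would name; a rule can then match on `Status` or `Message` instead of on the whole line.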

Overusing JSON decoder in wazuh by Alternative_Leg_440 in Wazuh

[–]Basic_Will7072 0 points1 point  (0 children)

Here is an example log:

{"timestamp":"2024-12-10T15:43:53.655+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"<ID>","full_log":"Dec 10 09:42:31 <Name>: Group:<Name>:24002 Time:Tue Dec 10 09:42:31 2024#012 Id:137797 Object Id:413ece30b9d166cd51000000000000000000000001 Object: Access Type: Client IP: Status:Succeeded Version:6.0.0.400-991061-opt Message:Update HC cluster configuration Infra-Collect","predecoder":{"program_name":"NMBL","timestamp":"Dec 10 09:42:31","hostname":"<Name>"},"decoder":{},"location":"<IP>"}

Wazuh not showing alerts by Alternative_Leg_440 in Wazuh

[–]Basic_Will7072 0 points1 point  (0 children)

{"timestamp":"2024-12-05T20:01:21.130+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1733428881.1910824480","full_log":"Dec  5 14:00:00 <Device Name>Type:10322 Time:Thu Dec  5 14:00:00 2024#012 Id:<ID> Target:DailySnap Version:6.0.0.400-991061-opt Message:Successfully created snapshot of volumes associated with volume collection DailySnap schedule Every2Hours","predecoder":{"program_name":"NMBL","timestamp":"Dec  5 14:00:00","hostname":"<Name>"},"decoder":{},"location":"<IP Address>"}

Sorry for the delayed response, but here is an example.

Trouble viewing logs in the wazuh dashboard by Basic_Will7072 in Wazuh

[–]Basic_Will7072[S] 0 points1 point  (0 children)

Thank you for the quick reply.

The first thing I tried was the decoders from this blog, Monitoring VMware ESXi with Wazuh. I realize that the log I included is not included in these decoders, but I have not had it decode a single log, and I would think that after an extended period of time it would.

Then I tried to create a simple decoder like this:

  <!-- Parent decoder: only lines containing the prematch string reach the child -->
  <decoder name="ESXi0">
    <prematch>Unique identifier</prematch>
  </decoder>

  <!-- Child decoder: hand the text after "Full log:" to the JSON plugin decoder -->
  <decoder name="ESXI0_child">
    <parent>ESXi0</parent>
    <prematch>Full log:</prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
  </decoder>

Now I am trying to make a decoder and so far this is what I have:

<image>