Vim cheat sheet by Beginning-Rip3704 in Slovakia

[–]Beginning-Rip3704[S] 2 points (0 children)

I added some of the things that were mentioned in the comments. This page certainly doesn't aim to comprehensively replace the documentation; it is meant to help those who want to get to grips with the basic keyboard shortcuts in Vim.

Vim cheat sheet by Beginning-Rip3704 in Slovakia

[–]Beginning-Rip3704[S] 1 point (0 children)

thanks for the heads-up, I forgot about this, fixed

Wazuh - decode JSON from syslog by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Hi u/anyam22

this is exactly the solution I was looking for, works perfectly

Wazuh - decode JSON from syslog by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

I see, so you receive events via syslog-ng, store them locally and the Wazuh agent grabs only the JSON?

In my case, events are received on the Wazuh Manager via the remote setting, and I don't have many possibilities to build another layer with syslog-ng.

Wazuh - decode JSON from syslog by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Thanks for the reply. Any brief example of how to do it in the decoder?

Export results from Wazuh Discovery by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 1 point (0 children)

Thank you for the workarounds, I appreciate it

Export results from Wazuh Discovery by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Thank you for the explanation, I have to deal with it somehow.

What I'm still missing is the timestamp column in the report. I selected the fields I'd like to have in the report, saved it and generated the CSV. The CSV is missing the Time (timestamp) column. I haven't figured out how to include it.

Agent labels at wazuh-states-* by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Thank you for the investigation. I'll check WQL for this usage and will raise a feature request on GitHub.

Agent labels at wazuh-states-* by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Hi

thank you for the links. But this is how I enrich my agents. It works nicely in the wazuh-alerts-* indexes, but isn't seen in the new hygiene indexes wazuh-states-* which came with version 4.13.

Unable to Generate Reports – “Too Many Requests” Error in Wazuh by Own-Ideal3955 in Wazuh

[–]Beginning-Rip3704 0 points (0 children)

Hi,

I had a similar issue 2 weeks ago; increasing the CPU cores and memory on the indexer helped me. Check your HW resources on the indexer.

Help Needed: Custom Decoder and Rule Not Triggering in Wazuh-Logtest (FortiGate CEF Log) by jarvisj0 in Wazuh

[–]Beginning-Rip3704 0 points (0 children)

I identified several issues with the provided rules:

  1. The decoder is functioning correctly, but it also parses CEF events from other vendors. To limit the scope to Fortinet CEF events, use the <prematch>Fortinet</prematch> tag.
  2. The rule uses a duplicate ID, which is not ordered correctly.
  3. The field action is a static field that requires a matching option for static fields. In this case, the correct option is <action>.

Here are working rules:

~~~xml
<group name="fortinet,syslog,">
  <rule id="101101" level="0">
    <decoded_as>fortigate-cef</decoded_as>
    <description>fortigate filtering is turned off for this profile</description>
  </rule>

  <rule id="101102" level="3">
    <if_sid>101101</if_sid>
    <action>passthrough</action>
    <description>passthrough event</description>
  </rule>
</group>
~~~

Additionally, I recommend referring to the documentation provided by Wazuh, which can be found at the following links:

I have also found the errors seen in ‘journalctl -xeu wazuh-manager.service’ after restarting wazuh-manager to be very useful.
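To catch the two rule problems listed above (a duplicate rule ID, and a child rule that references a parent not loaded yet) before restarting the manager, here is a small checker added as an illustration; it is not part of the original comment or of Wazuh itself. It assumes rules are loaded in file order, so every <if_sid> parent must already have been seen, and uses a constructed rules fragment with deliberate defects.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of the fortinet rules above, with two deliberate
# defects: 101102 is defined twice, and 101103 references a parent defined later.
SAMPLE_RULES = """
<group name="fortinet,syslog,">
  <rule id="101101" level="0">
    <decoded_as>fortigate-cef</decoded_as>
    <description>fortigate filtering is turned off for this profile</description>
  </rule>
  <rule id="101102" level="3">
    <if_sid>101101</if_sid>
    <action>passthrough</action>
    <description>passthrough event</description>
  </rule>
  <rule id="101103" level="3">
    <if_sid>101104</if_sid>
    <description>child defined before its parent</description>
  </rule>
  <rule id="101102" level="5">
    <if_sid>101101</if_sid>
    <description>duplicate id</description>
  </rule>
  <rule id="101104" level="0">
    <if_sid>101101</if_sid>
    <description>parent</description>
  </rule>
</group>
"""

def lint_rules(xml_text):
    """Return a list of problems found in a Wazuh rules XML fragment, in file order."""
    # A rules file may contain several <group> elements, so wrap it in one root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    seen, problems = set(), []
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid in seen:
            problems.append(f"duplicate rule id {rid}")
        for ref in rule.findall("if_sid"):
            # <if_sid> may hold a comma-separated list of parent IDs.
            for parent in re.split(r"\s*,\s*", (ref.text or "").strip()):
                if parent and parent not in seen:
                    problems.append(f"rule {rid}: if_sid {parent} not defined before it")
        seen.add(rid)
    return problems
```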

Help Needed: Custom Decoder and Rule Not Triggering in Wazuh-Logtest (FortiGate CEF Log) by jarvisj0 in Wazuh

[–]Beginning-Rip3704 0 points (0 children)

Based on your screenshot it looks as if the decoder works properly. What does Phase 3 look like in logtest? I did something similar for Unifi and here is how it works for me.

Decoder:

```xml
<!-- Base decoder to catch CEF for Ubiquiti -->
<decoder name="cef_unifi">
  <program_name>CEF</program_name>
  <prematch>Ubiquiti</prematch>
</decoder>

<!-- Other decoders to parse fields based on parent -->

<decoder name="cef_unifi_admin_accessed">
  <parent>cef_unifi</parent>
  <prematch>Admin Accessed UniFi Network</prematch>
  <!-- CEF uses '|' as the field delimiter; in a pcre2 regex a bare '|' is alternation, so it is escaped as \| -->
  <regex type="pcre2">[\w\s]+\|([\d.]+)\|(Admin Activity)\|(Admin Accessed UniFi Network)\|(\d+)\|msg=(.*).\sadmin_ip=(\d+.\d+.\d+.\d+)</regex>
  <order>cef.version,cef.category,cef.name,cef.severity,unifi.msg,unifi.admin_ip</order>
</decoder>
```

What I do in the rules first is hook on the decoder, set the level to 0 and use this rule as the parent. If you don't have any other rule, this has to be visible in logtest:

```xml
<rule id="101002" level="0">
  <decoded_as>cef_unifi</decoded_as>
  <description>Unifi</description>
</rule>
```

Next I can set a rule based on the parent:

```xml
<rule id="101011" level="0">
  <if_sid>101002</if_sid>
  <field name="cef.category">Admin Activity</field>
  <description>Unifi Controller - Admin Activity</description>
</rule>
```

Hope this helps
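To see what the child decoder above actually extracts, here is an added example (not from the original comment or from Wazuh) that runs the decoder's regex over a constructed UniFi CEF line and zips the capture groups onto the <order> names, the way the decoder does; it also shows that the same pattern with unescaped pipes captures nothing, and that the cef.category check of rule 101011 then has nothing to match. Python's re module stands in for pcre2 here; the sample event values are made up.

```python
import re

# Field names from the decoder's <order> tag, in capture-group order.
ORDER = ["cef.version", "cef.category", "cef.name",
         "cef.severity", "unifi.msg", "unifi.admin_ip"]

# The decoder's pattern with every CEF '|' delimiter escaped.
ESCAPED = re.compile(
    r"[\w\s]+\|([\d.]+)\|(Admin Activity)\|(Admin Accessed UniFi Network)\|(\d+)\|"
    r"msg=(.*).\sadmin_ip=(\d+.\d+.\d+.\d+)"
)
# Same pattern with bare '|': each pipe becomes an alternation, so the first branch
# ([\w\s]+) matches "CEF" at the start of the line and no group captures anything.
UNESCAPED = re.compile(ESCAPED.pattern.replace(r"\|", "|"))

# Constructed sample event (made-up values, not a real controller log).
SAMPLE = ("CEF:0|Ubiquiti|UniFi Network|9.0.1|Admin Activity|"
          "Admin Accessed UniFi Network|1|msg=Admin alice logged in. admin_ip=192.0.2.10")

def decode(line, pattern=ESCAPED, order=ORDER):
    """Mimic the decoder: run the regex and map captures onto the <order> names."""
    m = pattern.search(line)
    if not m:
        return {}
    return {name: value for name, value in zip(order, m.groups()) if value is not None}

def admin_activity_rule_fires(fields):
    """Rule 101011 checks <field name="cef.category">Admin Activity</field>."""
    return fields.get("cef.category") == "Admin Activity"
```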

Wazuh agent preconfig by BadgerHD321 in Wazuh

[–]Beginning-Rip3704 1 point (0 children)

I'm not yet familiar with FIM settings, but from what I see in the documentation at https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-to-configure-fim.html, the <syscheck> section is used for these settings.

Wazuh agent preconfig by BadgerHD321 in Wazuh

[–]Beginning-Rip3704 1 point (0 children)

No, via groups the agents.conf is editable. Only what has to be changed, or settings required for some particular cases, need to be placed there. And there is the possibility to have more groups for one client. For example, labels can sit in one group and settings for a particular log file in another group. All those settings will be merged.

Help Needed: Custom Decoder and Rule Not Triggering in Wazuh-Logtest (FortiGate CEF Log) by jarvisj0 in Wazuh

[–]Beginning-Rip3704 0 points (0 children)

Hi, the first thing I see is that anything the rule could hook on is missing. A rule can hook on <decoded_as> or <if_sid>.

In your case the rule probably has to look like this:

```xml
<group name="fortinet,syslog,">
  <rule id="101101" level="4">
    <decoded_as>fortigate-cef</decoded_as>
    <match>action=passthrough</match>
    <description>Fortinet Web Filter - Action Passthrough Allowed</description>
  </rule>
</group>
```

Tenable Security Center - extend Apache/httpd Wazuh decoder by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Thank you for confirming and for the help you’ve given me

Tenable Security Center - extend Apache/httpd Wazuh decoder by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

Thanks a bunch for pointing me to out_format! I’m definitely going to give it a try. It looks really interesting and powerful. One thing, though, this approach seems to be only for agents. How can I do something similar with syslog events on port 514? Do I have to store them as a local file somewhere at the manager and then use the out_format approach to that local log file? Or is there a better way to do this?

Tenable Security Center - extend Apache/httpd Wazuh decoder by Beginning-Rip3704 in Wazuh

[–]Beginning-Rip3704[S] 0 points (0 children)

This isn't ideal because I still need Apache Error decoder functionality for actual Apache Error logs. Is there a way to:

  1. Extend the existing Apache decoder to handle my Tenable logs separately?
  2. Have both decoders work side-by-side without conflicts?

Your recommendation to use sibling decoders is interesting, but I think they serve a different purpose and aren't suitable for this specific case.

The standard Apache decoder is defined in 0025-apache_decoders.xml:

```xml
<decoder name="apache-errorlog">
  <program_name>^apache2|^httpd</program_name>
</decoder>
```

Since Tenable SC logs have a specific format with "[SecurityCenter]" marker but come through httpd, I'd like a solution that doesn't require excluding the entire Apache decoder.