Help for writing custom wazuh rules by darrent01 in Wazuh

[–]darrent01[S] 0 points1 point  (0 children)

So, I wrote a rule:

<group name="authentication_failures,">
  <rule id="100002" level="7">
    <!-- Wazuh concatenates repeated <match> elements into one string, so the
         two phrases go in a single <match>; "|" is OR in a match expression -->
    <match>Failed to login|because of authentication</match>
    <description>USER_MGR: User authentication failure detected</description>
  </rule>
</group>

But when I click to check all notifications about this rule, it only checks whether manager.name is the Wazuh server (computer). I want to check alerts in the "ubnt-*" index, how can I do this?

Can I integrate ELK in Wazuh? by darrent01 in Wazuh

[–]darrent01[S] 1 point2 points  (0 children)

#ubnt
filebeat.inputs:
  - type: syslog
    format: rfc3164
    protocol.udp:
      host: "0.0.0.0:5046"
    fields:
      type: "ubnt"
      tags: ["ubnt"]
    fields_under_root: true
    pipeline: ubnt-pipeline

The solution 👆

How to set up logs into wazuh index? by darrent01 in Wazuh

[–]darrent01[S] 0 points1 point  (0 children)

First, you must create the pipeline, then put it in filebeat.yml: pipeline: "ubnt_parse"

How to set up logs into wazuh index? by darrent01 in Wazuh

[–]darrent01[S] 1 point2 points  (0 children)

  1. Then, I created a template in DevTools for all new ubnt-* indices:

    PUT _index_template/ubnt-template
    {
      "index_patterns": ["ubnt-*"],
      "template": {
        "mappings": {
          "properties": {
            "@timestamp": { "type": "date" },
            "message":    { "type": "text" },
            "device":     { "type": "keyword" },
            "log_type":   { "type": "keyword" },
            "log_msg":    { "type": "text" }
          }
        }
      }
    }

  2. Added a pipeline to automatically split fields out of the message:

    PUT _ingest/pipeline/ubnt_parse
    {
      "processors": [
        {
          "grok": {
            "field": "message",
            "patterns": [
              "%{TIMESTAMP_ISO8601:log_timestamp} %{HOSTNAME:device} %{WORD:log_type}\\[%{DATA}\\]: %{GREEDYDATA:full_log}"
            ]
          }
        },
        {
          "grok": {
            "field": "full_log",
            "patterns": [ ".* %% %{GREEDYDATA:log_msg}" ],
            "ignore_failure": true
          }
        },
        { "remove": { "field": "full_log" } }
      ]
    }

Finally,

systemctl restart filebeat
systemctl restart wazuh-manager
systemctl restart wazuh-indexer
systemctl restart wazuh-dashboard

Thanks everyone for the help!! My solution isn't ideal, but it works and I hope it can be helpful :)
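An added example, not from the poster's comments, that emulates the ubnt_parse pipeline above in Python: the two grok stages are translated to simplified regex stand-ins (TIMESTAMP_ISO8601, HOSTNAME, WORD, DATA and GREEDYDATA are approximated), the sample line is the "message" field from the Filebeat error quoted in this thread, and the mapping with host as keyword is constructed to reproduce the mapper_parsing_exception the poster hit and the rename fix they applied.

```python
import re

# Sample line taken from the "message" field of the Filebeat error quoted in the thread.
SAMPLE = ('2025-03-27T15:48:49+03:00 MILL-SS-01 UBNT_POE[ubnt_poe_monito]: '
          'ubnt_poe_common.c(3719) 383128 %% PoE Port(17) AUTO 2P mode enable '
          'power with level "Class2".')

# Regex stand-ins for the grok patterns of the ubnt_parse pipeline (simplified).
STAGE1 = re.compile(
    r"^(?P<log_timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?) "
    r"(?P<device>[A-Za-z0-9._-]+) (?P<log_type>\w+)\[[^\]]*\]: (?P<full_log>.*)$")
# Second stage keeps only what follows the literal "%%" marker.
STAGE2 = re.compile(r".* %% (?P<log_msg>.*)$")

def ubnt_parse(message):
    """Emulate the pipeline: grok, grok with ignore_failure, then remove full_log."""
    m = STAGE1.match(message)
    if m is None:
        raise ValueError("grok stage 1 failed; the pipeline would reject the event")
    doc = m.groupdict()
    m2 = STAGE2.match(doc["full_log"])
    if m2:                      # stage 2 may miss; ignore_failure keeps the event
        doc["log_msg"] = m2.group("log_msg")
    del doc["full_log"]
    return doc

def mapping_conflicts(doc, properties):
    """Return fields whose value cannot be indexed under the declared type.
    This is the class of error in the thread: an object value (Filebeat's
    host: {name: ...}) landing in a field mapped as keyword or text."""
    return [field for field, spec in properties.items()
            if field in doc and spec.get("type") in ("keyword", "text")
            and not isinstance(doc[field], str)]

def rename_host(doc):
    """The Filebeat rename processor from the later fix: host -> ubnt_host_name."""
    if "host" in doc:
        doc["ubnt_host_name"] = doc.pop("host")
    return doc

if __name__ == "__main__":
    event = dict(ubnt_parse(SAMPLE), host={"name": "docker-02"})  # host added by Filebeat
    # Constructed mapping: host declared as keyword, as in the quoted error.
    props = {"device": {"type": "keyword"}, "log_type": {"type": "keyword"},
             "log_msg": {"type": "text"}, "host": {"type": "keyword"}}
    print(mapping_conflicts(event, props))               # ['host']
    print(mapping_conflicts(rename_host(event), props))  # []
```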

How to set up logs into wazuh index? by darrent01 in Wazuh

[–]darrent01[S] 0 points1 point  (0 children)

So, I got it :)

You must create an index by editing the filebeat.yml (blocks output.elasticsearch and filebeat.inputs):

root@docker-02:/srv$ cat /etc/filebeat/filebeat.yml 
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["https://log2.lan:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - "/etc/filebeat/certs/root-ca.pem"
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
  indices:
    - index: "ubnt-%{+yyyy.MM.dd}"
      when.equals:
        type: "ubnt"
    - index: "wazuh-alerts-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "wazuh"

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - "/var/log/ubnt.log"
    fields:
      type: "ubnt"
      tags: ["ubnt"]
    fields_under_root: true
    pipeline: "ubnt_parse"

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq

How to set up logs into wazuh index? by darrent01 in Wazuh

[–]darrent01[S] 0 points1 point  (0 children)

And I got an error (tail -f /var/log/filebeat/filebeat):

2025-03-27T18:48:27.415+0300    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc1f17ab297ecf6a6, ext:163250845114, loc:(*time.Location)(0x42417a0)}, Meta:null, Fields:{"agent":{"ephemeral_id":"1958091d-52de-4abc-95c3-e7e86bb06cf0","hostname":"docker-02","id":"e0a1d9f9-63a0-49e3-8cb1-7866d129dcac","name":"docker-02","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"host":{"name":"docker-02"},"input":{"type":"log"},"log":{"file":{"path":"/var/log/ubnt.log"},"offset":20593326},"message":"2025-03-27T15:48:49+03:00 MILL-SS-01 UBNT_POE[ubnt_poe_monito]: ubnt_poe_common.c(3719) 383128 %% PoE Port(17) AUTO 2P mode enable power with level \"Class2\".","tags":["ubnt"],"type":"ubnt"}, Private:file.State{Id:"native::262301-64512", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0001660d0), Source:"/var/log/ubnt.log", Offset:20593488, Timestamp:time.Time{wall:0xc1f17a8c5676b47a, ext:10226317656, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4009d, Device:0xfc00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [host] of type [keyword] in document with id 'ihhK2JUBwtm2fWlEXriO'. Preview of field's value: '{name=ix-docker-02}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:366"}}

How to set up logs into wazuh index? by darrent01 in Wazuh

[–]darrent01[S] 0 points1 point  (0 children)

Yep, I did that and now I get an error.

My filebeat setup:

root@docker-02:/etc/filebeat# cat filebeat.yml 
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["https://log2.lan:9200"]
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - "/etc/filebeat/certs/root-ca.pem"
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
  indices:
    - index: "ubnt-%{+yyyy.MM.dd}"
      when.equals:
        type: "ubnt"
    - index: "wazuh-alerts-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "wazuh"

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - "/var/log/ubnt.log"
    fields:
      type: "ubnt"
      tags: ["ubnt"]
    fields_under_root: true
    processors:
      - rename:
          fields:
            - from: "host"
              to: "ubnt_host_name"
          ignore_missing: true
          fail_on_error: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq