Hi 請教各位,我在設定Wazuh的Decoder和rule,有點疑問,想要請教大家。
目前我有兩種Log,欄位不太相同。1 2024-04-10T04:53:16.322Z TP99ESET ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.99.12","hostname":"TP99ESET","source_uuid":"89d9e6a0-aa2f-45ac-bdae-36788f45c996","occured":"10-Apr-2024 04:53:16","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'rrrrrr'.","user":"","result":"Access denied"}
這是第二組。1 2024-04-09T01:45:44.86Z TP99ESET ERAServer 3348 - - {"event_type":"FilteredWebsites_Event","ipv4":"192.168.179.79","hostname":"tp999v.new-xxx.local","source_uuid":"2c9f99c6-3a99-4997-a992-4996e3994d4f","occured":"09-Apr-2024 01:31:58","severity":"Warning","event":"An attempt to connect to URL","target_address":"8.2.110.97","target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"Blocked","handled":true,"object_uri":"us.ck-ie.com.cc.idv","hash":"9ZC1100Cgg56D992BA94F49AA489384EA16y912F","username":"NEWxxDouix.Zttg","processname":"C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe","rule_id":"Website certificate revoked"}
這是我的Decode設定檔,他對第一個Log是可以匹配的,但我加入第二組的時候他無法成功被Decode也無法有rule出現,目前我是配置在同一個xml檔案,我不卻這樣是否可以?
<decoder name="ESETnew">
<prematch> TPE10VESET ERAServer </prematch>
</decoder>
<decoder name="ESETnew-child">
<parent>ESETnew</parent>
<regex>\d (\d+-\d+-\.+:\d+:\d+.\.+) ERAServer (\.+ \.+) - - </regex>
<order>timestamp,hostname</order>
</decoder>
<decoder name="ESETnew-child">
<parent>ESETnew</parent>
<regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+),"occured":"(\.+)","severity":"(\.+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+).","user":"(\.*)","result":"(\.+)"}</regex>
<order>event_type,ipv4,hostname,source_uuid,occured,severity,domain,action,detail,user,result</order>
</decoder>
<decoder name="ESETnew-child">
<parent>ESETnew</parent>
<regex>"occured":"(\.+)","severity":"(\w+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.+)","result":"(\.+)"}</regex>
<order>occured,severity,domain,action,detail,user,result</order>
</decoder>
<decoder name="ESETnew-child">
<parent>ESETnew</parent>
<regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+)","occured":"(\.+)","severity":"(\.+)","event":"(\.+)","target_address":"(\.+)","target_address_type":"(\.+)","scanner_id":"(\.+)","action_taken":"(\.+)","handled":"(\w+)","object_uri":"(\.+)","hash":"(\.+)","username":"(\.+)","processname":"(\.+)","rule_id":"(\.+)"}"}</regex>
<order>event_type,ipv4,hostname,source_uuid,occured,severity,event,target_address,target_address_type,scanner_id,action_taken,handled,object_uri,hash,username,processname,rule_id</order>
</decoder>