Wazuh的Decoder和rule問題

wazuh decoder syslog

julian 2024-04-12 11:19:48 ‧ 614 瀏覽

分享至

Hi 請教各位，我在設定Wazuh的Decoder和rule，有點疑問，想要請教大家。

目前我有兩種Log，欄位不太相同。
1 2024-04-10T04:53:16.322Z TP99ESET ERAServer 3348 - - {"event_type":"Audit_Event","ipv4":"192.168.99.12","hostname":"TP99ESET","source_uuid":"89d9e6a0-aa2f-45ac-bdae-36788f45c996","occured":"10-Apr-2024 04:53:16","severity":"Error","domain":"Native user","action":"Login attempt","detail":"Authenticating native user 'rrrrrr'.","user":"","result":"Access denied"}

這是第二組。
1 2024-04-09T01:45:44.86Z TP99ESET ERAServer 3348 - - {"event_type":"FilteredWebsites_Event","ipv4":"192.168.179.79","hostname":"tp999v.new-xxx.local","source_uuid":"2c9f99c6-3a99-4997-a992-4996e3994d4f","occured":"09-Apr-2024 01:31:58","severity":"Warning","event":"An attempt to connect to URL","target_address":"8.2.110.97","target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"Blocked","handled":true,"object_uri":"us.ck-ie.com.cc.idv","hash":"9ZC1100Cgg56D992BA94F49AA489384EA16y912F","username":"NEWxxDouix.Zttg","processname":"C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe","rule_id":"Website certificate revoked"}

這是我的Decode設定檔，他對第一個Log是可以匹配的，但我加入第二組的時候他無法成功被Decode也無法有rule出現，目前我是配置在同一個xml檔案，我不卻這樣是否可以？

<decoder name="ESETnew">

  <prematch> TPE10VESET ERAServer </prematch>
</decoder>
<decoder name="ESETnew-child">
  <parent>ESETnew</parent>
  <regex>\d (\d+-\d+-\.+:\d+:\d+.\.+) ERAServer (\.+ \.+) - - </regex>
  <order>timestamp,hostname</order>
</decoder>
<decoder name="ESETnew-child">
  <parent>ESETnew</parent>

  <regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+),"occured":"(\.+)","severity":"(\.+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+).","user":"(\.*)","result":"(\.+)"}</regex>
  <order>event_type,ipv4,hostname,source_uuid,occured,severity,domain,action,detail,user,result</order>
</decoder>
<decoder name="ESETnew-child">
  <parent>ESETnew</parent>

  <regex>"occured":"(\.+)","severity":"(\w+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.+)","result":"(\.+)"}</regex>
  <order>occured,severity,domain,action,detail,user,result</order>
</decoder>
<decoder name="ESETnew-child">
  <parent>ESETnew</parent>
  <regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+)","occured":"(\.+)","severity":"(\.+)","event":"(\.+)","target_address":"(\.+)","target_address_type":"(\.+)","scanner_id":"(\.+)","action_taken":"(\.+)","handled":"(\w+)","object_uri":"(\.+)","hash":"(\.+)","username":"(\.+)","processname":"(\.+)","rule_id":"(\.+)"}"}</regex>
  <order>event_type,ipv4,hostname,source_uuid,occured,severity,event,target_address,target_address_type,scanner_id,action_taken,handled,object_uri,hash,username,processname,rule_id</order>
</decoder>