
Pushing 天擎 (TianQing) logs (unicode) to wazuh, identifying key fields and triggering alerts

Date: 2023-04-14 15:34:48  Views: 41
Tags: log wazuh content unicode 天擎 rst name

Background:

Use wazuh to ingest the logs of a security system, trigger alerts according to the sensitive-log rules we define, and show them on the wazuh dashboard.

wazuh version: 4.4

天擎 version: v6


Steps:

1. Enable the 天擎 syslog function

## During testing, 天擎 appeared to support both TCP and UDP; capture packets to see which protocol is actually in use.

## When I configured port 514 it used TCP; with port 513 it used UDP.


2. Enable the syslog listener on wazuh:

[devuser@localhost ~]$ sudo vim /var/ossec/etc/ossec.conf
...
<remote>
  <connection>syslog</connection>
  <port>513</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/8</allowed-ips>
  <local_ip>101.32.164.22</local_ip>
</remote>
...

3. Restart wazuh-manager and check that the port is listening:

sudo systemctl restart wazuh-manager

netstat -an | grep 513


4. Check whether the logs are being pushed to wazuh

sudo tailf /var/ossec/logs/archives/archives.json

In theory a pile of logs should show up here as well.

5.1 Edit the wazuh rules:

## There is a pitfall here: the logs sent by 天擎 are unicode-escaped (\uXXXX). Although wazuh 4.4 handles Chinese unicode escapes in the decoder, it does not seem to handle unicode in the rules.

## I eventually found on GitHub that the field's regex type must be set to "pcre2" and the regular expression prefixed with the "(*UTF)" marker before Chinese text inside the JSON can be matched.

## I went around Baidu, Bing, Google and Stack Overflow several times and found no real example. That is the reason for writing this post: to record an actual working configuration:

sudo vim /var/ossec/etc/rules/local_rules.xml

<group name="天擎">
  <rule id="100020" level="5">
    <decoded_as>json</decoded_as>
    <description>TianQing</description>
    <field name="log_name">\.+</field>
  </rule>

  <rule id="100021" level="6">
    <if_sid>100020</if_sid>
    <field name="log_name" type="pcre2">(*UTF)安全检查</field>
    <description>content: $(log_name)</description>
  </rule>

  <rule id="100022" level="7">
    <if_sid>100021</if_sid>
    <field name="content.check_rst" type="pcre2">(*UTF)不通过</field>
    <description>content: $(content.check_rst)</description>
  </rule>
</group>


5.2 A sample 天擎 log:

{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11  19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}

5.3 Use wazuh-logtest to check that the log is parsed:

## After modifying the rule xml, re-run wazuh-logtest so that matching uses the latest rules.

## Some JSON fields in the sample have been redacted.


sudo  /var/ossec/bin/wazuh-logtest


[devuser@localhost ~]$  sudo  /var/ossec/bin/wazuh-logtest
[sudo] password for devuser: 
Starting wazuh-logtest v4.4.0
Type one log per line


{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11  19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}

**Phase 1: Completed pre-decoding.
        full event: '{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11  19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}'

**Phase 2: Completed decoding.
        name: 'json'
        content.check_rst: '不通过'
        content.check_time: '2023-04-11  19:39:05'
        content.insulate_rst: '未隔离'
        content.templet_name: ''
        create_time: '2023-04-11 19:32:09'
        gid: '14027484'
        ip: '10.32.56.143'
        log_id: 'eadcf8be3ece47939fa678f04066b4b3'
        log_name: '安全检查'
        mac: ''
        report_ip: '10.32.56.143'
        version: '天擎6.7.0.4900'
        work_group: ''

**Phase 3: Completed filtering (rules).
        id: '100022'
        level: '7'
        description: 'content: 不通过'
        groups: '['天擎']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


6. Check on the wazuh dashboard whether the various 天擎 logs are visible:
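To make the decode-then-match order concrete, here is an added Python example (not Wazuh's code and not from the original post) that reproduces what wazuh-logtest shows above: it parses the \u-escaped JSON line into real Unicode strings, flattens nested keys to the dotted names wazuh uses (content.check_rst), and walks the 100020 -> 100021 -> 100022 chain with Unicode-aware regexes, the role that type="pcre2" plus (*UTF) plays in the rule file. The rule table, the mini-engine and the redacted sample line are constructed for this illustration.

```python
import json
import re

# Constructed sample in the same shape as the 天擎 line on this page (values redacted);
# the \u escapes are kept literal, exactly as they arrive over syslog.
SAMPLE = (
    '{"version":"\\u5929\\u64ce6.7.0.4900","log_name":"\\u5b89\\u5168\\u68c0\\u67e5",'
    '"ip":"10.0.0.1","content":{"check_rst":"\\u4e0d\\u901a\\u8fc7","insulate_rst":"\\u672a\\u9694\\u79bb"}}'
)

# The rule chain from local_rules.xml, expressed as data for this hypothetical mini-engine.
RULES = [
    {"id": 100020, "level": 5, "if_sid": None, "field": "log_name",
     "pattern": r".+", "description": "TianQing"},
    {"id": 100021, "level": 6, "if_sid": 100020, "field": "log_name",
     "pattern": "安全检查", "description": "content: $(log_name)"},
    {"id": 100022, "level": 7, "if_sid": 100021, "field": "content.check_rst",
     "pattern": "不通过", "description": "content: $(content.check_rst)"},
]

def decode_json_event(raw):
    """Mimic the wazuh json decoder: json.loads turns \\uXXXX into Unicode text,
    then nested objects are flattened to dotted field names such as content.check_rst."""
    def flatten(obj, prefix=""):
        out = {}
        for key, value in obj.items():
            name = prefix + key
            if isinstance(value, dict):
                out.update(flatten(value, name + "."))
            else:
                out[name] = str(value)
        return out
    return flatten(json.loads(raw))

def evaluate(fields):
    """Walk the chain: a rule with if_sid only fires if its parent was the last match.
    Returns the most specific match with $(field) expanded, or None."""
    matched = None
    for rule in RULES:
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        value = fields.get(rule["field"])
        # Python str regexes are Unicode-aware, which is what (*UTF) buys you in pcre2.
        if value is None or re.search(rule["pattern"], value) is None:
            continue
        desc = re.sub(r"\$\(([\w.]+)\)", lambda m: fields.get(m.group(1), ""), rule["description"])
        matched = {"id": rule["id"], "level": rule["level"], "description": desc}
    return matched

def literal_in_raw(raw, needle="不通过"):
    """Why decoding must come first: the raw line never contains the Chinese characters themselves."""
    return needle in raw
```

Feeding the sample through decode_json_event and then evaluate yields id 100022, level 7 and "content: 不通过", the same result as the Phase 3 output above, while literal_in_raw shows that matching the undecoded line would find nothing.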


From: https://www.cnblogs.com/bonjov1/p/17318437.html
