Background:
Use Wazuh to ingest the logs of an endpoint security system, raise alerts according to defined sensitive-log rules, and display them on the Wazuh dashboard.
Wazuh version: 4.4
TianQing (天擎) version: v6
Steps:
1. Enable the syslog feature in TianQing
## During testing TianQing appeared to support both TCP and UDP; capture the traffic to confirm which protocol is actually in use.
## In my setup, port 514 used TCP and port 513 used UDP. The <protocol> value in the Wazuh <remote> block below must match what the capture shows.

2. Open a syslog listener on the Wazuh manager:
[devuser@localhost ~]$ sudo vim /var/ossec/etc/ossec.conf
...
<remote>
  <connection>syslog</connection>
  <port>513</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/8</allowed-ips>
  <local_ip>101.32.164.22</local_ip>
</remote>
...
## allowed-ips only filters on the source address. With UDP that address is unauthenticated and trivially spoofable, so treat it as a convenience filter, not a security boundary; if the endpoint fleet is on a routed network, also restrict the port at the host firewall.
3. Restart wazuh-manager and check that the port is listening:
sudo systemctl restart wazuh-manager
netstat -an | grep 513
## A UDP socket shows up as "udp ... 101.32.164.22:513" with no LISTEN state, which is expected. On hosts without netstat, "ss -ulnp | grep 513" gives the same information and names the owning process (wazuh-remoted).

4. Check whether logs are being pushed to Wazuh
sudo tail -f /var/ossec/logs/archives/archives.json
## archives.json is only written when <logall_json>yes</logall_json> is set in the <global> section of ossec.conf (it is off by default). With it enabled, a steady stream of TianQing events should appear here; if nothing shows up, re-check the protocol/port from step 1 and the allowed-ips range from step 2.
5.1 Edit the Wazuh rules:
## There is a pitfall here: the logs sent by TianQing use \uXXXX Unicode escapes. Wazuh 4.4 decodes these escapes in the JSON decoder (the decoded fields are plain Chinese text), but the same does not seem to apply to the rules side.
## I eventually found on GitHub that the <field> element has to use the "pcre2" regex type and the expression has to start with the "(*UTF)" option so that the Chinese text in the JSON can be matched.
## Searching Baidu, Bing, Google and Stack Overflow turned up no working sample, which is why I am writing this document: to record an actual configuration that works.
sudo vim /var/ossec/etc/rules/local_rules.xml
<group name="天擎">
  <!-- Base rule: any JSON event that carries a log_name field.
       "\.+" is OSSEC regex syntax, where "\." matches any character, so this means "one or more characters". -->
  <rule id="100020" level="5">
    <decoded_as>json</decoded_as>
    <description>TianQing</description>
    <field name="log_name">\.+</field>
  </rule>

  <!-- Child rule: log_name contains "安全检查" (security check). type="pcre2" plus the (*UTF) option are required for the Chinese match. -->
  <rule id="100021" level="6">
    <if_sid>100020</if_sid>
    <field name="log_name" type="pcre2">(*UTF)安全检查</field>
    <description>content: $(log_name)</description>
  </rule>

  <!-- Grandchild rule: the check result is "不通过" (failed). Nested JSON keys are addressed with dots. -->
  <rule id="100022" level="7">
    <if_sid>100021</if_sid>
    <field name="content.check_rst" type="pcre2">(*UTF)不通过</field>
    <description>content: $(content.check_rst)</description>
  </rule>
</group>
5.2 A sample TianQing log looks like this:
{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11 19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}
5.3 Use wazuh-logtest to check that the event is decoded and that the rules fire:
## After editing local_rules.xml, start a new wazuh-logtest session; an already running session keeps matching against the rules it loaded at startup.
## Some JSON fields in the sample have been sanitised.
sudo /var/ossec/bin/wazuh-logtest
[devuser@localhost ~]$ sudo /var/ossec/bin/wazuh-logtest
[sudo] password for devuser:
Starting wazuh-logtest v4.4.0
Type one log per line

{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11 19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}

**Phase 1: Completed pre-decoding.
    full event: '{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5","log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09","ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"","content":{"check_time":"2023-04-11 19:39:05","templet_name":"","check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb","failed_item":"","detail":""}}'

**Phase 2: Completed decoding.
    name: 'json'
    content.check_rst: '不通过'
    content.check_time: '2023-04-11 19:39:05'
    content.insulate_rst: '未隔离'
    content.templet_name: ''
    create_time: '2023-04-11 19:32:09'
    gid: '14027484'
    ip: '10.32.56.143'
    log_id: 'eadcf8be3ece47939fa678f04066b4b3'
    log_name: '安全检查'
    mac: ''
    report_ip: '10.32.56.143'
    version: '天擎6.7.0.4900'
    work_group: ''

**Phase 3: Completed filtering (rules).
    id: '100022'
    level: '7'
    description: 'content: 不通过'
    groups: '['天擎']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.
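The following script is an added example to go with steps 2 to 5; it is not code from the original page, from Wazuh or from TianQing. It models the pipeline locally: it decodes the page's sample event the way the Wazuh json decoder does (the \uXXXX escapes become text and nested keys are flattened with dots, so "content.check_rst" is addressable), walks the three local_rules.xml rules with their if_sid chain and $(field) descriptions, and can push a constructed test event to the manager's UDP syslog listener so that steps 3 and 4 can be verified before TianQing is connected. Assumptions: Python's re module stands in for PCRE2 (it matches str as Unicode already, so the (*UTF) prefix is not needed here), the sample event is the sanitised one shown in step 5.2, and the manager address and port are supplied on the command line rather than hard-coded.

```python
"""Local model of the TianQing -> Wazuh pipeline from steps 2-5 (added example, not Wazuh code)."""
import json
import re
import socket
import sys

# Constructed sample: the sanitised event from step 5.2, with its \uXXXX escapes intact.
SAMPLE_EVENT = (
    r'{"version":"\u5929\u64ce6.7.0.4900","log_name":"\u5b89\u5168\u68c0\u67e5",'
    r'"log_id":"eadcf8be3ece47939fa678f04066b4b3","create_time":"2023-04-11 19:32:09",'
    r'"ip":"10.32.56.143","report_ip":"10.32.56.143","mac":"","gid":14027484,"work_group":"",'
    r'"content":{"check_time":"2023-04-11 19:39:05","templet_name":"",'
    r'"check_rst":"\u4e0d\u901a\u8fc7","insulate_rst":"\u672a\u9694\u79bb",'
    r'"failed_item":"","detail":""}}'
)


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted names (a.b.c), as the Wazuh json decoder presents them."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)  # logtest shows every field as a string, e.g. gid: '14027484'
    return out


def decode_event(raw):
    """json.loads turns \\uXXXX escapes into real text, mirroring the Phase 2 output on the page."""
    return flatten(json.loads(raw))


# Mirror of local_rules.xml: (id, level, if_sid parent, field, pattern, description).
# 100020 uses OSSEC regex "\.+" ("\." = any character); the Python equivalent is ".+".
# 100021/100022 use pcre2 "(*UTF)..." on the page; Python's re needs no such prefix for str.
RULES = [
    ("100020", 5, None,     "log_name",          r".+",  "TianQing"),
    ("100021", 6, "100020", "log_name",          "安全检查", "content: $(log_name)"),
    ("100022", 7, "100021", "content.check_rst", "不通过",   "content: $(content.check_rst)"),
]


def expand_description(desc, fields):
    """Substitute $(field) placeholders the way Wazuh expands them in <description>."""
    return re.sub(r"\$\(([^)]+)\)", lambda m: fields.get(m.group(1), ""), desc)


def evaluate(fields):
    """Walk the if_sid chain; return (id, level, description) of the deepest matching rule, or None."""
    matched = None
    for rule_id, level, parent, field, pattern, desc in RULES:
        if parent is not None and (matched is None or matched[0] != parent):
            break  # parent rule did not fire, so this child cannot
        value = fields.get(field)
        if value is None or not re.search(pattern, value):
            break  # an unmatched rule also stops its descendants
        matched = (rule_id, level, expand_description(desc, fields))
    return matched


def send_udp(payload, host, port=513):
    """Send one datagram to the manager's <remote> syslog listener from step 2 (UDP, port 513).

    The raw JSON is sent as-is, which is exactly what the wazuh-logtest session on the page was fed.
    Returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    print(evaluate(decode_event(SAMPLE_EVENT)))  # ('100022', 7, 'content: 不通过')
    if len(sys.argv) > 1:  # usage: python3 tianqing_test.py <manager-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 513
        sent = send_udp(SAMPLE_EVENT.encode("utf-8"), sys.argv[1], port)
        print(f"sent {sent} bytes; watch archives.json on the manager")
```

Run it without arguments to see which rule the sample event reaches; run it with the manager's IP (and port, if not 513) to inject the same event over UDP and confirm it shows up in archives.json and, after the rules from step 5.1 are in place, as a level 7 alert. Changing check_rst to "通过" in the sample stops at rule 100021, and a log_name other than 安全检查 stops at 100020, which is a quick way to check the chain before touching the real rule file.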
6. Check on the Wazuh dashboard that the various TianQing events are visible:
