Wazuh decoder configuration

I. Decoder and ruleset directories

1. The decoders directory

When a log arrives, Wazuh first runs it through the decoders in this directory: the decoder identifies which program produced the log (the log type) and extracts fields such as the user or the source IP from it.

2. The rules directory

Once the log type is known, Wazuh evaluates the rules of that type in this directory against the decoded fields; the matching rule decides whether an alert is generated and at what level.

3. The sca directory

Security Configuration Assessment (SCA) policies: baseline security configuration checks for items such as the operating system, the MySQL database and the PHP configuration.

4. Custom decoders

Custom decoders go under /var/ossec/etc/decoders (for example local_decoder.xml) and custom rules under /var/ossec/etc/rules. Make sure the <ruleset> section of the global configuration file ossec.conf lists both directories: the default configuration already contains <decoder_dir>etc/decoders</decoder_dir> and <rule_dir>etc/rules</rule_dir> (paths relative to /var/ossec). Restart wazuh-manager after changing the files so they are loaded.

II. Syntax

1. Syntax

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

There are many options to configure in decoders:

Option (values): description

decoder (name of the decoder): defines the decoder.
parent (any decoder's name): references a parent decoder; the current decoder becomes its child.
accumulate (no value): allows tracking events over multiple log messages.
program_name (any regex, sregex or pcre2 expression): sets a program name as a condition for applying the decoder; the log header must have a program name matching the expression.
prematch (any regex or pcre2 expression): sets a regular expression as a condition for applying the decoder; the log must match it, not counting any syslog-like header.
regex (any regex or pcre2 expression): the decoder uses this option to find the fields of interest and extract them.
order (see the order table below): the values that regex captures are stored in these fields.
fts (see the fts table in the linked documentation): first time seen.
ftscomment (any string): adds a comment to fts.
plugin_decoder (see the linked documentation): specifies a plugin that does the decoding; useful when extraction with regex is not feasible.
use_own_name (true): only for child decoders.
json_null_field (string): decides how a null value from a JSON is stored.
json_array_structure (string): decides how an array structure from a JSON is stored.
var (name of the variable): defines variables that can be reused inside the same file.
type (see the type table in the linked documentation): sets the type of log that the decoder is going to match.

order

Defines what the parenthesised groups of regex contain and the sequence in which they are captured: the i-th group is stored in the i-th field listed. It requires a regex defined in the same decoder. There is no default value.

Static fields:
srcuser: source username
dstuser: destination (target) username
user: an alias for dstuser (only one of the two can be used)
srcip: source IP address
dstip: destination IP address
srcport: source port
dstport: destination port
protocol: protocol
system_name: system name
id: event id
url: URL of the event
action: event action (deny, drop, accept, etc.)
status: event status (success, failure, etc.)
data: data
extra_data: any extra data

Dynamic fields: any string not included in the list above; the captured value is stored under that name.

2. Using wazuh-logtest

cat /opt/lampp/logs/mysql.log | grep denied

Copy one of the matching log lines.

In /var/ossec/bin, run ./wazuh-logtest.

Once it starts, paste the line. The tool prints the pre-decoding, decoding and rule phases, i.e. which decoder matched, the fields it extracted, and which rule (if any) fired.

Testing JSON decoders

Analysing a JSON log with wazuh-logtest works the same way: paste the JSON event, for example this Suricata EVE alert:

{"timestamp":"2019-11-19T03:12:29.231083+0000","flow_id":2047777552751061,"in_iface":"ens33","event_type":"alert","src_ip":"217.160.0.187","src_port":80,"dest_ip":"192.168.1.45","dest_port":50512,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
Source of the JSON example: CSDN post by guoguangwu (CC 4.0 BY-SA), https://blog.csdn.net/guoguangwu/article/details/103137640

Sibling decoders

For unstructured logs the capture groups of <regex> are assigned strictly in the sequence given by <order>: the first group goes to the first field name, the second to the second, and so on. If the names in <order> are listed in a different sequence than the groups in the regex, the values silently land in the wrong fields (for example a hostname stored as the user), so check the decoded fields in wazuh-logtest after every change.

Custom decoders

3. Example

Extracting fields with order, based on the MySQL decoder (mysql_decoders):

<decoder name="mysql_log">
  <!-- apply only to MySQL general-log "Connect" lines, e.g. "42 Connect" -->
  <prematch>\d+ Connect</prematch>
  <!-- after the prematch, capture user and host from "Access denied for user 'u'@'h'" -->
  <regex offset="after_prematch">Access denied for user '(\S+)'@'(\S+)'</regex>
  <!-- group 1 is stored as user, group 2 as srcip -->
  <order>user,srcip</order>
</decoder>
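To see what wazuh-logtest is doing in the procedure above, the following added example (not code from the original post or from the Wazuh project) re-implements the decoder semantics in Python: a parent decoder with a prematch, a child decoder whose regex runs after its prematch, the group-to-order mapping, and the flattening the JSON decoder applies to an event such as the Suricata alert quoted earlier. It is an approximation of the documented behaviour, not Wazuh's own engine (which is C code using the OS_Regex dialect); the decoder names, the MySQL log line and the null/array option handling are constructed for illustration.

```python
"""Toy model of Wazuh decoder matching: prematch -> regex -> order, plus JSON flattening.
Illustrative approximation, not Wazuh's engine; decoder names and sample logs are constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field


def os_regex_to_python(pattern: str) -> str:
    """Translate the OS_Regex dialect of <prematch>/<regex> to Python re.
    Unlike PCRE, '.' is a literal dot, '\\.' is any character, '\\p' is any
    punctuation, and '?', '{', '}', '[', ']' are plain literals."""
    punct = r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            n = pattern[i + 1]
            if n == ".":
                out.append(".")
            elif n == "p":
                out.append(punct)
            elif n in "wdsWDSt":
                out.append("\\" + n)
            else:
                out.append(re.escape(n))  # escaped literal such as '\\\\'
            i += 2
            continue
        out.append(c if c in "()^$|+*" else re.escape(c))
        i += 1
    return "".join(out)


@dataclass
class Decoder:
    """One <decoder>. offset applies to regex (after_prematch / after_parent);
    a child's prematch is always searched after the parent's prematch (assumption)."""
    name: str
    parent: str | None = None
    prematch: str | None = None
    regex: str | None = None
    offset: str | None = None
    order: list[str] = field(default_factory=list)


def _extract(dec: Decoder, log: str, parent_end: int, prematch_end: int) -> dict:
    """Run <regex> from the configured offset and map group i onto order[i]."""
    if not dec.regex:
        return {}
    start = {"after_prematch": prematch_end, "after_parent": parent_end}.get(dec.offset, 0)
    m = re.search(os_regex_to_python(dec.regex), log[start:])
    # A wrong sequence in <order> silently stores values under the wrong names.
    return dict(zip(dec.order, m.groups())) if m else {}


def decode(decoders: list[Decoder], log: str) -> tuple[str | None, dict]:
    """Return (name of the deepest matching decoder, extracted fields)."""
    for parent in (d for d in decoders if d.parent is None):
        pm = re.search(os_regex_to_python(parent.prematch), log) if parent.prematch else None
        if parent.prematch and pm is None:
            continue  # this parent does not apply to the line
        parent_end = pm.end() if pm else 0
        name, fields = parent.name, _extract(parent, log, parent_end, parent_end)
        for child in (d for d in decoders if d.parent == parent.name):
            cm = re.search(os_regex_to_python(child.prematch), log[parent_end:]) if child.prematch else None
            if child.prematch and cm is None:
                continue  # try the next sibling decoder
            child_end = parent_end + cm.end() if cm else parent_end
            name = child.name
            fields.update(_extract(child, log, parent_end, child_end))
            break  # the first matching sibling wins
        return name, fields
    return None, {}


def decode_json(log: str, null_field: str = "discard", array_structure: str = "csv") -> dict:
    """Flatten a JSON event into dotted dynamic fields ("alert.signature_id"), values as
    strings, the shape wazuh-logtest shows for JSON input. null_field / array_structure
    stand in for json_null_field / json_array_structure (approximation)."""
    def walk(obj: dict, prefix: str, out: dict) -> dict:
        for k, v in obj.items():
            key = f"{prefix}.{k}" if prefix else k
            if isinstance(v, dict):
                walk(v, key, out)
            elif v is None:  # "discard" drops the field entirely
                if null_field == "empty_string":
                    out[key] = ""
                elif null_field == "string":
                    out[key] = "null"
            elif isinstance(v, list):
                out[key] = ",".join(str(x) for x in v) if array_structure == "csv" else (
                    v if array_structure == "array" else json.dumps(v))
            else:
                out[key] = v if isinstance(v, str) else json.dumps(v)
        return out
    return walk(json.loads(log), "", {})


# Constructed decoder chain mirroring the page's example: parent for the "Connect"
# line of the MySQL general log, child for "Access denied" events.
DECODERS = [
    Decoder("mysql_log", prematch=r"\d+ Connect"),
    Decoder("mysql_log-denied", parent="mysql_log", prematch="Access denied for user",
            regex=r"'(\S+)'@'(\S+)'", offset="after_prematch", order=["user", "srcip"]),
]
MYSQL_DENIED = ("2019-11-19T03:12:29.231083Z\t   42 Connect\t"  # constructed log line
                "Access denied for user 'root'@'192.168.1.45' (using password: YES)")
SURICATA_EVENT = (  # the Suricata EVE alert quoted above
    '{"timestamp":"2019-11-19T03:12:29.231083+0000","flow_id":2047777552751061,'
    '"in_iface":"ens33","event_type":"alert","src_ip":"217.160.0.187","src_port":80,'
    '"dest_ip":"192.168.1.45","dest_port":50512,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}')

if __name__ == "__main__":
    print(decode(DECODERS, MYSQL_DENIED))
    print(decode_json(SURICATA_EVENT))
```

Swapping the two names in order (["srcip", "user"]) makes the same line decode with the host stored as user, which is exactly the failure mode described under sibling decoders; a line without "Connect" falls through every decoder and yields no fields, so a rule keyed on user would never fire for it.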
Copyright © 2023-2025 是羽泪云诶