Wazuh: How do i use ossec-logtest ?

Created on 30 Jun 2018  路  3Comments  路  Source: wazuh/wazuh

Maybe this is a dumb question, but i am not quite understand with the ossec-logtest documentation. For example, i want to debug the rule id 11210 , alert level 10 and decoder name proftpd i debug this using this command

/var/ossec/bin/ossec-logtest -U 11210:10:proftpd

In my Wazuh manager kibana dashboard, wazuh were produce these log with id 11210, but ossec-logtest still looks like this.

root@debian:/home/debian# /var/ossec/bin/ossec-logtest -U 11210:10:proftpd
2018/07/01 03:01:41 ossec-testrule: INFO: Started (pid: 25385).
ossec-testrule: Type one log per line.

How's exactly do i use ossec-logtest?
Regards
Fathin

question

Most helpful comment

Hi @gagantous,

The ossec-logtest tool helps debugging decoders and rules by accepting input strings just like the manager would receive from the agent.

This is an example for the rule 11210: ProFTPD may write a log like this:

May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded

So, if you want to test this log in the manager, you can either run ossec-logtest and type the input string just like it appears in the log, or use an input file or pipe. For instance:

echo May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded | /var/ossec/bin/ossec-logtest

This is a running example for the log above, that would produce an alert of rule 11210:

# /var/ossec/bin/ossec-logtest
2018/07/01 12:56:08 ossec-testrule: INFO: Started (pid: 5366).
ossec-testrule: Type one log per line.

May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded


**Phase 1: Completed pre-decoding.
       full event: 'May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'
       timestamp: 'May 31 10:53:25'
       hostname: 'mail'
       program_name: 'proftpd'
       log: 'xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '::ffff:192.168.0.213'

**Phase 3: Completed filtering (rules).
       Rule id: '11210'
       Level: '10'
       Description: 'proftpd: Multiple failed login attempts.'
**Alert to be generated.

Hope it help.

Best regards.

All 3 comments

Hi @gagantous,

The ossec-logtest tool helps debugging decoders and rules by accepting input strings just like the manager would receive from the agent.

This is an example for the rule 11210: ProFTPD may write a log like this:

May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded

So, if you want to test this log in the manager, you can either run ossec-logtest and type the input string just like it appears in the log, or use an input file or pipe. For instance:

echo May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded | /var/ossec/bin/ossec-logtest

This is a running example for the log above, that would produce an alert of rule 11210:

# /var/ossec/bin/ossec-logtest
2018/07/01 12:56:08 ossec-testrule: INFO: Started (pid: 5366).
ossec-testrule: Type one log per line.

May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded


**Phase 1: Completed pre-decoding.
       full event: 'May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'
       timestamp: 'May 31 10:53:25'
       hostname: 'mail'
       program_name: 'proftpd'
       log: 'xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'

**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '::ffff:192.168.0.213'

**Phase 3: Completed filtering (rules).
       Rule id: '11210'
       Level: '10'
       Description: 'proftpd: Multiple failed login attempts.'
**Alert to be generated.

Hope it help.

Best regards.

Hi @vikman90
Thanks for the replies!
Where could i find such as these lines ?

May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded

i have checked my "alerts.log" and couldnt find it like those logs. these are my logs data.

** Alert 1530374436.0: - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,
2018 Jul 01 00:00:36 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 112.85.42.146
User: root
Jun 30 23:58:37 debian sshd[13444]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.146  user=root
uid: 0
euid: 0
tty: ssh

** Alert 1530374438.423: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2018 Jul 01 00:00:38 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 112.85.42.146
Src Port: 56969
User: root
Jun 30 23:58:38 debian sshd[13444]: Failed password for root from 112.85.42.146 port 56969 ssh2

** Alert 1530374438.793: - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,
2018 Jul 01 00:00:38 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 112.85.42.146
User: root
Jun 30 23:58:39 debian sshd[13446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.146  user=root
uid: 0
euid: 0
tty: ssh

** Alert 1530374439.1218: - syslog,sshd,invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,
2018 Jul 01 00:00:39 (Ubuntu002) 192.168.56.202->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 177.53.41.199
Jun 30 23:59:18 ubuntu sshd[26734]: Invalid user jessica from 177.53.41.199

which log string that you used ?

Oh i got it! this is what i am looking for

Jun 30 23:58:38 debian sshd[13444]: Failed password for root from 112.85.42.146 port 56969 ssh2

Thanks @vikman90
Best regards
Fathin

Was this page helpful?
0 / 5 - 0 ratings