How it works
Wazuh-Logtest is a powerful feature for working with rules. This solution allows the testing and verification of rules and decoders before putting them into production. Wazuh-Logtest is based on the use of unique sessions. Each session stores its own rules and decoders loaded. There are two use cases to evaluate rules through Wazuh-Logtest:
Note
For more information about rules and decoders, see the Wazuh Ruleset
Use cases: Test log from Wazuh-Logtest Tool
First request for logtest
Wazuh-Logtest tool is backward compatible with ossec-logtest and hides the handling of sessions from the user. The first time a processing request is sent, a session is initialized that will be used during the entire execution of the tool.
Run the tool /var/ossec/bin/wazuh-logtest
and paste the following log:
Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928
The output of Wazuh-logtest from the above record is as follows:
**Phase 1: Completed pre-decoding. full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928' timestamp: 'Oct 15 21:07:00' hostname: 'linux-agent' program_name: 'sshd' **Phase 2: Completed decoding. name: 'sshd' parent: 'sshd' srcip: '18.18.18.18' srcport: '48928' srcuser: 'blimey' **Phase 3: Completed filtering (rules). id: '5710' level: '5' description: 'sshd: Attempt to login using a non-existent user' groups: '['syslog', 'sshd', 'invalid_login', 'authentication_failed']' firedtimes: '1' gdpr: '['IV_35.7.d', 'IV_32.2']' gpg13: '['7.1']' hipaa: '['164.312.b']' mail: 'False' mitre: '{'id': ['T1110'], 'tactic': ['Credential Access'], 'technique': ['Brute Force']}' nist_800_53: '['AU.14', 'AC.7', 'AU.6']' pci_dss: '['10.2.4', '10.2.5', '10.6.1']' tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated.
As in Ossec-Logtest this indicates that rule 5710 level 5 matches and an alert is generated. If the log is pasted 8 times, in the filtering phase (rules) the 'firedtime' counter will increase until it reaches 8. Then rule 5712 matches level 10 is triggered by the frequency of rule 5710 and an alert is generated:
**Phase 1: Completed pre-decoding. full event: 'Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928' timestamp: 'Oct 15 21:07:00' hostname: 'linux-agent' program_name: 'sshd' **Phase 2: Completed decoding. name: 'sshd' parent: 'sshd' srcip: '18.18.18.18' srcport: '48928' srcuser: 'blimey' **Phase 3: Completed filtering (rules). id: '5712' level: '10' description: 'sshd: brute force trying to get access to the system.' groups: '['syslog', 'sshd', 'authentication_failures']' firedtimes: '1' frequency: '8' gdpr: '['IV_35.7.d', 'IV_32.2']' hipaa: '['164.312.b']' mail: 'False' mitre: '{'id': ['T1110'], 'tactic': ['Credential Access'], 'technique': ['Brute Force']}' nist_800_53: '['SI.4', 'AU.14', 'AC.7']' pci_dss: '['11.4', '10.2.4', '10.2.5']' tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated.
Use cases: Test log from RESTful API
For the use of Wazuh-Logtest from the API there are 2 endpoints detailed below:
Endpoint
Method
Description
/logtest
PUT
Check if a specified log raises any alert among other information.
/logtest/sessions/{token}
DELETE
Delete the saved session corresponding to {token}
PUT /logtest
accept the following list of parameters as a RequestBody:
token: alphanumeric string.
log_format: syslog or json.
location: path string.
event: string
1. Logging into the Wazuh API
Wazuh API endpoints require authentication in order to be used. Therefore, all calls must include a JSON Web Token. Use the cURL command to log in, the Wazuh API will provide a JWT token upon success.
Replace <user> and <password> with yours. By default, the user is wazuh and the password is wazuh.
TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
Check that everything works correctly
curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer $TOKEN"{ "data": { "title": "Wazuh API REST", "api_version": "4.1.0", "revision": 40100, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.1/LICENSE", "hostname": "wazuh-manager", "timestamp": "2020-11-10T15:15:31+0000" }, "error": 0 }
2. First request for Logtest
The first time a processing request is sent it has no token, since there is no active session, then a processing log request is sent to Logtest in Analysisd.
The following sample data is used for request
Field
Description
Example
log_format
Type of log, syslog or json
syslog
event
Log to be processed
Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928
location
The origin of the log
master->/var/log/syslog
token
Logtest Session id (optional)
The data sent to Logtest endpoint must be in JSON format and the request can be stored in a variable.
LOGTEST_REQ=$(echo '{'\ '"event": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",'\ '"log_format": "syslog",'\ '"location": "master->/var/log/syslog"'\ '}')
Then the request is send to logtest
curl -k -X PUT "https://localhost:55000/logtest" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d "$LOGTEST_REQ"{ "error": 0, "data": { "token": "95375d4c", "messages": [ "INFO: (7202): Session initialized with token '95375d4c'" ], "output": { "timestamp": "2020-11-10T17:46:23.289+0000", "rule": { "level": 5, "description": "sshd: Attempt to login using a non-existent user", "id": "5710", "mitre": { "id": [ "T1110" ], "tactic": [ "Credential Access" ], "technique": [ "Brute Force" ] }, "firedtimes": 1, "mail": false, "groups": [ "syslog", "sshd", "invalid_login", "authentication_failed" ], "pci_dss": [ "10.2.4", "10.2.5", "10.6.1" ], "gpg13": [ "7.1" ], "gdpr": [ "IV_35.7.d", "IV_32.2" ], "hipaa": [ "164.312.b" ], "nist_800_53": [ "AU.14", "AC.7", "AU.6" ], "tsc": [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ] }, "agent": { "id": "000", "name": "wazuh-master" }, "manager": { "name": "wazuh-master" }, "id": "1605030383.185271", "full_log": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "predecoder": { "program_name": "sshd", "timestamp": "Oct 15 21:07:00", "hostname": "linux-agent" }, "decoder": { "parent": "sshd", "name": "sshd" }, "data": { "srcip": "18.18.18.18", "srcport": "48928", "srcuser": "blimey" }, "location": "master->/var/log/syslog" }, "alert": true, "codemsg": 1 } }
As in wazuh-logtest tool this indicates that rule 5710 level 5 matches and an alert is generated.
The messages field gives information that a session was initialized with the 95375d4c
token.
This token should be added to the next requests to keep the session, including its event history, rules and
decoders loaded. If the token field is not added to the next request, a new session will be initialized,
reloading the rules and decoders.
2. Repeat the request with the same session
If the session token is added to the request and it is sent 7 more times, in the rule
object inside
the output field, the 'firedtime' counter will increase until it reaches 8.
Then rule 5712 matches level 10 is triggered by the frequency of rule 5710 and an alert is generated:
LOGTEST_REQ=$(echo '{'\ '"token": "95375d4c",'\ '"event": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",'\ '"log_format": "syslog",'\ '"location": "master->/var/log/syslog"'\ '}')Then the request is send to logtest 8 times
curl -k -X PUT "https://localhost:55000/logtest" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d "$LOGTEST_REQ"{ "error": 0, "data": { "token": "95375d4c", "output": { "timestamp": "2020-11-10T18:04:42.440+0000", "rule": { "level": 10, "description": "sshd: brute force trying to get access to the system.", "id": "5712", "mitre": { "id": [ "T1110" ], "tactic": [ "Credential Access" ], "technique": [ "Brute Force" ] }, "frequency": 8, "firedtimes": 1, "mail": false, "groups": [ "syslog", "sshd", "authentication_failures" ], "pci_dss": [ "11.4", "10.2.4", "10.2.5" ], "gdpr": [ "IV_35.7.d", "IV_32.2" ], "hipaa": [ "164.312.b" ], "nist_800_53": [ "SI.4", "AU.14", "AC.7" ], "tsc": [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ] }, "agent": { "id": "000", "name": "wazuh-master" }, "manager": { "name": "wazuh-master" }, "id": "1605031482.185271", "previous_output": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928\nOct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "full_log": "Oct 15 21:07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "predecoder": { "program_name": "sshd", "timestamp": "Oct 15 21:07:00", "hostname": "linux-agent" }, "decoder": { "parent": "sshd", "name": "sshd" }, "data": { "srcip": "18.18.18.18", "srcport": "48928", "srcuser": "blimey" }, "location": "master->/var/log/syslog" }, "alert": true, "codemsg": 0 } }
3. Close session
Once the session is not used, it is possible to close the session to release the history of events, rules and decoders loaded.
curl -k -X DELETE "https://localhost:55000/logtest/sessions/95375d4c" -H "Authorization: Bearer $TOKEN"{ "error": 0, "data": { "messages": [ "INFO: (7206): The session '95375d4c' was closed successfully" ], "codemsg": 0 } }