wazuh-logtest
wazuh-logtest tool allows the testing and verification of rules against provided log examples inside a sandbox in wazuh-analysisd. Helpful when writing and debugging custom rules and decoders, troubleshooting false positives and negatives.
-d |
Run as a Print debug output to the terminal. |
-h |
Display the help message. |
-U <rule-id:alert-level:decoder-name> |
This option will cause wazuh-logtest to return a zero exit status if the test results for the provided log line match the criteria in the arguments. Only one log line should be supplied for this to be useful. |
-l <location> |
Set custom location. |
-V |
Display the version and license information for Wazuh and wazuh-logtest. |
-q |
Quiet execution. |
-v |
Display the verbose results. |
Note
-v is the key option to troubleshoot a rule or decoder problem.
Example
Test decoding and rule matching for an SSH invalid login attempt:
# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.12.0
Type one log per line
Aug 04 08:07:00 linux-agent sshd[39245]: Invalid user baduser from 25.25.25.25 port 57238
**Phase 1: Completed pre-decoding.
full event: 'Aug 04 08:07:00 linux-agent sshd[39245]: Invalid user baduser from 25.25.25.25 port 57238'
timestamp: 'Aug 04 08:07:00'
hostname: 'linux-agent'
program_name: 'sshd'
**Phase 2: Completed decoding.
name: 'sshd'
parent: 'sshd'
srcip: '25.25.25.25'
srcport: '57238'
srcuser: 'baduser'
**Phase 3: Completed filtering (rules).
id: '5710'
level: '5'
description: 'sshd: Attempt to login using a non-existent user'
groups: '['syslog', 'sshd', 'authentication_failed', 'invalid_login']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1110.001', 'T1021.004']'
mitre.tactic: '['Credential Access', 'Lateral Movement']'
mitre.technique: '['Password Guessing', 'SSH']'
nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.