To report a found bug,
please, select the text with the bug and click Report a Bug or
CTRL+ENTER.
Help
system 10.5 of 04/10/2024,
©
FORESIGHT
To install and set up Wazuh, and to connect data import from file via rsyslog/Logstash, see the manufacturer documentation.
To parse an event from CEF file, create a decoder. Each event requires an individual decoder.
The example of decoder for parsing the FAP_EV_LOGONS event that is system logon:
Wazuh
<!--
08/10/2022
Log Sample:
CEF:0|Foresight|Foresight Analytical Platform|9.8.10053|FAP_EV_LOGONS|AuditLog|Unknown|act=System logon cs1Label=MetabaseId cs1=MB_DEF rt=Aug 11 2022 11:25:01 outcome=Success shost=WKSTATION suser=name.surname cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=192.168.176.1;172.26.224.1;192.168.141.1;192.168.217.1;172.17.32.1;10.9.43.44 msg=Platform version: 9.8.10053.0 D Master x64 Desktop application
-->
<decoder name= "fap-cef-logon">
<prematch>CEF:0\|Foresight\|Foresight Analytical Platform\|\d+.\d+.\d+\|FAP_EV_LOGONS\|AuditLog\|Unknown\|</prematch>
</decoder>
<decoder name="fap-cef-logon-fields">
<parent>fap-cef-logon</parent>
<regex>act=(\.+) cs1Label=(\.+) cs1=(\.+) rt=(\.+) outcome=(\.+) shost=(\.+) suser=(\.+) cs2Label=(\.+) cs2=(\.+) cs3Label=(\.+) cs3=(\.+) msg=(\.*)</regex>
<order>audit.act, audit.cs1Label, audit.cs1, audit.rt, audit.outcome, audit.shost, audit.suser, audit.cs2Label, audit.cs2, audit.cs3Label, audit.cs3, audit.msg</order>
</decoder>
To parse other events, create decoders similarly to that in the example.
See also:
Support of Work with Security Information and Event Management Systems