Custom decoders and rules - Alert not shown

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Wazuh version 4.7.4

Describe the issue:

Configuration:

Hi,
I have created a custom decoder and rule to detect a simple threat.


<decoder name="custom_malicious_decoder">
  <program_name>json_program</program_name>
  <prematch>"message":</prematch>
  <!-- type="pcre2" is required for the [^"] character classes; the default OS_Regex engine has none.
       \s* after each comma tolerates the spacing in the test log, and "ts" may be an unquoted number. -->
  <regex type="pcre2">"ts":\s*"?([^",]+)"?,\s*"uid":\s*"([^"]+)",\s*"id.orig_h":\s*"([^"]+)",\s*"id.orig_p":\s*([^,]+),\s*"id.resp_h":\s*"([^"]+)",\s*"id.resp_p":\s*([^,]+),\s*"method":\s*"([^"]+)",\s*"host":\s*"([^"]+)",\s*"uri":\s*"([^"]+)",\s*"user_agent":\s*"([^"]+)",\s*"status_code":\s*([^,]+),\s*"referrer":\s*"([^"]+)"</regex>
  <!-- one field name per capture group, in the same order as the groups -->
  <order>ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, method, host, uri, user_agent, status_code, referrer</order>
</decoder>

Rule


<group name="zeek,attack,web">
  <rule id="600300" level="10">
    <decoded_as>json</decoded_as>
    <field name="host">malicious-site.com</field>
    <field name="uri">/exploit</field>
    <description>⚠️ Possible Exploit Attempt Detected! Host: malicious-site.com, URI: /exploit</description>
    <mitre>
      <id>T1189</id>
    </mitre>
  </rule>
</group>

Log for testing


{ "@timestamp": "2025-02-05T12:20:55.485Z", "@version": "1", "processedAt": "2025-02-05T12:20:55.483Z", "ts": 1737982082.966652, "uid": "test123", "id.orig_h": "192.168.1.50", "id.orig_p": 54321, "id.resp_h": "103.29.70.123", "id.resp_p": 80, "method": "GET", "host": "malicious-site.com", "uri": "/exploit", "user_agent": "Mozilla/5.0", "status_code": 200, "referrer": "http://phishing.com" }

After creating them, it works fine in logtest as well as in the dashboard (refer to the attached images), but I am not able to see the alerts triggered in the index.
I have already configured Wazuh agents on a couple of servers and I'm getting alerts for them. The issue is while testing the same for custom logs. Also, there is no data in alerts.json and archives.json.

I have changed the ossec.conf to capture the logs in archives.json. All the alerts were available in it except this one. Am I missing anything here?

While testing, I observed that the fields are not indexed and the alerts index has a format of its own. Is this causing the issue?
I have also created a new index by defining the fields, but the alerts are not created.

curl -X PUT "https://127.0.0.1:9200/wazuh-zeek-logs-new" -u admin:password -H "Content-Type: application/json" -d '{
  "mappings": {
    "properties": {
      "host": { "type": "text" },
      "id.orig_h": { "type": "text" },
      "id.orig_p": { "type": "long" },
      "id.resp_h": { "type": "text" },
      "id.resp_p": { "type": "long" },
      "method": { "type": "text" },
      "processedAt": { "type": "date" },
      "referrer": { "type": "text" },
      "status_code": { "type": "long" },
      "ts": { "type": "float" },
      "uid": { "type": "text" },
      "uri": { "type": "text" },
      "user_agent": { "type": "text" }
    }
  }
}'

Relevant Logs or Screenshots:
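An added troubleshooting helper, not part of the original post or of Wazuh itself: a small Python script that reads the manager's archives.json and alerts.json (JSON lines) and reports at which stage a test event disappears, since "in archives but no alert" and "not in archives at all" point at different components. The sample lines below are constructed in the shape analysisd writes; the agent name, file paths and field values are assumptions.

```python
"""Triage helper (added example, not Wazuh code): find the stage at which a
test event is lost between log collection and alerts.json."""
import json

# Constructed sample lines in the shape analysisd writes (not from a real manager).
# The Zeek HTTP event was decoded by the built-in "json" decoder but matched no rule.
ARCHIVES = r"""
{"timestamp":"2025-02-05T12:21:00.000+0000","agent":{"id":"001","name":"web01"},"full_log":"{\"host\": \"malicious-site.com\", \"uri\": \"/exploit\"}","decoder":{"name":"json"},"data":{"host":"malicious-site.com","uri":"/exploit"},"location":"/var/log/zeek/http.json"}
{"timestamp":"2025-02-05T12:21:01.000+0000","agent":{"id":"001","name":"web01"},"rule":{"level":5,"id":"5501","description":"PAM: Login session opened."},"full_log":"pam_unix(sshd:session): session opened","decoder":{"name":"pam"},"location":"/var/log/auth.log"}
"""
ALERTS = r"""
{"timestamp":"2025-02-05T12:21:01.000+0000","rule":{"level":5,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web01"},"full_log":"pam_unix(sshd:session): session opened","location":"/var/log/auth.log"}
"""

def load_events(text):
    """Parse JSON-lines output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matching(events, wanted):
    """Events whose decoded 'data' carries every wanted field with that exact value."""
    return [ev for ev in events
            if all(ev.get("data", {}).get(k) == v for k, v in wanted.items())]

def triage(archives_text, alerts_text, rule_id, wanted):
    """Return the first stage at which the event is lost:
    not-collected  -> never reached analysisd (check <localfile> and agent connectivity)
    no-rule-match  -> decoded, but the rule's <field> conditions did not match
    not-in-alerts  -> rule fired in archives but alerts.json lacks it (check alert level)
    alerted        -> present in alerts.json; Filebeat and the indexer are the next stop
    """
    archived = matching(load_events(archives_text), wanted)
    if not archived:
        return "not-collected"
    fired = [ev for ev in archived if ev.get("rule", {}).get("id") == rule_id]
    if not fired:
        return "no-rule-match(decoder=%s)" % archived[0].get("decoder", {}).get("name")
    alerted = [ev for ev in matching(load_events(alerts_text), wanted)
               if ev.get("rule", {}).get("id") == rule_id]
    return "alerted" if alerted else "not-in-alerts"

if __name__ == "__main__":
    print(triage(ARCHIVES, ALERTS, "600300", {"host": "malicious-site.com", "uri": "/exploit"}))
```

On a live manager, read /var/ossec/logs/archives/archives.json and /var/ossec/logs/alerts/alerts.json into the two text arguments instead of the constructed samples.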