I cannot see local rules

Giovanni_Memoli · September 12, 2022, 8:12pm

Hi,
an old colleague created a local rule on an old Wazuh server and it worked.
Now I created a new wazuh server and copy & paste the rule, under local rule, but I cannot see it under discovery session.
Rule is:

<rule id="100020" level="3">
   <decoded_as>json</decoded_as>
   <field name="timestamp">\.+</field>
   <field name="gdprflag">^GDPR$</field>
   <field name="platform">\.+</field>
   <field name="module">\.+</field>
   <description>GDPR - $(platform), User: $(user), $(function), Result: $(result)</description>
</rule>

There is something wrong, missing to work?
Thanks

warkolm · September 12, 2022, 10:18pm

Welcome to our community!

You may need to ask the wazuh community this, as it's not something we support.

Giovanni_Memoli · September 14, 2022, 4:53pm

Hi,
I tried the rule tester and it works fine.
Problem is this:
Sep 14 18:51:57 localhost filebeat: 2022-09-14T18:51:57.157+0200#011WARN#011[elasticsearch]#011elasticsearch/client.go:414#011Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.September, 14, 18, 51, 56, 147634100, time.Local), Meta:{"pipeline":"filebeat-7.17.5-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"d1c7328f-82bd-4cbf-878a-503090c0c2e8","hostname":"localhost.localdomain","id":"a6618dd7-9f7a-4166-97ae-07331fec1b33","name":"localhost.localdomain","type":"filebeat","version":"7.17.5"},"ecs":{"version":"1.12.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"localhost.localdomain"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":2378538485},"message":"{"timestamp":"2022-09-14T18:51:55.226+0200","rule":{"level":3,"description":" GDPR - Service Manager, User: 4175, Campaign Popup, Result: OK ","id":"100020","firedtimes":2010,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"046","name":"SRV-CTI-RM","ip":"192.168.64.124"},"manager":{"name":"localhost.localdomain"},"id":"1663174315.2716828213","full_log":"{\"campaignname\":\"Telepass_PayX\",\"anagraphicid\":71621,\"fields\":[{\"FieldName\":\"ID_CLIENTE\",\"FieldValue\":\"A2Z7V110213I6A13\"},{\"FieldName\":\"phone1\",\"FieldValue\":\"3473202252\"}],\"timestamp\":\"14/09/2022 18:51:53.613\",\"gdprflag\":\"GDPR\",\"platform\":\"Service Manager\",\"module\":\"SmCampaignWS\",\"local_hostname\":\"SRV-CTI-RM\",\"local_ip\":\"192.168.52.10\",\"remote_ip\":\"\",\"function\":\"Campaign Popup\",\"user\":\"4175\",\"userType\":null,\"result\":\"OK\",\"information\":\"\"}","decoder":{"name":"json"},"data":{"campaignname":"Telepass_PayX","anagraphicid":"71621","fields":[{"FieldName":"ID_CLIENTE","FieldValue":"A2Z7V110213I6A13"},{"FieldName":"phone1","FieldValue":"3473202252"}],"timestamp":"14/09/2022 18:51:53.613","gdprflag":"GDPR","platform":"Service Manager","module":"SmCampaignWS","local_hostname":"SRV-CTI-RM","local_ip":"192.168.52.10","function":"Campaign Popup","user":"4175","userType":"null","result":"OK"},"location":"\\Firstel\\ServiceManager\\SmLogs\\WAZUH\\WAZUH.Service Manager_SmCampaignWS.20220914.log"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::102861655-64768", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000d73110), Source:"/var/ossec/logs/alerts/alerts.json", Offset:2378539922, Timestamp:time.Date(2022, time.September, 14, 0, 0, 7, 655172627, time.Local), TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x6218b57, Device:0xfd00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.timestamp] of type [date] in document with id 'EXLqPIMBDgA2g_0SFFhf'. Preview of field's value: '14/09/2022 18:51:53.613'","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [14/09/2022 18:51:53.613] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Failed to parse with all enclosed parsers"}}}, dropping event!

system · October 12, 2022, 4:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.