
feat: wazuh bf #1215

Open
wants to merge 6 commits into master

Conversation

bouddha-fr

successful test

wazuhbf

@LaurenceJJones
Contributor

LaurenceJJones commented Jan 9, 2025

Hey 👋🏻

Thank you for opening a pull request!

There are a few areas where I see some improvement; we can use the UnmarshalJSON helper function https://docs.crowdsec.net/docs/next/expr/json_helpers/#unmarshaljsonjsonblob-string-out-mapstringinterface-targetkey-string

To parse the json string into a defined json object, you can see Caddy parser on how you can also use it within this parser.

Then once we unmarshal the json to the object we can then parse the message property to get the defined information from the CLF. If you want to do this, great! If not, I can take a look sometime in the near future, and it would be useful if you can give us some example log lines so we can add them to the testing suite.

Note: please redact any PII from the log lines such as IP address or user information; you can use placeholders to reflect this information and we will fill it with fake data, such as <ip address> or <user_name> for example.

@bouddha-fr
Author

bouddha-fr commented Jan 9, 2025

Can you take a look, what do you think about it? Does it seem better to you?
successful test

@LaurenceJJones
Contributor

LaurenceJJones commented Jan 9, 2025

Can you take a look, what do you think about it? Does it seem better to you? successful test

Nearly there! Since we need to know if it is "failing auth" we could do this:

  - meta: log_type
    expression: |
        evt.Unmarshaled.wazuh.type == 'response' && evt.Unmarshaled.wazuh.method == 'post' && evt.Unmarshaled.wazuh.statusCode in [401,'401'] && evt.Unmarshaled.wazuh.req.url == '/auth/login' ? 'wazuh_failed_auth' : ''

Try it; you may need to wrap all the && statements in a (), such as (...) ? 'wazuh_failed_auth' : ''

@bouddha-fr
Author

bouddha-fr commented Jan 9, 2025

like this ?

successful test

@LaurenceJJones
Contributor

like this ?

Maybe if we can add some tests we can ensure whether it works or not; I can add those if you add them here.

@bouddha-fr
Author

Maybe if we can add some tests we can ensure if it works or not, I can add those if you add them here.

You may need two logs? One with a 200 code and another with a 401 code?

@bouddha-fr
Author

{"type":"response","@timestamp":"2025-01-09T12:31:30Z","tags":[],"pid":60937,"method":"post","statusCode":401,"req":{"url":"/auth/login","method":"post","headers":{"host":"test.auk.net","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br, zstd","referer":"https://test.auk.net/app/login?nextUrl=%2F","content-type":"application/json","osd-version":"2.13.0","osd-xsrf":"osd-fetch","content-length":"41","origin":"https://test.auk.net","sec-gpc":"1","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","priority":"u=0"},"remoteAddress":"1.2.3.4","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0","referer":"https://test.auk.net/app/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":151,"contentLength":9},"message":"POST /auth/login 401 151ms - 9.0B"}

@bouddha-fr
Author

Is it all good? Or do I need to revise the PR?

@LaurenceJJones
Contributor

Is it all good? Or do I need to revise the PR?

Apologies, it's been a manic week. I need to add the tests; the only question is do we rename it from wazuh to opensearch-dashboards as that technically is the actual program?

@bouddha-fr
Author

the only question is do we rename it from wazuh to opensearch-dashboards as that technically is the actual program?

Very well. Regarding opensearch-dashboards, actually I named it this way because in the Wazuh logs that's how it's labeled, they don't use wazuh or even wazuh-dashboards. But I can modify it according to your preference.

@LaurenceJJones
Contributor

Apologies for the delay. Could we rename all elements of wazuh to opensearch or opensearchDashboard maybe? The reason is that opensearch is the underlying application: it can be used by other services than wazuh, and keeping it tied to the application can help users find it without thinking it is only for wazuh.

I will wait for the changes, then proceed to add the tests.

@bouddha-fr
Author

bouddha-fr commented Jan 22, 2025

Hello, after some tests, if I change opensearch-dashboards, the parser stops working. Maybe you know why? I’m providing the full log, it works on my side, I’ll let you do your tests.

Full log:

2025-01-22T13:09:20.606136+01:00 wazuh-prod opensearch-dashboards[9400]: {"type":"response","@timestamp":"2025-01-22T12:09:20Z","tags":[],"pid":9400,"method":"post","statusCode":401,"req":{"url":"/auth/login?dataSourceId=","method":"post","headers":{"host":"wazuh.auk.test","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0","accept":"*/*","accept-language":"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home","content-type":"application/json","osd-version":"2.16.0","osd-xsrf":"osd-fetch","content-length":"40","origin":"https://wazuh.auk.test","sec-gpc":"1","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","priority":"u=0"},"remoteAddress":"1.2.3.4","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"https://wazuh.auk.test/app/login?nextUrl=%2Fapp%2Fwz-home"},"res":{"statusCode":401,"responseTime":333,"contentLength":9},"message":"POST /auth/login?dataSourceId= 401 333ms - 9.0B"}'
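As an added illustration (not code from the PR or from CrowdSec), the following Python reproduces the two steps the review describes: splitting the syslog prefix from the JSON body and unmarshalling it, then applying the failed-auth classification from the proposed `log_type` expression (`type == 'response'`, `method == 'post'`, `statusCode in [401,'401']`, `req.url == '/auth/login'`). It goes one step beyond the expression as written: because the full log above carries the URL as `/auth/login?dataSourceId=`, the path is compared with its query string stripped. The regex, the sample lines (RFC 5737 addresses) and the function names are constructed for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Hypothetical regex for the syslog prefix seen in the full log above:
# "<timestamp> <host> opensearch-dashboards[<pid>]: {json}" (not the PR's parser).
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<json>\{.*\})\s*$")

# Constructed sample lines, trimmed to the fields the expression uses.
SAMPLE_LINES = [
    # failed login; note the query string on the URL, as in the full log above
    '2025-01-22T13:09:20+01:00 wazuh-prod opensearch-dashboards[9400]: {"type":"response",'
    '"@timestamp":"2025-01-22T12:09:20Z","method":"post","statusCode":401,'
    '"req":{"url":"/auth/login?dataSourceId=","method":"post","remoteAddress":"192.0.2.10"}}',
    # successful login: must not be flagged
    '2025-01-22T13:10:01+01:00 wazuh-prod opensearch-dashboards[9400]: {"type":"response",'
    '"@timestamp":"2025-01-22T12:10:01Z","method":"post","statusCode":200,'
    '"req":{"url":"/auth/login","method":"post","remoteAddress":"192.0.2.10"}}',
    # 401 on another endpoint: must not be flagged
    '2025-01-22T13:11:00+01:00 wazuh-prod opensearch-dashboards[9400]: {"type":"response",'
    '"@timestamp":"2025-01-22T12:11:00Z","method":"get","statusCode":401,'
    '"req":{"url":"/api/status","method":"get","remoteAddress":"198.51.100.7"}}',
]

def unmarshal_line(line):
    """Split the syslog prefix from the JSON body and decode it (the UnmarshalJSON step)."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    try:
        return json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None

def classify(evt):
    """The log_type expression from the review: a POST to /auth/login answered with 401."""
    req = evt.get("req") or {}
    path = urlsplit(req.get("url", "")).path  # '/auth/login?dataSourceId=' -> '/auth/login'
    failed = (evt.get("type") == "response" and str(evt.get("method", "")).lower() == "post"
              and evt.get("statusCode") in (401, "401") and path == "/auth/login")
    return "wazuh_failed_auth" if failed else ""

def failed_logins(lines):
    """(remoteAddress, @timestamp) of every failed login in an iterable of raw log lines."""
    hits = []
    for line in lines:
        evt = unmarshal_line(line)
        if evt and classify(evt) == "wazuh_failed_auth":
            hits.append((evt["req"].get("remoteAddress"), evt.get("@timestamp")))
    return hits
```

The 200 and the unrelated 401 lines are there so a test of the expression covers both the success case the thread asks for and a negative case on a different endpoint.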
