No alerts for http status code 200 #28637

meimi039 · 2025-03-13T17:21:48Z

meimi039
Mar 13, 2025

This is a very similar question to #15910

My goal to to create an alert, when a user accesses a special URL.
A log entry looks like this:

[13/Mar/2025:16:17:50 +0000] - 200 200 - GET https blog.my-site.de "/kali-desktop-in-lxc-via-guacamole/" [Client 140.248.36.55] [Length 7752] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Tw
8000
itterbot/1.0" "-"

To test my configuration, I created a custom decoder for my nginx-proxy-manager:

<decoder name="npm-accesslogs">
  <prematch type="pcre2">^\[\d{2}\/\w+\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\]</prematch>
  <regex type="pcre2">^\[(\d{2}\/\w+\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4})\] ?-? ([\d-]+) ([\d-]+) - (\w+) https? (\S+) ("[^"]+"|-) \[Client (\S+)\] \[Length (\d+|-)\] \[Gzip ([^\]]+|-)\] \[Sent-to ([^\]]+|-)\] ("[^"]+"|-) ("[^"]+"|-)$</regex>
  <order>timestamp, http_status_code, secondary_status_code, http_method, url, request_uri, client_ip, content_length, gzip, sent_to, http_useragent, http_referer</order>
</decoder>

I also added some rules for testing:

<group name="npm,accesslogs,">
  <!-- Basisregel für alle NPM-Events -->
  <rule id="100200" level="3">
    <decoded_as>npm-accesslogs</decoded_as>
    <description>All NPM access log events</description>
    <group>accesslog,web</group>
  </rule>

  <!-- specific statuscodes -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="http_status_code">401</field>
    <description>Unauthorized access attempt (401)</description>
    <group>authentication_failed</group>
  </rule>

  <rule id="100202" level="4">
    <if_sid>100200</if_sid>
    <field name="http_status_code">404</field>
    <description>Resource not found (404)</description>
    <group>not_found</group>
  </rule>

  <rule id="100203" level="3">
    <if_sid>100200</if_sid>
    <field name="http_status_code">200</field>
    <description>Successful request (200)</description>
    <group>success</group>
  </rule>

</group>

A logtest for the given logentry gives my the following output:

/var/ossec/bin/wazuh-logtest 
Starting wazuh-logtest v4.10.1
Type one log per line

[13/Mar/2025:16:17:50 +0000] - 200 200 - GET https blog.my-site.de "/kali-desktop-in-lxc-via-guacamole/" [Client 140.248.36.55] [Length 7752] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0" "-"

**Phase 1: Completed pre-decoding.
        full event: '[13/Mar/2025:16:17:50 +0000] - 200 200 - GET https blog.my-site.de "/kali-desktop-in-lxc-via-guacamole/" [Client 140.248.36.55] [Length 7752] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0" "-"'

**Phase 2: Completed decoding.
        name: 'npm-accesslogs'
        client_ip: '140.248.36.55'
        content_length: '7752'
        gzip: '-'
        http_method: 'GET'
        http_referer: '"-"'
        http_status_code: '200'
        http_useragent: '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"'
        request_uri: '"/kali-desktop-in-lxc-via-guacamole/"'
        secondary_status_code: '200'
        sent_to: 'ghost'
        timestamp: '13/Mar/2025:16:17:50 +0000'
        url: 'blog.my-site.de'

**Phase 3: Completed filtering (rules).
        id: '100203'
        level: '3'
        description: 'Successful request (200)'
        groups: '['npm', 'accesslogs', 'success']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

So in theory I am happy with the result. But in the threathunting events I can only see http_status_code 400 events, although from the logtest there should be matches for rule 100203:

I cannot explain this to myself. So maybe someone can help me with that, as I think adding a filter for the URL, I want to alert on, is the easier part.

Thank you for helping me, as I am new to wazuh :-)

Answered by matias-braida

Mar 19, 2025

Hi,

I could reproduce the problem on my local machine with the information you sent me previously.

There are issues indexing these event logs. The problem is the field named "timestamp" in your custom decoder.
The format of this field is not the expected, the format used is ISO 8601 (YYYY-MM-DDTHH:MM:SSZ). In future Wazuh version 5.x the timestamp fields format will be configurable.

A workaround for this situation could be:

Change the field name in your custom decoder for example "timestamp1"
Change the current "timestamp" field format to match ISO 8601.

View full answer

matias-braida · 2025-03-14T19:57:54Z

matias-braida
Mar 14, 2025
Collaborator

Hello meimi039,

Let me understand your problem. Are you wondering why you don't receive alerts other than the one with ID 100200 and code 400?

Having tested your custom rules with "wazuh-logtest" tool successfully. Now you can check if the expected log events are reaching the Wazuh manager in the working environment.

To check all data that is collected by the manager you can set the parameter "logall" and "logall_json" to "yes" on the configuration file "ossec.conf" on the wazuh-manager.
Please take a look at the links:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

After setting these parameters, please restart the wazuh-manager.

With these parameters set to "yes", the manager will start to log all events received from agents even if they don't trip a rule.
All the received event logs will be logged to files "/var/ossec/logs/archives/archives.log" and "/var/ossec/logs/archives/archives.json".

At this point, you can verify if the manager is receiving the expected event logs. If not, there is another issue that is not related to the custom decoders or rules you have created.

Regards

1 reply

meimi039 Mar 15, 2025
Author

Hi Matias!

Thanks for the reply. I set logall to yes and found lines of the following pattern:

2025 Mar 15 07:58:27 (webdocker) any->/var/docker/web/nginx-proxy-manager/data/logs/proxy-host-19_access.log [15/Mar/2025:11:58:25 +0000] - 200 200 - GET https blog.my-site.de "/robots.txt" [Client 185.191.171.15] [Length 190] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" "-"

So the manager receives the logs of the agent. But still missing the alerts in the webui, even though the logtest states "**Alert to be generated."

--- Off-Topic ---

I also send traefik-logs from an other agent to wazuh. They look like this in /var/ossec/logs/archives/archives.log:

2025 Mar 15 08:06:33 (ccloud) any->/var/docker/web/traefik/log/access.log {"ClientAddr":"185.101.373.311:57034","ClientHost":"185.101.373.311","ClientPort":"57034","ClientUsername":"-","DownstreamContentSize":555,"DownstreamStatus":404,"Duration":1489794,"OriginContentSize":555,"OriginDuration":1205745,"OriginStatus":404,"Overhead":284049,"RequestAddr":"www.my-site.de","RequestContentSize":0,"RequestCount":28474,"RequestHost":"www.my-site.de","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"website@docker","ServiceAddr":"172.18.0.2:80","ServiceName":"website-web@docker","ServiceURL":"http://172.18.0.2:80","SpanId":"0000000000000000","StartLocal":"2025-03-15T13:06:33.076964956+01:00","StartUTC":"2025-03-15T12:06:33.076964956Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"websecure","level":"info","msg":"","time":"2025-03-15T13:06:33+01:00"}

I added a rule like so:

  <rule id="100002" level="3">
    <decoded_as>json</decoded_as>
    <field name="entryPointName">websecure</field>
    <description>Traefik-Access log event detected</description>
  </rule>

Logtest shows in that case:

/var/ossec/bin/wazuh-logtest 
Starting wazuh-logtest v4.10.1
Type one log per line

{"ClientAddr":"185.101.373.311:57034","ClientHost":"185.101.373.311","ClientPort":"57034","ClientUsername":"-","DownstreamContentSize":555,"DownstreamStatus":404,"Duration":1489794,"OriginContentSize":555,"OriginDuration":1205745,"OriginStatus":404,"Overhead":284049,"RequestAddr":"www.my-site.de","RequestContentSize":0,"RequestCount":28474,"RequestHost":"www.my-site.de","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"website@docker","ServiceAddr":"172.18.0.2:80","ServiceName":"website-web@docker","ServiceURL":"http://172.18.0.2:80","SpanId":"0000000000000000","StartLocal":"2025-03-15T13:06:33.076964956+01:00","StartUTC":"2025-03-15T12:06:33.076964956Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"websecure","level":"info","msg":"","time":"2025-03-15T13:06:33+01:00"}

**Phase 1: Completed pre-decoding.
        full event: '{"ClientAddr":"185.101.373.311:57034","ClientHost":"185.101.373.311","ClientPort":"57034","ClientUsername":"-","DownstreamContentSize":555,"DownstreamStatus":404,"Duration":1489794,"OriginContentSize":555,"OriginDuration":1205745,"OriginStatus":404,"Overhead":284049,"RequestAddr":"www.my-site.de","RequestContentSize":0,"RequestCount":28474,"RequestHost":"www.my-site.de","RequestMethod":"GET","RequestPath":"/favicon.ico","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"website@docker","ServiceAddr":"172.18.0.2:80","ServiceName":"website-web@docker","ServiceURL":"http://172.18.0.2:80","SpanId":"0000000000000000","StartLocal":"2025-03-15T13:06:33.076964956+01:00","StartUTC":"2025-03-15T12:06:33.076964956Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"websecure","level":"info","msg":"","time":"2025-03-15T13:06:33+01:00"}'

**Phase 2: Completed decoding.
        name: 'json'
        ClientAddr: '185.101.373.311:57034'
        ClientHost: '185.101.373.311'
        ClientPort: '57034'
        ClientUsername: '-'
        DownstreamContentSize: '555'
        DownstreamStatus: '404'
        Duration: '1489794'
        OriginContentSize: '555'
        OriginDuration: '1205745'
        OriginStatus: '404'
        Overhead: '284049'
        RequestAddr: 'www.my-site.de'
        RequestContentSize: '0'
        RequestCount: '28474'
        RequestHost: 'www.my-site.de'
        RequestMethod: 'GET'
        RequestPath: '/favicon.ico'
        RequestPort: '-'
        RequestProtocol: 'HTTP/2.0'
        RequestScheme: 'https'
        RetryAttempts: '0'
        RouterName: 'website@docker'
        ServiceAddr: '172.18.0.2:80'
        ServiceName: 'website-web@docker'
        ServiceURL: 'http://172.18.0.2:80'
        SpanId: '0000000000000000'
        StartLocal: '2025-03-15T13:06:33.076964956+01:00'
        StartUTC: '2025-03-15T12:06:33.076964956Z'
        TLSCipher: 'TLS_AES_128_GCM_SHA256'
        TLSVersion: '1.3'
        TraceId: '00000000000000000000000000000000'
        entryPointName: 'websecure'
        level: 'info'
        time: '2025-03-15T13:06:33+01:00'

**Phase 3: Completed filtering (rules).
        id: '100002'
        level: '3'
        description: 'Traefik-Access log event detected'
        groups: '['local']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

So even though this example is a 404 entry, the 200 OK entries show up in the webui for my traefik logs:

--- End-Off-Topic ---

So as the traefik logs do work as expected, I cannot figure out, why the NPM logs behave differently except for the difference in the log-formats (json/syslog).

Maybe someone has a working example for NPM or a fresh start, as I am in the beginning of configuring wazuh :-)

matias-braida · 2025-03-17T12:19:17Z

matias-braida
Mar 17, 2025
Collaborator

Hi meimi039,

To get the event log information is convenient to use the events found in the "archives.json" file instead of the "archives.log".

The log you are looking for will be inside a JSON object in the file "archives.json" in key "full_log":
example:

"full_log": "Sep 26 15:55:59 VBox su: (to root) sudo on pts/2"

This is because sometimes there are differences between the message of "archives.json" and "archives.log".

Once you have the event log from the "archives.json" file, we have to test it again in the wazuh-logtest tool.

Regards

4 replies

meimi039 Mar 17, 2025
Author

Hi matias!

Thanks for digging deeper. In the archives.json I found entries, like this one:

{
  "timestamp": "2025-03-17T16:00:40.556-0400",
  "rule": {
    "level": 3,
    "description": "Successful request (200)",
    "id": "100203",
    "firedtimes": 32,
    "mail": false,
    "groups": [
      "npm",
      "accesslogs",
      "success"
    ]
  },
  "agent": {
    "id": "001",
    "name": "webdocker",
    "ip": "192.168.311.381"
  },
  "manager": {
    "name": "wazuh"
  },
  "id": "1742241640.65373154",
  "full_log": "[17/Mar/2025:20:00:39 +0000] - 200 200 - GET https blog.my-site.de \"/content/images/thumbnail/photo-1552826580-0d47cf898dee\" [Client 192.9.377.249] [Length 667819] [Gzip -] [Sent-to ghost] \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36\" \"https://blog.my-site.de/normal_url/\"",
  "decoder": {
    "name": "npm-accesslogs"
  },
  "data": {
    "url": "blog.my-site.de",
    "timestamp": "17/Mar/2025:20:00:39 +0000",
    "http_status_code": "200",
    "secondary_status_code": "200",
    "http_method": "GET",
    "request_uri": "\"/content/images/thumbnail/photo-1552826580-0d47cf898dee\"",
    "client_ip": "192.9.377.249",
    "content_length": "667819",
    "gzip": "-",
    "sent_to": "ghost",
    "http_useragent": "\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36\"",
    "http_referer": "\"https://blog.my-site.de/normal_url/\""
  },
  "location": "/var/docker/web/nginx-proxy-manager/data/logs/proxy-host-19_access.log"
}

In the logtest, I see this after replacing the \" by single ":

/var/ossec/bin/wazuh-logtest 
Starting wazuh-logtest v4.10.1
Type one log per line

[17/Mar/2025:20:00:39 +0000] - 200 200 - GET https blog.my-site.de "/content/images/thumbnail/photo-1552826580-0d47cf898dee" [Client 192.109.77.249] [Length 667819] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" "https://blog.my-site.de/normal_url/"

**Phase 1: Completed pre-decoding.
        full event: '[17/Mar/2025:20:00:39 +0000] - 200 200 - GET https blog.my-site.de "/content/images/thumbnail/photo-1552826580-0d47cf898dee" [Client 192.109.77.249] [Length 667819] [Gzip -] [Sent-to ghost] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" "https://blog.my-site.de/normal_url/"'

**Phase 2: Completed decoding.
        name: 'npm-accesslogs'
        client_ip: '192.109.77.249'
        content_length: '667819'
        gzip: '-'
        http_method: 'GET'
        http_referer: '"https://blog.my-site.de/normal_url/"'
        http_status_code: '200'
        http_useragent: '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"'
        request_uri: '"/content/images/thumbnail/photo-1552826580-0d47cf898dee"'
        secondary_status_code: '200'
        sent_to: 'ghost'
        timestamp: '17/Mar/2025:20:00:39 +0000'
        url: 'blog.my-site.de'

**Phase 3: Completed filtering (rules).
        id: '100203'
        level: '3'
        description: 'Successful request (200)'
        groups: '['npm', 'accesslogs', 'success']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

matias-braida Mar 17, 2025
Collaborator

Hi,

In the records of the file "archive.json", if an event triggers a rule you can see the key "rule" with the data related to the triggered rule.
Also, you can find the key "decoder" with the data associated with the decoder that matches the event log.

In the case you have shared, both the "rule" and the "decoder" keys are present and have the expected information.

Have you tried in the dashboard to only filter using the rule.id = 100203?
Also, take into account that the screen does not show all the alert entries, they are paginated.

meimi039 Mar 18, 2025
Author

Hi matias!

That is exaclty what I dont understand. It looks all good in the console, but in the dashboard no alerts match the rule 100203:

I cannot figure out what I am missing here. I temporarily set the alert-level to 12 just to make the alert more urgent. But that didnt work out.

matias-braida Mar 19, 2025
Collaborator

Hi,
Let me ask the team, and I will get back to you with an answer as soon as possible.

matias-braida · 2025-03-19T13:11:16Z

matias-braida
Mar 19, 2025
Collaborator

Hi again,

The alert information in the record of the file "archives.json" that you have for the rule id 100203 does not mean that the alert was correctly indexed.

One possibility is that there exists indexing issues for these alerts (for example: one invalid field n 8000 ame, etc).

First, we can check if these alerts are being indexed.
To do this, please go to the "Discover" section of the dashboard. There type the search filter "rule.id:100203".
Here is an image to guide you but using another "rule.id:5501".

Please share your results.

0 replies

matias-braida · 2025-03-19T14:10:10Z

matias-braida
Mar 19, 2025
Collaborator

Hi,

I could reproduce the problem on my local machine with the information you sent me previously.

There are issues indexing these event logs. The problem is the field named "timestamp" in your custom decoder.
The format of this field is not the expected, the format used is ISO 8601 (YYYY-MM-DDTHH:MM:SSZ). In future Wazuh version 5.x the timestamp fields format will be configurable.

A workaround for this situation could be:

Change the field name in your custom decoder for example "timestamp1"
Change the current "timestamp" field format to match ISO 8601.

1 reply

meimi039 Mar 19, 2025
Author

Hi Matias!

You are just awesome! That was the right thing to look at.
I changed the fieldname to "time", which caused alerts to come in right away:

Thank you so much. I think I can make it from here.

Best regards

Michael

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No alerts for http status code 200 #28637

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments 6 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

No alerts for http status code 200 #28637

meimi039 Mar 13, 2025

Replies: 4 comments · 6 replies

matias-braida Mar 14, 2025 Collaborator

meimi039 Mar 15, 2025 Author

matias-braida Mar 17, 2025 Collaborator

meimi039 Mar 17, 2025 Author

matias-braida Mar 17, 2025 Collaborator

meimi039 Mar 18, 2025 Author

matias-braida Mar 19, 2025 Collaborator

matias-braida Mar 19, 2025 Collaborator

matias-braida Mar 19, 2025 Collaborator

meimi039 Mar 19, 2025 Author

meimi039
Mar 13, 2025

Replies: 4 comments 6 replies

matias-braida
Mar 14, 2025
Collaborator

meimi039 Mar 15, 2025
Author

matias-braida
Mar 17, 2025
Collaborator

meimi039 Mar 17, 2025
Author

matias-braida Mar 17, 2025
Collaborator

meimi039 Mar 18, 2025
Author

matias-braida Mar 19, 2025
Collaborator

matias-braida
Mar 19, 2025
Collaborator

matias-braida
Mar 19, 2025
Collaborator

meimi039 Mar 19, 2025
Author