
Fatih Yüksektepe

Monitoring vCenter with Wazuh SIEM

In this article I will explain what needs to be done to monitor VMware vCenter and ESXi with Wazuh, the open source SIEM. To integrate vCenter with Wazuh we will use the syslog protocol.

First, open the vCenter management interface and configure the syslog settings there. You can verify them with Send Test Message.

(Screenshot: vCenter syslog settings)

Next, configure syslog on the Wazuh server. For the syslog settings we edit the rsyslog.conf file.

nano /etc/rsyslog.conf

In the configuration file, find the lines below and enable them (they are most likely commented out with a # at the start of the line); removing the # is enough.

module(load="imudp") 
input(type="imudp" port="514")


module(load="imtcp") 
input(type="imtcp" port="514")

To collect the logs arriving from a specific IP address into a dedicated file, add the following line to the syslog configuration file.

if $fromhost-ip=='vcenter-ip-address' then /var/log/vmware-esxi.log

Save and exit the syslog configuration file, then create the log file we referenced in the configuration.

touch /var/log/vmware-esxi.log
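To check the rsyslog side before wiring up Wazuh, here is an added Python script (not part of the original post) that sends one ESXi-shaped RFC 5424 syslog datagram to UDP port 514, the same kind of check as Send Test Message in vCenter but runnable from any host. The host name, IP, process id and event text are constructed, and "WAZUH_SERVER" in the comment is a placeholder for the Wazuh server address.

```python
"""Added example (not from the original post): send one ESXi-shaped RFC 5424
syslog datagram to the rsyslog UDP listener configured above, to confirm the
imudp input and the $fromhost-ip routing end to end. Host names, IPs, the
process id and the event text are constructed."""
import socket
import threading
from datetime import datetime, timezone
from typing import Optional


def build_esxi_message(esxi_host: str, app: str, pid: int, text: str,
                       when: Optional[datetime] = None) -> bytes:
    """RFC 5424 line in the shape ESXi/vCenter emit:
    <PRI>1 TIMESTAMP HOST APP PROCID - - MSG.
    PRI 14 is facility user (1 * 8) plus severity informational (6)."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"
    return f"<14>1 {stamp} {esxi_host} {app} {pid} - - {text}".encode()


def send_udp(payload: bytes, target: str, port: int = 514) -> int:
    """Send the datagram to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (target, port))


def loopback_roundtrip(payload: bytes) -> bytes:
    """Offline stand-in for the rsyslog listener: bind an ephemeral UDP port on
    127.0.0.1, send the payload to it and return what arrived."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(3)
    port = server.getsockname()[1]
    received = bytearray()

    def receiver():
        data, _ = server.recvfrom(8192)
        received.extend(data)

    worker = threading.Thread(target=receiver)
    worker.start()
    send_udp(payload, "127.0.0.1", port)
    worker.join()
    server.close()
    return bytes(received)


if __name__ == "__main__":
    message = build_esxi_message("esxi01.lab.local", "Hostd", 2099461,
                                 "Event 4112 : User root@10.10.5.20 logged in")
    print(message.decode())
    print("offline round trip ok:", loopback_roundtrip(message) == message)
    # Real run: point it at the Wazuh server (placeholder address), e.g.
    # send_udp(message, "WAZUH_SERVER")
```

Run the real send from the vCenter appliance or another host whose address is in the $fromhost-ip filter, after rsyslog has been restarted so the new listener and routing are active; from any other source the line lands in the default syslog file instead of /var/log/vmware-esxi.log, which is itself a useful check that the filter does what you expect. Then tail /var/log/vmware-esxi.log on the Wazuh server. The loopback_roundtrip helper only exercises the sender offline; it does not replace that check.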

To tell Wazuh which file to read the logs from, edit the ossec.conf file.

nano /var/ossec/etc/ossec.conf

Add the following lines to the file.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/vmware-esxi.log</location>
  <out_format>vmware-esxi: $(log)</out_format>
</localfile>

We need to create a decoder in Wazuh for vCenter. For this:

nano /var/ossec/etc/decoders/esxi_decoders.xml

Create the decoder file with any editor and enter the decoders below.

<decoder name="vmware-esxi">
  <prematch>^vmware-esxi: </prematch>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">\S+ (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\S+) (\S+)\[(\d+)]:</regex>
  <order>logtimestamp, esxi_host, process_name, process_id</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">\S+ (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\S+) (\S+):</regex>
  <order>logtimestamp, esxi_host, process_name</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">\S+ (\w+\s\d+\s\d+:\d+\:\d+) (\S+) (\S+)\[(\d+)]:</regex>
  <order>logtimestamp, esxi_host, process_name, process_id</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">\S+ (\w+\s\d+\s\d+:\d+\:\d+) (\S+) (\S+):</regex>
  <order>logtimestamp, esxi_host, process_name</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : SSH session was opened for '(\w+)@(\S+)'</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : SSH login has failed for '(\w+)@(\S+)'</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : SSH session was closed for '(\w+)@(\S+)'</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : (\S+) on  (\S+) in (\S+) is powered off</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : (\S+) on (\S+) in (\S+) has powered on</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : User (\w+)@(\S+) logged in</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Cannot login (\w+)@(\S+)</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : User (\w+)@(\S+) logged out</regex>
  <order>event_id, user, srcip</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">: \[(\S+)]: (.+)$</regex>
  <order>user, command</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Guest OS shut down for (\S+) on (\S+) in (\S+)</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Guest OS reboot for (\S+) on (\S+) in (\S+)</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Created virtual machine (\S+) on (\S+)</regex>
  <order>event_id, vm, esxi_host</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Removed (\S+) on (\S+) from (\S+)</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Registered (\S+) on (\S+) in (\S+)</regex>
  <order>event_id, vm, esxi_host, datacenter</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : File upload to path '\[(.+)' was initiated</regex>
  <order>event_id, path</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Deletion of file or directory (.+) from (\S+) was initiated</regex>
  <order>event_id, path, disk</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Account (\S+) was created on host (\S+)</regex>
  <order>event_id, user, esxi_host</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Password was changed for account (\S+) on host (\S+)</regex>
  <order>event_id, user, esxi_host</order>
</decoder>

<decoder name="esxi-syslog">
  <parent>vmware-esxi</parent>
  <regex type="pcre2">Event (\d+) : Account (\S+) was removed on host (\S+)</regex>
  <order>event_id, user, esxi_host</order>
</decoder>

Save and exit the file. Next, to create a custom rule set, create and edit the rule file with an editor.

nano /var/ossec/etc/rules/esxi_rules.xml
Enter the following into the file we just created.

<group name="vmware-esxi-syslog,">
  <rule id="111010" level="0">
    <decoded_as>vmware-esxi</decoded_as>
    <description>VMware ESXi syslogs grouped.</description>
  </rule>

  <!-- create new virtual machines -->
  <rule id="111011" level="5">
    <if_sid>111010</if_sid>
    <match>Created virtual machine</match>
    <description>VMware ESXi: A new VM $(vm) was created on $(esxi_host).</description>
  </rule>

  <!-- virtual machines state changes -->
  <rule id="111012" level="3">
    <if_sid>111010</if_sid>
    <match>has powered on</match>
    <description>VMware ESXi: VM $(vm) on $(esxi_host) has powered on.</description>
  </rule>

  <rule id="111013" level="8">
    <if_sid>111010</if_sid>
    <match>is powered off</match>
    <description>VMware ESXi: VM $(vm) on $(esxi_host) was powered off.</description>
  </rule>

  <rule id="111014" level="8">
    <if_sid>111010</if_sid>
    <match>Guest OS shut down</match>
    <description>VMware ESXi: VM $(vm) on $(esxi_host) was shut down.</description>
  </rule>

  <rule id="111015" level="8">
    <if_sid>111010</if_sid>
    <match>Guest OS reboot</match>
    <description>VMware ESXi: VM $(vm) on $(esxi_host) was rebooted.</description>
  </rule>

  <!-- logins, logouts through web console, SSH and scripts -->
  <rule id="111016" level="7">
    <if_sid>111010</if_sid>
    <match>logged in</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) was logged in to $(esxi_host).</description>
  </rule>

  <rule id="111017" level="3">
    <if_sid>111010</if_sid>
    <match>logged out</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) was logged out from $(esxi_host).</description>
  </rule>

  <rule id="111018" level="8">
    <if_sid>111010</if_sid>
    <match>Cannot login</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) was trying to log in to $(esxi_host).</description>
  </rule>

  <rule id="111019" level="7">
    <if_sid>111010</if_sid>
    <match>: SSH session was opened</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) established SSH connection to $(esxi_host).</description>
  </rule>

  <rule id="111020" level="8">
    <if_sid>111010</if_sid>
    <match>: SSH login has failed</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) failed to SSH to $(esxi_host).</description>
  </rule>

  <rule id="111021" level="3">
    <if_sid>111010</if_sid>
    <match>: SSH session was closed</match>
    <description>VMware ESXi: User $(dstuser) with IP $(srcip) was disconnected from $(esxi_host).</description>
  </rule>

  <!-- datastore file upload, delete -->
  <rule id="111022" level="8">
    <if_sid>111010</if_sid>
    <match>File upload</match>
    <description>VMware ESXi: A file in $(path) was uploaded on $(esxi_host).</description>
  </rule>

  <rule id="111023" level="11">
    <if_sid>111010</if_sid>
    <match>Deletion of file or directory</match>
    <description>VMware ESXi: $(path) in $(disk) was deleted on $(esxi_host).</description>
  </rule>

  <!-- virtual machine registration and removal -->
  <rule id="111024" level="5">
    <if_sid>111010</if_sid>
    <regex>Registered (\S+) on</regex>
    <description>VMware ESXi: A new VM $(vm) was registered on $(esxi_host).</description>
  </rule>

  <rule id="111025" level="8">
    <if_sid>111010</if_sid>
    <regex>Removed (\S+) on</regex>
    <description>VMware ESXi: VM $(vm) was removed from $(esxi_host).</description>
  </rule>

  <!-- user create, modify and delete -->
  <rule id="111026" level="8">
    <if_sid>111010</if_sid>
    <regex>Account (\S+) was created</regex>
    <description>VMware ESXi: A new user $(dstuser) was created on $(esxi_host).</description>
  </rule>

  <rule id="111027" level="11">
    <if_sid>111010</if_sid>
    <regex>Account (\S+) was removed</regex>
    <description>VMware ESXi: User $(dstuser) was deleted from $(esxi_host).</description>
  </rule>

  <rule id="111028" level="8">
    <if_sid>111010</if_sid>
    <match>Password was changed</match>
    <description>VMware ESXi: Password for User $(dstuser) was changed on $(esxi_host).</description>
  </rule>

  <!-- shell commands -->
  <rule id="111029" level="8">
    <if_sid>111010</if_sid>
    <regex>shell[(\d+)]: [(\S+)]</regex>
    <description>VMware ESXi: User $(dstuser) run command $(command) on $(esxi_host) shell.</description>
  </rule>
</group>
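To see how the decoder file and the rule file above work together on a real line, here is an added Python script (not code from the post or from Wazuh) that re-implements the essentials offline: the parent prematch, a subset of the sibling decoders with their pcre2 regexes copied verbatim, and a subset of the rules with their descriptions rendered from the extracted fields. The log lines are constructed; the only translation is rule 111029's regex, which is written in PCRE syntax here because Wazuh's own OS_Regex treats square brackets as literals.

```python
"""Offline re-implementation of the decoder siblings and rules above (added
example, not code from the post or from Wazuh): the same regexes are applied to
constructed log lines so the extracted fields and the rendered alert text can
be checked before restarting wazuh-manager."""
import re

# Parent decoder: the prefix that out_format in ossec.conf adds to every line.
PREMATCH = re.compile(r"^vmware-esxi: ")

# Sibling decoders (pcre2 regex, order list) copied from esxi_decoders.xml, a
# subset. Every sibling whose regex matches contributes its fields; the rules
# rely on that when they print $(vm) and $(esxi_host) taken from different
# siblings.
SIBLINGS = [
    (r"\S+ (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\S+) (\S+)\[(\d+)]:",
     ["logtimestamp", "esxi_host", "process_name", "process_id"]),
    (r"\S+ (\w+\s\d+\s\d+:\d+\:\d+) (\S+) (\S+)\[(\d+)]:",
     ["logtimestamp", "esxi_host", "process_name", "process_id"]),
    (r"Event (\d+) : SSH login has failed for '(\w+)@(\S+)'",
     ["event_id", "user", "srcip"]),
    (r"Event (\d+) : (\S+) on  (\S+) in (\S+) is powered off",
     ["event_id", "vm", "esxi_host", "datacenter"]),
    (r"Event (\d+) : User (\w+)@(\S+) logged in", ["event_id", "user", "srcip"]),
    (r"Event (\d+) : Cannot login (\w+)@(\S+)", ["event_id", "user", "srcip"]),
    (r": \[(\S+)]: (.+)$", ["user", "command"]),
    (r"Event (\d+) : Deletion of file or directory (.+) from (\S+) was initiated",
     ["event_id", "path", "disk"]),
]

# Wazuh stores the order field "user" as dstuser, which is why the rule
# descriptions on the page print $(dstuser).
FIELD_ALIAS = {"user": "dstuser"}

# Rules (id, level, kind, pattern, description), a subset of esxi_rules.xml.
# "match" is a substring test; "regex" is written in PCRE syntax here, so the
# brackets of rule 111029 are escaped (Wazuh's OS_Regex treats [ ] as literals).
RULES = [
    ("111013", 8, "match", "is powered off",
     "VMware ESXi: VM $(vm) on $(esxi_host) was powered off."),
    ("111016", 7, "match", "logged in",
     "VMware ESXi: User $(dstuser) with IP $(srcip) was logged in to $(esxi_host)."),
    ("111018", 8, "match", "Cannot login",
     "VMware ESXi: User $(dstuser) with IP $(srcip) was trying to log in to $(esxi_host)."),
    ("111020", 8, "match", ": SSH login has failed",
     "VMware ESXi: User $(dstuser) with IP $(srcip) failed to SSH to $(esxi_host)."),
    ("111023", 11, "match", "Deletion of file or directory",
     "VMware ESXi: $(path) in $(disk) was deleted on $(esxi_host)."),
    ("111029", 8, "regex", r"shell\[(\d+)\]: \[(\S+)\]",
     "VMware ESXi: User $(dstuser) run command $(command) on $(esxi_host) shell."),
]


def decode(line: str) -> dict:
    """Apply the parent prematch, then every sibling regex; return the merged fields."""
    if not PREMATCH.search(line):
        return {}
    fields = {}
    for pattern, order in SIBLINGS:
        found = re.search(pattern, line)
        if found:
            for name, value in zip(order, found.groups()):
                fields[FIELD_ALIAS.get(name, name)] = value
    return fields


def evaluate(line: str) -> list:
    """Return (rule id, level, rendered description) for each rule whose
    condition matches. Wazuh keeps one rule per event; listing all of them
    makes overlapping conditions visible."""
    if not PREMATCH.search(line):
        return []
    fields = decode(line)
    alerts = []
    for rule_id, level, kind, pattern, description in RULES:
        hit = pattern in line if kind == "match" else re.search(pattern, line) is not None
        if hit:
            text = re.sub(r"\$\((\w+)\)",
                          lambda m: fields.get(m.group(1), m.group(0)), description)
            alerts.append((rule_id, level, text))
    return alerts


# Constructed lines in the shape rsyslog writes them, with the out_format prefix.
SAMPLES = [
    "vmware-esxi: 2024-01-15T09:12:31.512Z esxi01.lab.local Hostd[2099461]: "
    "Event 4112 : User root@10.10.5.20 logged in",
    "vmware-esxi: 2024-01-15T09:13:02.001Z esxi01.lab.local Hostd[2099461]: "
    "Event 4113 : Cannot login root@10.10.5.99",
    "vmware-esxi: 2024-01-15T09:14:10.778Z esxi01.lab.local Hostd[2099461]: "
    "Event 4120 : web01 on  esxi01.lab.local in ha-datacenter is powered off",
    "vmware-esxi: Jan 15 09:15:44 esxi01.lab.local shell[2101122]: "
    "[root]: esxcli system version get",
    "vmware-esxi: 2024-01-15T09:16:05.300Z esxi01.lab.local Hostd[2099461]: "
    "Event 4131 : Deletion of file or directory backup/web01.vmdk from datastore1 was initiated",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        print("  fields:", decode(sample))
        for rule_id, level, text in evaluate(sample):
            print(f"  rule {rule_id} level {level}: {text}")
```

Two things the run makes visible: the "is powered off" event message really does carry two spaces before the host name, so the decoder regex on the page must keep them, and the shell decoder gets its user and command from the "[root]: ..." tail while the host comes from the BSD-timestamp sibling, so a rule description can use both. On the Wazuh server the equivalent check is /var/ossec/bin/wazuh-logtest: paste a line with the vmware-esxi: prefix and compare the decoded fields and the rule it reports with what you expect.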

Save and exit the file. Then restart the Wazuh manager service.

systemctl restart wazuh-manager

Go to the Wazuh dashboard and check the logs in the Discover section.

(Screenshot: Wazuh dashboard Discover view showing the vCenter logs)
