
Difficulty in interpreting the log output from a network logging device 'Wazuh'


In the log message given below, klnagent is an agent of Kaspersky antivirus that sends logs.

ossec: output: 'netstat listening ports':

tcp 0.0.0.0:22 0.0.0.0:* 9656/sshd
tcp6 :::22 :::* 9656/sshd
tcp 0.0.0.0:111 0.0.0.0:* 1/systemd
tcp6 :::111 :::* 1/systemd
udp 0.0.0.0:111 0.0.0.0:* 1/systemd
udp6 :::111 :::* 1/systemd
tcp6 :::443 :::* 24826/java
udp 0.0.0.0:644 0.0.0.0:* 32271/rpcbind
udp6 :::644 :::* 32271/rpcbind
tcp 127.0.0.1:4853 0.0.0.0:* 126444/geckodriver
tcp 127.0.0.1:6710 0.0.0.0:* 124922/geckodriver
tcp6 127.0.0.1:8005 :::* 24826/java
tcp6 :::8009 :::* 24826/java
tcp 127.0.0.1:12050 0.0.0.0:* 9843/klnagent
tcp 127.0.0.1:13322 0.0.0.0:* 124940/firefox
tcp6 127.0.0.1:13341 :::* 11017/java
tcp 127.0.0.1:14245 0.0.0.0:* 126463/firefox
udp 0.0.0.0:15000 0.0.0.0:* 9843/klnagent
udp6 :::15000 :::* 9843/klnagent
tcp 127.0.0.1:15730 0.0.0.0:* 9843/klnagent
tcp6 ::1:15730 :::* 9843/klnagent
tcp6 127.0.0.1:19269 :::* 11017/java
tcp 127.0.0.1:25890 0.0.0.0:* 9843/klnagent
tcp 127.0.0.1:30523 0.0.0.0:* 9843/klnagent
tcp6 ::1:30523 :::* 9843/klnagent
tcp 127.0.0.1:34146 0.0.0.0:* 9843/klnagent
tcp 127.0.0.1:35019 0.0.0.0:* 9843/klnagent
udp 0.0.0.0:46909 0.0.0.0:* 9659/rsyslogd


Solution

  • Wazuh comes with a few commands configured to monitor their output. Looking at your output, the command Wazuh used to show that information was:

    <localfile>
      <log_format>full_command</log_format>
      <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
      <alias>netstat listening ports</alias>
      <frequency>360</frequency>
    </localfile>
    

    You may find it in either your /var/ossec/etc/ossec.conf (for Linux systems) or C:\Program Files (x86)\ossec-agent\ossec.conf (for Windows Wazuh agents).

    This command allows you to monitor open listening ports on your devices, so that they do not expose unused ports. For example, the line:

    tcp 0.0.0.0:22 0.0.0.0:* 9656/sshd
    

    tells us that port 22 is listening for TCP connections from any IP and any port (0.0.0.0:*). 9656/sshd gives us the process's PID and the program name.

    You may look for further information about command monitoring in our documentation.

    I hope it helps you. Regards.
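As an added example (not part of the answer above and not Wazuh's own code), here is a small Python parser for the one-line-per-socket format that the command monitoring output uses. It separates sockets bound to a wildcard address (reachable from other hosts) from those bound to loopback, so the alert text can be reduced to the ports that actually matter. The sample lines are constructed to match the format shown in the question, and the allow-list of expected ports is an assumption.

```python
"""Parse Wazuh 'netstat listening ports' lines and flag externally reachable sockets."""
from dataclasses import dataclass

# Constructed sample in the exact shape of the output above:
# "<proto> <local addr>:<port> <foreign addr>:* <pid>/<program>"
SAMPLE = """\
tcp 0.0.0.0:22 0.0.0.0:* 9656/sshd
tcp6 :::443 :::* 24826/java
tcp 127.0.0.1:12050 0.0.0.0:* 9843/klnagent
tcp6 ::1:15730 :::* 9843/klnagent
udp 0.0.0.0:15000 0.0.0.0:* 9843/klnagent
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    program: str

    @property
    def exposed(self) -> bool:
        """True when bound to a wildcard address, i.e. reachable from other hosts."""
        return self.addr in ("0.0.0.0", "::")


def parse_listener(line: str) -> Listener:
    """Split one output line into its fields; the foreign address is always '*'."""
    proto, local, _foreign, owner = line.split()
    # rpartition on the last ':' keeps IPv6 wildcards such as ':::443' intact
    addr, _, port = local.rpartition(":")
    pid, _, program = owner.partition("/")
    return Listener(proto, addr, int(port), int(pid), program)


def parse_output(text: str) -> list[Listener]:
    return [parse_listener(line) for line in text.splitlines() if line.strip()]


def exposed_listeners(text: str, allowed: frozenset[int] = frozenset()) -> list[Listener]:
    """Wildcard-bound listeners whose port is not on the (assumed) allow-list."""
    return [l for l in parse_output(text) if l.exposed and l.port not in allowed]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE, frozenset({22, 443})):
        print(f"unexpected exposed {l.proto} port {l.port}: {l.pid}/{l.program}")
```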