Advertisement
Guest User

Untitled

a guest
May 27th, 2020
62
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2020-05-27T16:29:01.784+0800 INFO instance/beat.go:621 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
  2. 2020-05-27T16:29:01.784+0800 DEBUG [beat] instance/beat.go:673 Beat metadata path: /var/lib/filebeat/meta.json
  3. 2020-05-27T16:29:01.784+0800 INFO instance/beat.go:629 Beat ID: a68a467d-986d-4ce6-8bd1-6df07e58045b
  4. 2020-05-27T16:29:01.784+0800 DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev"],"action":"allow"}]}}}
  5. 2020-05-27T16:29:01.786+0800 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
  6. 2020-05-27T16:29:01.786+0800 INFO [beat] instance/beat.go:957 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "a68a467d-986d-4ce6-8bd1-6df07e58045b"}}}
  7. 2020-05-27T16:29:01.786+0800 INFO [beat] instance/beat.go:966 Build info {"system_info": {"build": {"commit": "5e69e25b920e3d93bec76a09a31da3ab35a55607", "libbeat": "7.7.0", "time": "2020-05-12T00:53:16.000Z", "version": "7.7.0"}}}
  8. 2020-05-27T16:29:01.786+0800 INFO [beat] instance/beat.go:969 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.13.9"}}}
  9. 2020-05-27T16:29:01.786+0800 INFO [beat] instance/beat.go:973 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-05-26T17:11:34+08:00","containerized":false,"name":"ssl","ip":["127.0.0.1/8","::1/128","192.168.40.243/24","fd95:646d:a47f:0:18be:8562:7e22:6ed5/64","fe80::94b7:e629:be3f:e513/64"],"kernel_version":"4.18.0-147.8.1.el8_1.x86_64","mac":["00:15:5d:28:9d:0f"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"8 (Core)","major":8,"minor":1,"patch":1911,"codename":"Core"},"timezone":"CST","timezone_offset_sec":28800,"id":"22af1f7876ee4d0385cc3d3b4198e539"}}}
  10. 2020-05-27T16:29:01.786+0800 INFO [beat] instance/beat.go:1002 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 14713, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-05-27T16:29:01.520+0800"}}}
  11. 2020-05-27T16:29:01.787+0800 INFO instance/beat.go:297 Setup Beat: filebeat; Version: 7.7.0
  12. 2020-05-27T16:29:01.787+0800 DEBUG [beat] instance/beat.go:323 Initializing output plugins
  13. 2020-05-27T16:29:01.787+0800 DEBUG [tls] tlscommon/tls.go:71 tls%!(EXTRA string=loading certificate: %v and key %v, string=/etc/filebeat/certs/wazuh-manager.crt, string=/etc/filebeat/certs/wazuh-manager.key)
  14. 2020-05-27T16:29:01.787+0800 DEBUG [tls] tlscommon/tls.go:160 tls%!(EXTRA string=successfully loaded CA certificate: %v, string=/etc/filebeat/certs/ca/ca.crt)
  15. 2020-05-27T16:29:01.787+0800 INFO eslegclient/connection.go:84 elasticsearch url: https://192.168.40.243:9200
  16. 2020-05-27T16:29:01.787+0800 DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
  17. 2020-05-27T16:29:01.787+0800 INFO [publisher] pipeline/module.go:110 Beat name: ssl
  18. 2020-05-27T16:29:01.788+0800 INFO beater/filebeat.go:92 Enabled modules/filesets: wazuh (alerts), ()
  19. 2020-05-27T16:29:01.790+0800 INFO instance/beat.go:438 filebeat start running.
  20. 2020-05-27T16:29:01.790+0800 DEBUG [test] registrar/migrate.go:159 isFile(/var/lib/filebeat/registry) -> false
  21. 2020-05-27T16:29:01.790+0800 DEBUG [test] registrar/migrate.go:159 isFile() -> false
  22. 2020-05-27T16:29:01.790+0800 DEBUG [test] registrar/migrate.go:152 isDir(/var/lib/filebeat/registry/filebeat) -> true
  23. 2020-05-27T16:29:01.790+0800 DEBUG [test] registrar/migrate.go:159 isFile(/var/lib/filebeat/registry/filebeat/meta.json) -> true
  24. 2020-05-27T16:29:01.790+0800 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
  25. 2020-05-27T16:29:01.792+0800 DEBUG [registrar] registrar/migrate.go:51 Registry type '0' found
  26. 2020-05-27T16:29:01.792+0800 DEBUG [registrar] registrar/registrar.go:125 Registry file set to: /var/lib/filebeat/registry/filebeat/data.json
  27. 2020-05-27T16:29:01.792+0800 INFO registrar/registrar.go:145 Loading registrar data from /var/lib/filebeat/registry/filebeat/data.json
  28. 2020-05-27T16:29:01.792+0800 INFO registrar/registrar.go:152 States Loaded from registrar: 1
  29. 2020-05-27T16:29:01.792+0800 INFO beater/crawler.go:73 Loading Inputs: 1
  30. 2020-05-27T16:29:01.792+0800 DEBUG [input] log/config.go:204 recursive glob enabled
  31. 2020-05-27T16:29:01.792+0800 DEBUG [input] log/input.go:164 exclude_files: []. Number of states: 1
  32. 2020-05-27T16:29:01.792+0800 DEBUG [input] file/states.go:68 New state added for /var/ossec/logs/alerts/alerts.json
  33. 2020-05-27T16:29:01.793+0800 DEBUG [registrar] registrar/registrar.go:278 Starting Registrar
  34. 2020-05-27T16:29:01.793+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 1}
  35. 2020-05-27T16:29:01.793+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 1 events
  36. 2020-05-27T16:29:01.793+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 1
  37. 2020-05-27T16:29:01.793+0800 DEBUG [registrar] registrar/registrar.go:346 Registrar states cleaned up. Before: 1, After: 1, Pending: 0
  38. 2020-05-27T16:29:01.793+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  39. 2020-05-27T16:29:01.793+0800 DEBUG [publisher] pipeline/client.go:220 Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:0001-01-01 00:00:00 +0000 UTC Meta:null Fields:null Private:{Id:67574462-64768 Finished:true Fileinfo:<nil> Source:/var/ossec/logs/alerts/alerts.json Offset:5738821 Timestamp:2020-05-27 16:27:53.4839881 +0800 CST TTL:-1ns Type:log Meta:map[] FileStateOS:67574462-64768} TimeSeries:false}
  40. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:185 input with previous states loaded: 1
  41. 2020-05-27T16:29:01.793+0800 INFO log/input.go:152 Configured paths: [/var/ossec/logs/alerts/alerts.json]
  42. 2020-05-27T16:29:01.793+0800 INFO input/input.go:114 Starting input of type: log; ID: 5896905616531920366
  43. 2020-05-27T16:29:01.793+0800 INFO beater/crawler.go:105 Loading and starting Inputs completed. Enabled inputs: 1
  44. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:191 Start next scan
  45. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  46. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5738821
  47. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:565 File didn't change: /var/ossec/logs/alerts/alerts.json
  48. 2020-05-27T16:29:01.793+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  49. 2020-05-27T16:29:01.797+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  50. 2020-05-27T16:29:11.793+0800 DEBUG [input] input/input.go:152 Run input
  51. 2020-05-27T16:29:11.793+0800 DEBUG [input] log/input.go:191 Start next scan
  52. 2020-05-27T16:29:11.793+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  53. 2020-05-27T16:29:11.793+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5738821
  54. 2020-05-27T16:29:11.793+0800 DEBUG [input] log/input.go:520 Resuming harvesting of file: /var/ossec/logs/alerts/alerts.json, offset: 5738821, new size: 5754217
  55. 2020-05-27T16:29:11.793+0800 DEBUG [harvester] log/harvester.go:568 Set previous offset for file: /var/ossec/logs/alerts/alerts.json. Offset: 5738821
  56. 2020-05-27T16:29:11.793+0800 DEBUG [harvester] log/harvester.go:559 Setting offset for file: /var/ossec/logs/alerts/alerts.json. Offset: 5738821
  57. 2020-05-27T16:29:11.793+0800 DEBUG [harvester] log/harvester.go:205 Harvester setup successful. Line terminator: 1
  58. 2020-05-27T16:29:11.793+0800 DEBUG [publisher] pipeline/client.go:220 Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:0001-01-01 00:00:00 +0000 UTC Meta:null Fields:null Private:{Id: Finished:false Fileinfo:0xc000417ba0 Source:/var/ossec/logs/alerts/alerts.json Offset:5738821 Timestamp:2020-05-27 16:29:11.7937505 +0800 CST m=+10.033788501 TTL:-1ns Type:log Meta:map[] FileStateOS:67574462-64768} TimeSeries:false}
  59. 2020-05-27T16:29:11.793+0800 DEBUG [harvester] log/harvester.go:478 Update state: /var/ossec/logs/alerts/alerts.json, offset: 5738821
  60. 2020-05-27T16:29:11.794+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  61. 2020-05-27T16:29:11.794+0800 INFO log/harvester.go:297 Harvester started for file: /var/ossec/logs/alerts/alerts.json
  62. 2020-05-27T16:29:11.794+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 1}
  63. 2020-05-27T16:29:11.794+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 1 events
  64. 2020-05-27T16:29:11.794+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 1
  65. 2020-05-27T16:29:11.794+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  66. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  67. "@timestamp": "2020-05-27T08:29:11.794Z",
  68. "@metadata": {
  69. "beat": "filebeat",
  70. "type": "_doc",
  71. "version": "7.7.0",
  72. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  73. },
  74. "fields": {
  75. "index_prefix": "wazuh-alerts-3.x-"
  76. },
  77. "ecs": {
  78. "version": "1.5.0"
  79. },
  80. "host": {
  81. "name": "ssl"
  82. },
  83. "agent": {
  84. "version": "7.7.0",
  85. "type": "filebeat",
  86. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  87. "hostname": "ssl",
  88. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  89. },
  90. "message": "{\"timestamp\":\"2020-05-27T16:29:05.704+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":375,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5193886\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123746): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62ad30 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1356 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123746): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.880:123746): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123746): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123746): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123746): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123746\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1356\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  91. "event": {
  92. "module": "wazuh",
  93. "dataset": "wazuh.alerts"
  94. },
  95. "fileset": {
  96. "name": "alerts"
  97. },
  98. "service": {
  99. "type": "wazuh"
  100. },
  101. "log": {
  102. "file": {
  103. "path": "/var/ossec/logs/alerts/alerts.json"
  104. },
  105. "offset": 5738821
  106. },
  107. "input": {
  108. "type": "log"
  109. }
  110. }
  111. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  112. "@timestamp": "2020-05-27T08:29:11.794Z",
  113. "@metadata": {
  114. "beat": "filebeat",
  115. "type": "_doc",
  116. "version": "7.7.0",
  117. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  118. },
  119. "message": "{\"timestamp\":\"2020-05-27T16:29:05.704+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":376,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5195640\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123747): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b5b0 a1=558d8e62b860 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1358 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123747): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"devnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568148.880:123747): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123747): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123747): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123747): proctitle=7073002D75006465766E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123747\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1358\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"devnet\",\"a3\":\"-f\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  120. "fields": {
  121. "index_prefix": "wazuh-alerts-3.x-"
  122. },
  123. "input": {
  124. "type": "log"
  125. },
  126. "fileset": {
  127. "name": "alerts"
  128. },
  129. "ecs": {
  130. "version": "1.5.0"
  131. },
  132. "agent": {
  133. "version": "7.7.0",
  134. "type": "filebeat",
  135. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  136. "hostname": "ssl",
  137. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  138. },
  139. "log": {
  140. "file": {
  141. "path": "/var/ossec/logs/alerts/alerts.json"
  142. },
  143. "offset": 5740755
  144. },
  145. "service": {
  146. "type": "wazuh"
  147. },
  148. "event": {
  149. "module": "wazuh",
  150. "dataset": "wazuh.alerts"
  151. },
  152. "host": {
  153. "name": "ssl"
  154. }
  155. }
  156. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  157. "@timestamp": "2020-05-27T08:29:11.794Z",
  158. "@metadata": {
  159. "beat": "filebeat",
  160. "type": "_doc",
  161. "version": "7.7.0",
  162. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  163. },
  164. "agent": {
  165. "hostname": "ssl",
  166. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  167. "version": "7.7.0",
  168. "type": "filebeat",
  169. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  170. },
  171. "message": "{\"timestamp\":\"2020-05-27T16:29:05.706+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":377,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5197421\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123748): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b640 a1=558d8e62b890 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1359 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123748): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-poster\\\" type=CWD msg=audit(1590568148.880:123748): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123748): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123748): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123748): proctitle=67726570002D77006C6F7475732D706F73746572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123748\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1359\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-poster\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  172. "input": {
  173. "type": "log"
  174. },
  175. "event": {
  176. "module": "wazuh",
  177. "dataset": "wazuh.alerts"
  178. },
  179. "fields": {
  180. "index_prefix": "wazuh-alerts-3.x-"
  181. },
  182. "ecs": {
  183. "version": "1.5.0"
  184. },
  185. "host": {
  186. "name": "ssl"
  187. },
  188. "log": {
  189. "offset": 5742692,
  190. "file": {
  191. "path": "/var/ossec/logs/alerts/alerts.json"
  192. }
  193. },
  194. "service": {
  195. "type": "wazuh"
  196. },
  197. "fileset": {
  198. "name": "alerts"
  199. }
  200. }
  201. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  202. "@timestamp": "2020-05-27T08:29:11.794Z",
  203. "@metadata": {
  204. "beat": "filebeat",
  205. "type": "_doc",
  206. "version": "7.7.0",
  207. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  208. },
  209. "log": {
  210. "file": {
  211. "path": "/var/ossec/logs/alerts/alerts.json"
  212. },
  213. "offset": 5744649
  214. },
  215. "service": {
  216. "type": "wazuh"
  217. },
  218. "input": {
  219. "type": "log"
  220. },
  221. "event": {
  222. "module": "wazuh",
  223. "dataset": "wazuh.alerts"
  224. },
  225. "fileset": {
  226. "name": "alerts"
  227. },
  228. "fields": {
  229. "index_prefix": "wazuh-alerts-3.x-"
  230. },
  231. "host": {
  232. "name": "ssl"
  233. },
  234. "message": "{\"timestamp\":\"2020-05-27T16:29:05.709+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":378,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5199214\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.884:123749): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b650 a1=558d8e62b890 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1360 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.884:123749): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568148.884:123749): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.884:123749): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.884:123749): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.884:123749): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123749\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1360\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  235. "ecs": {
  236. "version": "1.5.0"
  237. },
  238. "agent": {
  239. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  240. "version": "7.7.0",
  241. "type": "filebeat",
  242. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  243. "hostname": "ssl"
  244. }
  245. }
  246. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  247. "@timestamp": "2020-05-27T08:29:11.794Z",
  248. "@metadata": {
  249. "beat": "filebeat",
  250. "type": "_doc",
  251. "version": "7.7.0",
  252. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  253. },
  254. "fileset": {
  255. "name": "alerts"
  256. },
  257. "ecs": {
  258. "version": "1.5.0"
  259. },
  260. "host": {
  261. "name": "ssl"
  262. },
  263. "agent": {
  264. "version": "7.7.0",
  265. "type": "filebeat",
  266. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  267. "hostname": "ssl",
  268. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  269. },
  270. "event": {
  271. "module": "wazuh",
  272. "dataset": "wazuh.alerts"
  273. },
  274. "message": "{\"timestamp\":\"2020-05-27T16:29:05.711+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":379,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5200975\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.884:123750): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b770 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=1357 pid=1361 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.884:123750): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568148.884:123750): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.884:123750): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.884:123750): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.884:123750): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123750\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1361\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  275. "service": {
  276. "type": "wazuh"
  277. },
  278. "input": {
  279. "type": "log"
  280. },
  281. "fields": {
  282. "index_prefix": "wazuh-alerts-3.x-"
  283. },
  284. "log": {
  285. "offset": 5746574,
  286. "file": {
  287. "path": "/var/ossec/logs/alerts/alerts.json"
  288. }
  289. }
  290. }
  291. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  292. "@timestamp": "2020-05-27T08:29:11.794Z",
  293. "@metadata": {
  294. "beat": "filebeat",
  295. "type": "_doc",
  296. "version": "7.7.0",
  297. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  298. },
  299. "service": {
  300. "type": "wazuh"
  301. },
  302. "input": {
  303. "type": "log"
  304. },
  305. "event": {
  306. "module": "wazuh",
  307. "dataset": "wazuh.alerts"
  308. },
  309. "fileset": {
  310. "name": "alerts"
  311. },
  312. "ecs": {
  313. "version": "1.5.0"
  314. },
  315. "host": {
  316. "name": "ssl"
  317. },
  318. "log": {
  319. "offset": 5748452,
  320. "file": {
  321. "path": "/var/ossec/logs/alerts/alerts.json"
  322. }
  323. },
  324. "fields": {
  325. "index_prefix": "wazuh-alerts-3.x-"
  326. },
  327. "agent": {
  328. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  329. "version": "7.7.0",
  330. "type": "filebeat",
  331. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  332. "hostname": "ssl"
  333. },
  334. "message": "{\"timestamp\":\"2020-05-27T16:29:05.713+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":380,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5202681\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.900:123751): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e63df70 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1362 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.900:123751): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.900:123751): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.900:123751): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.900:123751): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.900:123751): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123751\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1362\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}"
  335. }
  336. 2020-05-27T16:29:11.794+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  337. "@timestamp": "2020-05-27T08:29:11.794Z",
  338. "@metadata": {
  339. "beat": "filebeat",
  340. "type": "_doc",
  341. "version": "7.7.0",
  342. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  343. },
  344. "fileset": {
  345. "name": "alerts"
  346. },
  347. "fields": {
  348. "index_prefix": "wazuh-alerts-3.x-"
  349. },
  350. "service": {
  351. "type": "wazuh"
  352. },
  353. "host": {
  354. "name": "ssl"
  355. },
  356. "message": "{\"timestamp\":\"2020-05-27T16:29:05.716+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":381,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5204435\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.900:123752): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62ad40 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1363 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.900:123752): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.900:123752): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.900:123752): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.900:123752): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.900:123752): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123752\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1363\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  357. "event": {
  358. "module": "wazuh",
  359. "dataset": "wazuh.alerts"
  360. },
  361. "ecs": {
  362. "version": "1.5.0"
  363. },
  364. "agent": {
  365. "version": "7.7.0",
  366. "type": "filebeat",
  367. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  368. "hostname": "ssl",
  369. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  370. },
  371. "log": {
  372. "offset": 5750386,
  373. "file": {
  374. "path": "/var/ossec/logs/alerts/alerts.json"
  375. }
  376. },
  377. "input": {
  378. "type": "log"
  379. }
  380. }
  381. 2020-05-27T16:29:11.795+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  382. "@timestamp": "2020-05-27T08:29:11.794Z",
  383. "@metadata": {
  384. "beat": "filebeat",
  385. "type": "_doc",
  386. "version": "7.7.0",
  387. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  388. },
  389. "fileset": {
  390. "name": "alerts"
  391. },
  392. "ecs": {
  393. "version": "1.5.0"
  394. },
  395. "host": {
  396. "name": "ssl"
  397. },
  398. "agent": {
  399. "hostname": "ssl",
  400. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  401. "version": "7.7.0",
  402. "type": "filebeat",
  403. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  404. },
  405. "message": "{\"timestamp\":\"2020-05-27T16:29:05.718+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":382,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5206189\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.904:123753): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e640cc0 a1=558d8e63df70 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1364 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.904:123753): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568148.904:123753): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.904:123753): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.904:123753): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.904:123753): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123753\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1364\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  406. "event": {
  407. "module": "wazuh",
  408. "dataset": "wazuh.alerts"
  409. },
  410. "fields": {
  411. "index_prefix": "wazuh-alerts-3.x-"
  412. },
  413. "service": {
  414. "type": "wazuh"
  415. },
  416. "log": {
  417. "file": {
  418. "path": "/var/ossec/logs/alerts/alerts.json"
  419. },
  420. "offset": 5752320
  421. },
  422. "input": {
  423. "type": "log"
  424. }
  425. }
  426. 2020-05-27T16:29:11.795+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  427. 2020-05-27T16:29:11.798+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  428. 2020-05-27T16:29:12.794+0800 INFO [publisher_pipeline_output] pipeline/output.go:101 Connecting to backoff(elasticsearch(https://192.168.40.243:9200))
  429. 2020-05-27T16:29:12.794+0800 DEBUG [esclientleg] eslegclient/connection.go:239 ES Ping(url=https://192.168.40.243:9200)
  430. 2020-05-27T16:29:12.795+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  431. 2020-05-27T16:29:12.813+0800 DEBUG [esclientleg] eslegclient/connection.go:262 Ping status code: 200
  432. 2020-05-27T16:29:12.813+0800 INFO [esclientleg] eslegclient/connection.go:263 Attempting to connect to Elasticsearch version 7.7.0
  433. 2020-05-27T16:29:12.813+0800 DEBUG [esclientleg] eslegclient/connection.go:312 GET https://192.168.40.243:9200/_license?human=false <nil>
  434. 2020-05-27T16:29:12.814+0800 DEBUG [license] licenser/check.go:31 Checking that license covers %sBasic
  435. 2020-05-27T16:29:12.814+0800 INFO [license] licenser/es_callback.go:51 Elasticsearch license: Platinum
  436. 2020-05-27T16:29:12.814+0800 DEBUG [esclientleg] eslegclient/connection.go:239 ES Ping(url=https://192.168.40.243:9200)
  437. 2020-05-27T16:29:12.814+0800 DEBUG [esclientleg] eslegclient/connection.go:262 Ping status code: 200
  438. 2020-05-27T16:29:12.814+0800 INFO [esclientleg] eslegclient/connection.go:263 Attempting to connect to Elasticsearch version 7.7.0
  439. 2020-05-27T16:29:12.814+0800 DEBUG [esclientleg] eslegclient/connection.go:312 GET https://192.168.40.243:9200/_cat/templates/wazuh <nil>
  440. 2020-05-27T16:29:12.815+0800 INFO template/load.go:169 Existing template will be overwritten, as overwrite is enabled.
  441. 2020-05-27T16:29:12.815+0800 DEBUG [template] template/load.go:189 Loading json template from file /etc/filebeat/wazuh-template.json
  442. 2020-05-27T16:29:12.816+0800 INFO template/load.go:109 Try loading template wazuh to Elasticsearch
  443. 2020-05-27T16:29:12.817+0800 DEBUG [esclientleg] eslegclient/connection.go:312 PUT https://192.168.40.243:9200/_template/wazuh map[index_patterns:[wazuh-alerts-3.x-* wazuh-archives-3.x-*] mappings:map[date_detection:false dynamic_templates:[map[string_as_keyword:map[mapping:map[type:keyword] match_mapping_type:string]]] properties:map[@timestamp:map[type:date] @version:map[type:text] GeoLocation:map[properties:map[area_code:map[type:long] city_name:map[type:keyword] continent_code:map[type:text] coordinates:map[type:double] country_code2:map[type:text] country_code3:map[type:text] country_name:map[type:keyword] dma_code:map[type:long] ip:map[type:keyword] latitude:map[type:double] location:map[type:geo_point] longitude:map[type:double] postal_code:map[type:keyword] real_region_name:map[type:keyword] region_name:map[type:keyword] timezone:map[type:text]]] agent:map[properties:map[id:map[type:keyword] ip:map[type:keyword] name:map[type:keyword]]] cluster:map[properties:map[name:map[type:keyword] node:map[type:keyword]]] command:map[type:keyword] data:map[properties:map[action:map[type:keyword] audit:map[properties:map[acct:map[type:keyword] arch:map[type:keyword] auid:map[type:keyword] command:map[type:keyword] cwd:map[type:keyword] dev:map[type:keyword] directory:map[properties:map[inode:map[type:keyword] mode:map[type:keyword] name:map[type:keyword]]] egid:map[type:keyword] enforcing:map[type:keyword] euid:map[type:keyword] exe:map[type:keyword] execve:map[properties:map[a0:map[type:keyword] a1:map[type:keyword] a2:map[type:keyword] a3:map[type:keyword]]] exit:map[type:keyword] file:map[properties:map[inode:map[type:keyword] mode:map[type:keyword] name:map[type:keyword]]] fsgid:map[type:keyword] fsuid:map[type:keyword] gid:map[type:keyword] id:map[type:keyword] key:map[type:keyword] list:map[type:keyword] old-auid:map[type:keyword] old-ses:map[type:keyword] old_enforcing:map[type:keyword] old_prom:map[type:keyword] op:map[type:keyword] pid:map[type:keyword] ppid:map[type:keyword] prom:map[type:keyword] res:map[type:keyword] session:map[type:keyword] sgid:map[type:keyword] srcip:map[type:keyword] subj:map[type:keyword] success:map[type:keyword] suid:map[type:keyword] syscall:map[type:keyword] tty:map[type:keyword] type:map[type:keyword] uid:map[type:keyword]]] aws:map[properties:map[bytes:map[type:long] createdAt:map[type:date] dstaddr:map[type:ip] end:map[type:date] resource.instanceDetails:map[properties:map[launchTime:map[type:date] networkInterfaces:map[properties:map[privateIpAddress:map[type:ip] publicIp:map[type:ip]]]]] service:map[properties:map[action.networkConnectionAction.remoteIpDetails:map[properties:map[geoLocation:map[type:geo_point] ipAddressV4:map[type:ip]]] count:map[type:long] eventFirstSeen:map[type:date] eventLastSeen:map[type:date]]] source_ip_address:map[type:ip] srcaddr:map[type:ip] start:map[type:date] updatedAt:map[type:date]]] command:map[type:keyword] data:map[type:keyword] dstip:map[type:keyword] dstport:map[type:keyword] dstuser:map[type:keyword] extra_data:map[type:keyword] hardware:map[properties:map[cpu_cores:map[type:long] cpu_mhz:map[type:double] cpu_name:map[type:keyword] ram_free:map[type:long] ram_total:map[type:long] ram_usage:map[type:long] serial:map[type:keyword]]] id:map[type:keyword] integration:map[type:keyword] netinfo:map[properties:map[iface:map[properties:map[adapter:map[type:keyword] ipv4:map[properties:map[address:map[type:keyword] broadcast:map[type:keyword] dhcp:map[type:keyword] gateway:map[type:keyword] metric:map[type:long] netmask:map[type:keyword]]] ipv6:map[properties:map[address:map[type:keyword] broadcast:map[type:keyword] dhcp:map[type:keyword] gateway:map[type:keyword] metric:map[type:long] netmask:map[type:keyword]]] mac:map[type:keyword] mtu:map[type:long] name:map[type:keyword] rx_bytes:map[type:long] rx_dropped:map[type:long] rx_errors:map[type:long] rx_packets:map[type:long] state:map[type:keyword] tx_bytes:map[type:long] tx_dropped:map[type:long] tx_errors:map[type:long] tx_packets:map[type:long] type:map[type:keyword]]]]] os:map[properties:map[architecture:map[type:keyword] build:map[type:keyword] codename:map[type:keyword] hostname:map[type:keyword] major:map[type:keyword] minor:map[type:keyword] name:map[type:keyword] platform:map[type:keyword] release:map[type:keyword] release_version:map[type:keyword] sysname:map[type:keyword] version:map[type:keyword]]] oscap:map[properties:map[check:map[properties:map[description:map[type:text] id:map[type:keyword] identifiers:map[type:text] oval:map[properties:map[id:map[type:keyword]]] rationale:map[type:text] references:map[type:text] result:map[type:keyword] severity:map[type:keyword] title:map[type:keyword]]] scan:map[properties:map[benchmark:map[properties:map[id:map[type:keyword]]] content:map[type:keyword] id:map[type:keyword] profile:map[properties:map[id:map[type:keyword] title:map[type:keyword]]] return_code:map[type:long] score:map[type:double]]]]] port:map[properties:map[inode:map[type:long] local_ip:map[type:ip] local_port:map[type:long] pid:map[type:long] process:map[type:keyword] protocol:map[type:keyword] remote_ip:map[type:ip] remote_port:map[type:long] rx_queue:map[type:long] state:map[type:keyword] tx_queue:map[type:long]]] process:map[properties:map[args:map[type:keyword] cmd:map[type:keyword] egroup:map[type:keyword] euser:map[type:keyword] fgroup:map[type:keyword] name:map[type:keyword] nice:map[type:long] nlwp:map[type:long] pgrp:map[type:long] pid:map[type:long] ppid:map[type:long] priority:map[type:long] processor:map[type:long] resident:map[type:long] rgroup:map[type:keyword] ruser:map[type:keyword] session:map[type:long] sgroup:map[type:keyword] share:map[type:long] size:map[type:long] start_time:map[type:long] state:map[type:keyword] stime:map[type:long] suser:map[type:keyword] tgid:map[type:long] tty:map[type:long] utime:map[type:long] vm_size:map[type:long]]] program:map[properties:map[architecture:map[type:keyword] description:map[type:keyword] format:map[type:keyword] install_time:map[type:keyword] location:map[type:keyword] multiarch:map[type:keyword] name:map[type:keyword] priority:map[type:keyword] section:map[type:keyword] size:map[type:long] source:map[type:keyword] vendor:map[type:keyword] version:map[type:keyword]]] protocol:map[type:keyword] sca:map[properties:map[check:map[properties:map[compliance:map[properties:map[cis:map[type:keyword] cis_csc:map[type:keyword] hipaa:map[type:keyword] nist_800_53:map[type:keyword] pci_dss:map[type:keyword]]] description:map[type:keyword] directory:map[type:keyword] file:map[type:keyword] id:map[type:keyword] previous_result:map[type:keyword] process:map[type:keyword] rationale:map[type:keyword] reason:map[type:keyword] references:map[type:keyword] registry:map[type:keyword] remediation:map[type:keyword] result:map[type:keyword] status:map[type:keyword] title:map[type:keyword]]] description:map[type:keyword] failed:map[type:integer] file:map[type:keyword] invalid:map[type:keyword] name:map[type:keyword] passed:map[type:integer] policy:map[type:keyword] policy_id:map[type:keyword] scan_id:map[type:keyword] score:map[type:long] total_checks:map[type:keyword] type:map[type:keyword]]] srcip:map[type:keyword] srcport:map[type:keyword] srcuser:map[type:keyword] status:map[type:keyword] system_name:map[type:keyword] timestamp:map[type:date] title:map[type:keyword] type:map[type:keyword] uid:map[type:keyword] url:map[type:keyword] virustotal:map[properties:map[description:map[type:keyword] error:map[type:keyword] found:map[type:keyword] malicious:map[type:keyword] permalink:map[type:keyword] positives:map[type:keyword] scan_date:map[type:keyword] sha1:map[type:keyword] source:map[properties:map[alert_id:map[type:keyword] file:map[type:keyword] md5:map[type:keyword] sha1:map[type:keyword]]] total:map[type:keyword]]] vulnerability:map[properties:map[advisories:map[type:keyword] bugzilla_reference:map[type:keyword] cve:map[type:keyword] cvss:map[properties:map[cvss2:map[properties:map[base_score:map[type:keyword] exploitability_score:map[type:keyword] impact_score:map[type:keyword] vector:map[properties:map[access_complexity:map[type:keyword] attack_vector:map[type:keyword] authentication:map[type:keyword] availability:map[type:keyword] confidentiality_impact:map[type:keyword] integrity_impact:map[type:keyword] privileges_required:map[type:keyword] scope:map[type:keyword] user_interaction:map[type:keyword]]]]] cvss3:map[properties:map[base_score:map[type:keyword] exploitability_score:map[type:keyword] impact_score:map[type:keyword] vector:map[properties:map[access_complexity:map[type:keyword] attack_vector:map[type:keyword] authentication:map[type:keyword] availability:map[type:keyword] confidentiality_impact:map[type:keyword] integrity_impact:map[type:keyword] privileges_required:map[type:keyword] scope:map[type:keyword] user_interaction:map[type:keyword]]]]]]] cwe_reference:map[type:keyword] package:map[properties:map[architecture:map[type:keyword] condition:map[type:keyword] generated_cpe:map[type:keyword] name:map[type:keyword] version:map[type:keyword]]] published:map[type:date] rationale:map[type:keyword] reference:map[type:keyword] severity:map[type:keyword] state:map[type:keyword] title:map[type:keyword] updated:map[type:date]]]]] decoder:map[properties:map[accumulate:map[type:long] fts:map[type:long] ftscomment:map[type:keyword] name:map[type:keyword] parent:map[type:keyword]]] full_log:map[type:text] host:map[type:keyword] id:map[type:keyword] input:map[properties:map[type:map[type:keyword]]] location:map[type:keyword] manager:map[properties:map[name:map[type:keyword]]] message:map[type:text] offset:map[type:keyword] predecoder:map[properties:map[hostname:map[type:keyword] program_name:map[type:keyword] timestamp:map[type:keyword]]] previous_log:map[type:text] previous_output:map[type:keyword] program_name:map[type:keyword] rule:map[properties:map[cis:map[type:keyword] cve:map[type:keyword] description:map[type:keyword] firedtimes:map[type:long] frequency:map[type:long] gdpr:map[type:keyword] gpg13:map[type:keyword] groups:map[type:keyword] hipaa:map[type:keyword] id:map[type:keyword] info:map[type:keyword] level:map[type:long] mail:map[type:boolean] nist_800_53:map[type:keyword] pci_dss:map[type:keyword]]] syscheck:map[properties:map[audit:map[properties:map[effective_user:map[properties:map[id:map[type:keyword] name:map[type:keyword]]] group:map[properties:map[id:map[type:keyword] name:map[type:keyword]]] login_user:map[properties:map[id:map[type:keyword] name:map[type:keyword]]] process:map[properties:map[id:map[type:keyword] name:map[type:keyword] ppid:map[type:keyword]]] user:map[properties:map[id:map[type:keyword] name:map[type:keyword]]]]] diff:map[type:keyword] event:map[type:keyword] gid_after:map[type:keyword] gid_before:map[type:keyword] gname_after:map[type:keyword] gname_before:map[type:keyword] hard_links:map[type:keyword] inode_after:map[type:keyword] inode_before:map[type:keyword] md5_after:map[type:keyword] md5_before:map[type:keyword] mtime_after:map[format:date_optional_time type:date] mtime_before:map[format:date_optional_time type:date] path:map[type:keyword] perm_after:map[type:keyword] perm_before:map[type:keyword] sha1_after:map[type:keyword] sha1_before:map[type:keyword] sha256_after:map[type:keyword] sha256_before:map[type:keyword] size_after:map[type:long] size_before:map[type:long] tags:map[type:keyword] uid_after:map[type:keyword] uid_before:map[type:keyword] uname_after:map[type:keyword] uname_before:map[type:keyword]]] timestamp:map[format:date_optional_time||epoch_millis type:date] title:map[type:keyword] type:map[type:text]]] order:0 settings:map[index.auto_expand_replicas:0-1 index.mapping.total_fields.limit:10000 index.number_of_replicas:0 index.number_of_shards:3 index.query.default_field:[GeoLocation.city_name GeoLocation.continent_code GeoLocation.country_code2 GeoLocation.country_code3 GeoLocation.country_name GeoLocation.ip GeoLocation.postal_code GeoLocation.real_region_name GeoLocation.region_name GeoLocation.timezone agent.id agent.ip agent.name cluster.name cluster.node command data data.action data.audit data.audit.acct data.audit.arch data.audit.auid data.audit.command data.audit.cwd data.audit.dev data.audit.directory.inode data.audit.directory.mode data.audit.directory.name data.audit.egid data.audit.enforcing data.audit.euid data.audit.exe data.audit.execve.a0 data.audit.execve.a1 data.audit.execve.a2 data.audit.execve.a3 data.audit.exit data.audit.file.inode data.audit.file.mode data.audit.file.name data.audit.fsgid data.audit.fsuid data.audit.gid data.audit.id data.audit.key data.audit.list data.audit.old-auid data.audit.old-ses data.audit.old_enforcing data.audit.old_prom data.audit.op data.audit.pid data.audit.ppid data.audit.prom data.audit.res data.audit.session data.audit.sgid data.audit.srcip data.audit.subj data.audit.success data.audit.suid data.audit.syscall data.audit.tty data.audit.uid data.aws.accountId data.aws.account_id data.aws.action data.aws.actor data.aws.aws_account_id data.aws.description data.aws.dstport data.aws.errorCode data.aws.errorMessage data.aws.eventID data.aws.eventName data.aws.eventSource data.aws.eventType data.aws.id data.aws.name data.aws.requestParameters.accessKeyId data.aws.requestParameters.bucketName data.aws.requestParameters.gatewayId data.aws.requestParameters.groupDescription data.aws.requestParameters.groupId data.aws.requestParameters.groupName data.aws.requestParameters.host data.aws.requestParameters.hostedZoneId data.aws.requestParameters.instanceId data.aws.requestParameters.instanceProfileName data.aws.requestParameters.loadBalancerName data.aws.requestParameters.loadBalancerPorts data.aws.requestParameters.masterUserPassword data.aws.requestParameters.masterUsername data.aws.requestParameters.name data.aws.requestParameters.natGatewayId data.aws.requestParameters.networkAclId data.aws.requestParameters.path data.aws.requestParameters.policyName data.aws.requestParameters.port data.aws.requestParameters.stackId data.aws.requestParameters.stackName data.aws.requestParameters.subnetId data.aws.requestParameters.subnetIds data.aws.requestParameters.volumeId data.aws.requestParameters.vpcId data.aws.resource.accessKeyDetails.accessKeyId data.aws.resource.accessKeyDetails.principalId data.aws.resource.accessKeyDetails.userName data.aws.resource.instanceDetails.instanceId data.aws.resource.instanceDetails.instanceState data.aws.resource.instanceDetails.networkInterfaces.privateDnsName data.aws.resource.instanceDetails.networkInterfaces.publicDnsName data.aws.resource.instanceDetails.networkInterfaces.subnetId data.aws.resource.instanceDetails.networkInterfaces.vpcId data.aws.resource.instanceDetails.tags.value data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId data.aws.responseElements.description data.aws.responseElements.instanceId data.aws.responseElements.instances.instanceId data.aws.responseElements.instancesSet.items.instanceId data.aws.responseElements.listeners.port data.aws.responseElements.loadBalancerName data.aws.responseElements.loadBalancers.vpcId data.aws.responseElements.loginProfile.userName data.aws.responseElements.networkAcl.vpcId data.aws.responseElements.ownerId data.aws.responseElements.publicIp data.aws.responseElements.user.userId data.aws.responseElements.user.userName data.aws.responseElements.volumeId data.aws.service.serviceName data.aws.severity data.aws.source data.aws.sourceIPAddress data.aws.srcport data.aws.userIdentity.accessKeyId data.aws.userIdentity.accountId data.aws.userIdentity.userName data.aws.vpcEndpointId data.command data.data data.docker.Actor.Attributes.container data.docker.Actor.Attributes.image data.docker.Actor.Attributes.name data.docker.Actor.ID data.docker.id data.docker.message data.docker.status data.dstip data.dstport data.dstuser data.extra_data data.hardware.serial data.id data.integration data.netinfo.iface.adapter data.netinfo.iface.ipv4.address data.netinfo.iface.ipv6.address data.netinfo.iface.mac data.netinfo.iface.name data.os.architecture data.os.build data.os.codename data.os.hostname data.os.major data.os.minor data.os.name data.os.platform data.os.release data.os.release_version data.os.sysname data.os.version data.oscap.check.description data.oscap.check.id data.oscap.check.identifiers data.oscap.check.oval.id data.oscap.check.rationale data.oscap.check.references data.oscap.check.result data.oscap.check.severity data.oscap.check.title data.oscap.scan.benchmark.id data.oscap.scan.content data.oscap.scan.id data.oscap.scan.profile.id data.oscap.scan.profile.title data.osquery.columns.address data.osquery.columns.command data.osquery.columns.description data.osquery.columns.dst_ip data.osquery.columns.gid data.osquery.columns.hostname data.osquery.columns.md5 data.osquery.columns.path data.osquery.columns.sha1 data.osquery.columns.sha256 data.osquery.columns.src_ip data.osquery.columns.user data.osquery.columns.username data.osquery.name data.osquery.pack data.port.process data.port.protocol data.port.state data.process.args data.process.cmd data.process.egroup data.process.euser data.process.fgroup data.process.name data.process.rgroup data.process.ruser data.process.sgroup data.process.state data.process.suser data.program.architecture data.program.description data.program.format data.program.location data.program.multiarch data.program.name data.program.priority data.program.section data.program.source data.program.vendor data.program.version data.protocol data.pwd data.sca data.sca.check.compliance.cis data.sca.check.compliance.cis_csc data.sca.check.compliance.pci_dss data.sca.check.compliance.hipaa data.sca.check.compliance.nist_800_53 data.sca.check.description data.sca.check.directory data.sca.check.file data.sca.check.id data.sca.check.previous_result data.sca.check.process data.sca.check.rationale data.sca.check.reason data.sca.check.references data.sca.check.registry data.sca.check.remediation data.sca.check.result data.sca.check.status data.sca.check.title data.sca.description data.sca.file data.sca.invalid data.sca.name data.sca.policy data.sca.policy_id data.sca.scan_id data.sca.total_checks data.script data.src_ip data.src_port data.srcip data.srcport data.srcuser data.status data.system_name data.title data.tty data.uid data.url data.virustotal.description data.virustotal.error data.virustotal.found data.virustotal.permalink data.virustotal.scan_date data.virustotal.sha1 data.virustotal.source.alert_id data.virustotal.source.file data.virustotal.source.md5 data.virustotal.source.sha1 data.vulnerability.advisories data.vulnerability.bugzilla_reference data.vulnerability.cve data.vulnerability.cvss.cvss2.base_score data.vulnerability.cvss.cvss2.exploitability_score data.vulnerability.cvss.cvss2.impact_score data.vulnerability.cvss.cvss2.vector.access_complexity data.vulnerability.cvss.cvss2.vector.attack_vector data.vulnerability.cvss.cvss2.vector.authentication data.vulnerability.cvss.cvss2.vector.availability data.vulnerability.cvss.cvss2.vector.confidentiality_impact data.vulnerability.cvss.cvss2.vector.integrity_impact data.vulnerability.cvss.cvss2.vector.privileges_required data.vulnerability.cvss.cvss2.vector.scope data.vulnerability.cvss.cvss2.vector.user_interaction data.vulnerability.cvss.cvss3.base_score data.vulnerability.cvss.cvss3.exploitability_score data.vulnerability.cvss.cvss3.impact_score data.vulnerability.cvss.cvss3.vector.access_complexity data.vulnerability.cvss.cvss3.vector.attack_vector data.vulnerability.cvss.cvss3.vector.authentication data.vulnerability.cvss.cvss3.vector.availability data.vulnerability.cvss.cvss3.vector.confidentiality_impact data.vulnerability.cvss.cvss3.vector.integrity_impact data.vulnerability.cvss.cvss3.vector.privileges_required data.vulnerability.cvss.cvss3.vector.scope data.vulnerability.cvss.cvss3.vector.user_interaction data.vulnerability.cwe_reference data.vulnerability.package.architecture data.vulnerability.package.condition data.vulnerability.package.generated_cpe data.vulnerability.package.name data.vulnerability.package.version data.vulnerability.rationale data.vulnerability.reference data.vulnerability.severity data.vulnerability.state data.vulnerability.title data.win.eventdata.auditPolicyChanges data.win.eventdata.auditPolicyChangesId data.win.eventdata.binary data.win.eventdata.category data.win.eventdata.categoryId data.win.eventdata.data data.win.eventdata.image data.win.eventdata.ipAddress data.win.eventdata.ipPort data.win.eventdata.keyName data.win.eventdata.logonGuid data.win.eventdata.logonProcessName data.win.eventdata.operation data.win.eventdata.parentImage data.win.eventdata.processId data.win.eventdata.processName data.win.eventdata.providerName data.win.eventdata.returnCode data.win.eventdata.service data.win.eventdata.status data.win.eventdata.subcategory data.win.eventdata.subcategoryGuid data.win.eventdata.subcategoryId data.win.eventdata.subjectDomainName data.win.eventdata.subjectLogonId data.win.eventdata.subjectUserName data.win.eventdata.subjectUserSid data.win.eventdata.targetDomainName data.win.eventdata.targetLinkedLogonId data.win.eventdata.targetLogonId data.win.eventdata.targetUserName data.win.eventdata.targetUserSid data.win.eventdata.workstationName data.win.system.channel data.win.system.computer data.win.system.eventID data.win.system.eventRecordID data.win.system.eventSourceName data.win.system.keywords data.win.system.level data.win.system.message data.win.system.opcode data.win.system.processID data.win.system.providerGuid data.win.system.providerName data.win.system.securityUserID data.win.system.severityValue data.win.system.userID decoder.ftscomment decoder.name decoder.parent full_log host id input location manager.name message offset predecoder.hostname predecoder.program_name previous_log previous_output program_name rule.cis rule.cve rule.description rule.gdpr rule.gpg13 rule.groups rule.id rule.info rule.pci_dss rule.hipaa rule.nist_800_53 syscheck.audit.effective_user.id syscheck.audit.effective_user.name syscheck.audit.group.id syscheck.audit.group.name syscheck.audit.login_user.id syscheck.audit.login_user.name syscheck.audit.process.id syscheck.audit.process.name syscheck.audit.process.ppid syscheck.audit.user.id syscheck.audit.user.name syscheck.diff syscheck.event syscheck.gid_after syscheck.gid_before syscheck.gname_after syscheck.gname_before syscheck.inode_after syscheck.inode_before syscheck.md5_after syscheck.md5_before syscheck.path syscheck.perm_after syscheck.perm_before syscheck.sha1_after syscheck.sha1_before syscheck.sha256_after syscheck.sha256_before syscheck.tags syscheck.uid_after syscheck.uid_before syscheck.uname_after syscheck.uname_before title type] index.refresh_interval:5s] version:1]
  444. 2020-05-27T16:29:12.936+0800 INFO template/load.go:101 template with name 'wazuh' loaded.
  445. 2020-05-27T16:29:12.936+0800 INFO [index-management] idxmgmt/std.go:295 Loaded index template.
  446. 2020-05-27T16:29:12.936+0800 DEBUG [esclientleg] eslegclient/connection.go:312 GET https://192.168.40.243:9200/ <nil>
  447. 2020-05-27T16:29:12.936+0800 DEBUG [modules] fileset/pipelines.go:67 Required processors: []
  448. 2020-05-27T16:29:12.937+0800 DEBUG [esclientleg] eslegclient/connection.go:312 GET https://192.168.40.243:9200/_ingest/pipeline/filebeat-7.7.0-wazuh-alerts-pipeline <nil>
  449. 2020-05-27T16:29:12.938+0800 DEBUG [modules] fileset/pipelines.go:120 Pipeline filebeat-7.7.0-wazuh-alerts-pipeline already loaded
  450. 2020-05-27T16:29:12.938+0800 INFO [publisher_pipeline_output] pipeline/output.go:111 Connection to backoff(elasticsearch(https://192.168.40.243:9200)) established
  451. 2020-05-27T16:29:12.959+0800 DEBUG [elasticsearch] elasticsearch/client.go:217 PublishEvents: 8 events have been published to elasticsearch in 21.6644ms.
  452. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef547354, ext:10034101601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5738821},"message":"{\"timestamp\":\"2020-05-27T16:29:05.704+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":375,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5193886\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123746): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62ad30 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1356 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123746): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.880:123746): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123746): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123746): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123746): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123746\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1356\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5740755, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  453. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef5c1dd4, ext:10034604001, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5740755},"message":"{\"timestamp\":\"2020-05-27T16:29:05.704+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":376,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5195640\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123747): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b5b0 a1=558d8e62b860 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1358 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123747): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"devnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568148.880:123747): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123747): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123747): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123747): proctitle=7073002D75006465766E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123747\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1358\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"devnet\",\"a3\":\"-f\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5742692, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  454. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef5d73a0, ext:10034691501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5742692},"message":"{\"timestamp\":\"2020-05-27T16:29:05.706+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":377,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5197421\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.880:123748): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b640 a1=558d8e62b890 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1359 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.880:123748): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-poster\\\" type=CWD msg=audit(1590568148.880:123748): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.880:123748): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.880:123748): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.880:123748): proctitle=67726570002D77006C6F7475732D706F73746572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123748\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1359\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-poster\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5744649, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  455. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef5ea964, ext:10034770801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5744649},"message":"{\"timestamp\":\"2020-05-27T16:29:05.709+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":378,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5199214\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.884:123749): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b650 a1=558d8e62b890 a2=558d8e63e750 a3=558d8e61f010 items=2 ppid=1357 pid=1360 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.884:123749): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568148.884:123749): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.884:123749): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.884:123749): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.884:123749): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123749\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1360\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5746574, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  456. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef5fae54, ext:10034837601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5746574},"message":"{\"timestamp\":\"2020-05-27T16:29:05.711+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":379,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5200975\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.884:123750): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62b770 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=1357 pid=1361 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.884:123750): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568148.884:123750): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.884:123750): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.884:123750): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.884:123750): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123750\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1357\",\"pid\":\"1361\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5748452, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  457. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef60ba4c, ext:10034906201, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5748452},"message":"{\"timestamp\":\"2020-05-27T16:29:05.713+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":380,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5202681\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.900:123751): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e63df70 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1362 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.900:123751): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.900:123751): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.900:123751): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.900:123751): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.900:123751): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123751\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1362\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5750386, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  458. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef61b3e8, ext:10034970101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5750386},"message":"{\"timestamp\":\"2020-05-27T16:29:05.716+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":381,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5204435\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.900:123752): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e62ad40 a1=558d8e640ca0 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1363 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.900:123752): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568148.900:123752): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.900:123752): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.900:123752): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.900:123752): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123752\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1363\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5752320, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  459. 2020-05-27T16:29:12.960+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba715ef62b3c4, ext:10035035601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5752320},"message":"{\"timestamp\":\"2020-05-27T16:29:05.718+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":382,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568145.5206189\",\"full_log\":\"type=SYSCALL msg=audit(1590568148.904:123753): arch=c000003e syscall=59 success=yes exit=0 a0=558d8e640cc0 a1=558d8e63df70 a2=558d8e63e750 a3=8 items=2 ppid=18289 pid=1364 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=116 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568148.904:123753): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568148.904:123753): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568148.904:123753): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568148.904:123753): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568148.904:123753): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123753\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"1364\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5754217, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  460. 2020-05-27T16:29:12.960+0800 DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [0: 0, 8]
  461. 2020-05-27T16:29:12.960+0800 DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=8, start-seq=1, end-seq=8
  462.  
  463. 2020-05-27T16:29:12.960+0800 DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:8
  464. 2020-05-27T16:29:12.960+0800 DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
  465. 2020-05-27T16:29:12.960+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 8}
  466. 2020-05-27T16:29:12.960+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 8 events
  467. 2020-05-27T16:29:12.960+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 8
  468. 2020-05-27T16:29:12.960+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  469. 2020-05-27T16:29:12.976+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  470. 2020-05-27T16:29:14.795+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  471. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  472. "@timestamp": "2020-05-27T08:29:18.796Z",
  473. "@metadata": {
  474. "beat": "filebeat",
  475. "type": "_doc",
  476. "version": "7.7.0",
  477. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  478. },
  479. "message": "{\"timestamp\":\"2020-05-27T16:29:17.040+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":383,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5207914\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.413:123754): arch=c000003e syscall=59 success=yes exit=0 a0=56146338de60 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1377 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.413:123754): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.413:123754): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.413:123754): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.413:123754): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.413:123754): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123754\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1377\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  480. "fields": {
  481. "index_prefix": "wazuh-alerts-3.x-"
  482. },
  483. "host": {
  484. "name": "ssl"
  485. },
  486. "agent": {
  487. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  488. "hostname": "ssl",
  489. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  490. "version": "7.7.0",
  491. "type": "filebeat"
  492. },
  493. "log": {
  494. "offset": 5754217,
  495. "file": {
  496. "path": "/var/ossec/logs/alerts/alerts.json"
  497. }
  498. },
  499. "service": {
  500. "type": "wazuh"
  501. },
  502. "input": {
  503. "type": "log"
  504. },
  505. "event": {
  506. "module": "wazuh",
  507. "dataset": "wazuh.alerts"
  508. },
  509. "fileset": {
  510. "name": "alerts"
  511. },
  512. "ecs": {
  513. "version": "1.5.0"
  514. }
  515. }
  516. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  517. "@timestamp": "2020-05-27T08:29:18.796Z",
  518. "@metadata": {
  519. "beat": "filebeat",
  520. "type": "_doc",
  521. "version": "7.7.0",
  522. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  523. },
  524. "agent": {
  525. "hostname": "ssl",
  526. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  527. "version": "7.7.0",
  528. "type": "filebeat",
  529. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  530. },
  531. "message": "{\"timestamp\":\"2020-05-27T16:29:17.040+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":384,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5209670\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123755): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e6e0 a1=56146338e990 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1379 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.417:123755): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"testnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568159.417:123755): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.417:123755): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.417:123755): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.417:123755): proctitle=7073002D7500746573746E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123755\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1379\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"testnet\",\"a3\":\"-f\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  532. "event": {
  533. "module": "wazuh",
  534. "dataset": "wazuh.alerts"
  535. },
  536. "host": {
  537. "name": "ssl"
  538. },
  539. "fileset": {
  540. "name": "alerts"
  541. },
  542. "fields": {
  543. "index_prefix": "wazuh-alerts-3.x-"
  544. },
  545. "ecs": {
  546. "version": "1.5.0"
  547. },
  548. "log": {
  549. "offset": 5756153,
  550. "file": {
  551. "path": "/var/ossec/logs/alerts/alerts.json"
  552. }
  553. },
  554. "service": {
  555. "type": "wazuh"
  556. },
  557. "input": {
  558. "type": "log"
  559. }
  560. }
  561. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  562. "@timestamp": "2020-05-27T08:29:18.796Z",
  563. "@metadata": {
  564. "beat": "filebeat",
  565. "type": "_doc",
  566. "version": "7.7.0",
  567. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  568. },
  569. "input": {
  570. "type": "log"
  571. },
  572. "fileset": {
  573. "name": "alerts"
  574. },
  575. "ecs": {
  576. "version": "1.5.0"
  577. },
  578. "host": {
  579. "name": "ssl"
  580. },
  581. "log": {
  582. "offset": 5758098,
  583. "file": {
  584. "path": "/var/ossec/logs/alerts/alerts.json"
  585. }
  586. },
  587. "message": "{\"timestamp\":\"2020-05-27T16:29:17.042+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":385,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5211459\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123756): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e770 a1=56146338e9c0 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1380 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123756\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1380\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}",
  588. "fields": {
  589. "index_prefix": "wazuh-alerts-3.x-"
  590. },
  591. "service": {
  592. "type": "wazuh"
  593. },
  594. "event": {
  595. "module": "wazuh",
  596. "dataset": "wazuh.alerts"
  597. },
  598. "agent": {
  599. "version": "7.7.0",
  600. "type": "filebeat",
  601. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  602. "hostname": "ssl",
  603. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  604. }
  605. }
  606. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  607. "@timestamp": "2020-05-27T08:29:18.796Z",
  608. "@metadata": {
  609. "beat": "filebeat",
  610. "type": "_doc",
  611. "version": "7.7.0",
  612. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  613. },
  614. "input": {
  615. "type": "log"
  616. },
  617. "event": {
  618. "module": "wazuh",
  619. "dataset": "wazuh.alerts"
  620. },
  621. "agent": {
  622. "version": "7.7.0",
  623. "type": "filebeat",
  624. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  625. "hostname": "ssl",
  626. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  627. },
  628. "message": "{\"timestamp\":\"2020-05-27T16:29:17.045+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":386,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5212379\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123757): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e780 a1=56146338e9c0 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1381 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123757\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1381\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}",
  629. "log": {
  630. "offset": 5759207,
  631. "file": {
  632. "path": "/var/ossec/logs/alerts/alerts.json"
  633. }
  634. },
  635. "fileset": {
  636. "name": "alerts"
  637. },
  638. "fields": {
  639. "index_prefix": "wazuh-alerts-3.x-"
  640. },
  641. "service": {
  642. "type": "wazuh"
  643. },
  644. "ecs": {
  645. "version": "1.5.0"
  646. },
  647. "host": {
  648. "name": "ssl"
  649. }
  650. }
  651. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  652. "@timestamp": "2020-05-27T08:29:18.796Z",
  653. "@metadata": {
  654. "beat": "filebeat",
  655. "type": "_doc",
  656. "version": "7.7.0",
  657. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  658. },
  659. "service": {
  660. "type": "wazuh"
  661. },
  662. "ecs": {
  663. "version": "1.5.0"
  664. },
  665. "agent": {
  666. "version": "7.7.0",
  667. "type": "filebeat",
  668. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  669. "hostname": "ssl",
  670. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  671. },
  672. "message": "{\"timestamp\":\"2020-05-27T16:29:17.070+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":387,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5213299\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123758): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e8a0 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=1378 pid=1382 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.417:123758): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568159.417:123758): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.417:123758): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.417:123758): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.417:123758): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123758\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1382\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  673. "log": {
  674. "offset": 5760316,
  675. "file": {
  676. "path": "/var/ossec/logs/alerts/alerts.json"
  677. }
  678. },
  679. "input": {
  680. "type": "log"
  681. },
  682. "fileset": {
  683. "name": "alerts"
  684. },
  685. "event": {
  686. "module": "wazuh",
  687. "dataset": "wazuh.alerts"
  688. },
  689. "fields": {
  690. "index_prefix": "wazuh-alerts-3.x-"
  691. },
  692. "host": {
  693. "name": "ssl"
  694. }
  695. }
  696. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  697. "@timestamp": "2020-05-27T08:29:18.796Z",
  698. "@metadata": {
  699. "beat": "filebeat",
  700. "type": "_doc",
  701. "version": "7.7.0",
  702. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  703. },
  704. "input": {
  705. "type": "log"
  706. },
  707. "log": {
  708. "offset": 5762198,
  709. "file": {
  710. "path": "/var/ossec/logs/alerts/alerts.json"
  711. }
  712. },
  713. "message": "{\"timestamp\":\"2020-05-27T16:29:17.072+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":388,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5215009\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.433:123759): arch=c000003e syscall=59 success=yes exit=0 a0=5614633a3cc0 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1383 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.433:123759): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.433:123759): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.433:123759): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.433:123759): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.433:123759): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123759\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1383\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  714. "fileset": {
  715. "name": "alerts"
  716. },
  717. "service": {
  718. "type": "wazuh"
  719. },
  720. "agent": {
  721. "version": "7.7.0",
  722. "type": "filebeat",
  723. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  724. "hostname": "ssl",
  725. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  726. },
  727. "fields": {
  728. "index_prefix": "wazuh-alerts-3.x-"
  729. },
  730. "event": {
  731. "module": "wazuh",
  732. "dataset": "wazuh.alerts"
  733. },
  734. "ecs": {
  735. "version": "1.5.0"
  736. },
  737. "host": {
  738. "name": "ssl"
  739. }
  740. }
  741. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  742. "@timestamp": "2020-05-27T08:29:18.796Z",
  743. "@metadata": {
  744. "beat": "filebeat",
  745. "type": "_doc",
  746. "version": "7.7.0",
  747. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  748. },
  749. "fileset": {
  750. "name": "alerts"
  751. },
  752. "fields": {
  753. "index_prefix": "wazuh-alerts-3.x-"
  754. },
  755. "input": {
  756. "type": "log"
  757. },
  758. "event": {
  759. "module": "wazuh",
  760. "dataset": "wazuh.alerts"
  761. },
  762. "ecs": {
  763. "version": "1.5.0"
  764. },
  765. "message": "{\"timestamp\":\"2020-05-27T16:29:17.074+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":389,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5216765\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.433:123760): arch=c000003e syscall=59 success=yes exit=0 a0=56146338de70 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1384 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.433:123760): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.433:123760): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.433:123760): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.433:123760): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.433:123760): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123760\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1384\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  766. "service": {
  767. "type": "wazuh"
  768. },
  769. "host": {
  770. "name": "ssl"
  771. },
  772. "agent": {
  773. "version": "7.7.0",
  774. "type": "filebeat",
  775. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  776. "hostname": "ssl",
  777. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  778. },
  779. "log": {
  780. "file": {
  781. "path": "/var/ossec/logs/alerts/alerts.json"
  782. },
  783. "offset": 5764134
  784. }
  785. }
  786. 2020-05-27T16:29:18.796+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  787. "@timestamp": "2020-05-27T08:29:18.796Z",
  788. "@metadata": {
  789. "beat": "filebeat",
  790. "type": "_doc",
  791. "version": "7.7.0",
  792. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  793. },
  794. "fields": {
  795. "index_prefix": "wazuh-alerts-3.x-"
  796. },
  797. "service": {
  798. "type": "wazuh"
  799. },
  800. "ecs": {
  801. "version": "1.5.0"
  802. },
  803. "host": {
  804. "name": "ssl"
  805. },
  806. "fileset": {
  807. "name": "alerts"
  808. },
  809. "message": "{\"timestamp\":\"2020-05-27T16:29:17.077+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":390,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5218521\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.437:123761): arch=c000003e syscall=59 success=yes exit=0 a0=5614633a32e0 a1=5614633a3cc0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1385 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.437:123761): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568159.437:123761): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.437:123761): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.437:123761): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.437:123761): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123761\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1385\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  810. "input": {
  811. "type": "log"
  812. },
  813. "event": {
  814. "module": "wazuh",
  815. "dataset": "wazuh.alerts"
  816. },
  817. "agent": {
  818. "hostname": "ssl",
  819. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  820. "version": "7.7.0",
  821. "type": "filebeat",
  822. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  823. },
  824. "log": {
  825. "file": {
  826. "path": "/var/ossec/logs/alerts/alerts.json"
  827. },
  828. "offset": 5766070
  829. }
  830. }
  831. 2020-05-27T16:29:18.796+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  832. 2020-05-27T16:29:19.797+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  833. 2020-05-27T16:29:19.815+0800 DEBUG [elasticsearch] elasticsearch/client.go:217 PublishEvents: 8 events have been published to elasticsearch in 18.2819ms.
  834. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7622c4, ext:17036309301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5754217},"message":"{\"timestamp\":\"2020-05-27T16:29:17.040+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":383,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5207914\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.413:123754): arch=c000003e syscall=59 success=yes exit=0 a0=56146338de60 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1377 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.413:123754): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.413:123754): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.413:123754): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.413:123754): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.413:123754): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123754\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1377\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5756153, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  835. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af792578, ext:17036506501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5756153},"message":"{\"timestamp\":\"2020-05-27T16:29:17.040+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":384,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5209670\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123755): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e6e0 a1=56146338e990 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1379 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.417:123755): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"testnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568159.417:123755): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.417:123755): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.417:123755): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.417:123755): proctitle=7073002D7500746573746E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123755\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1379\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"testnet\",\"a3\":\"-f\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5758098, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  836. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7a5ba0, ext:17036585901, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5758098},"message":"{\"timestamp\":\"2020-05-27T16:29:17.042+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":385,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5211459\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123756): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e770 a1=56146338e9c0 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1380 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123756\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1380\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5759207, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  837. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7b4bdc, ext:17036647501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5759207},"message":"{\"timestamp\":\"2020-05-27T16:29:17.045+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":386,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5212379\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123757): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e780 a1=56146338e9c0 a2=5614633a1880 a3=561463382010 items=2 ppid=1378 pid=1381 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123757\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1381\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5760316, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  838. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7c6648, ext:17036719701, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5760316},"message":"{\"timestamp\":\"2020-05-27T16:29:17.070+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":387,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5213299\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.417:123758): arch=c000003e syscall=59 success=yes exit=0 a0=56146338e8a0 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=1378 pid=1382 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.417:123758): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568159.417:123758): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.417:123758): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.417:123758): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.417:123758): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123758\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1378\",\"pid\":\"1382\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5762198, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  839. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7d6e58, ext:17036787301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5762198},"message":"{\"timestamp\":\"2020-05-27T16:29:17.072+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":388,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5215009\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.433:123759): arch=c000003e syscall=59 success=yes exit=0 a0=5614633a3cc0 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1383 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.433:123759): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.433:123759): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.433:123759): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.433:123759): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.433:123759): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123759\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1383\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5764134, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  840. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7e627c, ext:17036849801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5764134},"message":"{\"timestamp\":\"2020-05-27T16:29:17.074+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":389,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5216765\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.433:123760): arch=c000003e syscall=59 success=yes exit=0 a0=56146338de70 a1=56146338fbf0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1384 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.433:123760): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568159.433:123760): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.433:123760): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.433:123760): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.433:123760): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123760\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1384\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5766070, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  841. 2020-05-27T16:29:19.815+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba717af7f5704, ext:17036912501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5766070},"message":"{\"timestamp\":\"2020-05-27T16:29:17.077+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":390,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568157.5218521\",\"full_log\":\"type=SYSCALL msg=audit(1590568159.437:123761): arch=c000003e syscall=59 success=yes exit=0 a0=5614633a32e0 a1=5614633a3cc0 a2=5614633a1880 a3=8 items=2 ppid=5217 pid=1385 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568159.437:123761): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568159.437:123761): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568159.437:123761): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568159.437:123761): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568159.437:123761): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123761\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5217\",\"pid\":\"1385\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5767969, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  842. 2020-05-27T16:29:19.815+0800 DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [1: 0, 8]
  843. 2020-05-27T16:29:19.815+0800 DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=8, start-seq=9, end-seq=16
  844.  
  845. 2020-05-27T16:29:19.815+0800 DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:8
  846. 2020-05-27T16:29:19.815+0800 DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
  847. 2020-05-27T16:29:19.815+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 8}
  848. 2020-05-27T16:29:19.815+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 8 events
  849. 2020-05-27T16:29:19.815+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 8
  850. 2020-05-27T16:29:19.815+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  851. 2020-05-27T16:29:19.826+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  852. 2020-05-27T16:29:21.794+0800 DEBUG [input] input/input.go:152 Run input
  853. 2020-05-27T16:29:21.794+0800 DEBUG [input] log/input.go:191 Start next scan
  854. 2020-05-27T16:29:21.794+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  855. 2020-05-27T16:29:21.794+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5767969
  856. 2020-05-27T16:29:21.794+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  857. 2020-05-27T16:29:21.794+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  858. 2020-05-27T16:29:21.797+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  859. 2020-05-27T16:29:25.797+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  860. 2020-05-27T16:29:31.791+0800 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":13}},"total":{"ticks":80,"time":{"ms":84},"value":80},"user":{"ticks":70,"time":{"ms":71}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":12},"info":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","uptime":{"ms":30029}},"memstats":{"gc_next":9497024,"memory_alloc":5556328,"memory_total":15474616,"rss":57622528},"runtime":{"goroutines":27}},"filebeat":{"events":{"added":18,"done":18},"harvester":{"files":{"f4dc1e0f-d51b-4b78-a4ed-ecd2b6df521f":{"last_event_published_time":"2020-05-27T16:29:18.796Z","last_event_timestamp":"2020-05-27T16:29:18.796Z","name":"/var/ossec/logs/alerts/alerts.json","read_offset":5767969,"size":5754217,"start_time":"2020-05-27T16:29:11.793Z"}},"open_files":1,"running":1,"started":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"batches":2,"dropped":16,"total":16},"type":"elasticsearch"},"pipeline":{"clients":1,"events":{"active":0,"filtered":2,"published":16,"retry":8,"total":18},"queue":{"acked":16}}},"registrar":{"states":{"current":1,"update":18},"writes":{"success":4,"total":4}},"system":{"cpu":{"cores":1},"load":{"1":0.02,"15":0.31,"5":0.08,"norm":{"1":0.02,"15":0.31,"5":0.08}}}}}}
  861. 2020-05-27T16:29:31.794+0800 DEBUG [input] input/input.go:152 Run input
  862. 2020-05-27T16:29:31.794+0800 DEBUG [input] log/input.go:191 Start next scan
  863. 2020-05-27T16:29:31.794+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  864. 2020-05-27T16:29:31.794+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5767969
  865. 2020-05-27T16:29:31.794+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  866. 2020-05-27T16:29:31.794+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  867. 2020-05-27T16:29:33.798+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  868. 2020-05-27T16:29:41.794+0800 DEBUG [input] input/input.go:152 Run input
  869. 2020-05-27T16:29:41.794+0800 DEBUG [input] log/input.go:191 Start next scan
  870. 2020-05-27T16:29:41.794+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  871. 2020-05-27T16:29:41.794+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5767969
  872. 2020-05-27T16:29:41.794+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  873. 2020-05-27T16:29:41.794+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  874. 2020-05-27T16:29:43.798+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  875. 2020-05-27T16:29:51.795+0800 DEBUG [input] input/input.go:152 Run input
  876. 2020-05-27T16:29:51.795+0800 DEBUG [input] log/input.go:191 Start next scan
  877. 2020-05-27T16:29:51.795+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  878. 2020-05-27T16:29:51.795+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5767969
  879. 2020-05-27T16:29:51.795+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  880. 2020-05-27T16:29:51.795+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  881. 2020-05-27T16:29:53.798+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  882. "@timestamp": "2020-05-27T08:29:53.798Z",
  883. "@metadata": {
  884. "beat": "filebeat",
  885. "type": "_doc",
  886. "version": "7.7.0",
  887. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  888. },
  889. "message": "{\"timestamp\":\"2020-05-27T16:29:47.089+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":391,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5220248\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123762): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1ddfe60 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1470 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123762): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568189.977:123762): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123762): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123762): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123762): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123762\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1470\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  890. "input": {
  891. "type": "log"
  892. },
  893. "fileset": {
  894. "name": "alerts"
  895. },
  896. "host": {
  897. "name": "ssl"
  898. },
  899. "log": {
  900. "offset": 5767969,
  901. "file": {
  902. "path": "/var/ossec/logs/alerts/alerts.json"
  903. }
  904. },
  905. "event": {
  906. "module": "wazuh",
  907. "dataset": "wazuh.alerts"
  908. },
  909. "fields": {
  910. "index_prefix": "wazuh-alerts-3.x-"
  911. },
  912. "service": {
  913. "type": "wazuh"
  914. },
  915. "ecs": {
  916. "version": "1.5.0"
  917. },
  918. "agent": {
  919. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  920. "version": "7.7.0",
  921. "type": "filebeat",
  922. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  923. "hostname": "ssl"
  924. }
  925. }
  926. 2020-05-27T16:29:53.798+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  927. "@timestamp": "2020-05-27T08:29:53.798Z",
  928. "@metadata": {
  929. "beat": "filebeat",
  930. "type": "_doc",
  931. "version": "7.7.0",
  932. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  933. },
  934. "agent": {
  935. "version": "7.7.0",
  936. "type": "filebeat",
  937. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  938. "hostname": "ssl",
  939. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  940. },
  941. "log": {
  942. "offset": 5769905,
  943. "file": {
  944. "path": "/var/ossec/logs/alerts/alerts.json"
  945. }
  946. },
  947. "input": {
  948. "type": "log"
  949. },
  950. "fileset": {
  951. "name": "alerts"
  952. },
  953. "fields": {
  954. "index_prefix": "wazuh-alerts-3.x-"
  955. },
  956. "ecs": {
  957. "version": "1.5.0"
  958. },
  959. "host": {
  960. "name": "ssl"
  961. },
  962. "message": "{\"timestamp\":\"2020-05-27T16:29:47.089+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":392,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5222004\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123763): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de06e0 a1=55f3b1de0990 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1472 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123763): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"testnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568189.977:123763): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123763): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123763): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123763): proctitle=7073002D7500746573746E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123763\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1472\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"testnet\",\"a3\":\"-f\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  963. "service": {
  964. "type": "wazuh"
  965. },
  966. "event": {
  967. "module": "wazuh",
  968. "dataset": "wazuh.alerts"
  969. }
  970. }
  971. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  972. "@timestamp": "2020-05-27T08:29:53.798Z",
  973. "@metadata": {
  974. "beat": "filebeat",
  975. "type": "_doc",
  976. "version": "7.7.0",
  977. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  978. },
  979. "ecs": {
  980. "version": "1.5.0"
  981. },
  982. "log": {
  983. "offset": 5771850,
  984. "file": {
  985. "path": "/var/ossec/logs/alerts/alerts.json"
  986. }
  987. },
  988. "message": "{\"timestamp\":\"2020-05-27T16:29:47.091+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":393,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5223793\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123764): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de0770 a1=55f3b1de09c0 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1473 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123764): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-slave-miner\\\" type=CWD msg=audit(1590568189.977:123764): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123764): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123764): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123764): proctitle=67726570002D77006C6F7475732D736C6176652D6D696E6572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123764\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1473\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-slave-miner\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  989. "service": {
  990. "type": "wazuh"
  991. },
  992. "input": {
  993. "type": "log"
  994. },
  995. "fileset": {
  996. "name": "alerts"
  997. },
  998. "fields": {
  999. "index_prefix": "wazuh-alerts-3.x-"
  1000. },
  1001. "event": {
  1002. "module": "wazuh",
  1003. "dataset": "wazuh.alerts"
  1004. },
  1005. "agent": {
  1006. "version": "7.7.0",
  1007. "type": "filebeat",
  1008. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1009. "hostname": "ssl",
  1010. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1011. },
  1012. "host": {
  1013. "name": "ssl"
  1014. }
  1015. }
  1016. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1017. "@timestamp": "2020-05-27T08:29:53.799Z",
  1018. "@metadata": {
  1019. "beat": "filebeat",
  1020. "type": "_doc",
  1021. "version": "7.7.0",
  1022. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1023. },
  1024. "host": {
  1025. "name": "ssl"
  1026. },
  1027. "agent": {
  1028. "version": "7.7.0",
  1029. "type": "filebeat",
  1030. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1031. "hostname": "ssl",
  1032. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1033. },
  1034. "log": {
  1035. "offset": 5773831,
  1036. "file": {
  1037. "path": "/var/ossec/logs/alerts/alerts.json"
  1038. }
  1039. },
  1040. "service": {
  1041. "type": "wazuh"
  1042. },
  1043. "event": {
  1044. "module": "wazuh",
  1045. "dataset": "wazuh.alerts"
  1046. },
  1047. "ecs": {
  1048. "version": "1.5.0"
  1049. },
  1050. "message": "{\"timestamp\":\"2020-05-27T16:29:47.094+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":394,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5225610\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123765): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de0780 a1=55f3b1de09c0 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1474 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123765): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568189.977:123765): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123765): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123765): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123765): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123765\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1474\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1051. "fields": {
  1052. "index_prefix": "wazuh-alerts-3.x-"
  1053. },
  1054. "input": {
  1055. "type": "log"
  1056. },
  1057. "fileset": {
  1058. "name": "alerts"
  1059. }
  1060. }
  1061. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1062. "@timestamp": "2020-05-27T08:29:53.799Z",
  1063. "@metadata": {
  1064. "beat": "filebeat",
  1065. "type": "_doc",
  1066. "version": "7.7.0",
  1067. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1068. },
  1069. "log": {
  1070. "offset": 5775760,
  1071. "file": {
  1072. "path": "/var/ossec/logs/alerts/alerts.json"
  1073. }
  1074. },
  1075. "message": "{\"timestamp\":\"2020-05-27T16:29:47.096+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":395,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5227375\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123766): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de08a0 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=1471 pid=1475 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123766): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568189.977:123766): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123766): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123766): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123766): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123766\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1475\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1076. "fileset": {
  1077. "name": "alerts"
  1078. },
  1079. "service": {
  1080. "type": "wazuh"
  1081. },
  1082. "input": {
  1083. "type": "log"
  1084. },
  1085. "ecs": {
  1086. "version": "1.5.0"
  1087. },
  1088. "fields": {
  1089. "index_prefix": "wazuh-alerts-3.x-"
  1090. },
  1091. "event": {
  1092. "module": "wazuh",
  1093. "dataset": "wazuh.alerts"
  1094. },
  1095. "agent": {
  1096. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1097. "version": "7.7.0",
  1098. "type": "filebeat",
  1099. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1100. "hostname": "ssl"
  1101. },
  1102. "host": {
  1103. "name": "ssl"
  1104. }
  1105. }
  1106. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1107. "@timestamp": "2020-05-27T08:29:53.799Z",
  1108. "@metadata": {
  1109. "beat": "filebeat",
  1110. "type": "_doc",
  1111. "version": "7.7.0",
  1112. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1113. },
  1114. "fileset": {
  1115. "name": "alerts"
  1116. },
  1117. "host": {
  1118. "name": "ssl"
  1119. },
  1120. "agent": {
  1121. "type": "filebeat",
  1122. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1123. "hostname": "ssl",
  1124. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1125. "version": "7.7.0"
  1126. },
  1127. "log": {
  1128. "offset": 5777642,
  1129. "file": {
  1130. "path": "/var/ossec/logs/alerts/alerts.json"
  1131. }
  1132. },
  1133. "service": {
  1134. "type": "wazuh"
  1135. },
  1136. "input": {
  1137. "type": "log"
  1138. },
  1139. "event": {
  1140. "module": "wazuh",
  1141. "dataset": "wazuh.alerts"
  1142. },
  1143. "message": "{\"timestamp\":\"2020-05-27T16:29:47.098+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":396,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5229085\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.997:123767): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1df5c10 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1476 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.997:123767): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568189.997:123767): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.997:123767): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.997:123767): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.997:123767): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123767\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1476\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1144. "fields": {
  1145. "index_prefix": "wazuh-alerts-3.x-"
  1146. },
  1147. "ecs": {
  1148. "version": "1.5.0"
  1149. }
  1150. }
  1151. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1152. "@timestamp": "2020-05-27T08:29:53.799Z",
  1153. "@metadata": {
  1154. "beat": "filebeat",
  1155. "type": "_doc",
  1156. "version": "7.7.0",
  1157. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1158. },
  1159. "agent": {
  1160. "type": "filebeat",
  1161. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1162. "hostname": "ssl",
  1163. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1164. "version": "7.7.0"
  1165. },
  1166. "log": {
  1167. "offset": 5779578,
  1168. "file": {
  1169. "path": "/var/ossec/logs/alerts/alerts.json"
  1170. }
  1171. },
  1172. "message": "{\"timestamp\":\"2020-05-27T16:29:47.101+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":397,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5230841\",\"full_log\":\"type=SYSCALL msg=audit(1590568190.001:123768): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1ddfe90 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1477 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568190.001:123768): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568190.001:123768): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568190.001:123768): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568190.001:123768): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568190.001:123768): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123768\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1477\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1173. "event": {
  1174. "dataset": "wazuh.alerts",
  1175. "module": "wazuh"
  1176. },
  1177. "fileset": {
  1178. "name": "alerts"
  1179. },
  1180. "input": {
  1181. "type": "log"
  1182. },
  1183. "fields": {
  1184. "index_prefix": "wazuh-alerts-3.x-"
  1185. },
  1186. "service": {
  1187. "type": "wazuh"
  1188. },
  1189. "ecs": {
  1190. "version": "1.5.0"
  1191. },
  1192. "host": {
  1193. "name": "ssl"
  1194. }
  1195. }
  1196. 2020-05-27T16:29:53.799+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1197. "@timestamp": "2020-05-27T08:29:53.799Z",
  1198. "@metadata": {
  1199. "beat": "filebeat",
  1200. "type": "_doc",
  1201. "version": "7.7.0",
  1202. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1203. },
  1204. "message": "{\"timestamp\":\"2020-05-27T16:29:47.103+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":398,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5232597\",\"full_log\":\"type=SYSCALL msg=audit(1590568190.001:123769): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1df52a0 a1=55f3b1df5c10 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1478 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568190.001:123769): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568190.001:123769): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568190.001:123769): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568190.001:123769): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568190.001:123769): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123769\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1478\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1205. "fields": {
  1206. "index_prefix": "wazuh-alerts-3.x-"
  1207. },
  1208. "input": {
  1209. "type": "log"
  1210. },
  1211. "ecs": {
  1212. "version": "1.5.0"
  1213. },
  1214. "host": {
  1215. "name": "ssl"
  1216. },
  1217. "agent": {
  1218. "version": "7.7.0",
  1219. "type": "filebeat",
  1220. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1221. "hostname": "ssl",
  1222. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1223. },
  1224. "log": {
  1225. "offset": 5781514,
  1226. "file": {
  1227. "path": "/var/ossec/logs/alerts/alerts.json"
  1228. }
  1229. },
  1230. "service": {
  1231. "type": "wazuh"
  1232. },
  1233. "event": {
  1234. "module": "wazuh",
  1235. "dataset": "wazuh.alerts"
  1236. },
  1237. "fileset": {
  1238. "name": "alerts"
  1239. }
  1240. }
  1241. 2020-05-27T16:29:53.799+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  1242. 2020-05-27T16:29:54.799+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  1243. 2020-05-27T16:29:54.806+0800 DEBUG [elasticsearch] elasticsearch/client.go:217 PublishEvents: 8 events have been published to elasticsearch in 7.1203ms.
  1244. 2020-05-27T16:29:54.806+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206f9b4a18, ext:52038744101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5767969},"message":"{\"timestamp\":\"2020-05-27T16:29:47.089+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":391,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5220248\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123762): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1ddfe60 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1470 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123762): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568189.977:123762): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123762): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123762): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123762): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123762\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1470\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5769905, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1245. 2020-05-27T16:29:54.806+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206f9e0ac8, ext:52038924501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5769905},"message":"{\"timestamp\":\"2020-05-27T16:29:47.089+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":392,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5222004\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123763): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de06e0 a1=55f3b1de0990 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1472 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123763): argc=4 a0=\\\"ps\\\" a1=\\\"-u\\\" a2=\\\"testnet\\\" a3=\\\"-f\\\" type=CWD msg=audit(1590568189.977:123763): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123763): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123763): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123763): proctitle=7073002D7500746573746E6574002D66\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123763\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1472\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-u\",\"a2\":\"testnet\",\"a3\":\"-f\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5771850, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1246. 2020-05-27T16:29:54.806+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206f9f2d04, ext:52038998801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5771850},"message":"{\"timestamp\":\"2020-05-27T16:29:47.091+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":393,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5223793\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123764): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de0770 a1=55f3b1de09c0 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1473 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123764): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-slave-miner\\\" type=CWD msg=audit(1590568189.977:123764): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123764): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123764): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123764): proctitle=67726570002D77006C6F7475732D736C6176652D6D696E6572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123764\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1473\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-slave-miner\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5773831, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1247. 2020-05-27T16:29:54.806+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206fa02830, ext:52039063201, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5773831},"message":"{\"timestamp\":\"2020-05-27T16:29:47.094+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":394,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5225610\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123765): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de0780 a1=55f3b1de09c0 a2=55f3b1df3880 a3=55f3b1dd4010 items=2 ppid=1471 pid=1474 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123765): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568189.977:123765): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123765): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123765): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123765): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123765\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1474\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5775760, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1248. 2020-05-27T16:29:54.806+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206fa126e0, ext:52039128401, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5775760},"message":"{\"timestamp\":\"2020-05-27T16:29:47.096+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":395,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5227375\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.977:123766): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1de08a0 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=1471 pid=1475 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.977:123766): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568189.977:123766): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.977:123766): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.977:123766): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.977:123766): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123766\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1471\",\"pid\":\"1475\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5777642, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1249. 2020-05-27T16:29:54.807+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206fa22270, ext:52039192801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5777642},"message":"{\"timestamp\":\"2020-05-27T16:29:47.098+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":396,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5229085\",\"full_log\":\"type=SYSCALL msg=audit(1590568189.997:123767): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1df5c10 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1476 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568189.997:123767): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568189.997:123767): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568189.997:123767): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568189.997:123767): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568189.997:123767): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123767\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1476\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5779578, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1250. 2020-05-27T16:29:54.807+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206fa3143c, ext:52039254601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5779578},"message":"{\"timestamp\":\"2020-05-27T16:29:47.101+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/date\",\"id\":\"80792\",\"firedtimes\":397,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5230841\",\"full_log\":\"type=SYSCALL msg=audit(1590568190.001:123768): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1ddfe90 a1=55f3b1de1bf0 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1477 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"date\\\" exe=\\\"/bin/date\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568190.001:123768): argc=2 a0=\\\"date\\\" a1=2B25592D256D2D25642025483A254D3A2553 type=CWD msg=audit(1590568190.001:123768): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568190.001:123768): item=0 name=\\\"/bin/date\\\" inode=5111829 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568190.001:123768): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568190.001:123768): proctitle=64617465002B25592D256D2D25642025483A254D3A2553\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123768\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1477\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"date\",\"exe\":\"/bin/date\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"date\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/date\",\"inode\":\"5111829\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5781514, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1251. 2020-05-27T16:29:54.807+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7206fa3fd70, ext:52039314301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5781514},"message":"{\"timestamp\":\"2020-05-27T16:29:47.103+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":398,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568187.5232597\",\"full_log\":\"type=SYSCALL msg=audit(1590568190.001:123769): arch=c000003e syscall=59 success=yes exit=0 a0=55f3b1df52a0 a1=55f3b1df5c10 a2=55f3b1df3880 a3=8 items=2 ppid=5452 pid=1478 auid=1007 uid=1007 gid=1002 euid=1007 suid=1007 fsuid=1007 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4337 comm=\\\"sleep\\\" exe=\\\"/bin/sleep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568190.001:123769): argc=2 a0=\\\"sleep\\\" a1=\\\"120\\\" type=CWD msg=audit(1590568190.001:123769): cwd=\\\"/tank2/testnet\\\" type=PATH msg=audit(1590568190.001:123769): item=0 name=\\\"/bin/sleep\\\" inode=5111893 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568190.001:123769): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568190.001:123769): proctitle=736C65657000313230\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123769\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"5452\",\"pid\":\"1478\",\"auid\":\"1007\",\"uid\":\"1007\",\"gid\":\"1002\",\"euid\":\"1007\",\"suid\":\"1007\",\"fsuid\":\"1007\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4337\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank2/testnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5783413, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  1252. 2020-05-27T16:29:54.807+0800 DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [2: 0, 8]
  1253. 2020-05-27T16:29:54.807+0800 DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=8, start-seq=17, end-seq=24
  1254.  
  1255. 2020-05-27T16:29:54.807+0800 DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:8
  1256. 2020-05-27T16:29:54.807+0800 DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
  1257. 2020-05-27T16:29:54.807+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 8}
  1258. 2020-05-27T16:29:54.807+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 8 events
  1259. 2020-05-27T16:29:54.807+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 8
  1260. 2020-05-27T16:29:54.807+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  1261. 2020-05-27T16:29:54.816+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  1262. 2020-05-27T16:29:56.800+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  1263. 2020-05-27T16:30:00.808+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1264. "@timestamp": "2020-05-27T08:30:00.808Z",
  1265. "@metadata": {
  1266. "beat": "filebeat",
  1267. "type": "_doc",
  1268. "version": "7.7.0",
  1269. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1270. },
  1271. "agent": {
  1272. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1273. "version": "7.7.0",
  1274. "type": "filebeat",
  1275. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1276. "hostname": "ssl"
  1277. },
  1278. "log": {
  1279. "offset": 5783413,
  1280. "file": {
  1281. "path": "/var/ossec/logs/alerts/alerts.json"
  1282. }
  1283. },
  1284. "message": "{\"timestamp\":\"2020-05-27T16:29:59.133+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/dash\",\"id\":\"80792\",\"firedtimes\":399,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5234324\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.181:123774): arch=c000003e syscall=59 success=yes exit=0 a0=55816a2aec46 a1=7ffc70cf4980 a2=55816a2aec60 a3=7ffc70cf4a20 items=2 ppid=1501 pid=1502 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"sh\\\" exe=\\\"/bin/dash\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.181:123774): argc=3 a0=\\\"/bin/sh\\\" a1=\\\"-c\\\" a2=2F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E73682020262620206563686F20737563636573736564203E3E202F686F6D652F6465766E65742F6C6F672F6D6F69746F722E6C6F67 type=CWD msg=audit(1590568201.181:123774): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.181:123774): item=0 name=\\\"/bin/sh\\\" inode=5111828 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.181:123774): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.181:123774): proctitle=2F62696E2F7368002D63002F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E73682020262620206563686F20737563636573736564203E3E202F686F6D652F6465766E65742F6C6F672F6D6F69746F722E6C6F67\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123774\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1501\",\"pid\":\"1502\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"sh\",\"exe\":\"/bin/dash\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/bin/sh\",\"a1\":\"-c\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/sh\",\"inode\":\"5111828\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1285. "event": {
  1286. "module": "wazuh",
  1287. "dataset": "wazuh.alerts"
  1288. },
  1289. "fileset": {
  1290. "name": "alerts"
  1291. },
  1292. "service": {
  1293. "type": "wazuh"
  1294. },
  1295. "input": {
  1296. "type": "log"
  1297. },
  1298. "ecs": {
  1299. "version": "1.5.0"
  1300. },
  1301. "fields": {
  1302. "index_prefix": "wazuh-alerts-3.x-"
  1303. },
  1304. "host": {
  1305. "name": "ssl"
  1306. }
  1307. }
  1308. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1309. "@timestamp": "2020-05-27T08:30:00.808Z",
  1310. "@metadata": {
  1311. "beat": "filebeat",
  1312. "type": "_doc",
  1313. "version": "7.7.0",
  1314. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1315. },
  1316. "log": {
  1317. "offset": 5785664,
  1318. "file": {
  1319. "path": "/var/ossec/logs/alerts/alerts.json"
  1320. }
  1321. },
  1322. "message": "{\"timestamp\":\"2020-05-27T16:29:59.135+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/bash\",\"id\":\"80792\",\"firedtimes\":400,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5236403\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123775): arch=c000003e syscall=59 success=yes exit=0 a0=564c1f4e4c08 a1=564c1f4e4c48 a2=564c1f4e4c58 a3=7f75fc13c810 items=3 ppid=1502 pid=1503 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"monitoring_slav\\\" exe=\\\"/bin/bash\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123775): argc=2 a0=\\\"/bin/bash\\\" a1=\\\"/home/devnet/bin/monitoring_slave.sh\\\" type=CWD msg=audit(1590568201.185:123775): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123775): item=0 name=\\\"/home/devnet/bin/monitoring_slave.sh\\\" inode=898433027 dev=08:00 mode=0100755 ouid=1006 ogid=1002 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123775): item=1 name=\\\"/bin/bash\\\" inode=5111810 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123775): item=2 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123775): proctitle=2F62696E2F62617368002F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E7368\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123775\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1502\",\"pid\":\"1503\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"monitoring_slav\",\"exe\":\"/bin/bash\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/bin/bash\",\"a1\":\"/home/devnet/bin/monitoring_slave.sh\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/home/devnet/bin/monitoring_slave.sh\",\"inode\":\"898433027\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1323. "input": {
  1324. "type": "log"
  1325. },
  1326. "agent": {
  1327. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1328. "hostname": "ssl",
  1329. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1330. "version": "7.7.0",
  1331. "type": "filebeat"
  1332. },
  1333. "service": {
  1334. "type": "wazuh"
  1335. },
  1336. "event": {
  1337. "module": "wazuh",
  1338. "dataset": "wazuh.alerts"
  1339. },
  1340. "fileset": {
  1341. "name": "alerts"
  1342. },
  1343. "fields": {
  1344. "index_prefix": "wazuh-alerts-3.x-"
  1345. },
  1346. "ecs": {
  1347. "version": "1.5.0"
  1348. },
  1349. "host": {
  1350. "name": "ssl"
  1351. }
  1352. }
  1353. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1354. "@timestamp": "2020-05-27T08:30:00.809Z",
  1355. "@metadata": {
  1356. "beat": "filebeat",
  1357. "type": "_doc",
  1358. "version": "7.7.0",
  1359. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1360. },
  1361. "agent": {
  1362. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1363. "hostname": "ssl",
  1364. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1365. "version": "7.7.0",
  1366. "type": "filebeat"
  1367. },
  1368. "ecs": {
  1369. "version": "1.5.0"
  1370. },
  1371. "fields": {
  1372. "index_prefix": "wazuh-alerts-3.x-"
  1373. },
  1374. "service": {
  1375. "type": "wazuh"
  1376. },
  1377. "input": {
  1378. "type": "log"
  1379. },
  1380. "fileset": {
  1381. "name": "alerts"
  1382. },
  1383. "log": {
  1384. "offset": 5788015,
  1385. "file": {
  1386. "path": "/var/ossec/logs/alerts/alerts.json"
  1387. }
  1388. },
  1389. "message": "{\"timestamp\":\"2020-05-27T16:29:59.137+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":401,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5238580\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123776): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0460 a1=5645f36c0a00 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1504 pid=1506 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123776): argc=3 a0=\\\"grep\\\" a1=\\\"lotus-slave:0\\\" a2=\\\"/home/devnet/log/filGuard.out\\\" type=CWD msg=audit(1590568201.185:123776): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123776): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123776): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123776): proctitle=67726570006C6F7475732D736C6176653A30002F686F6D652F6465766E65742F6C6F672F66696C47756172642E6F7574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123776\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1504\",\"pid\":\"1506\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"lotus-slave:0\",\"a2\":\"/home/devnet/log/filGuard.out\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1390. "event": {
  1391. "module": "wazuh",
  1392. "dataset": "wazuh.alerts"
  1393. },
  1394. "host": {
  1395. "name": "ssl"
  1396. }
  1397. }
  1398. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1399. "@timestamp": "2020-05-27T08:30:00.809Z",
  1400. "@metadata": {
  1401. "beat": "filebeat",
  1402. "type": "_doc",
  1403. "version": "7.7.0",
  1404. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1405. },
  1406. "log": {
  1407. "offset": 5790086,
  1408. "file": {
  1409. "path": "/var/ossec/logs/alerts/alerts.json"
  1410. }
  1411. },
  1412. "service": {
  1413. "type": "wazuh"
  1414. },
  1415. "input": {
  1416. "type": "log"
  1417. },
  1418. "fields": {
  1419. "index_prefix": "wazuh-alerts-3.x-"
  1420. },
  1421. "ecs": {
  1422. "version": "1.5.0"
  1423. },
  1424. "agent": {
  1425. "version": "7.7.0",
  1426. "type": "filebeat",
  1427. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1428. "hostname": "ssl",
  1429. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1430. },
  1431. "message": "{\"timestamp\":\"2020-05-27T16:29:59.139+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":402,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5240487\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123777): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c05f0 a1=5645f36c08a0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1504 pid=1507 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123777): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.185:123777): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123777): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123777): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123777): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123777\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1504\",\"pid\":\"1507\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1432. "event": {
  1433. "dataset": "wazuh.alerts",
  1434. "module": "wazuh"
  1435. },
  1436. "fileset": {
  1437. "name": "alerts"
  1438. },
  1439. "host": {
  1440. "name": "ssl"
  1441. }
  1442. }
  1443. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1444. "@timestamp": "2020-05-27T08:30:00.809Z",
  1445. "@metadata": {
  1446. "beat": "filebeat",
  1447. "type": "_doc",
  1448. "version": "7.7.0",
  1449. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1450. },
  1451. "ecs": {
  1452. "version": "1.5.0"
  1453. },
  1454. "input": {
  1455. "type": "log"
  1456. },
  1457. "fields": {
  1458. "index_prefix": "wazuh-alerts-3.x-"
  1459. },
  1460. "event": {
  1461. "module": "wazuh",
  1462. "dataset": "wazuh.alerts"
  1463. },
  1464. "fileset": {
  1465. "name": "alerts"
  1466. },
  1467. "service": {
  1468. "type": "wazuh"
  1469. },
  1470. "host": {
  1471. "name": "ssl"
  1472. },
  1473. "agent": {
  1474. "hostname": "ssl",
  1475. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1476. "version": "7.7.0",
  1477. "type": "filebeat",
  1478. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  1479. },
  1480. "log": {
  1481. "file": {
  1482. "path": "/var/ossec/logs/alerts/alerts.json"
  1483. },
  1484. "offset": 5791977
  1485. },
  1486. "message": "{\"timestamp\":\"2020-05-27T16:29:59.141+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":403,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5242206\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.193:123778): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0850 a1=5645f36c0b00 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1508 pid=1510 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.193:123778): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.193:123778): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.193:123778): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.193:123778): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.193:123778): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123778\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1508\",\"pid\":\"1510\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}"
  1487. }
  1488. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1489. "@timestamp": "2020-05-27T08:30:00.809Z",
  1490. "@metadata": {
  1491. "beat": "filebeat",
  1492. "type": "_doc",
  1493. "version": "7.7.0",
  1494. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1495. },
  1496. "log": {
  1497. "offset": 5793868,
  1498. "file": {
  1499. "path": "/var/ossec/logs/alerts/alerts.json"
  1500. }
  1501. },
  1502. "fileset": {
  1503. "name": "alerts"
  1504. },
  1505. "fields": {
  1506. "index_prefix": "wazuh-alerts-3.x-"
  1507. },
  1508. "ecs": {
  1509. "version": "1.5.0"
  1510. },
  1511. "message": "{\"timestamp\":\"2020-05-27T16:29:59.143+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":404,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5243925\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.193:123779): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c06c0 a1=5645f36c0cb0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1508 pid=1509 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.193:123779): argc=3 a0=\\\"grep\\\" a1=\\\"lotus-poster:0\\\" a2=\\\"/home/devnet/log/filGuard.out\\\" type=CWD msg=audit(1590568201.193:123779): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.193:123779): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.193:123779): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.193:123779): proctitle=67726570006C6F7475732D706F737465723A30002F686F6D652F6465766E65742F6C6F672F66696C47756172642E6F7574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123779\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1508\",\"pid\":\"1509\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"lotus-poster:0\",\"a2\":\"/home/devnet/log/filGuard.out\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1512. "input": {
  1513. "type": "log"
  1514. },
  1515. "event": {
  1516. "module": "wazuh",
  1517. "dataset": "wazuh.alerts"
  1518. },
  1519. "service": {
  1520. "type": "wazuh"
  1521. },
  1522. "host": {
  1523. "name": "ssl"
  1524. },
  1525. "agent": {
  1526. "type": "filebeat",
  1527. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1528. "hostname": "ssl",
  1529. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1530. "version": "7.7.0"
  1531. }
  1532. }
  1533. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1534. "@timestamp": "2020-05-27T08:30:00.809Z",
  1535. "@metadata": {
  1536. "beat": "filebeat",
  1537. "type": "_doc",
  1538. "version": "7.7.0",
  1539. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1540. },
  1541. "message": "{\"timestamp\":\"2020-05-27T16:29:59.145+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":405,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5245836\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123780): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0d10 a1=5645f36c0ff0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1512 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123780): argc=2 a0=\\\"ps\\\" a1=\\\"-ef\\\" type=CWD msg=audit(1590568201.201:123780): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123780): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123780): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123780): proctitle=7073002D6566\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123780\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1512\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-ef\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1542. "service": {
  1543. "type": "wazuh"
  1544. },
  1545. "input": {
  1546. "type": "log"
  1547. },
  1548. "fields": {
  1549. "index_prefix": "wazuh-alerts-3.x-"
  1550. },
  1551. "agent": {
  1552. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1553. "version": "7.7.0",
  1554. "type": "filebeat",
  1555. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1556. "hostname": "ssl"
  1557. },
  1558. "log": {
  1559. "offset": 5795943,
  1560. "file": {
  1561. "path": "/var/ossec/logs/alerts/alerts.json"
  1562. }
  1563. },
  1564. "fileset": {
  1565. "name": "alerts"
  1566. },
  1567. "ecs": {
  1568. "version": "1.5.0"
  1569. },
  1570. "host": {
  1571. "name": "ssl"
  1572. },
  1573. "event": {
  1574. "module": "wazuh",
  1575. "dataset": "wazuh.alerts"
  1576. }
  1577. }
  1578. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1579. "@timestamp": "2020-05-27T08:30:00.809Z",
  1580. "@metadata": {
  1581. "beat": "filebeat",
  1582. "type": "_doc",
  1583. "version": "7.7.0",
  1584. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1585. },
  1586. "fields": {
  1587. "index_prefix": "wazuh-alerts-3.x-"
  1588. },
  1589. "agent": {
  1590. "hostname": "ssl",
  1591. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1592. "version": "7.7.0",
  1593. "type": "filebeat",
  1594. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  1595. },
  1596. "ecs": {
  1597. "version": "1.5.0"
  1598. },
  1599. "log": {
  1600. "offset": 5797818,
  1601. "file": {
  1602. "path": "/var/ossec/logs/alerts/alerts.json"
  1603. }
  1604. },
  1605. "service": {
  1606. "type": "wazuh"
  1607. },
  1608. "event": {
  1609. "dataset": "wazuh.alerts",
  1610. "module": "wazuh"
  1611. },
  1612. "fileset": {
  1613. "name": "alerts"
  1614. },
  1615. "message": "{\"timestamp\":\"2020-05-27T16:29:59.147+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":406,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5247539\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123781): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0c10 a1=5645f36c11f0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1513 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123781): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-slave-miner\\\" type=CWD msg=audit(1590568201.201:123781): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123781): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123781): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123781): proctitle=67726570002D77006C6F7475732D736C6176652D6D696E6572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123781\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1513\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-slave-miner\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1616. "input": {
  1617. "type": "log"
  1618. },
  1619. "host": {
  1620. "name": "ssl"
  1621. }
  1622. }
  1623. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1624. "@timestamp": "2020-05-27T08:30:00.809Z",
  1625. "@metadata": {
  1626. "beat": "filebeat",
  1627. "type": "_doc",
  1628. "version": "7.7.0",
  1629. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1630. },
  1631. "input": {
  1632. "type": "log"
  1633. },
  1634. "event": {
  1635. "dataset": "wazuh.alerts",
  1636. "module": "wazuh"
  1637. },
  1638. "service": {
  1639. "type": "wazuh"
  1640. },
  1641. "ecs": {
  1642. "version": "1.5.0"
  1643. },
  1644. "log": {
  1645. "offset": 5799797,
  1646. "file": {
  1647. "path": "/var/ossec/logs/alerts/alerts.json"
  1648. }
  1649. },
  1650. "fileset": {
  1651. "name": "alerts"
  1652. },
  1653. "fields": {
  1654. "index_prefix": "wazuh-alerts-3.x-"
  1655. },
  1656. "host": {
  1657. "name": "ssl"
  1658. },
  1659. "agent": {
  1660. "type": "filebeat",
  1661. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1662. "hostname": "ssl",
  1663. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1664. "version": "7.7.0"
  1665. },
  1666. "message": "{\"timestamp\":\"2020-05-27T16:29:59.151+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":407,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5249354\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123782): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0dc0 a1=5645f36c1070 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1515 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123782): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.201:123782): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123782): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123782): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123782): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123782\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1515\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}"
  1667. }
  1668. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1669. "@timestamp": "2020-05-27T08:30:00.809Z",
  1670. "@metadata": {
  1671. "beat": "filebeat",
  1672. "type": "_doc",
  1673. "version": "7.7.0",
  1674. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1675. },
  1676. "message": "{\"timestamp\":\"2020-05-27T16:29:59.153+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":408,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5251073\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123783): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0c20 a1=5645f36c1170 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1514 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123783): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568201.201:123783): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123783): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123783): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123783): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123783\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1514\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1677. "service": {
  1678. "type": "wazuh"
  1679. },
  1680. "event": {
  1681. "module": "wazuh",
  1682. "dataset": "wazuh.alerts"
  1683. },
  1684. "fileset": {
  1685. "name": "alerts"
  1686. },
  1687. "fields": {
  1688. "index_prefix": "wazuh-alerts-3.x-"
  1689. },
  1690. "host": {
  1691. "name": "ssl"
  1692. },
  1693. "ecs": {
  1694. "version": "1.5.0"
  1695. },
  1696. "log": {
  1697. "offset": 5801688,
  1698. "file": {
  1699. "path": "/var/ossec/logs/alerts/alerts.json"
  1700. }
  1701. },
  1702. "agent": {
  1703. "version": "7.7.0",
  1704. "type": "filebeat",
  1705. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1706. "hostname": "ssl",
  1707. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1708. },
  1709. "input": {
  1710. "type": "log"
  1711. }
  1712. }
  1713. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1714. "@timestamp": "2020-05-27T08:30:00.809Z",
  1715. "@metadata": {
  1716. "beat": "filebeat",
  1717. "type": "_doc",
  1718. "version": "7.7.0",
  1719. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1720. },
  1721. "fileset": {
  1722. "name": "alerts"
  1723. },
  1724. "fields": {
  1725. "index_prefix": "wazuh-alerts-3.x-"
  1726. },
  1727. "service": {
  1728. "type": "wazuh"
  1729. },
  1730. "ecs": {
  1731. "version": "1.5.0"
  1732. },
  1733. "host": {
  1734. "name": "ssl"
  1735. },
  1736. "agent": {
  1737. "hostname": "ssl",
  1738. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1739. "version": "7.7.0",
  1740. "type": "filebeat",
  1741. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f"
  1742. },
  1743. "log": {
  1744. "offset": 5803615,
  1745. "file": {
  1746. "path": "/var/ossec/logs/alerts/alerts.json"
  1747. }
  1748. },
  1749. "message": "{\"timestamp\":\"2020-05-27T16:29:59.155+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: \",\"id\":\"80792\",\"firedtimes\":409,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5252836\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.217:123784): arch=c000003e syscall=59 per=400000 success=yes exit=0 a0=5645f36c1c90 a1=5645f36beed0 a2=5645f36bd850 a3=8 items=2 ppid=1503 pid=1516 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"lotus-slave-min\\\" exe=\\\"/tank1/devnet/bin/lotus-slave-miner\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.217:123784): argc=2 a0=\\\"/home/devnet/bin/lotus-slave-miner\\\" a1=\\\"info\\\" type=CWD msg=audit(1590568201.217:123784): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.217:123784): item=0 name=\\\"/home/devnet/bin/lotus-slave-miner\\\" inode=896729129 dev=08:00 mode=0100750 ouid=1006 ogid=1002 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.217:123784): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.217:123784): proctitle=2F686F6D652F6465766E65742F62696E2F6C6F7475732D736C6176652D6D696E657200696E666F\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123784\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/home/devnet/bin/lotus-slave-miner\",\"a1\":\"info\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/home/devnet/bin/lotus-slave-miner\",\"inode\":\"896729129\",\"mode\":\"0100750\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1750. "input": {
  1751. "type": "log"
  1752. },
  1753. "event": {
  1754. "module": "wazuh",
  1755. "dataset": "wazuh.alerts"
  1756. }
  1757. }
  1758. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1759. "@timestamp": "2020-05-27T08:30:00.809Z",
  1760. "@metadata": {
  1761. "beat": "filebeat",
  1762. "type": "_doc",
  1763. "version": "7.7.0",
  1764. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1765. },
  1766. "input": {
  1767. "type": "log"
  1768. },
  1769. "ecs": {
  1770. "version": "1.5.0"
  1771. },
  1772. "host": {
  1773. "name": "ssl"
  1774. },
  1775. "message": "{\"timestamp\":\"2020-05-27T16:29:59.157+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/getconf\",\"id\":\"80792\",\"firedtimes\":410,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5254435\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.225:123785): arch=c000003e syscall=59 success=yes exit=0 a0=c000052b00 a1=c0001e4b80 a2=c0000ba8c0 a3=8 items=2 ppid=1516 pid=1522 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"getconf\\\" exe=\\\"/usr/bin/getconf\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.225:123785): argc=2 a0=\\\"/usr/bin/getconf\\\" a1=\\\"CLK_TCK\\\" type=CWD msg=audit(1590568201.225:123785): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.225:123785): item=0 name=\\\"/usr/bin/getconf\\\" inode=1048667 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.225:123785): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.225:123785): proctitle=2F7573722F62696E2F676574636F6E6600434C4B5F54434B\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123785\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1516\",\"pid\":\"1522\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"getconf\",\"exe\":\"/usr/bin/getconf\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/bin/getconf\",\"a1\":\"CLK_TCK\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/getconf\",\"inode\":\"1048667\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1776. "fields": {
  1777. "index_prefix": "wazuh-alerts-3.x-"
  1778. },
  1779. "service": {
  1780. "type": "wazuh"
  1781. },
  1782. "event": {
  1783. "module": "wazuh",
  1784. "dataset": "wazuh.alerts"
  1785. },
  1786. "agent": {
  1787. "type": "filebeat",
  1788. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1789. "hostname": "ssl",
  1790. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1791. "version": "7.7.0"
  1792. },
  1793. "log": {
  1794. "offset": 5805443,
  1795. "file": {
  1796. "path": "/var/ossec/logs/alerts/alerts.json"
  1797. }
  1798. },
  1799. "fileset": {
  1800. "name": "alerts"
  1801. }
  1802. }
  1803. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1804. "@timestamp": "2020-05-27T08:30:00.809Z",
  1805. "@metadata": {
  1806. "beat": "filebeat",
  1807. "type": "_doc",
  1808. "version": "7.7.0",
  1809. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1810. },
  1811. "host": {
  1812. "name": "ssl"
  1813. },
  1814. "service": {
  1815. "type": "wazuh"
  1816. },
  1817. "input": {
  1818. "type": "log"
  1819. },
  1820. "fields": {
  1821. "index_prefix": "wazuh-alerts-3.x-"
  1822. },
  1823. "event": {
  1824. "module": "wazuh",
  1825. "dataset": "wazuh.alerts"
  1826. },
  1827. "fileset": {
  1828. "name": "alerts"
  1829. },
  1830. "ecs": {
  1831. "version": "1.5.0"
  1832. },
  1833. "agent": {
  1834. "version": "7.7.0",
  1835. "type": "filebeat",
  1836. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1837. "hostname": "ssl",
  1838. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1839. },
  1840. "log": {
  1841. "file": {
  1842. "path": "/var/ossec/logs/alerts/alerts.json"
  1843. },
  1844. "offset": 5807428
  1845. },
  1846. "message": "{\"timestamp\":\"2020-05-27T16:29:59.159+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":411,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5256248\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123786): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2050 a1=5645f36c2390 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1529 pid=1531 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123786): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.285:123786): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123786): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123786): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123786): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123786\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1529\",\"pid\":\"1531\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}"
  1847. }
  1848. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1849. "@timestamp": "2020-05-27T08:30:00.809Z",
  1850. "@metadata": {
  1851. "beat": "filebeat",
  1852. "type": "_doc",
  1853. "version": "7.7.0",
  1854. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1855. },
  1856. "log": {
  1857. "offset": 5809353,
  1858. "file": {
  1859. "path": "/var/ossec/logs/alerts/alerts.json"
  1860. }
  1861. },
  1862. "message": "{\"timestamp\":\"2020-05-27T16:29:59.162+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":412,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5258001\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123787): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c1f40 a1=5645f36c2290 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1529 pid=1532 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123787): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024327D type=CWD msg=audit(1590568201.285:123787): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123787): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123787): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123787): proctitle=61776B007B207072696E742024327D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123787\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1529\",\"pid\":\"1532\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1863. "input": {
  1864. "type": "log"
  1865. },
  1866. "event": {
  1867. "module": "wazuh",
  1868. "dataset": "wazuh.alerts"
  1869. },
  1870. "fileset": {
  1871. "name": "alerts"
  1872. },
  1873. "host": {
  1874. "name": "ssl"
  1875. },
  1876. "ecs": {
  1877. "version": "1.5.0"
  1878. },
  1879. "service": {
  1880. "type": "wazuh"
  1881. },
  1882. "fields": {
  1883. "index_prefix": "wazuh-alerts-3.x-"
  1884. },
  1885. "agent": {
  1886. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1887. "hostname": "ssl",
  1888. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  1889. "version": "7.7.0",
  1890. "type": "filebeat"
  1891. }
  1892. }
  1893. 2020-05-27T16:30:00.809+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1894. "@timestamp": "2020-05-27T08:30:00.809Z",
  1895. "@metadata": {
  1896. "beat": "filebeat",
  1897. "type": "_doc",
  1898. "version": "7.7.0",
  1899. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1900. },
  1901. "message": "{\"timestamp\":\"2020-05-27T16:29:59.164+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":413,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5259750\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123788): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2070 a1=5645f36c23b0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1533 pid=1535 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123788): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.285:123788): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123788): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123788): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123788): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123788\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1533\",\"pid\":\"1535\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1902. "service": {
  1903. "type": "wazuh"
  1904. },
  1905. "fields": {
  1906. "index_prefix": "wazuh-alerts-3.x-"
  1907. },
  1908. "ecs": {
  1909. "version": "1.5.0"
  1910. },
  1911. "host": {
  1912. "name": "ssl"
  1913. },
  1914. "agent": {
  1915. "version": "7.7.0",
  1916. "type": "filebeat",
  1917. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1918. "hostname": "ssl",
  1919. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1920. },
  1921. "log": {
  1922. "offset": 5811282,
  1923. "file": {
  1924. "path": "/var/ossec/logs/alerts/alerts.json"
  1925. }
  1926. },
  1927. "input": {
  1928. "type": "log"
  1929. },
  1930. "event": {
  1931. "module": "wazuh",
  1932. "dataset": "wazuh.alerts"
  1933. },
  1934. "fileset": {
  1935. "name": "alerts"
  1936. }
  1937. }
  1938. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1939. "@timestamp": "2020-05-27T08:30:00.809Z",
  1940. "@metadata": {
  1941. "beat": "filebeat",
  1942. "type": "_doc",
  1943. "version": "7.7.0",
  1944. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1945. },
  1946. "host": {
  1947. "name": "ssl"
  1948. },
  1949. "input": {
  1950. "type": "log"
  1951. },
  1952. "event": {
  1953. "module": "wazuh",
  1954. "dataset": "wazuh.alerts"
  1955. },
  1956. "ecs": {
  1957. "version": "1.5.0"
  1958. },
  1959. "fileset": {
  1960. "name": "alerts"
  1961. },
  1962. "fields": {
  1963. "index_prefix": "wazuh-alerts-3.x-"
  1964. },
  1965. "agent": {
  1966. "version": "7.7.0",
  1967. "type": "filebeat",
  1968. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  1969. "hostname": "ssl",
  1970. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  1971. },
  1972. "log": {
  1973. "offset": 5813207,
  1974. "file": {
  1975. "path": "/var/ossec/logs/alerts/alerts.json"
  1976. }
  1977. },
  1978. "message": "{\"timestamp\":\"2020-05-27T16:29:59.167+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":414,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5261503\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123789): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c1f60 a1=5645f36c22b0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1533 pid=1536 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123789): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024347D type=CWD msg=audit(1590568201.285:123789): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123789): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123789): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123789): proctitle=61776B007B207072696E742024347D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123789\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1533\",\"pid\":\"1536\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  1979. "service": {
  1980. "type": "wazuh"
  1981. }
  1982. }
  1983. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  1984. "@timestamp": "2020-05-27T08:30:00.810Z",
  1985. "@metadata": {
  1986. "beat": "filebeat",
  1987. "type": "_doc",
  1988. "version": "7.7.0",
  1989. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  1990. },
  1991. "event": {
  1992. "module": "wazuh",
  1993. "dataset": "wazuh.alerts"
  1994. },
  1995. "fields": {
  1996. "index_prefix": "wazuh-alerts-3.x-"
  1997. },
  1998. "host": {
  1999. "name": "ssl"
  2000. },
  2001. "ecs": {
  2002. "version": "1.5.0"
  2003. },
  2004. "log": {
  2005. "offset": 5815136,
  2006. "file": {
  2007. "path": "/var/ossec/logs/alerts/alerts.json"
  2008. }
  2009. },
  2010. "message": "{\"timestamp\":\"2020-05-27T16:29:59.169+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":415,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5263252\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123790): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2310 a1=5645f36c2670 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1539 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123790): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.289:123790): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123790): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123790): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123790): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123790\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1539\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2011. "service": {
  2012. "type": "wazuh"
  2013. },
  2014. "input": {
  2015. "type": "log"
  2016. },
  2017. "fileset": {
  2018. "name": "alerts"
  2019. },
  2020. "agent": {
  2021. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2022. "version": "7.7.0",
  2023. "type": "filebeat",
  2024. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2025. "hostname": "ssl"
  2026. }
  2027. }
  2028. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2029. "@timestamp": "2020-05-27T08:30:00.810Z",
  2030. "@metadata": {
  2031. "beat": "filebeat",
  2032. "type": "_doc",
  2033. "version": "7.7.0",
  2034. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2035. },
  2036. "log": {
  2037. "file": {
  2038. "path": "/var/ossec/logs/alerts/alerts.json"
  2039. },
  2040. "offset": 5817061
  2041. },
  2042. "message": "{\"timestamp\":\"2020-05-27T16:29:59.171+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":416,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5265005\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123791): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2340 a1=5645f36c2620 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1540 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123791): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024357D type=CWD msg=audit(1590568201.289:123791): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123791): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123791): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123791): proctitle=61776B007B207072696E742024357D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123791\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1540\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2043. "event": {
  2044. "module": "wazuh",
  2045. "dataset": "wazuh.alerts"
  2046. },
  2047. "fields": {
  2048. "index_prefix": "wazuh-alerts-3.x-"
  2049. },
  2050. "input": {
  2051. "type": "log"
  2052. },
  2053. "fileset": {
  2054. "name": "alerts"
  2055. },
  2056. "service": {
  2057. "type": "wazuh"
  2058. },
  2059. "ecs": {
  2060. "version": "1.5.0"
  2061. },
  2062. "host": {
  2063. "name": "ssl"
  2064. },
  2065. "agent": {
  2066. "version": "7.7.0",
  2067. "type": "filebeat",
  2068. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2069. "hostname": "ssl",
  2070. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  2071. }
  2072. }
  2073. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2074. "@timestamp": "2020-05-27T08:30:00.810Z",
  2075. "@metadata": {
  2076. "beat": "filebeat",
  2077. "type": "_doc",
  2078. "version": "7.7.0",
  2079. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2080. },
  2081. "message": "{\"timestamp\":\"2020-05-27T16:29:59.173+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":417,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5266754\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123792): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2170 a1=5645f36c2700 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1541 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123792): argc=3 a0=\\\"tr\\\" a1=\\\"-cd\\\" a2=\\\"[0-9]\\\" type=CWD msg=audit(1590568201.289:123792): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123792): item=0 name=\\\"/usr/bin/tr\\\" inode=1048852 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123792): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123792): proctitle=7472002D6364005B302D395D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123792\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1541\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"tr\",\"a1\":\"-cd\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/tr\",\"inode\":\"1048852\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2082. "event": {
  2083. "module": "wazuh",
  2084. "dataset": "wazuh.alerts"
  2085. },
  2086. "fields": {
  2087. "index_prefix": "wazuh-alerts-3.x-"
  2088. },
  2089. "ecs": {
  2090. "version": "1.5.0"
  2091. },
  2092. "host": {
  2093. "name": "ssl"
  2094. },
  2095. "log": {
  2096. "offset": 5818990,
  2097. "file": {
  2098. "path": "/var/ossec/logs/alerts/alerts.json"
  2099. }
  2100. },
  2101. "fileset": {
  2102. "name": "alerts"
  2103. },
  2104. "service": {
  2105. "type": "wazuh"
  2106. },
  2107. "agent": {
  2108. "type": "filebeat",
  2109. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2110. "hostname": "ssl",
  2111. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2112. "version": "7.7.0"
  2113. },
  2114. "input": {
  2115. "type": "log"
  2116. }
  2117. }
  2118. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2119. "@timestamp": "2020-05-27T08:30:00.810Z",
  2120. "@metadata": {
  2121. "beat": "filebeat",
  2122. "type": "_doc",
  2123. "version": "7.7.0",
  2124. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2125. },
  2126. "log": {
  2127. "offset": 5820910,
  2128. "file": {
  2129. "path": "/var/ossec/logs/alerts/alerts.json"
  2130. }
  2131. },
  2132. "message": "{\"timestamp\":\"2020-05-27T16:29:59.175+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":418,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5268523\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123793): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2320 a1=5645f36c2680 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1544 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123793): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit2\\\" type=CWD msg=audit(1590568201.293:123793): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123793): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123793): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123793): proctitle=6772657000507265436F6D6D697432\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123793\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1544\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit2\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2133. "event": {
  2134. "module": "wazuh",
  2135. "dataset": "wazuh.alerts"
  2136. },
  2137. "fields": {
  2138. "index_prefix": "wazuh-alerts-3.x-"
  2139. },
  2140. "agent": {
  2141. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2142. "version": "7.7.0",
  2143. "type": "filebeat",
  2144. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2145. "hostname": "ssl"
  2146. },
  2147. "input": {
  2148. "type": "log"
  2149. },
  2150. "fileset": {
  2151. "name": "alerts"
  2152. },
  2153. "service": {
  2154. "type": "wazuh"
  2155. },
  2156. "ecs": {
  2157. "version": "1.5.0"
  2158. },
  2159. "host": {
  2160. "name": "ssl"
  2161. }
  2162. }
  2163. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2164. "@timestamp": "2020-05-27T08:30:00.810Z",
  2165. "@metadata": {
  2166. "beat": "filebeat",
  2167. "type": "_doc",
  2168. "version": "7.7.0",
  2169. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2170. },
  2171. "message": "{\"timestamp\":\"2020-05-27T16:29:59.177+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":419,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5270276\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123794): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2180 a1=5645f36c2710 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1546 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123794): argc=3 a0=\\\"tr\\\" a1=\\\"-cd\\\" a2=\\\"[0-9]\\\" type=CWD msg=audit(1590568201.293:123794): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123794): item=0 name=\\\"/usr/bin/tr\\\" inode=1048852 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123794): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123794): proctitle=7472002D6364005B302D395D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123794\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1546\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"tr\",\"a1\":\"-cd\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/tr\",\"inode\":\"1048852\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2172. "event": {
  2173. "module": "wazuh",
  2174. "dataset": "wazuh.alerts"
  2175. },
  2176. "fields": {
  2177. "index_prefix": "wazuh-alerts-3.x-"
  2178. },
  2179. "service": {
  2180. "type": "wazuh"
  2181. },
  2182. "ecs": {
  2183. "version": "1.5.0"
  2184. },
  2185. "agent": {
  2186. "version": "7.7.0",
  2187. "type": "filebeat",
  2188. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2189. "hostname": "ssl",
  2190. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  2191. },
  2192. "log": {
  2193. "offset": 5822835,
  2194. "file": {
  2195. "path": "/var/ossec/logs/alerts/alerts.json"
  2196. }
  2197. },
  2198. "input": {
  2199. "type": "log"
  2200. },
  2201. "fileset": {
  2202. "name": "alerts"
  2203. },
  2204. "host": {
  2205. "name": "ssl"
  2206. }
  2207. }
  2208. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2209. "@timestamp": "2020-05-27T08:30:00.810Z",
  2210. "@metadata": {
  2211. "beat": "filebeat",
  2212. "type": "_doc",
  2213. "version": "7.7.0",
  2214. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2215. },
  2216. "fields": {
  2217. "index_prefix": "wazuh-alerts-3.x-"
  2218. },
  2219. "message": "{\"timestamp\":\"2020-05-27T16:29:59.179+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":420,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5272045\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123795): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2350 a1=5645f36c2630 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1545 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123795): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024327D type=CWD msg=audit(1590568201.293:123795): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123795): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123795): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123795): proctitle=61776B007B207072696E742024327D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123795\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1545\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2220. "input": {
  2221. "type": "log"
  2222. },
  2223. "event": {
  2224. "module": "wazuh",
  2225. "dataset": "wazuh.alerts"
  2226. },
  2227. "fileset": {
  2228. "name": "alerts"
  2229. },
  2230. "agent": {
  2231. "type": "filebeat",
  2232. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2233. "hostname": "ssl",
  2234. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2235. "version": "7.7.0"
  2236. },
  2237. "log": {
  2238. "offset": 5824755,
  2239. "file": {
  2240. "path": "/var/ossec/logs/alerts/alerts.json"
  2241. }
  2242. },
  2243. "service": {
  2244. "type": "wazuh"
  2245. },
  2246. "ecs": {
  2247. "version": "1.5.0"
  2248. },
  2249. "host": {
  2250. "name": "ssl"
  2251. }
  2252. }
  2253. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2254. "@timestamp": "2020-05-27T08:30:00.810Z",
  2255. "@metadata": {
  2256. "beat": "filebeat",
  2257. "type": "_doc",
  2258. "version": "7.7.0",
  2259. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2260. },
  2261. "fileset": {
  2262. "name": "alerts"
  2263. },
  2264. "agent": {
  2265. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2266. "version": "7.7.0",
  2267. "type": "filebeat",
  2268. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2269. "hostname": "ssl"
  2270. },
  2271. "fields": {
  2272. "index_prefix": "wazuh-alerts-3.x-"
  2273. },
  2274. "input": {
  2275. "type": "log"
  2276. },
  2277. "event": {
  2278. "module": "wazuh",
  2279. "dataset": "wazuh.alerts"
  2280. },
  2281. "ecs": {
  2282. "version": "1.5.0"
  2283. },
  2284. "host": {
  2285. "name": "ssl"
  2286. },
  2287. "log": {
  2288. "offset": 5826684,
  2289. "file": {
  2290. "path": "/var/ossec/logs/alerts/alerts.json"
  2291. }
  2292. },
  2293. "message": "{\"timestamp\":\"2020-05-27T16:29:59.182+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":421,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5273794\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123796): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2340 a1=5645f36c26a0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1549 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123796): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit2\\\" type=CWD msg=audit(1590568201.293:123796): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123796): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123796): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123796): proctitle=6772657000507265436F6D6D697432\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123796\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1549\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit2\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2294. "service": {
  2295. "type": "wazuh"
  2296. }
  2297. }
  2298. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2299. "@timestamp": "2020-05-27T08:30:00.810Z",
  2300. "@metadata": {
  2301. "beat": "filebeat",
  2302. "type": "_doc",
  2303. "version": "7.7.0",
  2304. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2305. },
  2306. "ecs": {
  2307. "version": "1.5.0"
  2308. },
  2309. "host": {
  2310. "name": "ssl"
  2311. },
  2312. "agent": {
  2313. "version": "7.7.0",
  2314. "type": "filebeat",
  2315. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2316. "hostname": "ssl",
  2317. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  2318. },
  2319. "log": {
  2320. "offset": 5828609,
  2321. "file": {
  2322. "path": "/var/ossec/logs/alerts/alerts.json"
  2323. }
  2324. },
  2325. "message": "{\"timestamp\":\"2020-05-27T16:29:59.183+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":422,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5275547\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123797): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2370 a1=5645f36c2650 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1550 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123797\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1550\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}",
  2326. "fileset": {
  2327. "name": "alerts"
  2328. },
  2329. "fields": {
  2330. "index_prefix": "wazuh-alerts-3.x-"
  2331. },
  2332. "service": {
  2333. "type": "wazuh"
  2334. },
  2335. "input": {
  2336. "type": "log"
  2337. },
  2338. "event": {
  2339. "module": "wazuh",
  2340. "dataset": "wazuh.alerts"
  2341. }
  2342. }
  2343. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2344. "@timestamp": "2020-05-27T08:30:00.810Z",
  2345. "@metadata": {
  2346. "beat": "filebeat",
  2347. "type": "_doc",
  2348. "version": "7.7.0",
  2349. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2350. },
  2351. "message": "{\"timestamp\":\"2020-05-27T16:29:59.185+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":423,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5276477\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123798): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c21a0 a1=5645f36c2730 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1551 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123798\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1551\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}",
  2352. "log": {
  2353. "offset": 5829728,
  2354. "file": {
  2355. "path": "/var/ossec/logs/alerts/alerts.json"
  2356. }
  2357. },
  2358. "service": {
  2359. "type": "wazuh"
  2360. },
  2361. "input": {
  2362. "type": "log"
  2363. },
  2364. "event": {
  2365. "dataset": "wazuh.alerts",
  2366. "module": "wazuh"
  2367. },
  2368. "fileset": {
  2369. "name": "alerts"
  2370. },
  2371. "fields": {
  2372. "index_prefix": "wazuh-alerts-3.x-"
  2373. },
  2374. "host": {
  2375. "name": "ssl"
  2376. },
  2377. "agent": {
  2378. "version": "7.7.0",
  2379. "type": "filebeat",
  2380. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2381. "hostname": "ssl",
  2382. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b"
  2383. },
  2384. "ecs": {
  2385. "version": "1.5.0"
  2386. }
  2387. }
  2388. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2389. "@timestamp": "2020-05-27T08:30:00.810Z",
  2390. "@metadata": {
  2391. "beat": "filebeat",
  2392. "type": "_doc",
  2393. "version": "7.7.0",
  2394. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2395. },
  2396. "event": {
  2397. "module": "wazuh",
  2398. "dataset": "wazuh.alerts"
  2399. },
  2400. "fileset": {
  2401. "name": "alerts"
  2402. },
  2403. "fields": {
  2404. "index_prefix": "wazuh-alerts-3.x-"
  2405. },
  2406. "ecs": {
  2407. "version": "1.5.0"
  2408. },
  2409. "host": {
  2410. "name": "ssl"
  2411. },
  2412. "agent": {
  2413. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2414. "hostname": "ssl",
  2415. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2416. "version": "7.7.0",
  2417. "type": "filebeat"
  2418. },
  2419. "log": {
  2420. "file": {
  2421. "path": "/var/ossec/logs/alerts/alerts.json"
  2422. },
  2423. "offset": 5830839
  2424. },
  2425. "message": "{\"timestamp\":\"2020-05-27T16:29:59.208+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/sbin/sendmail\",\"id\":\"80792\",\"firedtimes\":424,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5277399\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.297:123799): arch=c000003e syscall=59 success=yes exit=0 a0=7ffc70cf4b30 a1=7ffc70cf45a0 a2=7ffc70cf64e0 a3=7faa9d714330 items=2 ppid=1501 pid=1552 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"sendmail\\\" exe=\\\"/usr/sbin/sendmail\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.297:123799): argc=6 a0=\\\"/usr/sbin/sendmail\\\" a1=\\\"-i\\\" a2=\\\"-FCronDaemon\\\" a3=\\\"-B8BITMIME\\\" a4=\\\"-oem\\\" a5=\\\"devnet\\\" type=CWD msg=audit(1590568201.297:123799): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.297:123799): item=0 name=\\\"/usr/sbin/sendmail\\\" inode=1063910 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.297:123799): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.297:123799): proctitle=2F7573722F7362696E2F73656E646D61696C002D69002D4643726F6E4461656D6F6E002D42384249544D494D45002D6F656D006465766E6574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123799\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1501\",\"pid\":\"1552\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"sendmail\",\"exe\":\"/usr/sbin/sendmail\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/sbin/sendmail\",\"a1\":\"-i\",\"a2\":\"-FCronDaemon\",\"a3\":\"-B8BITMIME\",\"a4\":\"-oem\",\"a5\":\"devnet\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/sbin/sendmail\",\"inode\":\"1063910\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2426. "service": {
  2427. "type": "wazuh"
  2428. },
  2429. "input": {
  2430. "type": "log"
  2431. }
  2432. }
  2433. 2020-05-27T16:30:00.810+0800 DEBUG [processors] processing/processors.go:187 Publish event: {
  2434. "@timestamp": "2020-05-27T08:30:00.810Z",
  2435. "@metadata": {
  2436. "beat": "filebeat",
  2437. "type": "_doc",
  2438. "version": "7.7.0",
  2439. "pipeline": "filebeat-7.7.0-wazuh-alerts-pipeline"
  2440. },
  2441. "message": "{\"timestamp\":\"2020-05-27T16:29:59.210+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/sbin/postdrop\",\"id\":\"80792\",\"firedtimes\":425,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5279461\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.301:123800): arch=c000003e syscall=59 success=yes exit=0 a0=55e2c4a13cd0 a1=55e2c4a13d00 a2=55e2c4a143a0 a3=e items=2 ppid=1552 pid=1553 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=115 sgid=115 fsgid=115 tty=(none) ses=4370 comm=\\\"postdrop\\\" exe=\\\"/usr/sbin/postdrop\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.301:123800): argc=2 a0=\\\"/usr/sbin/postdrop\\\" a1=\\\"-r\\\" type=CWD msg=audit(1590568201.301:123800): cwd=\\\"/var/spool/postfix\\\" type=PATH msg=audit(1590568201.301:123800): item=0 name=\\\"/usr/sbin/postdrop\\\" inode=1063894 dev=103:02 mode=0102555 ouid=0 ogid=115 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.301:123800): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.301:123800): proctitle=2F7573722F7362696E2F706F737464726F70002D72\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123800\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1552\",\"pid\":\"1553\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"115\",\"sgid\":\"115\",\"fsgid\":\"115\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"postdrop\",\"exe\":\"/usr/sbin/postdrop\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/sbin/postdrop\",\"a1\":\"-r\"},\"cwd\":\"/var/spool/postfix\",\"file\":{\"name\":\"/usr/sbin/postdrop\",\"inode\":\"1063894\",\"mode\":\"0102555\"}}},\"location\":\"/var/log/audit/audit.log\"}",
  2442. "service": {
  2443. "type": "wazuh"
  2444. },
  2445. "input": {
  2446. "type": "log"
  2447. },
  2448. "agent": {
  2449. "type": "filebeat",
  2450. "ephemeral_id": "28051190-6424-4701-ab5a-f4207bbd229f",
  2451. "hostname": "ssl",
  2452. "id": "a68a467d-986d-4ce6-8bd1-6df07e58045b",
  2453. "version": "7.7.0"
  2454. },
  2455. "ecs": {
  2456. "version": "1.5.0"
  2457. },
  2458. "log": {
  2459. "offset": 5833041,
  2460. "file": {
  2461. "path": "/var/ossec/logs/alerts/alerts.json"
  2462. }
  2463. },
  2464. "fileset": {
  2465. "name": "alerts"
  2466. },
  2467. "fields": {
  2468. "index_prefix": "wazuh-alerts-3.x-"
  2469. },
  2470. "event": {
  2471. "module": "wazuh",
  2472. "dataset": "wazuh.alerts"
  2473. },
  2474. "host": {
  2475. "name": "ssl"
  2476. }
  2477. }
  2478. 2020-05-27T16:30:00.810+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2479. 2020-05-27T16:30:01.791+0800 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":4}},"total":{"ticks":80,"time":{"ms":7},"value":80},"user":{"ticks":70,"time":{"ms":3}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":12},"info":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","uptime":{"ms":60028}},"memstats":{"gc_next":9497024,"memory_alloc":7055304,"memory_total":16973592},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":27,"added":35,"done":8},"harvester":{"files":{"f4dc1e0f-d51b-4b78-a4ed-ecd2b6df521f":{"last_event_published_time":"2020-05-27T16:30:00.810Z","last_event_timestamp":"2020-05-27T16:30:00.810Z","read_offset":67069,"size":13752}},"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"batches":1,"dropped":8,"total":8}},"pipeline":{"clients":1,"events":{"active":27,"published":35,"total":35},"queue":{"acked":8}}},"registrar":{"states":{"current":1,"update":8},"writes":{"success":1,"total":1}},"system":{"load":{"1":0.6,"15":0.35,"5":0.21,"norm":{"1":0.6,"15":0.35,"5":0.21}}}}}}
  2480. 2020-05-27T16:30:01.795+0800 DEBUG [input] input/input.go:152 Run input
  2481. 2020-05-27T16:30:01.795+0800 DEBUG [input] log/input.go:191 Start next scan
  2482. 2020-05-27T16:30:01.795+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  2483. 2020-05-27T16:30:01.795+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5835038
  2484. 2020-05-27T16:30:01.795+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  2485. 2020-05-27T16:30:01.795+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  2486. 2020-05-27T16:30:01.818+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2487. 2020-05-27T16:30:01.818+0800 DEBUG [elasticsearch] elasticsearch/client.go:217 PublishEvents: 27 events have been published to elasticsearch in 8.0029ms.
  2488. 2020-05-27T16:30:01.818+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223034b7d4, ext:59048799301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5783413},"message":"{\"timestamp\":\"2020-05-27T16:29:59.133+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/dash\",\"id\":\"80792\",\"firedtimes\":399,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5234324\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.181:123774): arch=c000003e syscall=59 success=yes exit=0 a0=55816a2aec46 a1=7ffc70cf4980 a2=55816a2aec60 a3=7ffc70cf4a20 items=2 ppid=1501 pid=1502 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"sh\\\" exe=\\\"/bin/dash\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.181:123774): argc=3 a0=\\\"/bin/sh\\\" a1=\\\"-c\\\" a2=2F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E73682020262620206563686F20737563636573736564203E3E202F686F6D652F6465766E65742F6C6F672F6D6F69746F722E6C6F67 type=CWD msg=audit(1590568201.181:123774): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.181:123774): item=0 name=\\\"/bin/sh\\\" inode=5111828 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.181:123774): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.181:123774): proctitle=2F62696E2F7368002D63002F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E73682020262620206563686F20737563636573736564203E3E202F686F6D652F6465766E65742F6C6F672F6D6F69746F722E6C6F67\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123774\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1501\",\"pid\":\"1502\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"sh\",\"exe\":\"/bin/dash\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/bin/sh\",\"a1\":\"-c\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/sh\",\"inode\":\"5111828\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5785664, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2489. 2020-05-27T16:30:01.818+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba72230377b40, ext:59048980301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5785664},"message":"{\"timestamp\":\"2020-05-27T16:29:59.135+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/bash\",\"id\":\"80792\",\"firedtimes\":400,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5236403\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123775): arch=c000003e syscall=59 success=yes exit=0 a0=564c1f4e4c08 a1=564c1f4e4c48 a2=564c1f4e4c58 a3=7f75fc13c810 items=3 ppid=1502 pid=1503 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"monitoring_slav\\\" exe=\\\"/bin/bash\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123775): argc=2 a0=\\\"/bin/bash\\\" a1=\\\"/home/devnet/bin/monitoring_slave.sh\\\" type=CWD msg=audit(1590568201.185:123775): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123775): item=0 name=\\\"/home/devnet/bin/monitoring_slave.sh\\\" inode=898433027 dev=08:00 mode=0100755 ouid=1006 ogid=1002 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123775): item=1 name=\\\"/bin/bash\\\" inode=5111810 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123775): item=2 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123775): proctitle=2F62696E2F62617368002F686F6D652F6465766E65742F62696E2F6D6F6E69746F72696E675F736C6176652E7368\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123775\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1502\",\"pid\":\"1503\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"monitoring_slav\",\"exe\":\"/bin/bash\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/bin/bash\",\"a1\":\"/home/devnet/bin/monitoring_slave.sh\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/home/devnet/bin/monitoring_slave.sh\",\"inode\":\"898433027\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5788015, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2490. 2020-05-27T16:30:01.818+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223038c0a4, ext:59049063601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5788015},"message":"{\"timestamp\":\"2020-05-27T16:29:59.137+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":401,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5238580\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123776): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0460 a1=5645f36c0a00 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1504 pid=1506 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123776): argc=3 a0=\\\"grep\\\" a1=\\\"lotus-slave:0\\\" a2=\\\"/home/devnet/log/filGuard.out\\\" type=CWD msg=audit(1590568201.185:123776): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123776): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123776): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123776): proctitle=67726570006C6F7475732D736C6176653A30002F686F6D652F6465766E65742F6C6F672F66696C47756172642E6F7574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123776\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1504\",\"pid\":\"1506\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"lotus-slave:0\",\"a2\":\"/home/devnet/log/filGuard.out\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5790086, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2491. 2020-05-27T16:30:01.818+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303a5eb4, ext:59049169701, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5790086},"message":"{\"timestamp\":\"2020-05-27T16:29:59.139+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":402,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5240487\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.185:123777): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c05f0 a1=5645f36c08a0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1504 pid=1507 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.185:123777): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.185:123777): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.185:123777): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.185:123777): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.185:123777): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123777\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1504\",\"pid\":\"1507\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5791977, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2492. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303b77f4, ext:59049241601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5791977},"message":"{\"timestamp\":\"2020-05-27T16:29:59.141+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":403,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5242206\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.193:123778): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0850 a1=5645f36c0b00 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1508 pid=1510 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.193:123778): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.193:123778): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.193:123778): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.193:123778): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.193:123778): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123778\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1508\",\"pid\":\"1510\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5793868, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2493. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303c8c20, ext:59049312301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5793868},"message":"{\"timestamp\":\"2020-05-27T16:29:59.143+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":404,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5243925\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.193:123779): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c06c0 a1=5645f36c0cb0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1508 pid=1509 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.193:123779): argc=3 a0=\\\"grep\\\" a1=\\\"lotus-poster:0\\\" a2=\\\"/home/devnet/log/filGuard.out\\\" type=CWD msg=audit(1590568201.193:123779): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.193:123779): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.193:123779): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.193:123779): proctitle=67726570006C6F7475732D706F737465723A30002F686F6D652F6465766E65742F6C6F672F66696C47756172642E6F7574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123779\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1508\",\"pid\":\"1509\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"lotus-poster:0\",\"a2\":\"/home/devnet/log/filGuard.out\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5795943, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2494. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303d8490, ext:59049375901, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5795943},"message":"{\"timestamp\":\"2020-05-27T16:29:59.145+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/ps\",\"id\":\"80792\",\"firedtimes\":405,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5245836\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123780): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0d10 a1=5645f36c0ff0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1512 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"ps\\\" exe=\\\"/bin/ps\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123780): argc=2 a0=\\\"ps\\\" a1=\\\"-ef\\\" type=CWD msg=audit(1590568201.201:123780): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123780): item=0 name=\\\"/bin/ps\\\" inode=5111868 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123780): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123780): proctitle=7073002D6566\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123780\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1512\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"ps\",\"exe\":\"/bin/ps\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"ps\",\"a1\":\"-ef\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/ps\",\"inode\":\"5111868\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5797818, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2495. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303e92e0, ext:59049445101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5797818},"message":"{\"timestamp\":\"2020-05-27T16:29:59.147+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":406,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5247539\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123781): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0c10 a1=5645f36c11f0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1513 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123781): argc=3 a0=\\\"grep\\\" a1=\\\"-w\\\" a2=\\\"lotus-slave-miner\\\" type=CWD msg=audit(1590568201.201:123781): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123781): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123781): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123781): proctitle=67726570002D77006C6F7475732D736C6176652D6D696E6572\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123781\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1513\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-w\",\"a2\":\"lotus-slave-miner\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5799797, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2496. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722303fd9d4, ext:59049528901, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5799797},"message":"{\"timestamp\":\"2020-05-27T16:29:59.151+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/wc\",\"id\":\"80792\",\"firedtimes\":407,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5249354\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123782): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0dc0 a1=5645f36c1070 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1515 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"wc\\\" exe=\\\"/usr/bin/wc\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123782): argc=2 a0=\\\"wc\\\" a1=\\\"-l\\\" type=CWD msg=audit(1590568201.201:123782): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123782): item=0 name=\\\"/usr/bin/wc\\\" inode=1048881 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123782): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123782): proctitle=7763002D6C\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123782\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1515\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"wc\",\"exe\":\"/usr/bin/wc\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"wc\",\"a1\":\"-l\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/wc\",\"inode\":\"1048881\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5801688, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2497. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223040d1e0, ext:59049592301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5801688},"message":"{\"timestamp\":\"2020-05-27T16:29:59.153+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":408,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5251073\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.201:123783): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c0c20 a1=5645f36c1170 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1511 pid=1514 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.201:123783): argc=3 a0=\\\"grep\\\" a1=\\\"-v\\\" a2=\\\"grep\\\" type=CWD msg=audit(1590568201.201:123783): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.201:123783): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.201:123783): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.201:123783): proctitle=67726570002D760067726570\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123783\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1511\",\"pid\":\"1514\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"-v\",\"a2\":\"grep\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5803615, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2498. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223041cd70, ext:59049656701, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5803615},"message":"{\"timestamp\":\"2020-05-27T16:29:59.155+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: \",\"id\":\"80792\",\"firedtimes\":409,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5252836\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.217:123784): arch=c000003e syscall=59 per=400000 success=yes exit=0 a0=5645f36c1c90 a1=5645f36beed0 a2=5645f36bd850 a3=8 items=2 ppid=1503 pid=1516 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"lotus-slave-min\\\" exe=\\\"/tank1/devnet/bin/lotus-slave-miner\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.217:123784): argc=2 a0=\\\"/home/devnet/bin/lotus-slave-miner\\\" a1=\\\"info\\\" type=CWD msg=audit(1590568201.217:123784): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.217:123784): item=0 name=\\\"/home/devnet/bin/lotus-slave-miner\\\" inode=896729129 dev=08:00 mode=0100750 ouid=1006 ogid=1002 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.217:123784): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.217:123784): proctitle=2F686F6D652F6465766E65742F62696E2F6C6F7475732D736C6176652D6D696E657200696E666F\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123784\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/home/devnet/bin/lotus-slave-miner\",\"a1\":\"info\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/home/devnet/bin/lotus-slave-miner\",\"inode\":\"896729129\",\"mode\":\"0100750\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5805443, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2499. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223043314c, ext:59049747801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5805443},"message":"{\"timestamp\":\"2020-05-27T16:29:59.157+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/getconf\",\"id\":\"80792\",\"firedtimes\":410,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5254435\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.225:123785): arch=c000003e syscall=59 success=yes exit=0 a0=c000052b00 a1=c0001e4b80 a2=c0000ba8c0 a3=8 items=2 ppid=1516 pid=1522 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"getconf\\\" exe=\\\"/usr/bin/getconf\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.225:123785): argc=2 a0=\\\"/usr/bin/getconf\\\" a1=\\\"CLK_TCK\\\" type=CWD msg=audit(1590568201.225:123785): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.225:123785): item=0 name=\\\"/usr/bin/getconf\\\" inode=1048667 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.225:123785): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.225:123785): proctitle=2F7573722F62696E2F676574636F6E6600434C4B5F54434B\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123785\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1516\",\"pid\":\"1522\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"getconf\",\"exe\":\"/usr/bin/getconf\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/bin/getconf\",\"a1\":\"CLK_TCK\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/getconf\",\"inode\":\"1048667\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5807428, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2500. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba72230444640, ext:59049818701, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5807428},"message":"{\"timestamp\":\"2020-05-27T16:29:59.159+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":411,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5256248\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123786): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2050 a1=5645f36c2390 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1529 pid=1531 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123786): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.285:123786): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123786): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123786): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123786): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123786\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1529\",\"pid\":\"1531\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5809353, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2501. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304543c4, ext:59049883601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5809353},"message":"{\"timestamp\":\"2020-05-27T16:29:59.162+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":412,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5258001\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123787): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c1f40 a1=5645f36c2290 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1529 pid=1532 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123787): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024327D type=CWD msg=audit(1590568201.285:123787): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123787): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123787): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123787): proctitle=61776B007B207072696E742024327D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123787\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1529\",\"pid\":\"1532\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5811282, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2502. 2020-05-27T16:30:01.819+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304636bc, ext:59049945801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5811282},"message":"{\"timestamp\":\"2020-05-27T16:29:59.164+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":413,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5259750\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123788): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2070 a1=5645f36c23b0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1533 pid=1535 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123788): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.285:123788): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123788): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123788): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123788): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123788\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1533\",\"pid\":\"1535\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5813207, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2503. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba72230472f90, ext:59050009501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5813207},"message":"{\"timestamp\":\"2020-05-27T16:29:59.167+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":414,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5261503\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.285:123789): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c1f60 a1=5645f36c22b0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1533 pid=1536 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.285:123789): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024347D type=CWD msg=audit(1590568201.285:123789): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.285:123789): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.285:123789): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.285:123789): proctitle=61776B007B207072696E742024347D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123789\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1533\",\"pid\":\"1536\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5815136, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2504. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223048b5cc, ext:59050109401, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5815136},"message":"{\"timestamp\":\"2020-05-27T16:29:59.169+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":415,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5263252\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123790): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2310 a1=5645f36c2670 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1539 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123790): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit1\\\" type=CWD msg=audit(1590568201.289:123790): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123790): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123790): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123790): proctitle=6772657000507265436F6D6D697431\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123790\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1539\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit1\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5817061, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2505. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304a2d30, ext:59050205501, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5817061},"message":"{\"timestamp\":\"2020-05-27T16:29:59.171+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":416,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5265005\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123791): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2340 a1=5645f36c2620 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1540 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123791): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024357D type=CWD msg=audit(1590568201.289:123791): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123791): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123791): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123791): proctitle=61776B007B207072696E742024357D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123791\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1540\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5818990, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2506. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304b7e4c, ext:59050291801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5818990},"message":"{\"timestamp\":\"2020-05-27T16:29:59.173+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":417,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5266754\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.289:123792): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2170 a1=5645f36c2700 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1537 pid=1541 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.289:123792): argc=3 a0=\\\"tr\\\" a1=\\\"-cd\\\" a2=\\\"[0-9]\\\" type=CWD msg=audit(1590568201.289:123792): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.289:123792): item=0 name=\\\"/usr/bin/tr\\\" inode=1048852 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.289:123792): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.289:123792): proctitle=7472002D6364005B302D395D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123792\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1537\",\"pid\":\"1541\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"tr\",\"a1\":\"-cd\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/tr\",\"inode\":\"1048852\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5820910, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2507. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304cc414, ext:59050375201, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5820910},"message":"{\"timestamp\":\"2020-05-27T16:29:59.175+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":418,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5268523\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123793): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2320 a1=5645f36c2680 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1544 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123793): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit2\\\" type=CWD msg=audit(1590568201.293:123793): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123793): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123793): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123793): proctitle=6772657000507265436F6D6D697432\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123793\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1544\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit2\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5822835, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2508. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304dba90, ext:59050438301, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5822835},"message":"{\"timestamp\":\"2020-05-27T16:29:59.177+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":419,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5270276\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123794): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2180 a1=5645f36c2710 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1546 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123794): argc=3 a0=\\\"tr\\\" a1=\\\"-cd\\\" a2=\\\"[0-9]\\\" type=CWD msg=audit(1590568201.293:123794): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123794): item=0 name=\\\"/usr/bin/tr\\\" inode=1048852 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123794): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123794): proctitle=7472002D6364005B302D395D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123794\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1546\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"tr\",\"a1\":\"-cd\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/tr\",\"inode\":\"1048852\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5824755, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2509. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722304eb7b0, ext:59050503101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5824755},"message":"{\"timestamp\":\"2020-05-27T16:29:59.179+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":420,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5272045\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123795): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2350 a1=5645f36c2630 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1542 pid=1545 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123795): argc=2 a0=\\\"awk\\\" a1=7B207072696E742024327D type=CWD msg=audit(1590568201.293:123795): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123795): item=0 name=\\\"/usr/bin/awk\\\" inode=1048722 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123795): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123795): proctitle=61776B007B207072696E742024327D\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123795\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1542\",\"pid\":\"1545\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"awk\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/bin/awk\",\"inode\":\"1048722\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5826684, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2510. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba722305008cc, ext:59050589401, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5826684},"message":"{\"timestamp\":\"2020-05-27T16:29:59.182+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/grep\",\"id\":\"80792\",\"firedtimes\":421,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5273794\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123796): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2340 a1=5645f36c26a0 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1549 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"grep\\\" exe=\\\"/bin/grep\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.293:123796): argc=2 a0=\\\"grep\\\" a1=\\\"PreCommit2\\\" type=CWD msg=audit(1590568201.293:123796): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.293:123796): item=0 name=\\\"/bin/grep\\\" inode=5111871 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.293:123796): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.293:123796): proctitle=6772657000507265436F6D6D697432\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123796\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1549\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"grep\",\"exe\":\"/bin/grep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"grep\",\"a1\":\"PreCommit2\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/grep\",\"inode\":\"5111871\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5828609, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2511. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba72230510970, ext:59050655101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5828609},"message":"{\"timestamp\":\"2020-05-27T16:29:59.183+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/mawk\",\"id\":\"80792\",\"firedtimes\":422,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5275547\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123797): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c2370 a1=5645f36c2650 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1550 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"awk\\\" exe=\\\"/usr/bin/mawk\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123797\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1550\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"awk\",\"exe\":\"/usr/bin/mawk\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5829728, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2512. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba72230526edc, ext:59050746601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5829728},"message":"{\"timestamp\":\"2020-05-27T16:29:59.185+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/bin/tr\",\"id\":\"80792\",\"firedtimes\":423,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5276477\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.293:123798): arch=c000003e syscall=59 success=yes exit=0 a0=5645f36c21a0 a1=5645f36c2730 a2=5645f36bd850 a3=5645f36b5010 items=2 ppid=1547 pid=1551 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"tr\\\" exe=\\\"/usr/bin/tr\\\" key=\\\"audit-wazuh-c\\\"\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123798\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1547\",\"pid\":\"1551\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"tr\",\"exe\":\"/usr/bin/tr\",\"key\":\"audit-wazuh-c\"}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5830839, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2513. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223053a75c, ext:59050826601, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5830839},"message":"{\"timestamp\":\"2020-05-27T16:29:59.208+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/sbin/sendmail\",\"id\":\"80792\",\"firedtimes\":424,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5277399\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.297:123799): arch=c000003e syscall=59 success=yes exit=0 a0=7ffc70cf4b30 a1=7ffc70cf45a0 a2=7ffc70cf64e0 a3=7faa9d714330 items=2 ppid=1501 pid=1552 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4370 comm=\\\"sendmail\\\" exe=\\\"/usr/sbin/sendmail\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.297:123799): argc=6 a0=\\\"/usr/sbin/sendmail\\\" a1=\\\"-i\\\" a2=\\\"-FCronDaemon\\\" a3=\\\"-B8BITMIME\\\" a4=\\\"-oem\\\" a5=\\\"devnet\\\" type=CWD msg=audit(1590568201.297:123799): cwd=\\\"/tank1/devnet\\\" type=PATH msg=audit(1590568201.297:123799): item=0 name=\\\"/usr/sbin/sendmail\\\" inode=1063910 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.297:123799): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.297:123799): proctitle=2F7573722F7362696E2F73656E646D61696C002D69002D4643726F6E4461656D6F6E002D42384249544D494D45002D6F656D006465766E6574\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123799\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1501\",\"pid\":\"1552\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"sendmail\",\"exe\":\"/usr/sbin/sendmail\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/sbin/sendmail\",\"a1\":\"-i\",\"a2\":\"-FCronDaemon\",\"a3\":\"-B8BITMIME\",\"a4\":\"-oem\",\"a5\":\"devnet\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/usr/sbin/sendmail\",\"inode\":\"1063910\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5833041, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2514. 2020-05-27T16:30:01.820+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfaba7223054c54c, ext:59050899801, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","hostname":"ssl","id":"a68a467d-986d-4ce6-8bd1-6df07e58045b","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":5833041},"message":"{\"timestamp\":\"2020-05-27T16:29:59.210+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /usr/sbin/postdrop\",\"id\":\"80792\",\"firedtimes\":425,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590568199.5279461\",\"full_log\":\"type=SYSCALL msg=audit(1590568201.301:123800): arch=c000003e syscall=59 success=yes exit=0 a0=55e2c4a13cd0 a1=55e2c4a13d00 a2=55e2c4a143a0 a3=e items=2 ppid=1552 pid=1553 auid=1006 uid=1006 gid=1002 euid=1006 suid=1006 fsuid=1006 egid=115 sgid=115 fsgid=115 tty=(none) ses=4370 comm=\\\"postdrop\\\" exe=\\\"/usr/sbin/postdrop\\\" key=\\\"audit-wazuh-c\\\" type=EXECVE msg=audit(1590568201.301:123800): argc=2 a0=\\\"/usr/sbin/postdrop\\\" a1=\\\"-r\\\" type=CWD msg=audit(1590568201.301:123800): cwd=\\\"/var/spool/postfix\\\" type=PATH msg=audit(1590568201.301:123800): item=0 name=\\\"/usr/sbin/postdrop\\\" inode=1063894 dev=103:02 mode=0102555 ouid=0 ogid=115 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1590568201.301:123800): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=6291858 dev=103:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1590568201.301:123800): proctitle=2F7573722F7362696E2F706F737464726F70002D72\",\"decoder\":{\"parent\":\"auditd\",\"name\":\"auditd\"},\"data\":{\"audit\":{\"type\":\"SYSCALL\",\"id\":\"123800\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"1552\",\"pid\":\"1553\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"115\",\"sgid\":\"115\",\"fsgid\":\"115\",\"tty\":\"(none)\",\"session\":\"4370\",\"command\":\"postdrop\",\"exe\":\"/usr/sbin/postdrop\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"/usr/sbin/postdrop\",\"a1\":\"-r\"},\"cwd\":\"/var/spool/postfix\",\"file\":{\"name\":\"/usr/sbin/postdrop\",\"inode\":\"1063894\",\"mode\":\"0102555\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000417ba0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:5835038, Timestamp:time.Time{wall:0xbfaba715ef4fabe4, ext:10033788501, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x4071abe, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.27||/d{yyyy.MM.dd|UTC}}>"}
  2515. 2020-05-27T16:30:01.821+0800 DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [3: 0, 27]
  2516. 2020-05-27T16:30:01.821+0800 DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=27, start-seq=25, end-seq=51
  2517.  
  2518. 2020-05-27T16:30:01.821+0800 DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:27
  2519. 2020-05-27T16:30:01.821+0800 DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
  2520. 2020-05-27T16:30:01.821+0800 DEBUG [acker] beater/acker.go:64 stateful ack {"count": 27}
  2521. 2020-05-27T16:30:01.821+0800 DEBUG [registrar] registrar/registrar.go:356 Processing 27 events
  2522. 2020-05-27T16:30:01.821+0800 DEBUG [registrar] registrar/registrar.go:326 Registrar state updates processed. Count: 27
  2523. 2020-05-27T16:30:01.821+0800 DEBUG [registrar] registrar/registrar.go:411 Write registry file: /var/lib/filebeat/registry/filebeat/data.json (1)
  2524. 2020-05-27T16:30:01.831+0800 DEBUG [registrar] registrar/registrar.go:404 Registry file updated. 1 states written.
  2525. 2020-05-27T16:30:03.818+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2526. 2020-05-27T16:30:07.819+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2527. 2020-05-27T16:30:11.795+0800 DEBUG [input] input/input.go:152 Run input
  2528. 2020-05-27T16:30:11.795+0800 DEBUG [input] log/input.go:191 Start next scan
  2529. 2020-05-27T16:30:11.795+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  2530. 2020-05-27T16:30:11.795+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5835038
  2531. 2020-05-27T16:30:11.795+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  2532. 2020-05-27T16:30:11.795+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  2533. 2020-05-27T16:30:15.819+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2534. 2020-05-27T16:30:21.795+0800 DEBUG [input] input/input.go:152 Run input
  2535. 2020-05-27T16:30:21.796+0800 DEBUG [input] log/input.go:191 Start next scan
  2536. 2020-05-27T16:30:21.796+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  2537. 2020-05-27T16:30:21.796+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5835038
  2538. 2020-05-27T16:30:21.796+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  2539. 2020-05-27T16:30:21.796+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  2540. 2020-05-27T16:30:25.819+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2541. 2020-05-27T16:30:31.801+0800 DEBUG [input] input/input.go:152 Run input
  2542. 2020-05-27T16:30:31.801+0800 DEBUG [input] log/input.go:191 Start next scan
  2543. 2020-05-27T16:30:31.801+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  2544. 2020-05-27T16:30:31.801+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5835038
  2545. 2020-05-27T16:30:31.801+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  2546. 2020-05-27T16:30:31.801+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
  2547. 2020-05-27T16:30:31.802+0800 INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":10,"time":{"ms":1}},"total":{"ticks":90,"time":{"ms":9},"value":90},"user":{"ticks":80,"time":{"ms":8}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":12},"info":{"ephemeral_id":"28051190-6424-4701-ab5a-f4207bbd229f","uptime":{"ms":90039}},"memstats":{"gc_next":10346144,"memory_alloc":5195144,"memory_total":18092016,"rss":503808},"runtime":{"goroutines":27}},"filebeat":{"events":{"active":-27,"done":27},"harvester":{"files":{"f4dc1e0f-d51b-4b78-a4ed-ecd2b6df521f":{"size":67069}},"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"batches":1,"dropped":27,"total":27}},"pipeline":{"clients":1,"events":{"active":0},"queue":{"acked":27}}},"registrar":{"states":{"current":1,"update":27},"writes":{"success":1,"total":1}},"system":{"load":{"1":0.36,"15":0.34,"5":0.19,"norm":{"1":0.36,"15":0.34,"5":0.19}}}}}}
  2548. 2020-05-27T16:30:35.819+0800 DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
  2549. 2020-05-27T16:30:41.802+0800 DEBUG [input] input/input.go:152 Run input
  2550. 2020-05-27T16:30:41.802+0800 DEBUG [input] log/input.go:191 Start next scan
  2551. 2020-05-27T16:30:41.802+0800 DEBUG [input] log/input.go:421 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
  2552. 2020-05-27T16:30:41.802+0800 DEBUG [input] log/input.go:511 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 5835038
  2553. 2020-05-27T16:30:41.802+0800 DEBUG [input] log/input.go:563 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
  2554. 2020-05-27T16:30:41.802+0800 DEBUG [input] log/input.go:212 input states cleaned up. Before: 1, After: 1, Pending: 0
Advertisement
RAW Paste Data Copied