Wazuh: Custom Rules For Ubiquiti WiFi Log Monitoring

by Sebastian Müller

Hey guys! Let's dive into setting up a custom decoder and rules in Wazuh for Ubiquiti WiFi log events. This is super useful for monitoring your network's security and spotting potential issues, like excessive WPA authentication failures. We'll break down the process step by step, making it easy to follow along.

Understanding the Goal

So, the main objective here is to create a Wazuh setup that can detect when there are two or more WPA authentication failures within a minute. To achieve this, we'll need to:

  1. Parse the Logs: Use a custom decoder to extract the relevant fields from the Ubiquiti WiFi logs, specifically the failure count and client MAC reported by wpa_auth_failures events.
  2. Create Rules: Develop one Wazuh rule that fires when a single event reports a failure count of two or more, and a second, correlation rule that raises the level when that happens twice within the specified timeframe (one minute).

Step-by-Step Guide

1. Analyzing the Ubiquiti WiFi Logs

First things first, let's take a look at those Ubiquiti WiFi logs. Understanding the log format is crucial for writing an effective decoder. From the provided log file (Wifi.logs.txt), we can see that the logs contain key-value pairs. This is excellent news because Wazuh decoders are fantastic at parsing this kind of data. Key-value pairs make it easier to extract specific fields, like the number of WPA authentication failures. Identifying the structure of these logs is the first step to creating a robust monitoring system.

Let’s consider a sample log entry. A typical log entry might look something like this:

<134>Oct 26 10:00:00 UAP-AC-LR-1 kernel: [1387451.234567] event_type=wpa_auth_failures event_description=WPA authentication failure count=2 mac=xx:xx:xx:xx:xx:xx

From this, we can identify key fields such as event_type, event_description, count, and mac. Our decoder will need to extract these fields to make them available for rule processing. It’s essential to pinpoint the specific fields you want to monitor. In this case, wpa_auth_failures and the associated count are crucial for our objective. By carefully examining the logs, we can create a decoder that accurately parses the information.

2. Crafting the Custom Decoder

Now, let's create a custom decoder in Wazuh to parse these logs. Decoders are like the translators of Wazuh, taking raw log data and turning it into something Wazuh can understand. We'll create an XML file for our decoder. This file will define how to extract the wpa_auth_failures field from the logs. The decoder works by matching patterns in the log messages and extracting the relevant data. It's like setting up a specific filter that only catches the information we need.

Create a new decoder file, for example, ubiquiti_wifi_decoder.xml, in the /var/ossec/etc/decoders/ directory. Here’s an example of what the decoder might look like:

<!-- /var/ossec/etc/decoders/ubiquiti_wifi_decoder.xml -->
<decoder name="ubiquiti-wifi">
  <!-- Wazuh strips the syslog header (timestamp, hostname, program name)
       before decoders run, so match the program name here and only the
       message body in prematch. -->
  <program_name>^kernel</program_name>
  <prematch>event_type=wpa_auth_failures</prematch>
</decoder>

<decoder name="ubiquiti-wifi-auth-fail">
  <parent>ubiquiti-wifi</parent>
  <!-- Wazuh's default OS_Regex syntax: \d+ for digits, \S+ for a run of
       non-space characters (it has no [^\s] character classes). -->
  <regex>event_type=wpa_auth_failures event_description=WPA authentication failure count=(\d+) mac=(\S+)</regex>
  <order>failures_count,mac</order>
</decoder>

Let's break this down:

  • The first decoder, ubiquiti-wifi, uses <program_name> and <prematch> tags. Wazuh's pre-decoder has already split off the syslog header by the time custom decoders run, so the hostname (UAP-AC-LR-1) and the "kernel:" prefix are not part of the text that <prematch> sees; they are exposed as the hostname and program_name fields instead. <program_name> limits the decoder to kernel messages and <prematch> cheaply checks for event_type=wpa_auth_failures, which keeps the more expensive regex in the child decoder from running against every log line. If you want to limit alerts to one access point, do that in a rule with a <hostname> tag rather than in the decoder.
  • The second decoder, ubiquiti-wifi-auth-fail, is a child decoder that only runs when the parent (ubiquiti-wifi) has matched. Its <regex> tag extracts the failure count and MAC address from the message. Note that Wazuh interprets <regex> with its own OS_Regex syntax by default, which supports \d, \s, \S, \w, ., *, + and capture groups but not PCRE character classes like [^\s]; if you prefer PCRE syntax, add type="pcre2" to the <regex> tag (Wazuh 4.2 and later).
  • The <order> tag names the captured groups, in order, failures_count and mac. These are the field names you reference from the rules.

3. Developing the Wazuh Rule

With the decoder in place, we can now create a Wazuh rule to trigger an alert when the number of wpa_auth_failures is two or more within one minute. Rules are the brains of the operation, telling Wazuh what to look for and how to react. We'll define a rule that monitors the failures_count field extracted by our decoder and triggers an alert if it meets our criteria. This involves creating an XML rule file that specifies the conditions for triggering an alert.

Create a new rule file, for example, ubiquiti_wifi_rules.xml, in the /var/ossec/etc/rules/ directory. Custom rule IDs must be 100000 or higher so they don't collide with the shipped ruleset. Here’s an example rule set that achieves this:

<!-- /var/ossec/etc/rules/ubiquiti_wifi_rules.xml -->
<group name="ubiquiti_wifi,">
  <rule id="100100" level="3">
    <decoded_as>ubiquiti-wifi-auth-fail</decoded_as>
    <!-- <field> has no numeric comparison operators; the value is a string,
         so "two or more" is expressed as a PCRE2 pattern: 2-9, or 2+ digits. -->
    <field name="failures_count" type="pcre2">^(?:[2-9]|\d{2,})$</field>
    <description>Multiple WPA authentication failures detected.</description>
  </rule>

  <rule id="100101" level="7" frequency="2" timeframe="60">
    <!-- frequency rules reference the earlier rule with if_matched_sid -->
    <if_matched_sid>100100</if_matched_sid>
    <!-- optional: only correlate failures coming from the same client
         <same_field>mac</same_field> -->
    <description>Multiple WPA authentication failures within 1 minute.</description>
  </rule>
</group>

Let's break this rule down:

  • The first rule, with `id=
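To sanity-check the decoder regex from section 2 and the threshold and correlation logic from section 3 before loading the XML into a manager, here is an added Python example. It is my own code, not from the post or from Wazuh: it mimics the pre-decoder (stripping the syslog header), the child decoder's regex, the PCRE2 pattern used by rule 100100, and a 60-second window for rule 100101, with an option that mirrors the commented-out <same_field>mac</same_field>. The log lines and MAC addresses are constructed for the example, and the window handling is a simplified approximation of Wazuh's frequency rules, not its implementation; the real check is still to restart wazuh-manager and paste a sample line into /var/ossec/bin/wazuh-logtest.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) in the shape shown in the post.
# Line 2 is below the threshold, line 6 is a different event type, line 7 is
# not a kernel message; the MACs are made up.
SAMPLE_LOGS = [
    "<134>Oct 26 10:00:00 UAP-AC-LR-1 kernel: [1387451.234567] event_type=wpa_auth_failures event_description=WPA authentication failure count=2 mac=aa:bb:cc:dd:ee:01",
    "<134>Oct 26 10:00:20 UAP-AC-LR-1 kernel: [1387471.111111] event_type=wpa_auth_failures event_description=WPA authentication failure count=1 mac=aa:bb:cc:dd:ee:02",
    "<134>Oct 26 10:00:45 UAP-AC-LR-1 kernel: [1387496.222222] event_type=wpa_auth_failures event_description=WPA authentication failure count=3 mac=aa:bb:cc:dd:ee:02",
    "<134>Oct 26 10:01:30 UAP-AC-LR-1 kernel: [1387541.333333] event_type=wpa_auth_failures event_description=WPA authentication failure count=4 mac=aa:bb:cc:dd:ee:02",
    "<134>Oct 26 10:03:00 UAP-AC-LR-1 kernel: [1387631.444444] event_type=wpa_auth_failures event_description=WPA authentication failure count=5 mac=aa:bb:cc:dd:ee:01",
    "<134>Oct 26 10:03:10 UAP-AC-LR-1 kernel: [1387641.555555] event_type=sta_connect mac=aa:bb:cc:dd:ee:03",
    "<134>Oct 26 10:03:20 UAP-AC-LR-1 hostapd: event_type=wpa_auth_failures count=9 mac=aa:bb:cc:dd:ee:04",
]

# Stand-in for Wazuh's pre-decoder: PRI, timestamp, hostname, program name, message.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s]+): (?P<log>.*)$"
)
# PCRE form of the child decoder's <regex>: capture count and MAC.
AUTH_FAIL_RE = re.compile(
    r"event_type=wpa_auth_failures event_description=WPA authentication failure "
    r"count=(\d+) mac=(\S+)"
)
# Exactly the pattern used in rule 100100's <field>: "2 or more" as a string test.
TWO_OR_MORE_RE = re.compile(r"^(?:[2-9]|\d{2,})$")


def predecode(line):
    """Split the syslog header off; returns None for lines that aren't syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["timestamp"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S")
    return ev


def decode(line):
    """Mimic the ubiquiti-wifi (parent) and ubiquiti-wifi-auth-fail (child) decoders.

    The parent's <program_name>/<prematch> gate the event; the child's
    <regex>/<order> populate failures_count and mac. Returns None on no match."""
    ev = predecode(line)
    if ev is None or ev["program_name"] != "kernel":
        return None
    if "event_type=wpa_auth_failures" not in ev["log"]:
        return None
    m = AUTH_FAIL_RE.search(ev["log"])
    if not m:
        return None
    ev["decoder"] = "ubiquiti-wifi-auth-fail"
    ev["failures_count"], ev["mac"] = m.group(1), m.group(2)
    return ev


def evaluate(lines, frequency=2, timeframe=60, same_field=None):
    """Run rules 100100 and 100101 over lines in order; returns (rule_id, level, mac, n).

    100100 fires on each decoded event whose failures_count matches TWO_OR_MORE_RE.
    100101 fires once `frequency` 100100 alerts fall inside `timeframe` seconds.
    same_field="mac" keeps one window per client, like <same_field>mac</same_field>;
    None keeps a single window, like the rule without it."""
    alerts = []
    windows = {}
    for line in lines:
        ev = decode(line)
        if ev is None or not TWO_OR_MORE_RE.match(ev["failures_count"]):
            continue
        alerts.append((100100, 3, ev["mac"], int(ev["failures_count"])))
        key = ev[same_field] if same_field else None
        win = windows.setdefault(key, deque())
        win.append(ev["timestamp"])
        cutoff = ev["timestamp"] - timedelta(seconds=timeframe)
        while win and win[0] < cutoff:
            win.popleft()
        if len(win) >= frequency:
            alerts.append((100101, 7, ev["mac"], len(win)))
            win.clear()  # one burst yields one correlation alert in this model
    return alerts


if __name__ == "__main__":
    for label, kw in (("single window", {}), ("per-MAC window", {"same_field": "mac"})):
        print(label)
        for alert in evaluate(SAMPLE_LOGS, **kw):
            print("  rule %d level %d mac %s n=%d" % alert)
```

With a single window, the second and third qualifying events (different clients, 45 seconds apart) are enough to raise 100101; with same_field="mac" the correlation only fires once one client accumulates two qualifying events inside a minute. Which behaviour you want depends on whether you're looking for a brute-force against one station or a burst of failures across the whole AP.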