├── local_rules.xml
├── 1001-mikrotik_decoders.xml
├── script.rsc
└── README.md


/local_rules.xml:
--------------------------------------------------------------------------------
 1 | <group name="mikrotik">
 2 |   <rule id="100001" level="10">
 3 |     <decoded_as>mikrotik_log</decoded_as>
 4 |     <description>Mikrotik log: $(type) $(target) $(action) by $(username) from $(srcip): $(rule_details)</description>
 5 |   </rule>
 6 |   
 7 |   <rule id="100002" level="12">
 8 |     <decoded_as>user_login</decoded_as>
 9 |     <description>Mikrotik log: User $(username) logged $(action) from $(srcip) via $(access_method)</description>
10 |   </rule>
11 |   
12 |   <rule id="100003" level="11">
13 |     <decoded_as>user_login_failure</decoded_as>
14 |     <description>Mikrotik log: Login failure for user $(username) from $(srcip) via $(access_method)</description>
15 |   </rule>
16 | 
17 |   <rule id="100004" level="10">
18 |     <decoded_as>wireguard</decoded_as>
19 |     <description>Mikrotik log: Wireguard user $(username) logged $(action) from $(srcip)</description>
20 |   </rule>
21 | 
22 |   <rule id="100005" level="10">
23 |     <decoded_as>ovpn</decoded_as>
24 |     <description>Mikrotik log: $(action) logged, $(localip) from $(srcip)</description>
25 |   </rule>
26 | 
27 |   <rule id="100006" level="12">
28 |     <decoded_as>filter_rule_change</decoded_as>
29 |     <description>Mikrotik log: Filter rule $(action) by $(username) from $(srcip): $(rule_details)</description>
30 |   </rule>
31 | 
32 |   <rule id="100007" level="12">
33 |     <decoded_as>raw_rule_change</decoded_as>
34 |     <description>Mikrotik log: Raw rule $(action) by $(username) from $(srcip): $(rule_details)</description>
35 |   </rule>
36 | 
37 |   <rule id="100008" level="12">
38 |     <decoded_as>user_change</decoded_as>
39 |     <description>Mikrotik log: User $(newuser) $(action) by $(username) from $(srcip): $(rule_details)</description>
40 |   </rule>
41 | </group>
42 | 


--------------------------------------------------------------------------------
/1001-mikrotik_decoders.xml:
--------------------------------------------------------------------------------
 1 | <decoder name="user_login">
 2 |   <prematch>user (\S+) logged (\S+) from (\S+) via (\S+)</prematch>
 3 |   <regex type="pcre2">user (\S+) logged (\S+) from (\S+) via (\S+)</regex>
 4 |   <order>username, action, srcip, access_method</order>
 5 | </decoder>
 6 | 
 7 | <decoder name="user_login_failure">
 8 |   <prematch>login failure for user (\S+) from (\S+) via (\S+)</prematch>
 9 |   <regex type="pcre2">login failure for user (\S+) from (\S+) via (\S+)</regex>
10 |   <order>username, srcip, access_method</order>
11 | </decoder>
12 | 
13 | <decoder name="wireguard">
14 |   <prematch>wireguard user (\S+) logged (\S+) from (\S+)</prematch>
15 |   <regex type="pcre2">wireguard user (\S+) logged (\S+) from (\S+)</regex>
16 |   <order>username, action, srcip</order>
17 | </decoder>
18 | 
19 | <decoder name="ovpn">
20 |   <prematch>(\S+) logged (\S+), (\S+) from (\S+)</prematch>
21 |   <regex type="pcre2">(\S+) logged (\S+), (\S+) from (\S+)</regex>
22 |   <order>username, action, localip, srcip</order>
23 | </decoder>
24 | 
25 | <decoder name="filter_rule_change">
26 |   <prematch type="pcre2">filter rule (changed|removed|added) by</prematch>
27 |   <regex type="pcre2">filter rule (changed|removed|added) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
28 |   <order>action, username, srcip, rule_details</order>
29 | </decoder>
30 | 
31 | <decoder name="raw_rule_change">
32 |   <prematch type="pcre2">raw rule (changed|removed|added) by</prematch>
33 |   <regex type="pcre2">raw rule (changed|removed|added) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
34 |   <order>action, username, srcip, rule_details</order>
35 | </decoder>
36 | 
37 | <decoder name="user_change">
38 |   <prematch type="pcre2">user (\S+) (added|password changed|removed) by</prematch>
39 |   <regex type="pcre2">user (\S+) (added|password changed|removed) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
40 |   <order>action, newuser, username, srcip, rule_details</order>
41 | </decoder>
42 | 
43 | <decoder name="mikrotik_log">
44 |   <prematch type="pcre2">(\S+) (\S+) (\S+) by</prematch>
45 |   <regex type="pcre2">(\S+) (\S+) (\S+) by tcp-msg\(winbox\):(\S+)@(\S+) \((.*)\)</regex>
46 |   <order>type, target, action, username, srcip, rule_details</order>
47 | </decoder>
48 | 


--------------------------------------------------------------------------------
/script.rsc:
--------------------------------------------------------------------------------
 1 | # Wireguard Online Status
 2 | /system script
 3 | add dont-require-permissions=no name=WGPeerStatus owner=admin policy=\
 4 |     ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
 5 |     local interfaceName \"Wireguard\"\r\
 6 |     \n\r\
 7 |     \n:global OfflinePeerList\r\
 8 |     \n:global OnlinePeerList\r\
 9 |     \n\r\
10 |     \n:local OfflinePeerListTmp [ :toarray \"\" ]\r\
11 |     \n:local OnlinePeerListTmp [ :toarray \"\" ]\r\
12 |     \n\r\
13 |     \n#:log info \"Avvio script per monitorare i peer dell'interfaccia \$inter\
14 |     faceName\"\r\
15 |     \n\r\
16 |     \n:foreach peer in=[/interface wireguard peers find interface=\$interfaceN\
17 |     ame] do={\r\
18 |     \n    :set \$peerAddress [/interface wireguard peer get \$peer allowed-add\
19 |     res]\r\
20 |     \n    :set \$peerAddress  [:pick \$peerAddress 0 [:find \$peerAddress \"/\
21 |     \"]]\r\
22 |     \n    :local peerName [/interface wireguard peers get \$peer comment]\r\
23 |     \n    :local remoteIpAddress [/interface wireguard peers get \$peer curren\
24 |     t-endpoint-address]\r\
25 |     \n\r\
26 |     \n:if ( ([/interface wireguard peers get \$peer last-handshake] > 180) || \
27 |     ([:len [/interface/wireguard/peers/get \$peer last-handshake]] = 0)) do={ \
28 |     \r\
29 |     \n               :if ( \$OfflinePeerList~\"\$peerAddress(;|\\\$)\" ) do={\
30 |     \r\
31 |     \n                   #:log info \"\$peerName - \$peerAddress still Offline\
32 |     \"\r\
33 |     \n                   :set OfflinePeerListTmp ( \$OfflinePeerListTmp, \$pee\
34 |     rAddress );\r\
35 |     \n                } else={\r\
36 |     \n                    :log info \"wireguard user \$peerName logged out fro\
37 |     m \$remoteIpAddress\"\r\
38 |     \n                    :set OfflinePeerListTmp ( \$OfflinePeerListTmp, \$pe\
39 |     erAddress );\r\
40 |     \n                }\r\
41 |     \n            } else {\r\
42 |     \n              :if ( \$OnlinePeerList~\"\$peerAddress(;|\\\$)\" ) do={\r\
43 |     \n                   #:log info \"\$peerName - \$peerAddress still Online\
44 |     \"\r\
45 |     \n                   :set OnlinePeerListTmp ( \$OnlinePeerListTmp, \$peerA\
46 |     ddress );\r\
47 |     \n                } else={\r\
48 |     \n                    :log info \"wireguard user \$peerName logged in from\
49 |     \_\$remoteIpAddress\"\r\
50 |     \n                    :set OnlinePeerListTmp ( \$OnlinePeerListTmp, \$peer\
51 |     Address );\r\
52 |     \n                }\r\
53 |     \n            }\r\
54 |     \n}\r\
55 |     \n\r\
56 |     \n:set \$OfflinePeerList \$OfflinePeerListTmp\r\
57 |     \n:set \$OnlinePeerList \$OnlinePeerListTmp"
58 | 
59 | /system scheduler
60 | add interval=30s name=WGPeerCheck on-event="/system script run WGPeerStatus;" \
61 |     policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
62 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # WazuhMikrotik
 2 | 
 3 | This repository provides Wazuh decoders for Mikrotik and a script for monitoring Wireguard peers' login/logout activities.
 4 | 
 5 | **Tested on:**
 6 | - RouterOS 7.15.1
 7 | - Wazuh 4.8.0
 8 | 
 9 | ## 🚀 Setup Instructions
10 | 
11 | ### Step 1: Configure Wazuh Manager to Receive Syslog Messages
12 | 
13 | Follow the guide at [Wazuh Blog](https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/) to configure your Wazuh manager to receive Syslog messages.
14 | 
15 | ### Step 2: Deploy Mikrotik Decoders and Rules
16 | 
17 | 1. Copy `1001-mikrotik_decoders.xml` to the Wazuh decoders directory:
18 |     ```sh
19 |     cp /path/to/1001-mikrotik_decoders.xml /var/ossec/etc/decoders/1001-mikrotik_decoders.xml
20 |     ```
21 |     or if you are using Docker, run:
22 |     ```sh
23 |     docker cp /path/to/1001-mikrotik_decoders.xml single-node-wazuh.manager-1:/var/ossec/etc/decoders/1001-mikrotik_decoders.xml
24 |     ```
25 | 
26 | 2. Copy `local_rules.xml` to the Wazuh rules directory:
27 |     ```sh
28 |     cp /path/to/local_rules.xml /var/ossec/etc/rules/local_rules.xml
29 |     ```
30 |     or if you are using Docker, run:
31 |     ```sh
32 |     docker cp /path/to/local_rules.xml single-node-wazuh.manager-1:/var/ossec/etc/rules/local_rules.xml
33 |     ```
34 | 
35 | ### Step 3: Restart Wazuh
36 | 
37 | 1. Restart the Wazuh manager to apply the new configurations:
38 |     ```sh
39 |     systemctl restart wazuh-manager
40 |     ```
41 |     or if you are using Docker, run:
42 |     ```sh
43 |     docker restart single-node-wazuh.manager-1
44 |     ```
45 | 
46 | ### Step 4: Configure Mikrotik to Send Logs to Syslog Server (Wazuh)
47 | 
48 | 1. Configure the remote logging server:
49 |     ```sh
50 |     /system logging action add name=remote target=remote remote=YOUR_WAZUH_SERVER_IP
51 |     ```
52 | 
53 | 2. Add a logging rule to send all logs to the remote server:
54 |     ```sh
55 |     /system logging add action=remote topics=system
56 |     /system logging add action=remote topics=info
57 |     ```
58 | 
59 | Make sure to replace `YOUR_WAZUH_SERVER_IP` with the IP address of your Wazuh server.
60 | 
61 | ### Step 5: Monitor Wireguard Peers Activity
62 | 
63 | 1. Copy the script `script.rsc` from the repository to your Mikrotik device.
64 | 
65 | 2. Import and execute the script from the Mikrotik terminal:
66 |     ```sh
67 |     /import script.rsc
68 |     ```
69 | 
70 | ℹ️ **Note:** It is crucial to assign a unique comment to each Wireguard peer configured on your Mikrotik server. This comment acts as an identifier in the monitoring script and ensures accurate tracking of each peer's activity.
71 | 
72 | ## Author
73 | 
74 | 👤 **Giuseppe Trifilio**
75 | 
76 | * Website: https://github.com/angolo40/WazuhMikrotik
77 | * GitHub: [@angolo40](https://github.com/angolo40)
78 |   
79 | ## 🤝 Contributing
80 | 
81 | Contributions, issues, and feature requests are welcome! Feel free to check the [issues page](https://github.com/angolo40/WazuhMikrotik).
82 | 
83 | ## Show your support
84 | 
85 | Give a ⭐️ if this project helped you!
86 | 
87 | - **XMR**: `87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw`
88 | 


--------------------------------------------------------------------------------