teler-sh / teler

Real-time HTTP Intrusion Detection
https://teler.app
Apache License 2.0

[BUG] Unable to get teler to see log input #272

Closed 0xjmux closed 1 year ago

0xjmux commented 1 year ago

Describe the bug

I'm trying to follow this guide: https://wazuh.com/blog/detecting-web-attacks-using-wazuh-and-teler/, and have configured teler as mentioned there. I also attempted the curl teler.app install method mentioned on the wiki, no improvement there. No matter what I try, I cannot get teler to see the logs I want it to ingest.

To Reproduce

I have a vulnerable LAMP webapp (DVWA) configured on an Ubuntu 22.04 LTS server. Logs from this vulnerable instance show up in /var/log/apache2/access.log, and the tail command that precedes teler when I run

tail -f /var/log/apache2/access.log | teler -c /root/telerdir/teler.yaml 

works as expected. When I run that above command, I get the teler "analyzing" prompt and a mention of the dashboard (which I also can't access, although I'm not accessing that site as localhost from the machine so that might be expected behavior).

This is the whole teler config. I've only removed sections that weren't being used (commented out or active: false), but I directly followed the guide mentioned above when creating it.

Your teler config file...
# To write log format, see https://www.notion.so/kitabisa/Configuration-d7c8fab40366406591875bac631bef3f
log_format: |
 # $remote_addr $remote_user - [$time_local] "$request_method $request_uri $request_protocol" 
  $remote_addr - $remote_user [$time_local] "$request_method $request_uri $request_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent" 

rules:
  cache: true
  threat:
    excludes:
      # - "Common Web Attack"
      # - "CVE"
      # - "Bad IP Address"
      # - "Bad Referrer"
      # - "Bad Crawler"
      # - "Directory Bruteforce"

dashboard:
  active: true
  host: "localhost"
  port: 9080
  username: "wew"
  password: "w0w!"
  endpoint: "/events"

metrics:
  prometheus:
    active: false
    host: "localhost"
    port: 9099
    endpoint: "/metrics"

logs:
  file:
    active: true
    json: true
    path: "/var/log/teler/output.log"

Expected behavior

Teler alerts to show up either in console or in the log file I created for teler at /var/log/teler/output.log

Environment (please complete the following information):

Additional context

I would add output logs, but I can't find any. Let me know if you can spot something I'm doing wrong, or if this really is a bug. Thanks.

Edit: I should mention that you likely do not need to replicate the Wazuh side of that guide - from my testing the problem is narrowed down to teler itself, since Wazuh would read from the /var/log/teler/output.log file that teler's supposed to be writing to. Thanks.

dwisiswant0 commented 1 year ago

and the tail command that precedes teler when I run

tail -f /var/log/apache2/access.log | teler -c /root/telerdir/teler.yaml 

works as expected.

Since you're analyzing logs with stream buffers, you should try attack emulation at that point, because if the log format you wrote is wrong, the teler CLI will output "No logs analyzed, did you write log format correctly?".

0xjmux commented 1 year ago

Thanks for the response! I thought I mentioned it in the post, but I guess I didn't; I'm already running a nikto scan from a Kali VM against this endpoint, which is what I was trying to say with "Logs from this vulnerable instance show up in /var/log/apache2/access.log".

I'm getting that error when I exit, but my log format (as seen above) is directly copied off the teler wiki for parsing apache logs. Any ideas?

0xjmux commented 1 year ago

Ok, so turns out it was an error on my part.

I commented out the original log format in the response and then added the apache one (as you can see above). However, that commented line was in between the line_format: tag and the line format, which was causing issues.

I fixed my error, and logs are showing up now.

Thanks for your help!

dwisiswant0 commented 1 year ago

No prob!