Decoder Pre-match issue


Muhammad Ali Khan

3:17 AM (8 hours ago)
to Wazuh | Mailing List

I’m testing our Wazuh Meraki decoders and facing an overlap issue.

 MX decoder (works fine):

  • Prematch: ^\d+\.\d+\s+\S*_MX\S+
    This correctly matches only MX logs, because the device name contains _MX.

 Non-MX / AP decoder (problem):

  • Prematch: ^\d+\.\d+\s+\S+
    This prematch is too generic (\S+ matches anything), so it captures all logs, including MX logs, causing both decoders to match the same MX events and resulting in mixed/incorrect decoding.


Could you please guide me on the best approach to keep MX logs strictly decoded only by the MX decoder, while decoding all other Meraki logs separately without overlap?

Muhammad Ali Khan

3:31 AM (8 hours ago)
to Wazuh | Mailing List
For MX logs

<decoder name="meraki-mx">
    <prematch>\d+.\d+\s+\w+_MX\S+</prematch>
    <type>syslog</type>
</decoder>


For other logs except MX

<decoder name="meraki-ap">
    <prematch>\d+.\d+\s+\S+</prematch>
    <type>syslog</type>
</decoder>


Both are working well, but the issue is that MX logs are also decoded by <prematch>\d+.\d+\s+\S+</prematch>, so how do I fix it?

Hossam El Amraoui

3:53 AM (7 hours ago)
to Wazuh | Mailing List
Hello Muhammad Ali Khan,

I have successfully reproduced your case using your decoders and example logs:

```
root@wazuh-manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.2
Type one log per line

1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25'

**Phase 1: Completed pre-decoding.
        full event: '1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25''

**Phase 2: Completed decoding.
        name: 'meraki-ap'

1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53

**Phase 1: Completed pre-decoding.
        full event: '1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53'

**Phase 2: Completed decoding.
        name: 'meraki-ap'
```

The cleanest way to fix this is to use a PCRE2 regular expression. I will modify your generic decoder to specifically say: "Match any string, unless it contains _MX."

You need to change the <prematch> type to pcre2 and use a negative lookahead (?!). It looks ahead at the next word in that position. If that word contains _MX, the match fails immediately. The final decoder should look like the following:

```
<decoder name="meraki-ap">
    <prematch type="pcre2">^\d+\.\d+\s+(?![\S]*_MX)\S+</prematch>
    <type>syslog</type>
</decoder>

<decoder name="meraki-mx">
    <prematch>\d+.\d+\s+\S*_MX\S+</prematch>
    <type>syslog</type>
</decoder>
```

`wazuh-logtest` output:

```
root@wazuh-manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.2
Type one log per line

1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25'

**Phase 1: Completed pre-decoding.
        full event: '1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25''

**Phase 2: Completed decoding.
        name: 'meraki-ap'

1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53

**Phase 1: Completed pre-decoding.
        full event: '1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53'

**Phase 2: Completed decoding.
        name: 'meraki-mx'
```

Muhammad Ali Khan

4:21 AM (7 hours ago)
to Hossam El Amraoui, Wazuh | Mailing List
Thanks for the guidance, but it is not working on these logs of mine (MX + others):

1 1768981891.601198295 LPP_K7 urls src=10.111.67.55:55082 dst=10.62.19.45:8088 mac=C0:A5:E8:E8:46:0D agent='Java/11.0.18' request: POST http://10.62.19.45:8088/system/gateway


1 1768981891.492999447 CHENSSC_MR46_10 urls src=10.5.6.33:6530 dst=2.13.14.12:43 mac=0:4:15:D:9F:8 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...

1 1768981891.492999447 NSSC_MR6_5 urls src=10.5.6.3:6430 dst=52.13.14.12:3 mac=F0:D4:5:BD:F:48 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...


1 1744718318.170241122 BIGR_STEEL_08 flows allow src=10.65.6.11 dst=52.12.13.29 mac=0:9:F:D9:9:F2 protocol=tcp sport=62350 dport=443



1 1744719438.203090780 BIGR_MX100_P urls src=10.65.7.86:46850 dst=10.62.17.110:8088 mac=C:A6:2D:B:19:1 agent='Java/11.0.10' request: POST http://10.2.7.10:8088/system/gateway

To view this discussion visit https://groups.google.com/d/msgid/wazuh/d4505ea8-55b6-42f6-aac8-a863ca99e2bcn%40googlegroups.com.

Hossam El Amraoui

4:27 AM (7 hours ago)
to Wazuh | Mailing List
I have modified the decoders to adapt them well. The decoders should look like this:
```
<decoder name="meraki-ap">
    <prematch type="pcre2">^\d*\s*\d+\.\d+\s+(?![\S]*_MX)\S+</prematch>
    <type>syslog</type>
</decoder>

<decoder name="meraki-mx">
    <prematch>\d+.\d+\s+\S*_MX\S+</prematch>
    <type>syslog</type>
</decoder>
```

As you can see in the following output, all these logs should match correctly:

```
root@wazuh-manager:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.2
Type one log per line

1 1768981891.601198295 LPP_K7 urls src=10.111.67.55:55082 dst=10.62.19.45:8088 mac=C0:A5:E8:E8:46:0D agent='Java/11.0.18' request: POST http://10.62.19.45:8088/system/gateway

**Phase 1: Completed pre-decoding.
        full event: '1 1768981891.601198295 LPP_K7 urls src=10.111.67.55:55082 dst=10.62.19.45:8088 mac=C0:A5:E8:E8:46:0D agent='Java/11.0.18' request: POST http://10.62.19.45:8088/system/gateway'


**Phase 2: Completed decoding.
        name: 'meraki-ap'



1 1768981891.492999447 CHENSSC_MR46_10 urls src=10.5.6.33:6530 dst=2.13.14.12:43 mac=0:4:15:D:9F:8 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...

**Phase 1: Completed pre-decoding.
        full event: '1 1768981891.492999447 CHENSSC_MR46_10 urls src=10.5.6.33:6530 dst=2.13.14.12:43 mac=0:4:15:D:9F:8 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...'


**Phase 2: Completed decoding.
        name: 'meraki-ap'



1 1768981891.492999447 NSSC_MR6_5 urls src=10.5.6.3:6430 dst=52.13.14.12:3 mac=F0:D4:5:BD:F:48 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...

**Phase 1: Completed pre-decoding.
        full event: '1 1768981891.492999447 NSSC_MR6_5 urls src=10.5.6.3:6430 dst=52.13.14.12:3 mac=F0:D4:5:BD:F:48 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...'


**Phase 2: Completed decoding.
        name: 'meraki-ap'



1 1744718318.170241122 BIGR_STEEL_08 flows allow src=10.65.6.11 dst=52.12.13.29 mac=0:9:F:D9:9:F2 protocol=tcp sport=62350 dport=443

**Phase 1: Completed pre-decoding.
        full event: '1 1744718318.170241122 BIGR_STEEL_08 flows allow src=10.65.6.11 dst=52.12.13.29 mac=0:9:F:D9:9:F2 protocol=tcp sport=62350 dport=443'


**Phase 2: Completed decoding.
        name: 'meraki-ap'



1 1744719438.203090780 BIGR_MX100_P urls src=10.65.7.86:46850 dst=10.62.17.110:8088 mac=C:A6:2D:B:19:1 agent='Java/11.0.10' request: POST http://10.2.7.10:8088/system/gateway

**Phase 1: Completed pre-decoding.
        full event: '1 1744719438.203090780 BIGR_MX100_P urls src=10.65.7.86:46850 dst=10.62.17.110:8088 mac=C:A6:2D:B:19:1 agent='Java/11.0.10' request: POST http://10.2.7.10:8088/system/gateway'


**Phase 2: Completed decoding.
        name: 'meraki-mx'



1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25'

**Phase 1: Completed pre-decoding.
        full event: '1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25''

**Phase 2: Completed decoding.
        name: 'meraki-ap'



1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53

**Phase 1: Completed pre-decoding.
        full event: '1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53'

**Phase 2: Completed decoding.
        name: 'meraki-mx'
```
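As an added example (my own code, not part of the thread and not Wazuh's), the following Python script emulates only the prematch stage of the two decoders from the final reply and runs it over the thread's sample lines, so the "which decoder claims this event" question can be checked offline without a manager. Two details differ from the XML above and are assumptions of this emulation: both patterns are written in PCRE2 syntax because Python's `re` evaluates them (in Wazuh's native OS_Regex syntax a bare `.` is a literal dot and `\.` means "any character", which is why the thread's MX prematch reads `\d+.\d+`), and the script lists every decoder whose prematch accepts a line rather than stopping at the first hit, so any remaining overlap shows up as more than one name. It also goes one step beyond the thread: the MX prematch `\S*_MX\S+` needs at least one character after `_MX`, so a device named exactly `Branch_MX` is rejected by the MX decoder and, because of the negative lookahead, by the AP decoder too; a tightened variant using `\S*` after `_MX` (my suggestion, not from the thread) closes that gap. The hostnames, addresses and MACs in `SAMPLE_LOGS` and `EDGE_LINE` are constructed for the example.

```python
import re

# Prematch patterns from the thread's final reply, in PCRE2 syntax so that
# Python's re module can evaluate them.  meraki-ap is the pcre2 prematch
# verbatim; meraki-mx is the OS_Regex original rewritten with an escaped
# dot, which is the PCRE2 spelling of the same literal-dot match.
PREMATCH = {
    "meraki-ap": re.compile(r"^\d*\s*\d+\.\d+\s+(?![\S]*_MX)\S+"),
    "meraki-mx": re.compile(r"\d+\.\d+\s+\S*_MX\S+"),
}

# Tightened MX prematch (my suggestion, not from the thread): anchored like
# the AP one, and \S* instead of \S+ after _MX so that a device whose name
# ends in "_MX" is still claimed by the MX decoder.
PREMATCH_TIGHT = dict(PREMATCH)
PREMATCH_TIGHT["meraki-mx"] = re.compile(r"^\d*\s*\d+\.\d+\s+\S*_MX\S*")


def matching_decoders(line, patterns=PREMATCH):
    """Return the names of every decoder whose prematch accepts `line`.

    Only the prematch stage is emulated.  Wazuh would stop at the first
    decoder that matches; here all matches are collected on purpose so
    that an overlap (more than one name) or a gap (no name) is visible.
    """
    return [name for name, rx in patterns.items() if rx.search(line)]


# Constructed sample lines in the same shape as the thread's examples,
# both with and without the leading "1 " field.
SAMPLE_LOGS = [
    "1 1768981891.601198295 LPP_K7 urls src=10.111.67.55:55082 dst=10.62.19.45:8088 mac=C0:A5:E8:E8:46:0D request: POST http://10.62.19.45:8088/system/gateway",
    "1 1768981891.492999447 CHENSSC_MR46_10 urls src=10.5.6.33:6530 dst=2.13.14.12:43 mac=0:4:15:D:9F:8 request: UNKNOWN https://us-prod.asyncgw.teams.microsoft.com/...",
    "1 1744718318.170241122 BIGR_STEEL_08 flows allow src=10.65.6.11 dst=52.12.13.29 mac=0:9:F:D9:9:F2 protocol=tcp sport=62350 dport=443",
    "1 1744719438.203090780 BIGR_MX100_P urls src=10.65.7.86:46850 dst=10.62.17.110:8088 mac=C:A6:2D:B:19:1 request: POST http://10.2.7.10:8088/system/gateway",
    "1675249005.987654 Meeting_Room_AP events type=association radio='0' vap='1' channel='11' rssi='25'",
    "1675249001.123456 My_Office_MX64 flows src=192.168.1.55 dst=8.8.8.8 mac=AA:BB:CC:DD:EE:FF protocol=udp sport=49321 dport=53",
]

# Edge case: the device name ends in "_MX" with nothing after it.
EDGE_LINE = "1 1744719438.203090780 Branch_MX urls src=10.0.0.5:4000 dst=10.0.0.9:80 mac=00:11:22:33:44:55 request: GET http://10.0.0.9/"


def check_no_overlap(lines=SAMPLE_LOGS, patterns=PREMATCH):
    """Map each line to the single decoder that owns it.

    Raises ValueError if a line is claimed by zero decoders (it would fall
    through to whatever generic decoder comes next) or by more than one
    (the overlap the thread is about).
    """
    routing = {}
    for line in lines:
        names = matching_decoders(line, patterns)
        if len(names) != 1:
            raise ValueError(f"ambiguous routing {names!r} for: {line[:60]}")
        routing[line] = names[0]
    return routing


if __name__ == "__main__":
    for line, name in check_no_overlap().items():
        print(f"{name:10s} <- {line[:48]}")
    print("edge, thread patterns  :", matching_decoders(EDGE_LINE))
    print("edge, tightened mx     :", matching_decoders(EDGE_LINE, PREMATCH_TIGHT))
```

Running the script prints one decoder name per sample line (the three `_MX` devices go to `meraki-mx`, everything else to `meraki-ap`), then shows that the edge-case line matches no decoder with the thread's patterns and `meraki-mx` with the tightened one. It is worth keeping such a list of representative lines next to `local_decoder.xml` and re-running `wazuh-logtest` over it after every change, because the negative lookahead only inspects the token right after the timestamp and any future renaming of devices (for example an `_MX` suffix moving elsewhere in the hostname) silently changes the routing.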
