Decoder/Rule stopped working

George Xristop

unread,

Jan 7, 2026, 7:30:20 AM (3 days ago) Jan 7

to Wazuh | Mailing List

So i followed the wazuh blog post about the Windows Performance Counters and everything turned out fine.

But today i noticed that no alerts are being showed in the dashboard , a little look and i notice that the data that all the commands send arent being decoded/rule filtere properly.

A little head's about the set up :

All-In-One installation version 4.14.1 on Ubuntu Server 24.04LTS

A modified pipeline so that events that come from the command location to be saved in another index.

To ensure compatability i had modified the powershell command in the wodle command to be like this : Powershell -ExecutionPolicy Bypass -c "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; @{ winCounter = (Get-Counter '\Memory\Available MBytes').CounterSamples[0] } | ConvertTo-Json -compress"

I have placed my agents on a group so that i can 'push' the configuration remotly and here is a example block :


<wodle name="command">
<disabled>no</disabled>
<tag>MEMUsage</tag>
<command>Powershell -ExecutionPolicy Bypass -c "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; @{ winCounter = (Get-Counter '\Memory\Available MBytes').CounterSamples[0] } | ConvertTo-Json -compress"</command>
<interval>30s</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>

Now i have copy/paste the rule xml file from the blog post from wazuh blog and have proper permissions to that file.

Every thing when smoothly and today i noticed that the events where missing. I did run wazuh-logtest and got this output :

{"winCounter":{"Path":"\\\\desktop-f2rl06m\\network interface(realtek pcie gbe family controller)\\bytes sent/sec","InstanceName":"realtek pcie gbe family controller","CookedValue":7492.5052630534892,"RawValue":19436140508,"SecondValue":30208226216842,"MultipleCount":1,"CounterType":272696576,"Timestamp":"\/Date(1767787862598)\/","Timestamp100NSec":134122686625980000,"Status":0,"DefaultScale":4294967292,"TimeBase":10000000}}

**Phase 1: Completed pre-decoding.
full event: '{"winCounter":{"Path":"\\\\desktop-f2rl06m\\network interface(realtek pcie gbe family controller)\\bytes sent/sec","InstanceName":"realtek pcie gbe family controller","CookedValue":7492.5052630534892,"RawValue":19436140508,"SecondValue":30208226216842,"MultipleCount":1,"CounterType":272696576,"Timestamp":"\/Date(1767787862598)\/","Timestamp100NSec":134122686625980000,"Status":0,"DefaultScale":4294967292,"TimeBase":10000000}}'

**Phase 2: Completed decoding.
name: 'json'

**Phase 3: Completed filtering (rules).
id: '301000'
level: '0'
description: 'Windows Performance Counter: '
groups: '['WinCounter']'
firedtimes: '2'
mail: 'False'

As you can see the field winCounter.Path isnt being recognized and i dont know what else to do.

Here is some data from the wazuh from the alert.log file :

2026 Jan 07 12:15:08 (DESKTOP-F2RL06M) any->command_CPUUsage {"winCounter":{"Path":"\\\\desktop-f2rl06m\\processor(_total)\\% processor time","InstanceName":"_total","CookedValue":53.975300887327634,"RawValue":25220070390625,"SecondValue":134122614629090240,"MultipleCount":1,"CounterType":558957824,"Timestamp":"\/Date(1767787862909)\/","Timestamp100NSec":134122686629090000,"Status":0,"DefaultScale":0,"TimeBase":10000000}}
2026 Jan 07 12:15:08 (DESKTOP-F2RL06M) any->command_DiskFree {"winCounter":{"Path":"\\\\desktop-f2rl06m\\logicaldisk(harddiskvolume1)\\free megabytes","InstanceName":"harddiskvolume1","CookedValue":50,"RawValue":50,"SecondValue":0,"MultipleCount":1,"CounterType":65536,"Timestamp":"\/Date(1767787863377)\/","Timestamp100NSec":134122686633770000,"Status":0,"DefaultScale":0,"TimeBase":10000000}}

Any feedback is much appreciated .Also sorry for any spelling mistake Thank you.

Federico Gustavo Galland

unread,

Jan 7, 2026, 7:54:51 AM (3 days ago) Jan 7

to Wazuh | Mailing List

Hi George,

If the events are reaching /var/ossec/logs/alerts/alerts.log, it means that events are indeed being processed and decoded properly. The wazuh-logtest tool will sometimes fail to parse logs with complex escaping sequences like these, so let's ignore its results for now.

Since you are not seeing alerts in your dashboard, even though the engine is writing them to alerts.log, we can assume the filebeat pipeline is the culprit.

Now, in order to help you troubleshoot this, it would help to have a copy of the alerts from /var/ossec/logs/alerts/alerts.json (the json one, not the syslog type you shared already), the modified filebeat pipeline files and a copy of your filebeat log at /var/log/filebeat/filbeat

Regards,

Fede

George Xristop

unread,

Jan 7, 2026, 8:50:17 AM (3 days ago) Jan 7

to Wazuh | Mailing List

So i think i send the reply email wrong so let me try to rewrite it.

From my search i couldnt find any events/alerts in the alert.json log file that have the command alerts/rule matching so i may did a oopsie and mistakenly wrote alert.log instead of archived.log /archive.json So my bad here.

But here is the logs from the archive.json that i had enabled.

{"timestamp":"2026-01-07T12:57:06.092+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\network interface(realtek pcie gbe family controller)\\\\bytes received/sec\",\"InstanceName\":\"realtek pcie gbe family controller\",\"CookedValue\":2520.202815281938,\"RawValue\":32264057835,\"SecondValue\":30233405182275,\"MultipleCount\":1,\"CounterType\":272696576,\"Timestamp\":\"\\/Date(1767790380487)\\/\",\"Timestamp100NSec\":134122711804870000,\"Status\":0,\"DefaultScale\":4294967292,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_NetworkTrafficIn"}
{"timestamp":"2026-01-07T12:57:06.546+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\network interface(realtek pcie gbe family controller)\\\\bytes sent/sec\",\"InstanceName\":\"realtek pcie gbe family controller\",\"CookedValue\":11169.445278284877,\"RawValue\":19452146606,\"SecondValue\":30233410038073,\"MultipleCount\":1,\"CounterType\":272696576,\"Timestamp\":\"\\/Date(1767790380972)\\/\",\"Timestamp100NSec\":134122711809720000,\"Status\":0,\"DefaultScale\":4294967292,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_NetworkTrafficOut"}
{"timestamp":"2026-01-07T12:57:06.778+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\logicaldisk(harddiskvolume1)\\\\free megabytes\",\"InstanceName\":\"harddiskvolume1\",\"CookedValue\":50,\"RawValue\":50,\"SecondValue\":0,\"MultipleCount\":1,\"CounterType\":65536,\"Timestamp\":\"\\/Date(1767790381204)\\/\",\"Timestamp100NSec\":134122711812040000,\"Status\":0,\"DefaultScale\":0,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_DiskFree"}

Also the filebeat pipeline from the GET /_inject/pipeline is (the my-performance-counter index is for the windows events) :

{
"filebeat-7.10.2-wazuh-alerts-pipeline": {
"description": "Wazuh alerts pipeline",
"processors": [
{
"json": {
"field": "message",
"add_to_root": true
}
},
{
"set": {
"ignore_failure": true,
"ignore_empty_value": true,
"field": "data.aws.region",
"value": "{{data.aws.awsRegion}}",
"override": false
}
},
{
"set": {
"field": "data.aws.accountId",
"value": "{{data.aws.aws_account_id}}",
"override": false,
"ignore_failure": true,
"ignore_empty_value": true
}
},
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.win.eventdata.ipAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"ignore_failure": true,
"field": "data.aws.sourceIPAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true
}
},
{
"geoip": {
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true,
"field": "data.aws.client_ip"
}
},
{
"geoip": {
"field": "data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.aws.httpRequest.clientIp",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.gcp.jsonPayload.sourceIP",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.office365.ClientIP",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"date": {
"field": "timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": false
}
},
{
"date_index_name": {
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": false
}
},
{
"date_index_name": {
"if": "ctx.location != null && (ctx.location == 'command_CPUUsage' || ctx.location == 'command_MEMUsage' || ctx.location == 'command_DiskFree' || ctx.location == 'command_NetworkTrafficIn' || ctx.location == 'command_NetworkTrafficOut')",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "my-performance-counter-1.x-",
"index_name_format": "yyyy.MM.dd"
}
},
{
"date_index_name": {
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "my-performance-counter-linux-1.x-",
"index_name_format": "yyyy.MM.dd",
"if": "ctx?.rule?.groups != null && ctx.rule.groups.contains('linux_performance_metric')"
}
},
{
"remove": {
"field": "message",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_missing": true,
"ignore_failure": true,
"field": "ecs"
}
},
{
"remove": {
"field": "beat",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "input_type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "tags",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "count",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "@version",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "log",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "offset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_failure": true,
"field": "type",
"ignore_missing": true
}
},
{
"remove": {
"field": "host",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fields",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "event",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fileset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "service",
"ignore_missing": true,
"ignore_failure": true
}
}
],
"on_failure": [
{
"drop": {}
}
]
}
}

The logs from the filebeat log file that is in debug mode is( it has a alert from the linux event of performance metric) :

2026-01-07T13:45:19.554Z DEBUG [processors] processing/processors.go:203 Publish event: {
"@timestamp": "2026-01-07T13:45:19.554Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.10.2",
"pipeline": "filebeat-7.10.2-wazuh-alerts-pipeline"
},
"fileset": {
"name": "alerts"
},
"service": {
"type": "wazuh"
},
"ecs": {
"version": "1.6.0"
},
"host": {
"name": "wazuhsrv"
},
"agent": {
"ephemeral_id": "e9e37f1d-b0e4-4c67-8c15-4f444bc0f0e0",
"id": "04641ba4-08fc-4b64-b80f-05ef8b7c2667",
"name": "wazuhsrv",
"type": "filebeat",
"version": "7.10.2",
"hostname": "wazuhsrv"
},
"message": "{\"timestamp\":\"2026-01-07T13:45:15.305+0000\",\"rule\":{\"level\":3,\"description\":\"Disk metrics\",\"id\":\"310060\",\"firedtimes\":91,\"mail\":false,\"groups\":[\"linux_performance_metric\"]},\"agent\":{\"id\":\"005\",\"name\":\"oracleLinux\",\"ip\":\"172.22.165.142\",\"labels\":{\"group\":\"org1\"}},\"manager\":{\"name\":\"wazuhsrv\"},\"id\":\"1767793515.18635877\",\"full_log\":\"Jan 7 15:41:09 DESKTOP-F2RL06M linux_disk_check: ossec: output: 'linux_disk_metrics':\\n1321447424 1024787374080\",\"predecoder\":{\"program_name\":\"linux_disk_check\",\"timestamp\":\"Jan 7 15:41:09\",\"hostname\":\"DESKTOP-F2RL06M\"},\"decoder\":{\"parent\":\"linux_disk_check\",\"name\":\"linux_disk_check\"},\"data\":{\"disk_used_bytes\":\"1321447424\",\"disk_free_bytes\":\"1024787374080\"},\"location\":\"linux_disk_metrics\"}",
"event": {
"module": "wazuh",
"dataset": "wazuh.alerts"
},
"input": {
"type": "log"
},
"fields": {
"index_prefix": "wazuh-alerts-4.x-"
},
"log": {
"offset": 13832411,
"file": {
"path": "/var/ossec/logs/alerts/alerts.json"
}
}
}
2026-01-07T13:45:19.555Z DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
2026-01-07T13:45:20.555Z DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
2026-01-07T13:45:20.563Z DEBUG [elasticsearch] elasticsearch/client.go:230 PublishEvents: 4 events have been published to elasticsearch in 9.801894ms.
2026-01-07T13:45:20.563Z DEBUG [publisher] memqueue/ackloop.go:160 ackloop: receive ack [783: 0, 4]
2026-01-07T13:45:20.564Z DEBUG [publisher] memqueue/eventloop.go:535 broker ACK events: count=4, start-seq=3285, end-seq=3288
2026-01-07T13:45:20.564Z DEBUG [acker] beater/acker.go:59 stateful ack {"count": 4}
2026-01-07T13:45:20.564Z DEBUG [publisher] memqueue/ackloop.go:128 ackloop: return ack to broker loop:4
2026-01-07T13:45:20.564Z DEBUG [publisher] memqueue/ackloop.go:131 ackloop: done send ack
2026-01-07T13:45:20.565Z DEBUG [registrar] registrar/registrar.go:264 Processing 4 events
2026-01-07T13:45:20.565Z DEBUG [registrar] registrar/registrar.go:231 Registrar state updates processed. Count: 4
2026-01-07T13:45:20.565Z DEBUG [registrar] registrar/registrar.go:201 Registry file updated. 1 active states.
2026-01-07T13:45:22.556Z DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.
2026-01-07T13:45:25.211Z DEBUG [input] input/input.go:139 Run input
2026-01-07T13:45:25.212Z DEBUG [input] log/input.go:205 Start next scan
2026-01-07T13:45:25.212Z DEBUG [input] log/input.go:439 Check file for harvesting: /var/ossec/logs/alerts/alerts.json
2026-01-07T13:45:25.212Z DEBUG [input] log/input.go:530 Update existing file for harvesting: /var/ossec/logs/alerts/alerts.json, offset: 13833138
2026-01-07T13:45:25.213Z DEBUG [input] log/input.go:582 Harvester for file is still running: /var/ossec/logs/alerts/alerts.json
2026-01-07T13:45:25.213Z DEBUG [input] log/input.go:226 input states cleaned up. Before: 1, After: 1, Pending: 0

2026-01-07T13:45:26.557Z DEBUG [harvester] log/log.go:107 End of file reached: /var/ossec/logs/alerts/alerts.json; Backoff now.

Also from the windows agents log i dont see any errors from the command execution :

Command started related log entries

2026/01/07 15:43:26 wazuh-modulesd:command[15680] wm_command.c:153 at wm_command_main(): INFO: Starting command 'CPUUsage'.
2026/01/07 15:43:26 wazuh-agent[15680] wm_exec.c:147 at wm_exec(): DEBUG: UTF-8 command: Powershell -ExecutionPolicy Bypass -c "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; @{ winCounter = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0] } | ConvertTo-Json -compress"
2026/01/07 15:43:26 wazuh-modulesd:command[15680] wm_command.c:153 at wm_command_main(): INFO: Starting command 'MEMUsage'.
2026/01/07 15:43:26 wazuh-agent[15680] wm_exec.c:147 at wm_exec(): DEBUG: UTF-8 command: Powershell -ExecutionPolicy Bypass -c "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; @{ winCounter = (Get-Counter '\Memory\Available MBytes').CounterSamples[0] } | ConvertTo-Json -compress"
Command Finished related log entries
2026/01/07 15:43:30 wazuh-modulesd:command[15680] wm_command.c:190 at wm_command_main(): DEBUG: Command 'CPUUsage' finished.
2026/01/07 15:43:30 wazuh-modulesd:command[15680] wm_command.c:140 at wm_command_main(): DEBUG: Sleeping until: 2026/01/07 15:43:56
2026/01/07 15:43:31 wazuh-modulesd:command[15680] wm_command.c:190 at wm_command_main(): DEBUG: Command 'MEMUsage' finished.
2026/01/07 15:43:31 wazuh-modulesd:command[15680] wm_command.c:140 at wm_command_main(): DEBUG: Sleeping until: 2026/01/07 15:43:5

I want to mention the the linux related alerts for the performance metric are being stored to their index and the data is being showned to the dashboard

Thank you in advance

George Xristop

unread,

Jan 7, 2026, 8:52:40 AM (3 days ago) Jan 7

to Wazuh | Mailing List

Replying because i forgot to question that. Given now that the data is only being written to the archives log file does that mean that the decoding/rule matching isnt being done properly?

Federico Gustavo Galland

unread,

Jan 7, 2026, 10:33:01 AM (3 days ago) Jan 7

to Wazuh | Mailing List

Hey Xristop,

I just tested the events from your archives.json along with the rules from the Wazuh Blog and they actually triggered rules in wazuh-logtest.

Can you share the output of the following command?

grep -R json /var/ossec/etc/decoders

There may be some custom decoder that's interfering with proper parsing of the json event.

Federico Gustavo Galland

unread,

Jan 7, 2026, 10:34:40 AM (3 days ago) Jan 7

to Wazuh | Mailing List

# cat archives.json

{"timestamp":"2026-01-07T12:57:06.092+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\network interface(realtek pcie gbe family controller)\\\\bytes received/sec\",\"InstanceName\":\"realtek pcie gbe family controller\",\"CookedValue\":2520.202815281938,\"RawValue\":32264057835,\"SecondValue\":30233405182275,\"MultipleCount\":1,\"CounterType\":272696576,\"Timestamp\":\"\\/Date(1767790380487)\\/\",\"Timestamp100NSec\":134122711804870000,\"Status\":0,\"DefaultScale\":4294967292,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_NetworkTrafficIn"}
{"timestamp":"2026-01-07T12:57:06.546+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\network interface(realtek pcie gbe family controller)\\\\bytes sent/sec\",\"InstanceName\":\"realtek pcie gbe family controller\",\"CookedValue\":11169.445278284877,\"RawValue\":19452146606,\"SecondValue\":30233410038073,\"MultipleCount\":1,\"CounterType\":272696576,\"Timestamp\":\"\\/Date(1767790380972)\\/\",\"Timestamp100NSec\":134122711809720000,\"Status\":0,\"DefaultScale\":4294967292,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_NetworkTrafficOut"}
{"timestamp":"2026-01-07T12:57:06.778+0000","agent":{"id":"001","name":"DESKTOP-F2RL06M","ip":"192.168.2.80"},"manager":{"name":"wazuhsrv"},"id":"1767790626.17085798","full_log":"{\"winCounter\":{\"Path\":\"\\\\\\\\desktop-f2rl06m\\\\logicaldisk(harddiskvolume1)\\\\free megabytes\",\"InstanceName\":\"harddiskvolume1\",\"CookedValue\":50,\"RawValue\":50,\"SecondValue\":0,\"MultipleCount\":1,\"CounterType\":65536,\"Timestamp\":\"\\/Date(1767790381204)\\/\",\"Timestamp100NSec\":134122711812040000,\"Status\":0,\"DefaultScale\":0,\"TimeBase\":10000000}}\r","decoder":{"name":"json"},"location":"command_DiskFree"}

# cat /root/xristop/archives.json | jq -c '.full_log | fromjson' | /var/ossec/bin/wazuh-logtest -v 2>&1 | grep -A8 'Phase 3'

**Phase 3: Completed filtering (rules).

id: '302004'
level: '3'
description: 'Windows Counter: Network Traffic In'
groups: '['WinCounter', 'NetworkTrafficIn']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

--

**Phase 3: Completed filtering (rules).

id: '302005'
level: '3'
description: 'Windows Counter: Network Traffic Out'
groups: '['WinCounter', 'NetworkTrafficOut']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

--

**Phase 3: Completed filtering (rules).

id: '302003'
level: '3'
description: 'Windows Counter: Disk Space Free'
groups: '['WinCounter', 'DiskFree']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

George Xristop

unread,

Jan 8, 2026, 4:55:15 AM (yesterday) Jan 8

to Wazuh | Mailing List

Hello again , apologies for the late delay

the output of the grep command :

/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>
/var/ossec/etc/decoders/zeek_decoders.xml: <parent>json</parent>

Took the initiative and moved the zeek_decoders.xml to a /home directory and restarted the manager and everything now works.

But im curious on why did this happend , and if it will happen again with lets say another rule that matches a json alert?

Thank you so much for the help

Federico Gustavo Galland

unread,

Jan 8, 2026, 5:57:32 AM (yesterday) Jan 8

to Wazuh | Mailing List

Hey George,

I've had an issue with the zeek decoder in the past. I fixed this using the attached alternative decoder for it.

Let me know if it helps.

Regards,

Fede

zeek.xml

George Xristop

unread,

Jan 8, 2026, 8:37:13 AM (yesterday) Jan 8

to Wazuh | Mailing List

Hello Federico ,

I used the zeek decoders you attached and everything works fine , so i think the problem is fixed.

I suppose the error was with the zeek decoding the json while the win counter rule was also decoding/filtering that ?

Thank you very much for the support .

Federico Gustavo Galland

unread,

Jan 8, 2026, 8:54:52 AM (yesterday) Jan 8

to George Xristop, Wazuh | Mailing List

George,

I'm not 100% positive of the cause of the issue, but the json decoder is implemented in the C code of the tool, and inheriting from it in your own custom decoders tends to break it, impeding normal evaluation of rules that depend on it.

I'm glad you got it working.

Have a nice rest of the week!

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/-hBKgXRHqAs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/24333d02-af02-4a54-8bd2-491288ecffe9n%40googlegroups.com.

--

Federico Galland Wazuh Indexer Team
+1 (844) 349 2984	wazuh.com
federico...@wazuh.com	f-galland

Reply all

Reply to author

Forward