Help with Decoder and Rule


Miran Ul Haq

Jun 23, 2026, 6:27:23 AM (5 days ago) Jun 23
to Wazuh | Mailing List
Hi Community,

We have set up postfix as a local SMTP relay and need its logging in Wazuh.

My log is "Jun 23 09:09:28 ARP-KS3-LTOOLS postfix/smtpd[267785]: NOQUEUE: reject: RCPT from unknown[192.168.10.1]: 454 4.7.1 <email.local>: Relay access denied; from=<email.local> to=<email.local> proto=ESMTP helo=<hostname>"

I need to have a decoder and rule for it.
I have tried modifying a decoder to this:

<decoder name="postfix-reject">
  <use_own_name>true</use_own_name>
  <parent>postfix</parent>
  <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
  <regex offset="after_prematch">[(\S+)]: \d+\s(\d+) \p(\w+)\p: (\w+);\.+ to=\p(\w+)\p</regex>
  <order>srcip,id,from,status,to</order>
</decoder>

But this is not working.

Would appreciate any help in fixing this as well as guiding me what I did wrong here.

Best Regards,
Miran

Md. Nazmur Sakib

Jun 23, 2026, 7:22:06 AM (5 days ago) Jun 23
to Wazuh | Mailing List
Hi Miran,

There are already decoders for the log you have shared.

[screenshot: 2026-06-23 16 58 00.png]

You can write a custom rule based on 3300 to trigger an alert on the dashboard, or overwrite the 3300 rule with a level higher than 3 to reflect it on the dashboard.

<group name="syslog,postfix,">
  <rule id="3300" level="4" overwrite="yes">
    <decoded_as>postfix-reject</decoded_as>
    <description>Grouping of the postfix reject rules.</description>
  </rule>
</group>

Check this doc on how to change existing rules.

Let me know if you need any further help.

Miran Ul Haq

Jun 23, 2026, 9:31:34 AM (5 days ago) Jun 23
to Wazuh | Mailing List
Hi Nazmur,

Thanks for getting back on this.

The issue in this is that there are only 2 fields: id and srcip.
I need the keyword as a field "Relay access denied" to create a rule out of this.

Thanks,
Miran

Md. Nazmur Sakib

unread,
Jun 24, 2026, 2:03:59 AM (4 days ago) Jun 24
to Wazuh | Mailing List

You can address the issue by modifying the existing decoders.

To do this, SSH to your Wazuh Manager's server.

Copy the default decoder file to the custom decoder folder:

cp /var/ossec/ruleset/decoders/0220-postfix_decoders.xml /var/ossec/etc/decoders/local_postfix_decoders.xml

Open the file with a text editor:

/var/ossec/etc/decoders/local_postfix_decoders.xml

Update this postfix-reject decoder
<decoder name="postfix-reject">
—--------
</decoder>

With this.
<decoder name="postfix-reject">
  <use_own_name>true</use_own_name>
  <parent>postfix</parent>
  <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
  <regex offset="after_prematch">[(\S+)]: (\d+) \.+: (\.+); from=(\.*) to=(\.*) |[(\S+)]:\d+: (\d+) \.+: (\.+); from=(\.*) to=(\.*) </regex>
  <order>srcip,id,status,from,to</order>
</decoder>

Change file permission.

chmod 660 /var/ossec/etc/decoders/local_postfix_decoders.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local_postfix_decoders.xml



Go to the manager’s ossec.conf

/var/ossec/etc/ossec.conf

Under the <ruleset> section, add this line:

<decoder_exclude>ruleset/decoders/0220-postfix_decoders.xml</decoder_exclude>

Now restart the Wazuh manager.

systemctl restart wazuh-manager



Check the screenshot of the test result.

[screenshot: 2026-06-24 12 03 41.png]

Check this document to learn more about modifying default decoders.


Check these documents to learn more about decoder syntax and regex.

Decoders Syntax
Regular Expression Syntax


Let me know if this works for you.
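The two decoders in this thread can be checked offline before anything is changed on the manager. The script below is an added example, not code from this thread or from Wazuh: it translates the Wazuh (OS_Regex) escapes (\w, \d, \s, \p, \S, \.) into Python re syntax and runs the prematch and regex the way a child decoder with offset="after_prematch" does, mapping the captures onto <order>. The translation is an approximation (OS_Regex quantifiers stop as soon as the next pattern element matches, which non-greedy Python quantifiers mimic closely enough for these patterns), so wazuh-logtest on the manager remains the final check. Running it shows why the decoder in the first message yields no fields at all (\d+ cannot consume the enhanced status code 4.7.1, and \w+ cannot consume a phrase containing spaces) and that the replacement decoder yields srcip, id, status, from and to. The log line with a client port is constructed here to exercise the second alternative of the replacement regex, and rule_matches is a hypothetical helper standing in for a rule's <field name="status"> condition.

```python
import re
from typing import Dict, List, Optional

# The log line from the first message, as the child decoder sees it: the
# parent "postfix" decoder has already consumed the syslog/program prefix.
SAMPLE_LOG = ("NOQUEUE: reject: RCPT from unknown[192.168.10.1]: 454 4.7.1 "
              "<email.local>: Relay access denied; from=<email.local> "
              "to=<email.local> proto=ESMTP helo=<hostname>")

# Constructed variant with a client port after the address ("[ip]:port:"),
# the shape the second alternative of the replacement regex is written for.
SAMPLE_LOG_WITH_PORT = SAMPLE_LOG.replace("[192.168.10.1]:", "[192.168.10.1]:51234:")

# Decoder from the first message (expected: no match).
ORIGINAL_POST_DECODER = {
    "prematch": r"^NOQUEUE: reject: \w\w\w\w from ",
    "regex": r"[(\S+)]: \d+\s(\d+) \p(\w+)\p: (\w+);\.+ to=\p(\w+)\p",
    "order": ["srcip", "id", "from", "status", "to"],
}

# Replacement decoder from the reply above (note the trailing spaces and the
# "|" alternation for logs that carry a client port).
REPLACEMENT_DECODER = {
    "prematch": r"^NOQUEUE: reject: \w\w\w\w from ",
    "regex": (r"[(\S+)]: (\d+) \.+: (\.+); from=(\.*) to=(\.*) "
              r"|[(\S+)]:\d+: (\d+) \.+: (\.+); from=(\.*) to=(\.*) "),
    "order": ["srcip", "id", "status", "from", "to"],
}

# Wazuh (OS_Regex) escapes mapped onto Python re character classes.
WAZUH_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",   # letters, digits, '-', '@', '_'
    "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "D": r"[^0-9]",
    "s": r" ",                 # a single space, not any whitespace
    "S": r"[^ ]",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # punctuation
    ".": r".",                 # \. means "any character" in OS_Regex
}


def wazuh_to_python(pattern: str) -> str:
    """Approximate translation of an OS_Regex pattern into Python re syntax.

    OS_Regex '+' and '*' stop as soon as the next pattern element matches, so
    they are rendered as non-greedy Python quantifiers; '(', ')', '|', '^'
    and '$' keep their meaning, everything else is a literal.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(WAZUH_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "+*":
            out.append(c + "?")
        elif c in "()|^$":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def decode(prematch: str, regex: str, order: List[str], log: str) -> Optional[Dict[str, str]]:
    """Emulate a child decoder: the prematch must hit, the regex runs on the
    text after it (offset="after_prematch"), and captures map onto <order>."""
    pm = re.search(wazuh_to_python(prematch), log)
    if pm is None:
        return None
    m = re.search(wazuh_to_python(regex), log[pm.end():])
    if m is None:
        return None
    # With "|" only one side of the alternation captures; drop the empty side.
    values = [g for g in m.groups() if g is not None]
    return dict(zip(order, values))


def rule_matches(decoded: Optional[Dict[str, str]], field: str, wazuh_regex: str) -> bool:
    """Hypothetical stand-in for a rule's <field name="..."> condition."""
    if not decoded or field not in decoded:
        return False
    return re.search(wazuh_to_python(wazuh_regex), decoded[field]) is not None


if __name__ == "__main__":
    print("original :", decode(**ORIGINAL_POST_DECODER, log=SAMPLE_LOG))
    fields = decode(**REPLACEMENT_DECODER, log=SAMPLE_LOG)
    print("replaced :", fields)
    print("with port:", decode(**REPLACEMENT_DECODER, log=SAMPLE_LOG_WITH_PORT))
    print("rule hit :", rule_matches(fields, "status", "^Relay access denied"))
```

Once status is decoded, the rule Miran asked for can be a child of rule 3300: <if_sid>3300</if_sid> plus <field name="status">^Relay access denied</field>, with an id in the custom range (100000 and above) and a level high enough to show on the dashboard. rule_matches above applies that same expression to the decoded fields.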

Miran Ul Haq

Jun 24, 2026, 5:20:05 AM (4 days ago) Jun 24
to Wazuh | Mailing List
Hi Nazmur,

Thanks a lot.
That worked and cleared some concepts as well.

Best Regards,
Miran
