Ubiquiti decoder error
Julian Jorge
<decoder name="unifi_02">
<type>syslog</type>
<prematch type="pcre2">UAP-AC-Pro-Gen2</prematch>
</decoder>
<decoder name="unifi_log2">
<prematch type="pcre2">UAP-AC-Pro-Gen2</prematch>
<regex type="pcre2">(.*?)\s(UAP.*?)\s(.*?)\,.*?\s(.*?)\:\s(.*?)\:.*?\s.*?\s(.*?)\s(.*?)\:\s(.*)</regex>
<order>AP_Date, AP_type, AP_MAC, AP_service, AP_interface, AP_client_MAC, AP_standard_type, AP_message</order>
</decoder>
Here you are the complete decoding:
**Phase 1: Completed pre-decoding. full event: 'Jan 17 11:07:00 UAP-AC-Pro-Gen2 802aa8967335,UAP-AC-Pro-Gen2-6.5.62+14788: hostapd[1678]: ath4: STA 7e:70:94:96:a0:08 MLME: MLME-DEAUTHENTICATE.indication(7e:70:94:96:a0:08, 15)' timestamp: 'Jan 17 11:07:00' hostname: 'UAP-AC-Pro-Gen2'**Phase 2: Completed decoding. name: 'unifi_02'
There aren´t fields in the test.
Could someone help us?
Thanks you.
Luis Enrique Chico Capistrano
Thanks for using Wazuh.
For the "unifi_log2" decoder, the regex is trying to match the AP_Date and AP_type, but that data is already part of the prematch.
<type>syslog</type>
<prematch type="pcre2">UAP-AC-Pro-Gen2</prematch>
</decoder>
<decoder name="unifi_log2">
<regex type="pcre2">(.*?)\,.*?\s(.*?)\:\s(.*?)\:.*?\s.*?\s(.*?)\s(.*?)\:\s(.*)</regex>
<order>AP_MAC, AP_service, AP_interface, AP_client_MAC, AP_standard_type, AP_message</order>
</decoder>
Note: In addition, I changed the prematch to use the "unifi_02" as the parent.
This solution fixes the issue. You can see the output in the attached image.
For more details, you can take a look at this documentation.
If you have any questions, please let me know.
Best,