Decoder Needed for Barracuda Servermon Log Type


Mithun Haridas

Oct 31, 2025, 12:44:31 AM (4 days ago) Oct 31
to Wazuh | Mailing List

We need to create a decoder for the following Barracuda log. Some of the fields are already being parsed by the predecoder. Please help in creating a parent decoder that specifically matches this log type.

Additionally, the decoder should uniquely match logs where the hostname is “barracuda” and the program name is “servermon” to ensure accurate identification.

Sample Log:

Oct 30 18:12:07 barracuda servermon: [ALERT:10] SERVER_FAILED my_home_laptop/xx.xx.x.xx_yyy: Connection error: ( errno: 111 )

Fields decoded by the predecoder:

  • predecoder.hostname: barracuda

  • predecoder.program_name: servermon

  • predecoder.timestamp: Oct 30 18:12:07

Regards,

Bony V John

Oct 31, 2025, 1:51:08 AM (4 days ago) Oct 31
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Oct 31, 2025, 2:22:56 AM (4 days ago) Oct 31
to Wazuh | Mailing List
Hi,

Based on the sample log you shared, I created a custom decoder and it works on my end. Please try the decoder below:  

Decoder:
<decoder name="barracuda">
  <program_name>servermon</program_name>
  <regex>[ALERT:(\d+)] (\S*) (\S*): (\.*): \( errno: (\d*) \)</regex>
  <order>severity_code,event_type,target,event_message,error_code</order>
</decoder>

  • The log is already pre-decoded with program_name=servermon, so I used the <program_name> tag to match the decoder to those events.

  • You can refer to the Wazuh decoder syntax documentation for more details on tags like <program_name>, <regex>, and <order>.

  • For the pattern itself, see the Wazuh regex documentation. You can adjust the regex to fit any variations in your logs.


I have attached a screenshot of my testing for your reference.
Screenshot 2025-10-31 115226.png
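A decoder on its own only extracts fields; an alert still needs a rule. As an added example that is not part of this thread, the rule pair below fires only for events handled by the `barracuda` decoder from the reply above whose pre-decoded syslog hostname is exactly `barracuda`, which is where the hostname restriction asked for in the first message can be enforced without touching the decoder. The rule ids (100100 and 100101, in the custom range), the level, the group name and the severity threshold are assumptions made for the example.

```xml
<!-- Added example (not from the thread). Assumes the decoder named "barracuda"
     from the reply above is loaded and produces the fields severity_code,
     event_type, target, event_message and error_code. -->
<group name="barracuda,servermon,">

  <!-- Parent rule: groups every event the "barracuda" decoder matched.
       Level 0 means it never alerts by itself. -->
  <rule id="100100" level="0">
    <decoded_as>barracuda</decoded_as>
    <description>Barracuda servermon event</description>
  </rule>

  <!-- Child rule: restricts to the pre-decoded syslog hostname "barracuda"
       (the <hostname> tag matches predecoder.hostname) and to server
       failures. The $(field) references put the decoded values in the alert
       description. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <hostname>^barracuda$</hostname>
    <field name="event_type">^SERVER_FAILED$</field>
    <description>Barracuda servermon: $(event_type) on $(target), $(event_message) (errno $(error_code))</description>
  </rule>

</group>
```

Place the rules in a custom rules file under `/var/ossec/etc/rules/`, restart the manager, and confirm with `/var/ossec/bin/wazuh-logtest` by pasting the sample line: the output should show the decoder as `barracuda` and rule 100101 firing; the same line with a different syslog hostname should stop at rule 100100.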

Mithun Haridas

Oct 31, 2025, 3:50:01 AM (4 days ago) Oct 31
to Wazuh | Mailing List
Hi,

Thanks for the quick response. 

Is it possible to include the word “barracuda”, which is decoded as the hostname in predecoding, within our parent decoder?

Bony V John

Oct 31, 2025, 6:20:32 AM (4 days ago) Oct 31
to Wazuh | Mailing List
Hi,

This log is in syslog format, and Wazuh pre-decodes syslog fields automatically. Because of that, we cannot decode this field again using a custom decoder — it is already processed by the Wazuh pre-decoder.

However, the field will still appear in the Wazuh Dashboard when an alert is triggered. It will be available under the field name: predecoder.hostname

So, you can filter alerts in the dashboard using this field value. I’ve attached a screenshot showing how it appears when an alert is triggered.  

Screenshot 2025-10-31 154741.png


If you specifically need to decode this field using your own custom decoder (instead of using the pre-decoded value), then you would need to add a prefix or marker in front of each log before sending it to the Wazuh Manager.
This changes the log format so that Wazuh will not treat it as standard syslog, allowing you to create a custom decoder to process all fields from start to end as needed.

Screenshot 2025-10-31 154858.png

If this is your requirement and you'd like assistance, please let me know how you are forwarding the logs to Wazuh (e.g., Wazuh agent localfile, rsyslog, syslog-ng, etc.), and I can guide you with the exact configuration.
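The marker approach described in the last reply, as an added example that is not part of the thread: it assumes the forwarder prepends the fixed string `BARRACUDA: ` (an assumed marker chosen for this example; any fixed string that no syslog header starts with would do) to each line, so the pre-decoder no longer recognises a syslog timestamp at the start and every field, hostname included, becomes available to a custom decoder. The decoder names and the field names in `<order>` are also assumptions.

```xml
<!-- Added example (not from the thread). Assumes each line arrives as:
     BARRACUDA: Oct 30 18:12:07 barracuda servermon: [ALERT:10] SERVER_FAILED my_home_laptop/xx.xx.x.xx_yyy: Connection error: ( errno: 111 )
     where "BARRACUDA: " is the assumed marker added by the forwarder. -->

<!-- Parent decoder: claims every line that starts with the marker. Because
     the line no longer begins with a syslog header, the pre-decoder does not
     populate predecoder.hostname / predecoder.program_name for it. -->
<decoder name="barracuda-marked">
  <prematch>^BARRACUDA: </prematch>
</decoder>

<!-- Child decoder: continues after the marker and captures the syslog header
     fields the pre-decoder would normally own, then the servermon payload. -->
<decoder name="barracuda-marked-servermon">
  <parent>barracuda-marked</parent>
  <regex offset="after_prematch">^(\w+ \d+ \d+:\d+:\d+) (\S+) (\S+): [ALERT:(\d+)] (\S+) (\S+): (\.+): \( errno: (\d+) \)</regex>
  <order>event_time,src_host,program,severity_code,event_type,target,event_message,error_code</order>
</decoder>
```

Two consequences worth checking before switching: the captured hostname now lives in `data.src_host` rather than `predecoder.hostname`, so any dashboard filter built on the pre-decoded field has to be changed, and a rule restricting on the host must use `<field name="src_host">^barracuda$</field>` instead of `<hostname>`, because there is no pre-decoded hostname for these lines. Paste a marked line into `/var/ossec/bin/wazuh-logtest` to confirm that the `barracuda-marked-servermon` decoder is the one that matches.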
