Unable to add or edit decoders


Matt
Oct 14, 2024, 12:32:40 AM
to Wazuh | Mailing List
Hello,

Running v4.9.0 on Ubuntu 22.0, tried adding a custom decoder via the GUI. When trying to save it throws the error shown below. If I create the decoder on the server in `/var/ossec/etc/decoders/` and then restart `wazuh-manager.service`, it won't start. After removing the decoder it will start again. If I try editing an existing decoder we have the same problem.
 
GUI:
Error: Could not upload decoder (1113) - XML syntax error
    at WzRequest.returnErrorInstance (https://1.2.3.4/49007/bundles/plugin/wazuh/wazuh.plugin.js:1:207836)
    at WzRequest.apiReq (https://1.2.3.4/49007/bundles/plugin/wazuh/wazuh.plugin.js:1:206978)
    at async resources_handler_ResourcesHandler.updateFile (https://1.2.3.4/49007/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2377378)
    at async file_editor_WzFileEditor.save (https://1.2.3.4/49007/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2446875)

Error when restarting the service from the server:
Oct 11 14:22:16 w3274z8u systemd[1]: Starting Wazuh manager...
Oct 11 14:22:17 w3274z8u env[26990]: 2024/10/11 14:22:17 wazuh-analysisd: ERROR: (2107): Decoder configuration error: 'ftp_ignore_date'.
Oct 11 14:22:17 w3274z8u env[26990]: 2024/10/11 14:22:17 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/mw.xml'.
Oct 11 14:22:17 w3274z8u env[26962]: wazuh-analysisd: Configuration error. Exiting
Oct 11 14:22:17 w3274z8u systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Oct 11 14:22:17 w3274z8u systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Oct 11 14:22:17 w3274z8u systemd[1]: Failed to start Wazuh manager.

Custom decoder I'm trying to create that monitors syslog for logs that start with FTP after the date/time entry that are being shipped to the syslog server:

<decoder name="ftp_ignore_date">
  <parent>syslog</parent>
  <regex>.*\bFTP\b.*</regex>
  <prematch>FTP</prematch>
  <program_name>FTP</program_name>
</decoder>

The server is processing syslog data from other systems fine.

Thanks,
Matt

Md. Nazmur Sakib
Oct 14, 2024, 2:46:23 AM
to Wazuh | Mailing List
Hi Matt,

Based on the information you have provided it seems the decoder you were using might have some syntax errors.

The decoder format is not correct. Also, it seems the regex is not correct.

This can be a sample decoder:

<decoder name="ftp_ignore_date">
  <prematch>FTP</prematch>
  <program_name>FTP</program_name>
  <regex>\.*FTP\.*</regex>
  <order>message_content</order>
</decoder>

I am sharing the documents on how to write custom decoders.

Decoders Syntax
Regular Expression Syntax
Custom decoders

If you need further assistance with your decoder please share some sample logs.

I hope you find this information helpful.
On Monday, October 14, 2024 at 12:36:15 PM UTC+6 Md. Nazmur Sakib wrote:

Hi Matt,

Based on the information you have provided it seems the decoder you were using might have some syntax errors.

Can you share your decoders so that I can check from my end and guide you properly?

Additionally, I am sharing the documents on how to write custom decoders.

Decoders Syntax
Regular Expression Syntax
Custom decoders

Looking forward to your update on the issue.
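Added example (my own code, not from the thread or from the Wazuh project): a small Python lint that catches the kind of problems the reply points at before wazuh-analysisd refuses to start. It checks that a decoder file is well-formed XML, that a <regex> is paired with an <order>, that every backslash escape belongs to the Wazuh regex syntax (so PCRE-style escapes such as \b are flagged), and that the regex does not capture more groups than <order> names. The regex-requires-order rule and the escape list are my reading of the Wazuh decoder and regex syntax documentation rather than something the thread states, so treat them as assumptions; the sample inputs are the two decoders posted above.

```python
"""Offline lint for Wazuh custom decoder XML (added example, not Wazuh code)."""
import xml.etree.ElementTree as ET

# Escape sequences the Wazuh (OS_Regex) syntax defines. Assumption: list
# reproduced from my reading of the regex syntax docs, not from Wazuh source.
WAZUH_ESCAPES = set("wdsptWDS.\\$()|^")


def scan_regex(pattern):
    """Walk a Wazuh regex; return (bad_escapes, capture_groups, literal_dots)."""
    bad, groups, dots = [], 0, 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in WAZUH_ESCAPES:
                bad.append("\\" + nxt)
            i += 2
            continue
        if c == "(":          # unescaped '(' opens a capture group
            groups += 1
        elif c == ".":        # unescaped '.' is a literal dot in Wazuh regex
            dots += 1
        i += 1
    return bad, groups, dots


def lint_decoders(xml_text):
    """Return a list of (severity, decoder_name, message) findings."""
    findings = []
    # Decoder files have no single root element, so wrap them before parsing.
    try:
        root = ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return [("error", "-", "XML syntax error: %s" % exc)]
    for dec in root.iter("decoder"):
        name = dec.get("name") or "<unnamed>"
        if name == "<unnamed>":
            findings.append(("error", name, "decoder has no name attribute"))
        regexes = [r.text or "" for r in dec.findall("regex")]
        order = dec.find("order")
        fields = []
        if order is not None:
            fields = [f.strip() for f in (order.text or "").split(",") if f.strip()]
        # Assumption: analysisd rejects a <regex> that has no <order> to fill.
        if regexes and order is None:
            findings.append(("error", name,
                             "<regex> without <order>: captured fields have nowhere to go"))
        for pat in regexes:
            bad, groups, dots = scan_regex(pat)
            for esc in bad:
                findings.append(("error", name,
                                 "escape %s is not part of the Wazuh regex syntax" % esc))
            if groups > len(fields):
                findings.append(("warning", name,
                                 "%d capture groups but only %d <order> fields"
                                 % (groups, len(fields))))
            if dots:
                findings.append(("info", name,
                                 "unescaped '.' is a literal dot in Wazuh regex; "
                                 "'\\.' matches any character"))
    return findings


def severities(xml_text):
    """Set of severities present in the findings, e.g. {'error', 'info'}."""
    return {sev for sev, _, _ in lint_decoders(xml_text)}


# Sample inputs: the decoder from the original post and the corrected one
# from the reply, reproduced verbatim.
BROKEN_DECODER = r"""<decoder name="ftp_ignore_date">
  <parent>syslog</parent>
  <regex>.*\bFTP\b.*</regex>
  <prematch>FTP</prematch>
  <program_name>FTP</program_name>
</decoder>"""

FIXED_DECODER = r"""<decoder name="ftp_ignore_date">
  <prematch>FTP</prematch>
  <program_name>FTP</program_name>
  <regex>\.*FTP\.*</regex>
  <order>message_content</order>
</decoder>"""

if __name__ == "__main__":
    for label, text in (("original", BROKEN_DECODER), ("corrected", FIXED_DECODER)):
        print(label)
        for sev, name, msg in lint_decoders(text) or [("ok", "-", "no findings")]:
            print("  [%s] %s: %s" % (sev, name, msg))
```

Run it over a real file with `lint_decoders(open(path).read())`. It is only a pre-check: wazuh-logtest remains the authoritative test because it runs the actual decoder engine against sample log lines.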

Matt
Oct 17, 2024, 12:04:38 AM
to Wazuh | Mailing List
Hello,

Thank you! The decoder format was accepted and I was able to save a custom decoder. Using the wazuh-logtest tool to tweak and run the decoders made things a lot easier.

Thanks,
Matt
