Very simple decoder not parsing JSON


Miguel

Jan 23, 2023, 8:36:55 AM
to Wazuh mailing list
Hi!

I'm trying to parse an example log composed of a prefix and a JSON object, but the fields inside the JSON are not being parsed at all. Here is an example log:

PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}

This is the output of ossec-logtest:

2023/01/23 12:54:53 ossec-testrule: INFO: Started (pid: 223592).
ossec-testrule: Type one log per line.

PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}


**Phase 1: Completed pre-decoding.
       full event: 'PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}'
       timestamp: '(null)'
       hostname: 'svhmsasp04'
       program_name: '(null)'
       log: 'PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}'

**Phase 2: Completed decoding.
       decoder: 'PROYXXXX_decoder'

**Phase 3: Completed filtering (rules).
       Rule id: '100111'
       Level: '14'
       Description: 'JSON retrieved for PROY-XXXX'
       Info - Text: 'PROY-XXXX'
**Alert to be generated.
As you can see, the decoder matches the event and it even triggers a rule, but the fields inside the JSON are not parsed.

The decoder inside the local_decoder.xml file is as follows:

<decoder name="PROYXXXX_decoder">
  <prematch>^\s*PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs':\s*</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>


I've tried to follow the example in the documentation but I think there might be something I'm missing. Could anyone help me with this? Using Wazuh v4.0.3.

Christian Borla

Jan 23, 2023, 8:57:38 AM
to Wazuh mailing list
Hi Miguel!
I hope you are doing fine!
I will try to reproduce and look for more information about it. I will come back as soon as possible.
Regards.

Christian Borla

Jan 23, 2023, 11:38:05 AM
to Wazuh mailing list
Hi Miguel
Thanks for waiting, I made it work by adding the pcre2 flag to the prematch condition.

Decoder:

<decoder name="PROYXXXX_decoder">
  <prematch type="pcre2">^\s*PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs':\s*</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

Test:
/var/ossec/bin/wazuh-logtest
Type one log per line


PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}

**Phase 1: Completed pre-decoding.
    full event: 'PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': { "asdadsf" : 1 , "asdffd" : "test112"}'

**Phase 2: Completed decoding.
    name: 'PROYXXXX_decoder'
    asdadsf: '1'
    asdffd: 'test112'

As you can see, the JSON fields are processed and captured.
Let me know if that works for you.
Regards!
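As an added illustration (not Wazuh's code, and not from either poster), the following Python models what the prematch plus `<plugin_decoder offset="after_prematch">JSON_Decoder` does to the log line in this thread: the prematch decides whether the decoder is selected, and only the text after the prematch end is handed to the JSON plugin. Python's `re` stands in for the PCRE2 engine and the plugin behaviour is an assumption made for the model; the helper names are hypothetical.

```python
import json
import re

# Sample log line, copied from the thread (constructed test input for this model).
SAMPLE_LOG = (
    "PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs': "
    '{ "asdadsf" : 1 , "asdffd" : "test112"}'
)

# The prematch from the working decoder (type="pcre2"); Python's re dialect
# is close enough to PCRE2 for this expression.
PREMATCH = r"^\s*PROYXXXX-log ossec: output: 'Collect-PROYXXXX-logs':\s*"

# A prematch that stops too early: the decoder still matches, but the text
# after it starts with a quote, not with the JSON object.
SHORT_PREMATCH = r"^\s*PROYXXXX-log ossec: output: "


def decode_after_prematch(log: str, prematch: str) -> dict:
    """Hypothetical model of prematch + after_prematch JSON_Decoder.

    'matched'   : whether the prematch hit (the decoder would be selected and
                  rules could fire, as in the logtest output above)
    'remainder' : the text handed to the JSON plugin
    'fields'    : what the plugin extracted; empty when the remainder is not
                  a JSON object, which is the symptom in the first message
    """
    m = re.search(prematch, log)
    if not m:
        return {"matched": False, "remainder": "", "fields": {}}
    remainder = log[m.end():]
    try:
        parsed = json.loads(remainder)
    except json.JSONDecodeError:
        return {"matched": True, "remainder": remainder, "fields": {}}
    if not isinstance(parsed, dict):
        return {"matched": True, "remainder": remainder, "fields": {}}
    return {"matched": True, "remainder": remainder, "fields": parsed}


def prematch_ends_at_json(log: str, prematch: str) -> bool:
    """Check worth running before deploying such a decoder: the prematch must
    end exactly where the JSON object begins, or the plugin gets no object."""
    m = re.search(prematch, log)
    return bool(m) and log[m.end():].startswith("{")
```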

Miguel Azorin

Jan 24, 2023, 3:48:53 AM
to Christian Borla, Wazuh mailing list
Hi Christian,

Oh, I didn't think the problem could be in the prematch, since the decoder was matching the events just fine. Thank you very much for taking the time to help me with this, I don't think I would have been able to spot the problem myself!!

Thank you!!

Best regards,

Miguel


Christian Borla

Jan 24, 2023, 7:58:20 PM
to Wazuh mailing list
You are welcome!