Decoder stuck on second phase.
122 views
Skip to first unread message
Atul Chadha
Jan 18, 2023, 7:28:28 AM1/18/23
to Wazuh mailing list
I am trying to report on the below log file and looks like its not able to get decoded by second phase
Log:
Jan 18 03:38:39 HOSTNAME wzh-CMD:[2963]: root TEST [2884]: cat /etc/sysconfig/network-scripts/ifcfg-eth0 22
Decoder:
Logtest:
Cedrick Foko
Jan 18, 2023, 9:33:33 AM1/18/23
to Wazuh mailing list
Hello Atulshadha,
Thank you for using Wazuh.
You probably have some problems with your rule because your log was successfully decoded by your decoder but the phase 3 in which rules are used gets stuck.
I used the following rule with your decoder and it worked fine.
<group name="wzh-cmd,">
<rule id="100101" level="3">
<program_name>wzh-CMD</program_name>
<description>Wazuh command executed...</description>
</rule>
</group>
Let me know if you have any other question.
Thank you for using Wazuh.
You probably have some problems with your rule because your log was successfully decoded by your decoder but the phase 3 in which rules are used gets stuck.
I used the following rule with your decoder and it worked fine.
<group name="wzh-cmd,">
<rule id="100101" level="3">
<program_name>wzh-CMD</program_name>
<description>Wazuh command executed...</description>
</rule>
</group>
Let me know if you have any other question.
Atul Chadha
Jan 18, 2023, 10:25:16 AM1/18/23
to Wazuh mailing list
HI Cedrick!
Appreciate the quick response, i have not configured the rule yet. I am trying to break down the log into order elements which i intent to use in my rule as variable.
For sake of testing i did configured the rule however i could not get the order elements from the decoder which i could use in rule.
Atul Chadha
Jan 18, 2023, 11:19:38 PM1/18/23
to Wazuh mailing list
Checking if there are any suggestions ?
Atul Chadha
Jan 19, 2023, 12:58:28 AM1/19/23
to Wazuh mailing list
I managed to fix it by adding prefix to the value in the log and recreating the decoder
Reply all
Reply to author
Forward
0 new messages