I am facing an issue configuring a custom decoder in Wazuh. The agent successfully collects logs and sends them to the Wazuh Manager — they appear in /var/ossec/logs/archives/archives.log, but they do not show up in the Wazuh Dashboard.
1. Wazuh Agent is installed on a server running a VPN service.
2. Logs are stored in the following files:
• /usr/local/x-ui/error.log
• /usr/local/x-ui/access.log
3. The logs appear in /var/ossec/logs/archives/archives.log, confirming that they are being sent from the agent to the manager.
4. A custom decoder has been added:
<decoder name="xray_connection_decoder">
  <prematch>from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d+ accepted tcp:</prematch>
  <regex type="pcre2">from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+) accepted tcp:([^:]+):(\d+) \[.*?\]</regex>
  <order>srcip,srcport,dsthost,dstport</order>
</decoder>
When testing with ossec-logtest, I receive “No decoder matched”. Here is an example log:
2025 Feb 05 00:00:02 (hyde.handh.ru) any->/usr/local/x-ui/access.log 2025/02/05 00:00:01 from 5.227.10.178:55965 accepted tcp:itunes.apple.com:443 [inbound-185.147.1>
Why is ossec-logtest not applying the decoder?
Thank you for your assistance. Looking forward to your response.
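An offline check of the decoder's `<regex type="pcre2">` against the example log above, added here and not part of the original post: it strips the archives.log header and runs the regex on the remaining payload. The function names and the header pattern are assumptions made for this example, and the second sample line is constructed because the posted one is cut off before its closing bracket.

```python
import re

# Regex and field order copied from the <regex type="pcre2"> and <order> elements in the post.
DECODER_REGEX = re.compile(
    r"from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+) accepted tcp:([^:]+):(\d+) \[.*?\]"
)
ORDER = ("srcip", "srcport", "dsthost", "dstport")

# Assumed shape of the archives.log prefix, taken from the posted line:
# "YYYY Mon DD HH:MM:SS (agent) ip->location " followed by the raw event.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \(([^)]+)\) (\S+)->(\S+) "
)

# The line exactly as posted (truncated by the terminal after "185.147.1").
AS_POSTED = (
    "2025 Feb 05 00:00:02 (hyde.handh.ru) any->/usr/local/x-ui/access.log "
    "2025/02/05 00:00:01 from 5.227.10.178:55965 accepted tcp:itunes.apple.com:443 "
    "[inbound-185.147.1>"
)
# Constructed sample: documentation address, placeholder tag, closing bracket present.
CONSTRUCTED_FULL = (
    "2025 Feb 05 00:00:02 (agent.example) any->/usr/local/x-ui/access.log "
    "2025/02/05 00:00:01 from 192.0.2.10:55965 accepted tcp:example.com:443 "
    "[constructed-tag]"
)

def strip_archive_header(line):
    """Return (location, payload); payload is the event as the agent read it."""
    m = ARCHIVE_HEADER.match(line)
    if not m:
        return None, line  # no manager-side header: treat the line as a raw event
    return m.group(3), line[m.end():]

def decode(payload):
    """Apply the decoder regex; return the ordered fields, or None if it fails."""
    m = DECODER_REGEX.search(payload)
    return dict(zip(ORDER, m.groups())) if m else None

if __name__ == "__main__":
    for label, line in (("as posted", AS_POSTED), ("constructed", CONSTRUCTED_FULL)):
        location, payload = strip_archive_header(line)
        print(label, "|", location, "|", decode(payload))
```

Python's `re` stands in for PCRE2 here, which is equivalent for this pattern. The `<prematch>` is not exercised, since Wazuh evaluates it as OSRegex unless a `type` attribute is set.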