I have created a custom decoder for Azure JSON logs using the <plugin_decoder>JSON_Decoder</plugin_decoder> feature:
Custom Decoder:
<decoder name="azure_child">
  <parent>json</parent>
  <prematch>"azure_tag": "azure-storage", "azure_storage_tag": "azure-aks"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<decoder name="azure_child">
  <parent>json</parent>
  <regex>"log":"{\\"kind\\":\\"(\.+)\\",</regex>
  <order>properties_log_kind</order>
</decoder>

<decoder name="azure_child">
  <parent>json</parent>
  <regex>\\"requestURI\\":\\"(\.+)",</regex>
  <order>properties_log_requestURI</order>
</decoder>
These decoders allow me to successfully extract the additional fields I require, on top of the default JSON parsing. However, after implementing them, I noticed that my Office 365 (O365) logs are no longer being decoded properly in JSON format.
Objective
I need to create a custom decoder that can extract additional fields from specific Azure logs that are not decoded by the default JSON decoder — while ensuring that other JSON-based logs (such as O365 logs) remain unaffected.