Extract value from CDB list


CRiaks

Feb 26, 2026, 4:11:18 AM (7 days ago) Feb 26
to Wazuh | Mailing List
Hello,

I am trying to figure out how to extract data from a cdb list which contains ssh fingerprints and usernames. (fingerprint:username)
When a connection log triggers a custom rule, I would like to match the fingerprint in the list and extract the username in the description of the alert.
The decoder works but not the value extraction. 
I searched a lot in the documentation but I could not find anything.

Thanks for your help,
Regards

Md. Nazmur Sakib

Feb 26, 2026, 5:22:13 AM (7 days ago) Feb 26
to Wazuh | Mailing List

Hello,
I believe I have not understood your issue correctly, but I will share a response based on what I have understood. You have a field like this, fingerprint:username, which you want to use in the CDB list.
You need to add the exact decoded field value in the CDB list.

If the field value contains : you need to add the value using a comma.

If your field is like this 

fingerprint:username

The CDB list key should be like this.

"fingerprint:username":

Make sure this is a single field value. You cannot accommodate two different fields using the CDB list.


You can share with me a sample alert, so that I can have a look and share with you more accurate information for your use case.

Read this document to learn more: Using CDB lists

Looking forward to your update.

CRiaks

Feb 26, 2026, 7:25:18 AM (7 days ago) Feb 26
to Wazuh | Mailing List
Hi Nazmur,

Thank you for your reply.
Let me rephrase my issue.
Context:
Several users use the same account to log on to a server.
The only way I have to know who initiated the connection is the fingerprint displayed in the connection log, such as
"Feb 25 17:14:48 hostname sshd[100757]: Accepted publickey for user from 192.168.1.2 port 33646 ssh2: RSA SHA256:EcPPXCXFx4qKXg7iVJLPrrTYGSDuXQlUkjykZsw"

The last part of this log is the fingerprint of a public key. I have a list of all fingerprints that can connect to this server.
With this list, I created a CDB list, such as:
EcPPXCXFx4qKXg7iVJLPrrTYGSDuXQlUkjykZsw:user1
EcPPXCXFx4qKXg7iVJLPrUYJKYFuXQlUkjykZsw:user2
EcPPXCXFx4qKXg7iVJLPrrTYGSDuERTYHjykZsw:user3

The decoder works, I can get the fingerprint as a dynamic field and use it in an alert description:
<description>SSHD: Successful login using $(fingerprint)</description>

What I am trying to do is match the key in the CDB list and get its value into the description:
<list field="fingerprint" lookup="match_key">etc/liss/list-fingerprints</list>
<description>SSHD: Successful login for $(returned_value) using $(fingerprint)</description>

I hope this is clearer with this explanation.
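The lookup described in this thread, as an added example that is not part of the original posts and not Wazuh's own code: a Python script that parses a CDB list source file written in the key:value form (including the double-quoted keys for values containing ":" that the earlier reply describes), extracts the fingerprint from an sshd "Accepted publickey" line the way the decoder does, and resolves it to the listed user for the alert text. The first log line and the first three list entries are the ones quoted above; the fourth list entry, the remaining log lines and all function names are constructed for this example. A fingerprint that is not in the list is reported as UNKNOWN rather than dropped, since a login with a key that is not in the inventory is the case worth alerting on.

```python
import re

# Constructed sample in the "key:value" text form that Wazuh CDB lists are
# written in before compilation. The first three keys are the ones quoted in
# the thread; the fourth is constructed to show a key that itself contains
# ':' and therefore has to be wrapped in double quotes.
CDB_SOURCE = """\
EcPPXCXFx4qKXg7iVJLPrrTYGSDuXQlUkjykZsw:user1
EcPPXCXFx4qKXg7iVJLPrUYJKYFuXQlUkjykZsw:user2
EcPPXCXFx4qKXg7iVJLPrrTYGSDuERTYHjykZsw:user3
"SHA256:AbCdEfConstructedFingerprint0000000000":user4
"""

# Constructed sshd lines: the first is the one from the thread, the others
# exercise a quoted-key match, an unlisted key and a non-publickey login.
LOG_LINES = [
    "Feb 25 17:14:48 hostname sshd[100757]: Accepted publickey for user from "
    "192.168.1.2 port 33646 ssh2: RSA SHA256:EcPPXCXFx4qKXg7iVJLPrrTYGSDuXQlUkjykZsw",
    "Feb 25 17:20:01 hostname sshd[100801]: Accepted publickey for user from "
    "192.168.1.3 port 40210 ssh2: ED25519 SHA256:AbCdEfConstructedFingerprint0000000000",
    "Feb 25 17:22:09 hostname sshd[100815]: Accepted publickey for user from "
    "192.168.1.4 port 40222 ssh2: RSA SHA256:NotInTheAllowListAtAll00000000000000000",
    "Feb 25 17:25:30 hostname sshd[100830]: Accepted password for user from "
    "192.168.1.5 port 40240 ssh2",
]

# Mirrors the decoder the thread describes: capture the key fingerprint from
# an "Accepted publickey" line as a named field. The whole "SHA256:<hash>"
# token is kept so that both spellings of the key can be looked up.
SSHD_PUBKEY = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<account>\S+) "
    r"from (?P<srcip>\S+) port (?P<srcport>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fingerprint>\S+)"
)


def parse_cdb_source(text):
    """Parse key:value lines into a dict.

    An unquoted key ends at the first ':'; a key wrapped in double quotes
    may contain ':' (the quoting the earlier reply recommends). Blank lines
    are skipped; a malformed quoted line raises instead of silently
    producing a wrong key.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"'):
            end = line.find('"', 1)
            if end == -1 or not line[end + 1:].startswith(":"):
                raise ValueError(f"malformed quoted key: {raw!r}")
            key, value = line[1:end], line[end + 2:]
        else:
            key, _, value = line.partition(":")
        mapping[key] = value
    return mapping


def decode_sshd(line):
    """Return the decoded fields for a publickey login, else None."""
    m = SSHD_PUBKEY.search(line)
    return m.groupdict() if m else None


def resolve_owner(fingerprint, mapping):
    """Look the fingerprint up as written and then as the bare hash.

    The list in the thread stores the hash without its 'SHA256:' prefix,
    so a field that still carries the prefix is tried both ways.
    """
    if fingerprint in mapping:
        return mapping[fingerprint]
    _, sep, bare = fingerprint.partition(":")
    return mapping.get(bare) if sep else None


def describe(line, mapping):
    """Build the alert text the thread asks for; None if not a publickey login."""
    fields = decode_sshd(line)
    if fields is None:
        return None
    owner = resolve_owner(fields["fingerprint"], mapping)
    who = owner if owner is not None else "UNKNOWN (fingerprint not in list)"
    return (f"SSHD: Successful login for {who} using {fields['fingerprint']} "
            f"(account {fields['account']} from {fields['srcip']})")


FINGERPRINTS = parse_cdb_source(CDB_SOURCE)

if __name__ == "__main__":
    for line in LOG_LINES:
        print(describe(line, FINGERPRINTS))
```

Running the script prints one description per sample line; the password login yields None because the decoder only matches publickey logins, and the third line shows how a fingerprint missing from the list surfaces in the alert text instead of being silently dropped.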