Hi July!
The prematch field is useful for log matching. It will help your decoder identify which logs it is supposed to process. However, it will not extract any information from them. You can think of the prematch option as a query: it looks for matches, but it doesn't really process their information.
On the other hand, the regex field does extract information. Every expression between parentheses will be extracted into a field. The names of the fields must be defined in the order field.
In the example you just linked, the prematch field is defined as:
<decoder name="fortigate-custom">
<prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname="\S+"</prematch>
</decoder>
This will simply look for logs that match that regular expression. If you check the regex field in the example, you'll see it comes with an order field:
<decoder name="fortigate-custom1">
<parent>fortigate-custom</parent>
<regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname="(\S+)"</regex>
<order>date, time, devname</order>
</decoder>
It will extract information between parentheses (I've marked it in red) into the fields listed in the order field:
- date: First parentheses group (\d\d\d\d-\d\d-\d\d)
- time: Second parentheses group (\d\d:\d\d:\d\d)
- devname: Third parentheses group (\S+)
For the following log:
date=2019-10-10 time=17:01:31 devname="FG111E-INFT2" devid="FG201E4Q17901611"
It will decode the fields matching the regex expression:
- date: 2019-10-10
- time: 17:01:31
- devname: FG111E-INFT2
I hope this explanation was helpful!
Best regards,
Asun Gómez
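To make the prematch/regex/order split concrete, here is a small Python emulation of the two-stage flow described in the reply above. It is an added example, not Wazuh code and not part of the original post: it parses the two decoders from the post with the standard library, applies the parent's prematch only as a yes/no test (no extraction), and then applies the child's regex and maps each capture group to the corresponding name in order. It assumes Python's re module as a stand-in for Wazuh's OS_Regex engine; the two expressions from the post happen to use only constructs both engines support (^, \d, \S and capture groups), but other expressions may behave differently in the real decoder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two decoders from the post, wrapped in a root
# element so ElementTree can parse them as one document.
DECODERS_XML = r"""<decoders>
<decoder name="fortigate-custom">
  <prematch>^date=\d\d\d\d-\d\d-\d\d time=\d\d:\d\d:\d\d devname="\S+"</prematch>
</decoder>
<decoder name="fortigate-custom1">
  <parent>fortigate-custom</parent>
  <regex>^date=(\d\d\d\d-\d\d-\d\d) time=(\d\d:\d\d:\d\d) devname="(\S+)"</regex>
  <order>date, time, devname</order>
</decoder>
</decoders>"""

# The log line from the post (constructed sample input).
SAMPLE_LOG = 'date=2019-10-10 time=17:01:31 devname="FG111E-INFT2" devid="FG201E4Q17901611"'


def load_decoders(xml_text):
    """Turn each <decoder> element into a plain dict with name, parent, prematch, regex, order."""
    decoders = []
    for el in ET.fromstring(xml_text).findall("decoder"):
        order_text = el.findtext("order") or ""
        decoders.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "prematch": el.findtext("prematch"),
            "regex": el.findtext("regex"),
            # order is a comma-separated list of field names, one per capture group
            "order": [f.strip() for f in order_text.split(",") if f.strip()],
        })
    return decoders


def prematch_hits(log, decoder):
    """Stage 1: prematch only answers 'is this log for me?'; it extracts nothing."""
    return bool(decoder["prematch"]) and re.search(decoder["prematch"], log) is not None


def decode(log, decoders):
    """Stage 2 (emulated): once a parent's prematch hits, try each child's regex and
    zip its capture groups with the names from <order>.  Returns None when no
    parent prematch hits, and an empty 'fields' dict when the prematch hit but
    no child regex matched."""
    for parent in decoders:
        if parent["parent"] is not None or not prematch_hits(log, parent):
            continue
        result = {"decoder": parent["name"], "fields": {}}
        for child in decoders:
            if child["parent"] != parent["name"] or not child["regex"]:
                continue
            m = re.search(child["regex"], log)
            if m is None:
                continue
            groups = m.groups()
            # A practitioner caveat: every capture group needs a name in <order>,
            # otherwise fields silently shift or go missing.
            if len(groups) != len(child["order"]):
                raise ValueError(
                    f"{child['name']}: {len(groups)} capture groups but "
                    f"{len(child['order'])} names in <order>"
                )
            result["decoder"] = child["name"]
            result["fields"] = dict(zip(child["order"], groups))
            return result
        return result
    return None


if __name__ == "__main__":
    print(decode(SAMPLE_LOG, load_decoders(DECODERS_XML)))
```

Running it prints the three fields from the post (date, time, devname) under the child decoder's name, while a line that fails the prematch returns None without the regex ever being tried.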