EasyNAC Decoders and Rules


Domenica Wairimu

Apr 7, 2026, 10:19:12 AM
to Wazuh | Mailing List
Hello,
Kindly help me compose Wazuh decoders and logs for the following Network Access Log.

2026 Apr 01 09:01:01 (PICS0017) any->/var/log/syslog 2026-04-01T12:01:00+03:00 pics0026 {"type": "application","timestamp":"Apr 1 2026 12:01:00","time":"2026-04-01T09:01:00.159Z","source":"core-npe","name":"change-access","msg":"New access guest-access assigned to device 192.168.100.52/00:68:EB:3E:D4:7A","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Guest-Employee-Phones","rolereason":"Employee Mobile Phone or BYOD Device","role":"guest","destinationMac":"00:68:EB:3E:D4:7A","destinationAddress":"192.168.100.52","accessgroup":"guest-access"}}
2026 Apr 01 09:01:01 (PICS0017) any->/var/log/syslog 2026-04-01T12:01:00.504969+03:00 192.168.0.235  {"userid":"system","type":"notification","time":"2026-04-01T09:01:00.429Z","source":"role-access","name":"notification-event","msg":"Guest - Access Device Detected","hostname":"pics0026","hostip":"192.168.0.235","data":{"vendor":"Private","flag":"ip-conflict, guest","deviceHostName":"Corry-s-A13","destinationMac":"B2:B3:C8:4F:74:B7","destinationAddress":"192.168.106.47"}}

Regards,
Domenica Wairimu
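A starting point for the decoder and rules requested above, written as an added example for this thread rather than anything the Wazuh project or the poster supplied. It assumes that the leading `2026 Apr 01 09:01:01 (PICS0017) any->/var/log/syslog` portion is the archive prefix the manager writes (agent name and log location) and not part of the event, so the line the decoders see starts at the ISO timestamp followed by the host and then the JSON object. The decoder names, the rule IDs in the 100000+ custom range, and the rule levels are all choices made for this example; the field names (`name`, `data.accessgroup`, `data.flag`, `data.deviceHostName`, and so on) are taken from the two sample events, flattened with dot notation the way the Wazuh JSON decoder does.

```xml
<!-- local_decoder.xml (example only; names chosen for this illustration) -->

<!-- Parent: match "<ISO timestamp> <host> " and stop just before the JSON body.
     \S+ after the seconds absorbs either "+03:00" or ".504969+03:00";
     \s+ absorbs the one or two spaces seen before "{" in the samples. -->
<decoder name="nac-json">
  <prematch>^\d+-\d+-\d+T\d+:\d+:\d+\S+ \S+\s+</prematch>
</decoder>

<!-- Child: hand everything after the prematch to the JSON plugin decoder,
     which yields fields such as type, name, msg, data.role, data.accessgroup. -->
<decoder name="nac-json-body">
  <parent>nac-json</parent>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

<!-- local_rules.xml (example only; IDs and levels are arbitrary choices) -->
<group name="nac,">

  <!-- Sample 1: an access group being assigned to a device -->
  <rule id="100100" level="3">
    <decoded_as>nac-json</decoded_as>
    <field name="name">change-access</field>
    <description>NAC: access group $(data.accessgroup) assigned to $(data.destinationAddress)/$(data.destinationMac) by rule $(data.ruledescription)</description>
  </rule>

  <!-- Sample 2: guest device notification; the flag field carries "ip-conflict, guest" -->
  <rule id="100101" level="5">
    <decoded_as>nac-json</decoded_as>
    <field name="name">notification-event</field>
    <field name="data.flag">ip-conflict</field>
    <description>NAC: guest device $(data.deviceHostName) at $(data.destinationAddress) reported with IP conflict</description>
  </rule>

</group>
```

Before relying on the prematch, paste one of the two log lines (without the archive prefix) into /var/ossec/bin/wazuh-logtest and confirm that the `nac-json` decoder fires and that the `data.*` fields appear in the output. If the manager's syslog pre-decoding has already stripped the timestamp and host by the time the log reaches the decoders, the prematch will not match and the JSON body should instead be decoded directly; the archives.json sample asked for later in this thread is what settles which form is actually ingested.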

Olamilekan Abdullateef Ajani

Apr 7, 2026, 10:40:58 AM
to Wazuh | Mailing List
Hello Domenica,

To best understand this, I will need you to share these same sample logs from the archives.json file. I can see headers with the log; this is to help ensure we capture the actual log as ingested by Wazuh.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    ----  
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the Wazuh-manager: systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "part of your log"
Verify that you have the log, and share the sample complete log line, then disable archiving by setting the values to no.

Please let me know what you find.

You can also refer to the documentation below on creating decoders: