CEF Format Decoder Needed_Safeguard log


Slavica SL

7:40 AM
to Wazuh | Mailing List
Hello all, I have a Safeguard log for which I need to create a Wazuh decoder, but I only manage to decode the header. I also want to decode cs1, cs2, cs3, etc., so that I can later make rules using these.
Can you help me with the decoder?
This is the log. Can it be broken into header, cs3, cs4, cs2, cs5, ... or maybe even decoded into each field: header, cs3, start, end, cs4, spid, filepath, etc.?

CEF:0|XYPRO|NONSTOP|XMA|SOFTWARE-NORM-MSGS|SAFEGUARD-NORMAL-MESSAGES|2|cs3= FFFF02F2FF5A35F858F9 start= N end= N cs4=  sproc= \DON.$X82V spid=  filePath= \DON.$SYSTEM.JON02.TACL src= 11.22.33.44 sourceDnsDomain=  dst= 11.22.33.44 dhost= \DON cs2= $B7.SAFE deviceCustomDate1= 2026-01-02 12:42:23.260437 rt= 2026-01-02 13:42:23.260437 externalId= 000000002 outcome= 1 cs6= N / N cn1= A deviceFacility= SAFEGUARD suid= 300 , 355 duid= 355 , 355 suser= pmJohn shost= \DON duser= SuperJohn fileType= ALIAS fname= SuperJohn 255.255 act= VERIFYUSER cs5= \DON.$ZPTX3.#ZWN9597 cat= 54 reason= 400 cs1=  msg= Last Logon Time 2026-01-01 09:07:40.343101 to 2026-01-02 13:42:23.238433 cn1Label=ALERTEDcs1Label=Rulenamecs2Label=ProductLocationcs3Label=SessionIDcs4Label=SessionNamecs5Label=Terminalcs6Label=Test/Warn

Olamilekan Abdullateef Ajani

8:53 AM
to Wazuh | Mailing List
Dear Slavica,

I made a sample decoder below for your reference as requested.

<decoder name="test">
  <prematch>SAFEGUARD-NORMAL-MESSAGES</prematch>
</decoder>

<!-- This log writes every pair as "key= value" with one space after "=", and an
     empty value shows up as "key=  nextkey=". Matching "= ?" (at most one space)
     instead of "=\s*" keeps an empty cs4 or spid from capturing the next key
     name ("sproc=") as its value. -->
<decoder name="test-body">
  <parent>test</parent>
  <regex type="pcre2">.*\|cs3= ?([^\s]+).*?start= ?([^\s]+).*?end= ?([^\s]+).*?cs4= ?([^\s]*).*?spid= ?([^\s]*).*?filePath= ?([^\s]+).*?src= ?([^\s]+).*?dst= ?([^\s]+).*?suser= ?([^\s]+).*?duser= ?([^\s]+).*?fileType= ?([^\s]+).*?fname= ?([^\s]+).*?act= ?([^\s]+).*?msg= ?(.+?)(?=\s+\w+Label=)</regex>
  <order>cs3,start,end,cs4,spid,filepath,srcip,dstip,suser,duser,filetype,filename,action,message</order>
</decoder>


You can test this with the Wazuh logtest engine, /var/ossec/bin/wazuh-logtest, and then parse the shared log.
Please see the attachment for the result after testing. You can learn more about writing decoders in the documentation below:


Please let me know if you require further assistance on this.
safeguard-decoder.png
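Added example for this thread, not part of either post and not Wazuh code: a small Python reference decode of the Safeguard line from the question, so the values a decoder should extract can be checked field by field. It parses the CEF header and extension generically, resolves the csN/cnNLabel names (SessionID, Terminal, ...), and runs a decoder-style regex of the same shape as the one in the reply over the line with Python's re, so its groups can be compared with what wazuh-logtest reports. It assumes the device's two quirks seen in the sample: "key= value" with one space after "=" (an empty value appears as "key=  nextkey=") and the *Label keys glued together without separators.

```python
"""Reference decode of the Safeguard CEF line posted in this thread (added example)."""
import re

# Constructed sample: the Safeguard/XMA line from the question, as one string.
SAMPLE = (
    r"CEF:0|XYPRO|NONSTOP|XMA|SOFTWARE-NORM-MSGS|SAFEGUARD-NORMAL-MESSAGES|2|"
    r"cs3= FFFF02F2FF5A35F858F9 start= N end= N cs4=  sproc= \DON.$X82V spid=  "
    r"filePath= \DON.$SYSTEM.JON02.TACL src= 11.22.33.44 sourceDnsDomain=  "
    r"dst= 11.22.33.44 dhost= \DON cs2= $B7.SAFE deviceCustomDate1= 2026-01-02 12:42:23.260437 "
    r"rt= 2026-01-02 13:42:23.260437 externalId= 000000002 outcome= 1 cs6= N / N cn1= A "
    r"deviceFacility= SAFEGUARD suid= 300 , 355 duid= 355 , 355 suser= pmJohn shost= \DON "
    r"duser= SuperJohn fileType= ALIAS fname= SuperJohn 255.255 act= VERIFYUSER "
    r"cs5= \DON.$ZPTX3.#ZWN9597 cat= 54 reason= 400 cs1=  "
    r"msg= Last Logon Time 2026-01-01 09:07:40.343101 to 2026-01-02 13:42:23.238433 "
    r"cn1Label=ALERTEDcs1Label=Rulenamecs2Label=ProductLocationcs3Label=SessionID"
    r"cs4Label=SessionNamecs5Label=Terminalcs6Label=Test/Warn"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A key is a word followed by "=" that starts the extension or follows whitespace.
# The second alternative also accepts the standard custom-field label keys when
# the device glues them to the previous value ("...ALERTEDcs1Label=Rulename").
KEY_RE = re.compile(
    r"(?:(?<=\s)|^)([A-Za-z][A-Za-z0-9]*)="
    r"|((?:c[sn]\d|cfp\d|deviceCustomDate\d|flexString\d|flexNumber\d|flexDate\d)Label)="
)


def parse_header(line):
    """Split on unescaped '|' into the seven CEF header fields plus the extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts[0] = parts[0][len("CEF:"):]
    unescaped = (re.sub(r"\\([|\\])", r"\1", p) for p in parts[:7])
    return dict(zip(HEADER_FIELDS, unescaped)), parts[7]


def parse_extension(ext):
    """Map each key to the text up to the next key; empty values stay empty."""
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        key = m.group(1) or m.group(2)
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        # CEF escapes '=' and '\' in values; a bare "\D" as in \DON is left alone.
        fields[key] = re.sub(r"\\([=\\])", r"\1", value)
    return fields


def name_custom_fields(fields):
    """Resolve csNLabel/cnNLabel so rules can refer to SessionID, Terminal, ..."""
    return {label: fields[key[:-5]] for key, label in fields.items()
            if key.endswith("Label") and key[:-5] in fields}


def decode_cef(line):
    header, ext = parse_header(line)
    fields = parse_extension(ext)
    return {"header": header, "extension": fields,
            "custom": name_custom_fields(fields)}


# Decoder-style regex in the shape of the reply's <regex>, with "= ?" after each
# key so an empty cs4/spid captures as "" instead of swallowing the next key.
DECODER_RE = re.compile(
    r".*\|cs3= ?(\S+).*?start= ?(\S+).*?end= ?(\S+).*?cs4= ?(\S*).*?spid= ?(\S*)"
    r".*?filePath= ?(\S+).*?src= ?(\S+).*?dst= ?(\S+).*?suser= ?(\S+).*?duser= ?(\S+)"
    r".*?fileType= ?(\S+).*?fname= ?(\S+).*?act= ?(\S+).*?msg= ?(.+?)(?=\s+\w+Label=)"
)
ORDER = ("cs3", "start", "end", "cs4", "spid", "filepath", "srcip", "dstip",
         "suser", "duser", "filetype", "filename", "action", "message")


def decoder_fields(line):
    """Return the <order> names mapped to the regex groups, or None if no match."""
    m = DECODER_RE.match(line)
    return dict(zip(ORDER, m.groups())) if m else None


if __name__ == "__main__":
    result = decode_cef(SAMPLE)
    for section, values in result.items():
        print(f"[{section}]")
        for k, v in values.items():
            print(f"  {k} = {v!r}")
    print("[decoder]")
    for k, v in decoder_fields(SAMPLE).items():
        print(f"  {k} = {v!r}")
```

The generic parser is the reference: whatever the Wazuh decoder captures for cs4, spid and cs1 should come out empty, exactly as parse_extension reports them, and fname keeps its full value "SuperJohn 255.255" while a whitespace-bounded group only keeps "SuperJohn".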