Audit log parse and convert EPOCH timestamp to readable format


Isaac S.

May 14, 2026, 2:18:27 PM
to Wazuh | Mailing List
Hello Wazuh Team

Is there a decoder in the Wazuh default rules that extracts the EPOCH timestamp from audit logs and converts it to a readable format?

=== DECODING===

AUDIT LOG

type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 success=yes exit=0 a0=55fa73375820 a1=55fa733741d0 a2=55fa7336e9d0 a3=8 items=2 ppid=3368964 pid=3368966 auid=5014 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=35928 comm="awk" exe="/usr/bin/gawk" key="user-commands"ARCH=x86_64 SYSCALL=execve AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"


DECODE

**Phase 1: Completed pre-decoding.
        full event: 'type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 success=yes exit=0 a0=55fa73375820 a1=55fa733741d0 a2=55fa7336e9d0 a3=8 items=2 ppid=3368964 pid=3368966 auid=5014 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=35928 comm="awk" exe="/usr/bin/gawk" key="user-commands"ARCH=x86_64 SYSCALL=execve AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'

**Phase 2: Completed decoding.
        name: 'auditd'
        parent: 'auditd'
        audit.arch: 'c000003e'
        audit.auid: '5014'
        audit.command: 'awk'
        audit.egid: '0'
        audit.euid: '0'
        audit.exe: '/usr/bin/gawk'
        audit.exit: '0'
        audit.fsgid: '0'
        audit.fsuid: '0'
        audit.gid: '0'
        audit.id: '230239'
        audit.key: 'user-commands'
        audit.pid: '3368966'
        audit.ppid: '3368964'
        audit.session: '35928'
        audit.sgid: '0'
        audit.success: 'yes'
        audit.suid: '0'
        audit.syscall: '59'
        audit.tty: 'pts1'
        audit.type: 'SYSCALL'
        audit.uid: '0'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '3'
        description: 'Audit: Messages grouped.'
        groups: '['audit', 'audit-log']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

NOTE: The default Wazuh rule was modified to increase the severity from 0 to 3

=== COMMENTS ===
- WAZUH VERSION: 4.14.1
- There's no field for parsing the EPOCH timestamp.
- Could Wazuh extract the EPOCH timestamp and convert it to a readable format?

Thanks

Isaac

Olamilekan Abdullateef Ajani

May 14, 2026, 3:35:28 PM
to Wazuh | Mailing List
Hello Isaac,

This is possible; you just need 2 things: modify the decoder to reflect the new field and edit the Filebeat processor pipeline to reflect the change.

Modify the 0040-auditd_decoders.xml decoder and edit the auditd-syscall decoder to reflect the changes below:

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <prematch offset="after_parent">^SYSCALL|^EXECVE</prematch>
  <regex offset="after_parent">^(\S+) msg=audit\((\d+\.\d+):(\d+)\): </regex>
  <order>audit.type,audit.epoch,audit.id</order>
</decoder>

This means we have added the field audit.epoch to carry the epoch timestamp only.

Then modify the Filebeat pipeline file: /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and add the epoch date field.

{
  "date": {
    "field": "data.audit.epoch",
    "target_field": "data.audit.readable_time",
    "formats": ["UNIX"],
    "ignore_failure": true
  }
},
Just search for "date" and add the column below it; screenshot for reference.

Reload the pipeline: filebeat setup --pipelines
Restart filebeat: systemctl restart filebeat

Then you should have the date converted; you can check the dashboard for the reflected changes and the attached image for reference.

Please note, modifying default decoders is not advisable, as changes may be wiped when there is an update, so it is best to always copy them to the custom directory. You can refer to the documentation below on that.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

Please let me know if you require further clarification on this.

audit.png
audit2.png
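To make the two-step change above concrete, here is an added Python example (not part of the Wazuh ruleset or the configuration posted in this thread). It applies the same three capture groups as the posted decoder regex to an auditd line and then renders the captured epoch the way the date processor with format "UNIX" does (seconds since the epoch with an optional fractional part, stored at millisecond precision in UTC). The sample line is the SYSCALL record from the original question, trimmed; the function names are my own.

```python
"""Offline model of the decoder change plus the date processor.

Added example, not Wazuh's own code. The regex mirrors the posted decoder
(type, epoch, serial id); epoch_to_iso mirrors what the Filebeat/Elasticsearch
date processor with format "UNIX" produces for the epoch field.
"""
import re
from typing import Optional

from datetime import datetime, timezone

# Same capture groups as the posted decoder: audit.type, audit.epoch, audit.id.
AUDIT_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ")

# Constructed sample: the SYSCALL line from the question, shortened.
SAMPLE_LINE = (
    'type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=3368964 pid=3368966 auid=5014 uid=0 comm="awk" '
    'exe="/usr/bin/gawk" key="user-commands"'
)


def parse_audit_header(line: str) -> Optional[dict]:
    """Return {'type', 'epoch', 'id'} for an auditd record, or None when the
    header does not match (a line that is not an audit record)."""
    m = AUDIT_HEADER.match(line)
    if not m:
        return None
    return {"type": m.group(1), "epoch": m.group(2), "id": m.group(3)}


def epoch_to_iso(epoch: str) -> str:
    """Convert '1778776059.726' to '2026-05-14T16:27:39.726Z'.

    The string is split rather than parsed as a float so the fractional part
    survives exactly; auditd writes milliseconds, and the date type stores
    millisecond precision, so the fraction is padded or cut to three digits.
    """
    secs, _, frac = epoch.partition(".")
    millis = (frac + "000")[:3]
    dt = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{millis}Z"


def enrich(line: str) -> Optional[dict]:
    """What decoder plus pipeline would yield for one log line: the decoded
    header fields with readable_time added alongside the raw epoch."""
    fields = parse_audit_header(line)
    if fields is None:
        return None
    fields["readable_time"] = epoch_to_iso(fields["epoch"])
    return fields


if __name__ == "__main__":
    print(enrich(SAMPLE_LINE))
```

Keeping the raw epoch next to the converted value (as the posted decoder and pipeline do) is useful for correlation: the epoch plus the serial id is the key auditd uses to tie the SYSCALL, EXECVE and PATH records of one event together.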

Isaac S.

May 26, 2026, 2:36:56 PM
to Wazuh | Mailing List
Hello Olamilekan

Sorry for my late response.

I applied the previous configuration, but recently the field "data.audit.time" (the field name that was configured) appears as a conflicting field: first as a date, all OK, then in a recent index as a keyword.
wazuh.png

Olamilekan Abdullateef Ajani

Jun 5, 2026, 11:10:31 AM
to Wazuh | Mailing List
Hello Isaac,

Apologies for the late response. Are you still experiencing this issue? What you need to do is to update the index template to explicitly map data.audit.readable_time as a date field, so new indices inherit the correct mapping from the start.

Run this in the Dev Tools to see the conflicting mapping types:
GET wazuh-alerts-*/_mapping/field/data.audit.readable_time

Then update the index template to explicitly declare data.audit.readable_time as a date type. This ensures every new index created from today gets that mapping:

PUT _index_template/wazuh
{
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "priority": 1,
  "template": {
    "mappings": {
      "properties": {
        "data": {
          "properties": {
            "audit": {
              "properties": {
                "readable_time": {
                  "type": "date"
                },
                "epoch": {
                  "type": "keyword"
                }
              }
            }
          }
        }
      }
    }
  }
}

Reindex each conflicting index into a temporary index with a corrected name, then swap back. Repeat this for each affected index you mentioned.

POST _reindex
{
  "source": {
    "index": "wazuh-alerts-4.x-2026.05.25"
  },
  "dest": {
    "index": "wazuh-alerts-4.x-2026.05.25-fixed"
  }
}

Once the reindex completes and you verify the data is correct, delete the old index and create an alias pointing to the fixed one:
DELETE wazuh-alerts-4.x-2026.05.25

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "wazuh-alerts-4.x-2026.05.25-fixed",
        "alias": "wazuh-alerts-4.x-2026.05.25"
      }
    }
  ]
}

Reload and verify this:
filebeat setup --pipelines
systemctl restart filebeat

Please let me know how this goes.

Regards
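Before reindexing, it helps to know exactly which daily indices disagree on the field type, so the reindex/alias swap above is limited to those. This is an added Python example (not Wazuh's or the poster's code) that consumes the JSON shape returned by GET wazuh-alerts-*/_mapping/field/data.audit.readable_time and groups indices by the type they mapped. The response below is constructed; the index names and dates are illustrative, and the function names are my own.

```python
"""Spot the date/keyword mapping conflict across wazuh-alerts indices.

Added example, not part of Wazuh. Input is the body of
GET <indices>/_mapping/field/<field>; output is which indices deviate from
the type the index template should enforce.
"""
from collections import defaultdict

FIELD = "data.audit.readable_time"

# Constructed sample of a _mapping/field response for three daily indices.
# The API keys the inner "mapping" object by the leaf field name.
SAMPLE_RESPONSE = {
    "wazuh-alerts-4.x-2026.05.24": {
        "mappings": {FIELD: {"full_name": FIELD,
                             "mapping": {"readable_time": {"type": "date"}}}}
    },
    "wazuh-alerts-4.x-2026.05.25": {
        "mappings": {FIELD: {"full_name": FIELD,
                             "mapping": {"readable_time": {"type": "keyword"}}}}
    },
    "wazuh-alerts-4.x-2026.05.26": {
        "mappings": {}  # field never indexed here, so no opinion on its type
    },
}


def field_types(response: dict, field: str) -> dict:
    """Map each type that `field` was mapped as to the indices using it."""
    by_type = defaultdict(list)
    leaf = field.rsplit(".", 1)[-1]
    for index, body in response.items():
        entry = body.get("mappings", {}).get(field)
        if not entry:
            continue  # index has no mapping for the field yet
        mapped_type = entry["mapping"][leaf].get("type", "object")
        by_type[mapped_type].append(index)
    return {t: sorted(ix) for t, ix in by_type.items()}


def conflicting_indices(response: dict, field: str, wanted: str = "date") -> list:
    """Indices whose mapping for `field` is not `wanted`; these are the ones
    that need the reindex and alias swap. Empty list means no conflict."""
    return sorted(
        index
        for mapped_type, indices in field_types(response, field).items()
        if mapped_type != wanted
        for index in indices
    )


if __name__ == "__main__":
    print(field_types(SAMPLE_RESPONSE, FIELD))
    print("needs reindex:", conflicting_indices(SAMPLE_RESPONSE, FIELD))
```

Run it against the saved Dev Tools output after the PUT _index_template step as well: once the template is in place, newly created indices should all land in the "date" bucket and the conflict list should only ever shrink.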