Audit log parse and convert EPOCH timestamp to readable format


Isaac S.

May 14, 2026, 2:18:27 PM
to Wazuh | Mailing List
Hello Wazuh Team

Is there a decoder in the Wazuh default rules that extracts the EPOCH timestamp from audit logs and converts it to a readable format?

=== DECODING ===

AUDIT LOG

type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 success=yes exit=0 a0=55fa73375820 a1=55fa733741d0 a2=55fa7336e9d0 a3=8 items=2 ppid=3368964 pid=3368966 auid=5014 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=35928 comm="awk" exe="/usr/bin/gawk" key="user-commands"ARCH=x86_64 SYSCALL=execve AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"


DECODE

**Phase 1: Completed pre-decoding.
        full event: 'type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 success=yes exit=0 a0=55fa73375820 a1=55fa733741d0 a2=55fa7336e9d0 a3=8 items=2 ppid=3368964 pid=3368966 auid=5014 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=35928 comm="awk" exe="/usr/bin/gawk" key="user-commands"ARCH=x86_64 SYSCALL=execve AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'

**Phase 2: Completed decoding.
        name: 'auditd'
        parent: 'auditd'
        audit.arch: 'c000003e'
        audit.auid: '5014'
        audit.command: 'awk'
        audit.egid: '0'
        audit.euid: '0'
        audit.exe: '/usr/bin/gawk'
        audit.exit: '0'
        audit.fsgid: '0'
        audit.fsuid: '0'
        audit.gid: '0'
        audit.id: '230239'
        audit.key: 'user-commands'
        audit.pid: '3368966'
        audit.ppid: '3368964'
        audit.session: '35928'
        audit.sgid: '0'
        audit.success: 'yes'
        audit.suid: '0'
        audit.syscall: '59'
        audit.tty: 'pts1'
        audit.type: 'SYSCALL'
        audit.uid: '0'

**Phase 3: Completed filtering (rules).
        id: '80700'
        level: '3'
        description: 'Audit: Messages grouped.'
        groups: '['audit', 'audit-log']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

NOTE: The default Wazuh rule was modified to increase the severity from 0 to 3

=== COMMENTS ===
- WAZUH VERSION: 4.14.1
- There's no field for parsing the EPOCH timestamp.
- Could Wazuh extract the EPOCH timestamp and convert it to a readable format?

Thanks

Isaac

Olamilekan Abdullateef Ajani

May 14, 2026, 3:35:28 PM
to Wazuh | Mailing List
Hello Isaac,

This is possible; you just need two things: modify the decoder to reflect the new field and edit the Filebeat processor pipeline to reflect the change.

Modify the 0040-auditd_decoders.xml decoder and edit the auditd-syscall decoder to reflect the changes below:

<decoder name="auditd-syscall">
  <parent>auditd</parent>
  <prematch offset="after_parent">^SYSCALL|^EXECVE</prematch>
  <regex offset="after_parent">^(\S+) msg=audit\((\d+.\d+):(\d+)\): </regex>
  <order>audit.type,audit.epoch,audit.id</order>
</decoder>

This means we have added the field audit.epoch to carry the epoch timestamp only.

Then modify the Filebeat pipeline file: /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and add the epoch date field.

    {
      "date": {
        "field": "data.audit.epoch",
        "target_field": "data.audit.readable_time",
        "formats": ["UNIX"],
        "ignore_failure": true
      }
    },
Just search for "date" and add the column below it; see the screenshot for reference.

Reload the pipeline: filebeat setup --pipelines
Restart filebeat: systemctl restart filebeat

Then you should have the date converted; you can check the dashboard for the reflected changes and the attached image for reference.

Please note that modifying default decoders is not advisable, as changes may be wiped when there is an update, so it is best to always copy them to the custom directory. You can refer to the documentation below on that.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

Please let me know if you require further clarification on this.

audit.png
audit2.png
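As an added check that is not part of Olamilekan's reply or of Wazuh's own code: a Python emulation of what the modified auditd-syscall decoder captures from the SYSCALL record in the original post, and of what the pipeline's "UNIX" date processor then yields for data.audit.readable_time. It assumes the processor's default ISO 8601 UTC output; the USER_LOGIN record and all function names are constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Python mirror of the custom auditd-syscall decoder: after the parent's "type="
# prematch, capture type, epoch and id from the msg=audit(<epoch>:<id>) header.
AUDIT_HEADER = re.compile(r"^type=(SYSCALL|EXECVE) msg=audit\((\d+\.\d+):(\d+)\): ")

# The SYSCALL record from the original post, plus a constructed record of a type
# the decoder's prematch does not cover (so no audit.epoch is produced for it).
SYSCALL_LINE = 'type=SYSCALL msg=audit(1778776059.726:230239): arch=c000003e syscall=59 success=yes exit=0 a0=55fa73375820 a1=55fa733741d0 a2=55fa7336e9d0 a3=8 items=2 ppid=3368964 pid=3368966 auid=5014 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=35928 comm="awk" exe="/usr/bin/gawk" key="user-commands"'
OTHER_LINE = 'type=USER_LOGIN msg=audit(1778776059.726:230240): pid=1 uid=0 res=success'

def decode_audit_header(line: str) -> Optional[dict]:
    """Fields the decoder's <order> would emit, or None when the prematch fails."""
    m = AUDIT_HEADER.match(line)
    if not m:
        return None
    return {"audit.type": m.group(1), "audit.epoch": m.group(2), "audit.id": m.group(3)}

def epoch_to_readable(epoch: str) -> str:
    """Emulate the "UNIX" date format: seconds since the epoch with an optional
    fraction, rendered as ISO 8601 UTC. Slicing the fraction from the string
    keeps float rounding from shifting the milliseconds."""
    secs, _, frac = epoch.partition(".")
    millis = int((frac + "000")[:3])
    stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return f"{stamp:%Y-%m-%dT%H:%M:%S}.{millis:03d}Z"

def date_processor(event: dict) -> dict:
    """Emulate the pipeline's date processor with ignore_failure: true."""
    audit = event.setdefault("data", {}).setdefault("audit", {})
    epoch = audit.get("epoch")
    if epoch is None:
        return event  # no data.audit.epoch: nothing to convert, no error raised
    try:
        audit["readable_time"] = epoch_to_readable(epoch)
    except ValueError:
        pass  # malformed epoch: ignore_failure keeps the event without the field
    return event

def process_line(line: str) -> dict:
    """Decoder stage followed by the pipeline stage for one audit record."""
    event = {"data": {"audit": {}}}
    fields = decode_audit_header(line)
    if fields:
        event["data"]["audit"].update(type=fields["audit.type"], epoch=fields["audit.epoch"], id=fields["audit.id"])
    return date_processor(event)
```

Running process_line on the post's SYSCALL record gives readable_time 2026-05-14T16:27:39.726Z, which is the value to compare against the dashboard after the pipeline reload.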