no decoder matched.


sahithi

Jun 19, 2024, 4:17:48 AM
to Wazuh | Mailing List
Hey there,

This is the sample log from Zscaler. I want to match the log using this part as a prematch:

2024-06-07T00:00:03.375203+00:00 Fri Jun  7 00:00:03 2024 User Activity zpa-lss:

This is the sample log:

2024-06-07T00:00:03.375203+00:00 Fri Jun  7 00:00:03 2024 User Activity zpa-lss: ,Softeon,WBxjU8TwGSuDIqeH7E1A,WBxjU8TwGSuDIqeH7E1A,accdi9AfJVPM4/RDp+n/,BRK_MT_SETUP_FAIL_SAML_EXPIRED,close,6,0, rando...@sliftean.com,443,50.37.219.126,192.145.29.49,12.899600,80.220900,IN,AP-IN-2637,0,0,0,,0,kspuat.softeon.com,AWS-us-east-2-VPC1-KSP-AppAccess,AWS-us-east-2-VPC1-KSP-SegmentGroup,0,,443,0,0,2024-06-07T00:00:03.195Z,2024-06-07T00:00:03.195Z,,,,,,,,,,,,,0,0,0,0,0,0,0,0,Softeon Azure AD,0,Coimi,0,0

This is my syntax.

/var/ossec/etc/decoders# cat zpa-lss_decoder.xml
<decoder name="zpa-lss_decoder">
  <!-- only matches if the pre-decoder extracted "zscaler" as program_name; check full_log in archives.json -->
  <program_name>zscaler</program_name>
  <!-- "+" is a quantifier in Wazuh regex, so the timezone "+" must be written as "\+";
       "Jun  7" has two spaces before a single-digit day, hence "\s+\d+"; the literal is zpa-lss, not zpa=lss -->
  <prematch>^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+\+\d\d:\d\d \w\w\w \w\w\w\s+\d+ \d\d:\d\d:\d\d \d\d\d\d User Activity zpa-lss:\s</prematch>
</decoder>


Let me know where I am going wrong.

Stuti Gupta

Jun 19, 2024, 6:19:59 AM
to Wazuh | Mailing List
Hi sahithi

In this type of log you can create decoders like:

<decoder name="zpa-lss">
        <prematch>zpa-lss:</prematch>
</decoder>

<decoder name="zpa-lss:child">
        <parent>zpa-lss</parent>
        <regex offset="after_parent"> ,(\.+),(\.+),\.+,\.+,(\.+),(\.+),\d,\d, (\.+),(\d+),\.+,(\.+),\.+,\.+,(\w+,\S+),\d,\d,\d,,\d,(\.+),(\.+),(\.+),\.+Softeon (\.+),\d,(\.+),\d,\d</regex>
        <order>Event_source, session_ID, Error_code,status,User,port,dstip,region_network, Server_domain,AWS,Aws_segment,cloud,city</order>
</decoder>

However, make sure the log you provided is from archives.json, as we recommend creating custom rules and decoders based on archives.json because in these logs we can see the full_log field, which is the one parsed by analysis. Probably your events do not match the decoders because the log your decoders are written for differs from the full_log field.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/


Hope this helps
Regards
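An offline check of the decoder pair above, added here as an example and not part of the thread or of Wazuh itself: a small Python emulation of the Wazuh regex dialect (assumption: Wazuh's `+` and `*` do not backtrack, so they are mapped to lazy Python quantifiers), run over the sample full_log from the question. wazuh-logtest remains the authoritative test.

```python
import re

# Wazuh (OS_Regex) classes -> Python regex. In Wazuh, \s is a plain space and \w also covers
# '-' and '@'. Assumption: Wazuh's + and * never backtrack, so Python's lazy +? / *? are the
# closest equivalent (this is what lets CSV-style (\.+),(\.+) split field by field).
CLASSES = {"d": r"\d", "D": r"\D", "w": r"[A-Za-z0-9_@-]", "W": r"[^A-Za-z0-9_@-]",
           "s": " ", "S": r"\S", "t": r"\t", ".": ".",
           "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]"}

def wazuh_to_python(pattern):
    """Translate a Wazuh <prematch>/<regex> string into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # \d, \., \+ (escaped literal) ...
            out.append(CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 1
        elif c in "+*":                              # quantifier: non-backtracking -> lazy
            out.append(c + "?")
        elif c in "()^$|":                           # groups, anchors, alternation pass through
            out.append(c)
        else:                                        # anything else is a literal character
            out.append(re.escape(c))
        i += 1
    return "".join(out)

# Stuti's parent prematch, child regex and <order> list, copied from the reply above.
PREMATCH = "zpa-lss:"
CHILD_REGEX = (r" ,(\.+),(\.+),\.+,\.+,(\.+),(\.+),\d,\d, (\.+),(\d+),\.+,(\.+),\.+,\.+,"
               r"(\w+,\S+),\d,\d,\d,,\d,(\.+),(\.+),(\.+),\.+Softeon (\.+),\d,(\.+),\d,\d")
ORDER = [f.strip() for f in ("Event_source, session_ID, Error_code,status,User,port,dstip,"
                             "region_network, Server_domain,AWS,Aws_segment,cloud,city").split(",")]

def decode(log):
    """Emulate prematch, offset="after_parent" and regex; return the <order> fields or None."""
    pm = re.search(wazuh_to_python(PREMATCH), log)
    if pm is None:
        return None                                  # parent decoder would not fire
    m = re.search(wazuh_to_python(CHILD_REGEX), log[pm.end():])
    if m is None or len(m.groups()) != len(ORDER):
        return None                                  # child regex fails or <order> count is off
    return dict(zip(ORDER, m.groups()))

# Sample full_log from the question (the e-mail address is elided there as well).
SAMPLE_LOG = (
    "2024-06-07T00:00:03.375203+00:00 Fri Jun  7 00:00:03 2024 User Activity zpa-lss: ,Softeon,"
    "WBxjU8TwGSuDIqeH7E1A,WBxjU8TwGSuDIqeH7E1A,accdi9AfJVPM4/RDp+n/,BRK_MT_SETUP_FAIL_SAML_EXPIRED,"
    "close,6,0, rando...@sliftean.com,443,50.37.219.126,192.145.29.49,12.899600,80.220900,IN,AP-IN-2637,"
    "0,0,0,,0,kspuat.softeon.com,AWS-us-east-2-VPC1-KSP-AppAccess,AWS-us-east-2-VPC1-KSP-SegmentGroup,"
    "0,,443,0,0,2024-06-07T00:00:03.195Z,2024-06-07T00:00:03.195Z,,,,,,,,,,,,,0,0,0,0,0,0,0,0,Softeon Azure AD,0,Coimi,0,0")
```

Running `decode(SAMPLE_LOG)` returns the thirteen `<order>` fields; the translator also shows why the original prematch failed, since an unescaped `+` becomes a quantifier.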