Wazuh custom decoder and rules


Mihir

Apr 7, 2026, 4:30:16 AM (3 days ago) Apr 7
to Wazuh | Mailing List
  1. Hello, is there a prebuilt decoder or ruleset for OpenStack?
  2. And if I want to make it, how can I make it? Is there any website or something similar which I should refer to? The official documentation contains too many instructions, and based on that I made decoders and rules, but they are always giving errors, so can anyone suggest a way I can build decoders and rules?

Bony V John

Apr 7, 2026, 4:51:26 AM (3 days ago) Apr 7
to Wazuh | Mailing List

Hi,

Currently, there are no built-in decoders or rules for OpenStack logs in Wazuh. If the OpenStack log format is JSON, it should be decoded by the default JSON decoder. If it is not in JSON format, then custom decoders and rules will need to be created.

For creating custom decoders, I suggest referring to the Wazuh decoder syntax documentation to understand the syntax and how to build them properly. You can also refer to the Wazuh regex documentation for creating regex patterns based on the log format. After creating the custom decoder, you can then create custom rules based on the same log format. For that, you can refer to the Wazuh rules syntax documentation. Once the decoder and rules are created, you can run a log test to verify that they are working correctly. You can also refer to the related Wazuh documentation for that.

I would not recommend using AI tools or random online pages to create decoders and rules, because they may generate incorrect syntax and could break your Wazuh server if you upload them directly through the CLI. Creating custom decoders and rules is a trial-and-error process, and while it may take some time, it will help you better understand how they work. I also strongly recommend adding custom decoders and rules through the Wazuh dashboard, because it helps validate the syntax before saving. If there is any issue, it will show an error or warning and prevent the file from being saved, which helps avoid bringing the server down.

If you share sample OpenStack logs with us, we can also help you create custom decoders and rules based on the actual log format. You can then use that as a reference and build on it further. For that, please share sample OpenStack logs from the archives.json file. For taking logs from archives.json, first you need to enable logall_json on Wazuh manager.

  1. Enable logall_json on Wazuh Manager

Update the ossec.conf file on the Wazuh manager to enable logall_json.

  2. Reproduce the Event

Trigger the event again to capture the relevant logs.

  3. Extract Relevant Logs

Run the following command on the Wazuh manager:

cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"

Replace <related string> with a relevant value from the log to filter the specific entries.

  4. Disable logall_json

After capturing the logs, disable logall_json in the ossec.conf file to prevent excessive storage usage. Share the sample log that you have taken from archives.json with us.

You can share the logs to my DM instead of posting them on a public forum. You may also mask any sensitive information such as IP addresses or other critical values before sharing.

I have shared a reply for the same requirement on the Discord community. You can check it here if you have access:
https://discordapp.com/channels/1049711339578331186/1260899381087834163/1490671166057353367
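
As an added illustration of the decoder-then-rules workflow described in the reply above (this is example code written for this page, not something from the original thread or from the Wazuh project), here is a minimal custom decoder plus a small rule set for a plain-text, non-JSON log line. The sample line it is written against is constructed for the example and only assumed to resemble OpenStack's default oslo.log layout (timestamp, process id, level, logger name, bracketed request context, message); the decoder names `openstack-custom` / `openstack-custom-fields`, the rule ids 100100 to 100102 and the field names are all choices made here, not anything the thread specifies. The regexes use the `type="pcre2"` attribute so that standard PCRE2 syntax applies rather than Wazuh's own OS_Regex dialect.

```xml
<!-- Constructed sample line this decoder is written against (NOT a real OpenStack log):
     2026-04-07 09:30:16.123 4242 ERROR nova.compute.manager [req-0b1c2d3e - - - - -] Instance failed to spawn
-->

<!-- /var/ossec/etc/decoders/local_decoder.xml (assumed file name) -->

<!-- Parent decoder: prematch only decides whether the line is "ours". -->
<decoder name="openstack-custom">
  <prematch type="pcre2">^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \d+ [A-Z]+ \S+ \[</prematch>
</decoder>

<!-- Child decoder: capture groups map positionally onto the names in <order>.
     Non-reserved names end up under data.* in the alert (data.level, data.module, ...). -->
<decoder name="openstack-custom-fields">
  <parent>openstack-custom</parent>
  <regex type="pcre2">^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d+) ([A-Z]+) (\S+) \[(\S+)[^\]]*\] (.+)$</regex>
  <order>log_time, pid, level, module, request_id, message</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (assumed file name); custom ids live in 100000-119999 -->
<group name="openstack,local,">

  <!-- Base rule: fires for every line the parent decoder matched; low level, no alert noise. -->
  <rule id="100100" level="3">
    <decoded_as>openstack-custom</decoded_as>
    <description>OpenStack (custom decoder): $(level) from $(module)</description>
  </rule>

  <!-- Escalate on ERROR level; <field> matches against the decoded dynamic field. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="level">^ERROR$</field>
    <description>OpenStack error logged by $(module): $(message)</description>
  </rule>

  <!-- Correlation: 5 errors within 60 seconds from the same module raises the level further. -->
  <rule id="100102" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100101</if_matched_sid>
    <same_field>module</same_field>
    <description>Repeated OpenStack errors from $(module) (5 in 60s)</description>
  </rule>

</group>
```

To check it the way the reply suggests, paste the constructed sample line into the dashboard's ruleset test page or run `/var/ossec/bin/wazuh-logtest` on the manager and confirm that `openstack-custom` is reported as the decoder, that `level`, `module` and `message` appear as decoded fields, and that rule 100101 is the one that fires for the ERROR line. If the real OpenStack lines differ from the assumed layout, the prematch is the first thing to adjust, since nothing in the child decoder or the rules is consulted until it matches.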
