How to parse CSV file


Jeremy Dannenmuller
Apr 23, 2024, 5:20:25 AM
to Wazuh | Mailing List

Hello,

I'm surprised not to see a basic feature to parse a simple CSV on Wazuh.

I have such a CSV for my tests:

actionregister,20240423,myname,myadress,mycode
actionregister,20240423,myname2,myadress2,mycode2


Using the GUI functionality, I test with:

<decoder name="csv-decoder">
  <prematch>^actionregister,</prematch>
</decoder>

<decoder name="csv-decoder-fields">
  <parent>csv-decoder</parent>
  <regex offset="after_parent">([^,]+),([^,]+),([^,]+),([^,]+)$</regex>
  <order>field1,field2,field3,field4</order>
</decoder>


Then in the test area, I put my 2 lines of CSV.

But Wazuh can't parse the thing.

I've tested my regex and it works well.

Do you have some ideas?

Regards

Samson Olugbenga Idowu
Apr 25, 2024, 6:22:55 AM
to Wazuh | Mailing List
Hello Jeremy, thank you for choosing Wazuh.
You can configure the Wazuh agent to read your CSV file while adding a predefined header for the decoder prematch to function correctly. An example would be the following:

Configuration:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/data.csv</location>
  <target>agent</target>
  <out_format>CSVData : $(log)</out_format>
</localfile>

Decoder:

Assuming that the fields are separated with `,` and you have 4 fields:

<decoder name="csv-decoder">
  <prematch>^CSVData : </prematch>
</decoder>


<decoder name="csv-decoder-fields">
  <parent>csv-decoder</parent>
  <regex offset="after_parent">(\.*),(\.*),(\.*),(\.*)$</regex>
  <order>field1, field2, field3, field4</order>
</decoder>


Rule:

<rule id="120500" level="3">
  <decoded_as>csv-decoder</decoded_as>
  <description>CSV grouping.</description>
</rule>

I hope this helps.

Regards,
Samson.
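The decoder chain in Samson's reply has three stages, and seeing exactly which text each stage receives explains most "No decoder matched" results. The script below is an added example, not Wazuh's own code and not from either poster: it models the parent `<prematch>`, the child `<regex offset="after_parent">` and the `<order>` mapping in Python, translating the Wazuh `\.` token ("any character") to Python's `.` and assuming both engines match greedily from the left; the authoritative check remains `/var/ossec/bin/wazuh-logtest` on the manager. It runs the two CSV lines from the thread through the decoder pair, then shows what happens once the agent's `out_format` prefix is in front of the line: with only four groups the first field swallows two columns, so one group per CSV column is needed. The Wazuh regex dialect also has no bracket character classes, which is why a pattern such as `[^,]+` that a general regex tester accepts does not match inside a decoder (Wazuh 4.3 and later accept `type="pcre2"` on `<regex>` if full PCRE2 syntax is wanted).

```python
import re


def wazuh_regex_to_python(pattern: str) -> str:
    """Translate the subset of the Wazuh regex dialect used in this thread.

    In Wazuh decoders `\\.` means "any character", so `(\\.*)` becomes
    Python `(.*)`. Everything else in these patterns (`^`, `$`, `,`,
    literal text) means the same in both dialects. This is a constructed
    approximation of the engine, not Wazuh's own code.
    """
    return pattern.replace(r"\.", ".")


def decode(line: str, prematch: str, regex: str, order: str):
    """Model parent prematch -> child regex (offset=after_parent) -> order.

    Returns None when the parent prematch fails (the dashboard reports
    "No decoder matched"), an empty dict when the parent matched but the
    child regex did not, otherwise a dict of field name -> captured value.
    """
    parent = re.search(wazuh_regex_to_python(prematch), line)
    if parent is None:
        return None
    rest = line[parent.end():]          # offset="after_parent": text after the prematch
    child = re.match(wazuh_regex_to_python(regex), rest)
    if child is None:
        return {}
    names = [name.strip() for name in order.split(",")]
    return dict(zip(names, child.groups()))


# Constructed sample input: the two CSV lines from the thread, plus the first
# line as the agent forwards it once <out_format>CSVData : $(log)</out_format>
# has been applied.
RAW_LINES = [
    "actionregister,20240423,myname,myadress,mycode",
    "actionregister,20240423,myname2,myadress2,mycode2",
]
WRAPPED_LINE = "CSVData : " + RAW_LINES[0]

FOUR_FIELDS = r"(\.*),(\.*),(\.*),(\.*)$"
ORDER_FOUR = "field1, field2, field3, field4"


def decode_raw(line: str):
    """Prematch ^actionregister, then four groups for the remaining columns."""
    return decode(line, r"^actionregister,", FOUR_FIELDS, ORDER_FOUR)


def decode_wrapped_four(line: str):
    """Prematch on the CSVData : wrapper but still only four groups."""
    return decode(line, r"^CSVData : ", FOUR_FIELDS, ORDER_FOUR)


def decode_wrapped_five(line: str):
    """Prematch on the wrapper with one group per CSV column (five)."""
    return decode(line, r"^CSVData : ", r"(\.*),(\.*),(\.*),(\.*),(\.*)$",
                  "action, date, name, address, code")


if __name__ == "__main__":
    for raw in RAW_LINES:
        print("raw       ", decode_raw(raw))
    print("wrapped/4 ", decode_wrapped_four(WRAPPED_LINE))
    print("wrapped/5 ", decode_wrapped_five(WRAPPED_LINE))
    print("no match  ", decode_raw("unrelated syslog line"))
```

The `wrapped/4` case is the one to watch when the `out_format` wrapper is used: the line that reaches the decoder still starts with `actionregister,`, so the regex must account for that column as well, or the prematch must be extended to `^CSVData : actionregister,` so that `offset="after_parent"` strips it.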

Jeremy Dannenmuller
Apr 25, 2024, 11:27:58 AM
to Wazuh | Mailing List
Dear Samson,

Do I need to use the Wazuh GUI to create the decoder and rules,
or do I need to copy-paste all the stanzas (as per your example) into /var/ossec/etc/ossec.conf?

This part is not clear to me.

For the moment, I tried to play with the GUI to create the decoder and by using the Test button with log sample but without success.

By chance, do you have a step by step example?

Regards

Jeremy

Jeremy Dannenmuller
Apr 25, 2024, 11:54:37 AM
to Wazuh | Mailing List
I made some test again using Wazuh GUI:

[screenshot: 1.png]

With the decoder:

<decoder name="csv-decoder">
    <prematch>^actionregister,</prematch>
</decoder>

<decoder name="csv-decoder-fields">
  <parent>csv-decoder</parent>
  <regex offset="after_parent">(\.*),(\.*),(\.*),(\.*)$</regex>
  <order>field1, field2, field3, field4</order>
</decoder>

But when I test with the GUI, as you can see, Wazuh says "No decoder matched"...

Jeremy Dannenmuller
Apr 25, 2024, 11:56:34 AM
to Wazuh | Mailing List
I cannot find in the documentation a step-by-step guide explaining:

Where to configure the decoder and the rules.

I tried from the GUI and it doesn't work :/

I would like to test directly by modifying the Wazuh files, but I don't see which file I need to modify on the agent side and on the server side.

Regards,

Samson Olugbenga Idowu
Apr 29, 2024, 7:28:37 AM
to Wazuh | Mailing List
Hello Jeremy,

You can create a decoder and rule on the dashboard, or using the CLI.

  1. To create the decoders and rules using the Wazuh dashboard, navigate to Wazuh > Management > Decoders > Add new decoders file and Wazuh > Management > Rules > Add new rules file.

  2. To create a decoder and rule using the CLI:
    1. Create a custom decoder file in the /var/ossec/etc/decoders/ directory and populate the file with the decoder provided earlier.
    2. The custom rule should be written into a custom file created in the /var/ossec/etc/rules/ directory.

You can also refer to our ruleset documentation for more information regarding this.
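The CLI route above amounts to dropping two files under /var/ossec/etc/ on the manager, and the usual way it goes wrong is a typo that leaves the XML malformed or a rule id that collides with the shipped ruleset. The script below is an added example, not part of Wazuh and not from either poster: it renders the decoder pair and the rule from this thread into the two directories Samson names, validates each fragment with a strict XML parser before writing it (decoder and rule files hold several top-level elements, so a synthetic root is wrapped around them), and checks the rule id. Assumptions: the file names local_csv_decoder.xml and local_csv_rules.xml, the `<group>` wrapper that Wazuh rule files use, and rule id 100500, picked inside 100000-119999, the range the Wazuh ruleset documentation reserves for user-defined rules; `dry_run()` writes to a temporary directory so the checks can be exercised without touching /var/ossec.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Decoder pair from this thread, laid out as Wazuh expects it in a file under
# etc/decoders/ (several top-level <decoder> elements, no document root).
DECODER_XML = r"""<decoder name="csv-decoder">
  <prematch>^CSVData : </prematch>
</decoder>

<decoder name="csv-decoder-fields">
  <parent>csv-decoder</parent>
  <regex offset="after_parent">(\.*),(\.*),(\.*),(\.*)$</regex>
  <order>field1, field2, field3, field4</order>
</decoder>
"""

# Rule wrapped in the <group> element Wazuh rule files use. The id 100500 is
# an assumption chosen inside 100000-119999, the range reserved for
# user-defined rules.
RULE_XML = """<group name="local,csv,">
  <rule id="100500" level="3">
    <decoded_as>csv-decoder</decoded_as>
    <description>CSV grouping.</description>
  </rule>
</group>
"""

CUSTOM_RULE_RANGE = (100000, 119999)


def parse_fragment(fragment: str) -> ET.Element:
    """Parse a decoder/rule file body with a strict XML parser.

    The files carry several top-level elements, so wrap them in a synthetic
    root first. Raises ET.ParseError on malformed XML.
    """
    return ET.fromstring("<root>" + fragment + "</root>")


def is_well_formed(fragment: str) -> bool:
    try:
        parse_fragment(fragment)
        return True
    except ET.ParseError:
        return False


def rule_ids(fragment: str) -> list:
    """All <rule id="..."> values in a rule file body, as integers."""
    return [int(r.get("id")) for r in parse_fragment(fragment).iter("rule")]


def rule_ids_in_custom_range(fragment: str) -> bool:
    low, high = CUSTOM_RULE_RANGE
    return all(low <= rid <= high for rid in rule_ids(fragment))


def write_ruleset(base: str = "/var/ossec") -> dict:
    """Validate, then write both files under <base>/etc/{decoders,rules}/.

    Returns the paths written. Assumed file names are local_csv_decoder.xml
    and local_csv_rules.xml.
    """
    if not is_well_formed(DECODER_XML) or not is_well_formed(RULE_XML):
        raise ValueError("refusing to deploy malformed decoder/rule XML")
    if not rule_ids_in_custom_range(RULE_XML):
        raise ValueError("custom rule id outside the user-defined range")
    targets = {
        "decoder": (os.path.join(base, "etc", "decoders", "local_csv_decoder.xml"), DECODER_XML),
        "rule": (os.path.join(base, "etc", "rules", "local_csv_rules.xml"), RULE_XML),
    }
    written = {}
    for kind, (path, text) in targets.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        written[kind] = path
    return written


def dry_run() -> dict:
    """Exercise write_ruleset() against a temporary directory, not /var/ossec."""
    base = tempfile.mkdtemp(prefix="wazuh-ruleset-")
    paths = write_ruleset(base)
    # Read the decoder file back and confirm it still parses from disk.
    with open(paths["decoder"], encoding="utf-8") as fh:
        paths["decoder_ok"] = is_well_formed(fh.read())
    return paths


if __name__ == "__main__":
    print(dry_run())
    # On the manager: write_ruleset() with the default base, then
    # `systemctl restart wazuh-manager` so the new ruleset is loaded.
```

After the restart, feeding a sample line such as `CSVData : actionregister,20240423,myname,myadress,mycode` to `/var/ossec/bin/wazuh-logtest` should show the csv-decoder-fields decoder and rule 100500 firing; if the decoder phase shows nothing, the prematch text and the agent's `out_format` prefix are the first things to compare byte for byte.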