Decoder problem


mariano hinjos

Sep 28, 2021, 4:20:54 AM
to Wazuh mailing list
Hi

I have created a new decoder for tomcat log output like this:

WARN  [custom.tfses.pos.TFSESLoginContext] (2021-09-27 17:11:25,858): createUser(): Could not login user manolo...@cordoba.central.es

my decoder in local_decoder.xml is
<decoder name="TFSLINE">
<prematch>^WARN</prematch>
</decoder>
<decoder name="TFSLINE">
  <parent>TFSLINE</parent>
  <regex>^\w*\s\s\[\w*\.\w*\.\w*\.\w*\]\s\((\d+-\d+-\d+)\s(\d+:\d+:\d+)\,\d*\)\:\s\w*\(\)\:\s\w*\s\w*\s\w*\s\w*\s([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]{2,3})$</regex>
  <order>full_log,fecha_accion,hora_accion,user_id</order>
</decoder>

and when restarting the manager:

sep 28 10:15:47 wazuh.central.com env[28117]: 2021/09/28 10:15:47 ossec-analysisd: ERROR: (1452): Syntax error on regex: '^\w*\s\s\[\w*\.\w*\.\w*\.\w*\]\s\((\d+-\d+-\d+)\s(\d+:\d+:\d+)\,\d*\)\:\s\w*\(\)\:\s\w*...+\.[a-z]{2,3})$'
sep 28 10:15:47 wazuh.central.com env[28117]: 2021/09/28 10:15:47 ossec-analysisd: ERROR: (2107): Decoder configuration error: 'TFSLINE'.
sep 28 10:15:47 wazuh.central.com env[28117]: 2021/09/28 10:15:47 ossec-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/local_decoder.xml'.
sep 28 10:15:47 wazuh.central.com env[28117]: ossec-analysisd: Configuration error. Exiting
sep 28 10:15:47 wazuh.central.com systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
sep 28 10:15:47 wazuh.central.com systemd[1]: Failed to start Wazuh manager.
sep 28 10:15:47 wazuh.central.com systemd[1]: Unit wazuh-manager.service entered failed state.
sep 28 10:15:47 wazuh.central.com systemd[1]: wazuh-manager.service failed.

Any idea?

Jose Luis Carreras Marin

Sep 28, 2021, 7:03:43 AM
to Wazuh mailing list
Hello,

I have been checking the syntax of your decoder. First of all, the first error I notice is that there are small differences between a normal regex and the regex used in Wazuh (OS_Regex); you can read everything in detail in the documentation:

The main difference is that some characters are not used the same, for example the dot:
  • . matches a literal dot, whereas \. matches any character

I have been modifying your decoder; with this syntax it works. I have also simplified the way the decoder is written in the email:

<decoder name="TFSLINE">
  <prematch>^WARN</prematch>
</decoder>
<decoder name="TFSLINE">
  <parent>TFSLINE</parent>
  <regex>^\w*\s\s[\w*.\w*.\w*.\w*]\s\((\d+-\d+-\d+)\s(\d+:\d+:\d+),\d*\):\s\w*\(\):\s\w*\s\w*\s\w*\s\w*\s(\w+)$</regex>
  <order>full_log,action_date,action_time,user_id</order>
</decoder>

I hope this helps you; if you have any questions or problems, feel free to ask me!!!
Regards

mariano hinjos

Sep 28, 2021, 10:57:33 AM
to Wazuh mailing list
Thank you so much

Indeed, I did not have the correct syntax, but I was unable to see it.

The only thing that I can't get is for it to give me the fields that I want in <order>full_log,action_date,action_time,user_id</order>.

mariano hinjos

Sep 28, 2021, 11:48:52 AM
to Wazuh mailing list
The problem is when the user is an email address. In that case the fields are not separated.

Jose Luis Carreras Marin

Sep 29, 2021, 4:50:12 AM
to Wazuh mailing list
Hello, you are right, it is because the "\w+" symbol does not match the ".". To collect the whole email you can use "\S+", which means everything that is not a space.
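The two points raised in this thread (the field list in <order> not lining up with the regex groups, and \w+ stopping at the dot in an e-mail address) can be checked offline. The script below is an added example, not code from Wazuh or from anyone in this thread: it translates only the OS_Regex subset used above into Python's re (assuming \w is the A-Z a-z 0-9 '_' '-' '@' set the Wazuh regex docs list, and that '.', '[', ']', ',' and ':' are literals), counts the capture groups, and models the positional group-to-field assignment on a constructed log line with a made-up address.

```python
import re

# OS_Regex-to-Python translation for the subset used in this thread. Assumed:
# '\w' is A-Z a-z 0-9 '_' '-' '@' (the set the Wazuh regex docs list); '.',
# '[', ']', ',' and ':' are literals; '\(' and '\)' are literal parentheses.
_ESCAPES = {
    "w": "[A-Za-z0-9_@-]", "W": "[^A-Za-z0-9_@-]", "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]", "t": "\t", ".": ".",
    "(": r"\(", ")": r"\)", "\\": r"\\", "|": r"\|", "$": r"\$", "^": r"\^",
}

def os_regex_to_python(pattern: str) -> str:
    """Convert an OS_Regex pattern (subset above) into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            esc = pattern[i:i + 1]
            if esc not in _ESCAPES:   # reject rather than guess other escapes
                raise ValueError(f"escape outside this translator's subset: \\{esc}")
            out.append(_ESCAPES[esc])
        elif c in "^$()*+?|":
            out.append(c)              # regex operator, passed through
        else:
            out.append(re.escape(c))   # anything else is a literal in OS_Regex
        i += 1
    return "".join(out)

def count_groups(pattern: str) -> int:
    """Capture groups in an OS_Regex pattern: unescaped '(' characters."""
    return len(re.findall(r"(?<!\\)\(", pattern))

def decode(pattern: str, order: str, line: str):
    """Simplified model of Wazuh decoding: groups map to <order> names positionally,
    so an <order> longer than the group count leaves trailing names unset."""
    match = re.search(os_regex_to_python(pattern), line)
    if match is None:
        return None                    # regex failed: no fields at all
    return dict(zip([n.strip() for n in order.split(",")], match.groups()))

# Both regexes from the thread share everything before the last group.
PREFIX = (r"^\w*\s\s[\w*.\w*.\w*.\w*]\s\((\d+-\d+-\d+)\s(\d+:\d+:\d+),\d*\):"
          r"\s\w*\(\):\s\w*\s\w*\s\w*\s\w*\s")
REGEX_W = PREFIX + r"(\w+)$"   # first fix: \w+ stops at the '.' in an e-mail
REGEX_S = PREFIX + r"(\S+)$"   # follow-up: \S+ takes the whole address
ORDER = "full_log,action_date,action_time,user_id"
# Constructed sample line; the e-mail address is made up for this example.
LINE = ("WARN  [custom.tfses.pos.TFSESLoginContext] (2021-09-27 17:11:25,858): "
        "createUser(): Could not login user jdoe@example.org")
```

Running decode(REGEX_S, ORDER, LINE) shows the date landing in full_log and user_id never being set, because three groups are spread over four names; decode(REGEX_W, ORDER, LINE) returns None for the same line.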