Hello,
I am sorry for the late response. However, I have found a workaround for your issue. I have created a separate custom decoder for this log and set it to take precedence over the stock json decoder for these logs.
- First of all, I would like to let you know that the decoder and rule files in Wazuh are checked in alphanumeric order during ruleset testing. Therefore, if we want one decoder to take precedence over another, we need to set the alphanumeric order accordingly.
Therefore, I have created a new decoder file named 00059-mongojson_decoder.xml in the /var/ossec/etc/decoders/ directory and set the proper permissions on the file with the following commands:
chmod 660 00059-mongojson_decoder.xml
chown wazuh:wazuh 00059-mongojson_decoder.xml
- Added the following decoders to the 00059-mongojson_decoder.xml file:
<decoder name="mongojson">
  <prematch>{"t":{"</prematch>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_parent">date":"(\d+-\d+-\d+)T(\d+:\d+:\d+.\d+)</regex>
  <order>date,time</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"c":"(\w+)"</regex>
  <order>type</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"id":(\d+)</regex>
  <order>id</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"ctx":"(\w+)"</regex>
  <order>ctx</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"msg":"(\.+)"</regex>
  <order>msg</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"mechanism":"(\S+)"</regex>
  <order>mechanism</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"speculative":(\w+)</regex>
  <order>speculative</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"principalName":"(\w+)"</regex>
  <order>principalName</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"authenticationDatabase":"(\w+)"</regex>
  <order>authenticationDatabase</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"remote":"(\d+.\d+.\d+.\d+):(\d+)"</regex>
  <order>srcIP, srcPort</order>
</decoder>

<decoder name="mongojson_child">
  <parent>mongojson</parent>
  <regex offset="after_regex">"error":"(\w+)"}</regex>
  <order>error</order>
</decoder>
- Saved the decoder file and restarted the wazuh-manager service.
Now, in wazuh-logtest, the output for this sample log is as follows:
As 00059-mongojson_decoder.xml comes before 0006-json_decoders.xml in alphanumeric order and the prematch of the decoder matches the sample log, it will take precedence for this type of log and decode the fields accordingly.
As the srcIP and srcPort fields are separate here, you can now use the <same_field> option in your custom rule for these types of logs. You can also update the decoder I have provided according to your needs.
I hope it helps. Please let us know how it goes.
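The following is an added example, not code from the post above or from Wazuh: a small Python emulation of the mongojson decoder chain, so the field extraction can be sanity-checked offline on a sample line before it is deployed and compared against wazuh-logtest. It translates only the OSRegex classes the decoder uses (\d, \w, \S, \. and a literal '.'), and it assumes, without having checked Wazuh's source, that an OSRegex repetition stops at the first position where the rest of the pattern matches, except as the last element of a pattern. The MongoDB JSON lines are constructed, not captured, and carry the kind of multi-word error string MongoDB emits on a failed SCRAM login; since \w does not include ':' or spaces, the emulation shows the error field undecoded for such lines, which is worth confirming against your own sample. The last function groups failures by srcIP alone to show what the separated fields buy you with a frequency rule using <same_field>srcIP</same_field> (an assumption about that rule's semantics, not a rule taken from the post).

```python
"""Emulate the mongojson decoder chain over constructed MongoDB JSON log lines.

Added example, not Wazuh or the post author's code. Assumption: an OSRegex
repetition is shortest-match unless it is the last element of the pattern.
"""
import re
from collections import Counter
from typing import Optional

# OSRegex character classes used by the decoder, as Python classes
OSREGEX_CLASSES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9_@-]",  # OSRegex \w: letters, digits, '_', '@', '-'
    "S": "[^ ]",            # OSRegex \S: anything that is not a space
    ".": ".",               # OSRegex \. : any single character
}


def osregex_to_python(pattern: str) -> "re.Pattern":
    """Translate the OSRegex subset used by the decoder into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # escaped class such as \d or \.
            out.append(OSREGEX_CLASSES[pattern[i + 1]])
            i += 2
            continue
        if c in "+*":                       # repetition: lazy unless last element
            rest = pattern[i + 1:].rstrip(")")
            out.append(c if rest == "" else c + "?")
        elif c in "()^$|":
            out.append(c)
        else:
            out.append(re.escape(c))        # '.', '"', '{' ... are literals
        i += 1
    return re.compile("".join(out))


PREMATCH = osregex_to_python('{"t":{"')
# Child decoders in file order; each regex is searched after the previous
# successful match, which is what offset="after_parent"/"after_regex" do.
CHILDREN = [(osregex_to_python(p), names) for p, names in [
    (r'date":"(\d+-\d+-\d+)T(\d+:\d+:\d+.\d+)', ["date", "time"]),
    (r'"c":"(\w+)"', ["type"]),
    (r'"id":(\d+)', ["id"]),
    (r'"ctx":"(\w+)"', ["ctx"]),
    (r'"msg":"(\.+)"', ["msg"]),
    (r'"mechanism":"(\S+)"', ["mechanism"]),
    (r'"speculative":(\w+)', ["speculative"]),
    (r'"principalName":"(\w+)"', ["principalName"]),
    (r'"authenticationDatabase":"(\w+)"', ["authenticationDatabase"]),
    (r'"remote":"(\d+.\d+.\d+.\d+):(\d+)"', ["srcIP", "srcPort"]),
    (r'"error":"(\w+)"}', ["error"]),
]]


def decode(line: str) -> Optional[dict]:
    """Fields the mongojson decoder would extract, or None when the prematch
    fails (in Wazuh such a line would then reach the stock json decoder)."""
    m = PREMATCH.search(line)
    if m is None:
        return None
    fields, pos = {}, m.end()               # offset="after_parent"
    for regex, names in CHILDREN:
        cm = regex.search(line, pos)
        if cm is None:
            continue                        # a sibling that fails is skipped
        fields.update(zip(names, cm.groups()))
        pos = cm.end()                      # offset="after_regex" for the next one
    return fields


def sample_line(ctx: str, msg: str, remote: str, error: Optional[str] = None) -> str:
    """Constructed MongoDB 4.4-style JSON log line (not a real capture)."""
    attr = ('"mechanism":"SCRAM-SHA-256","speculative":false,'
            '"principalName":"appuser","authenticationDatabase":"admin",'
            f'"remote":"{remote}","extraInfo":{{}}')
    if error:
        attr += f',"error":"{error}"'
    return ('{"t":{"$date":"2023-05-10T14:21:37.123+00:00"},"s":"I","c":"ACCESS",'
            f'"id":20249,"ctx":"{ctx}","msg":"{msg}","attr":{{{attr}}}}}')


# Three failures from one source over different ephemeral ports, then one success
ERROR = "AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"
SAMPLE_LINES = [sample_line(f"conn{n}", "Authentication failed", f"10.0.0.5:{port}", ERROR)
                for n, port in ((12, 51234), (13, 51240), (14, 51251))]
SAMPLE_LINES.append(sample_line("conn15", "Authentication succeeded", "10.0.0.7:40112"))


def failed_auths_per_source(lines, threshold: int) -> dict:
    """Group failures by srcIP alone, which is what a frequency rule with
    <same_field>srcIP</same_field> needs and a combined ip:port value cannot give."""
    counts = Counter()
    for line in lines:
        f = decode(line)
        if f and f.get("msg") == "Authentication failed":
            counts[f["srcIP"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run `decode(SAMPLE_LINES[0])` to see the per-field result and `failed_auths_per_source(SAMPLE_LINES, 3)` to see the three different source ports collapse onto one srcIP; a decoded field that is missing here is the first thing to re-check in wazuh-logtest against a real line.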