Custom Decoder fails on phase 2 "No decoder Matched"


Alessandro Paviotti

Nov 12, 2025, 6:24:53 AM
to Wazuh | Mailing List
Hello everyone, I'm trying to ingest the logs from my Aruba HPE switches into my Wazuh local installation.

I wrote a custom decoder (I'm not accustomed to regex usage, so I asked some AI models to help me with this).

My custom decoder looks like this:
<decoder name="aruba-hpe">
  <prematch>hpe</prematch>
  <regex>^([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\\.[0-9]+\\+[0-9]{2}:[0-9]{2})\\s+(\\S+)\\s+hpe-restd\\[([0-9]+)\\]\\s+Event\\|([0-9]+)\\|([A-Z_]+)\\|([A-Z]+)\\|\\-\\|(.+)</regex>
  <order>timestamp,hostname,pid,event_id,log_level,module,message</order>
</decoder>

A sample log is as follows:
2025-11-12T08:46:03.118009+00:00 SW01-UD hpe-restd[6974] Event|4634|LOG_INFO|AMM|-|Connection to Central on location device-eucentral2-d2.central.arubanetworks.com on VRF default and Source IP automatic has been closed by Central. Trying to reconnect.

When I test it with wazuh-logtest I get a successful phase 1, but on phase 2 I get "no decoder matched".

Any insight on what's wrong? Thanks in advance!

Md. Nazmur Sakib

Nov 12, 2025, 7:04:00 AM
to Wazuh | Mailing List

Hello

As the log is matching the program name in the pre-decoding phase, you need to use it in the decoder.

You can use the <program_name> in place of <prematch>


**Phase 1: Completed pre-decoding.

full event: '2025-11-12T08:46:03.118009+00:00 SW01-UD hpe-restd[6974] Event|4634|LOG_INFO|AMM|-|Connection to Central on location device-eucentral2-d2.central.arubanetworks.com on VRF default and Source IP automatic has been closed by Central. Trying to reconnect.'
timestamp: '2025-11-12T08:46:03.118009+00:00'
program_name: 'hpe-restd'

The decoder only decodes the part of the log that the pre-decoder does not parse.

So you need to write the decoder for this part only:

Event|4634|LOG_INFO|AMM|-|Connection to Central on location device-eucentral2-d2.central.arubanetworks.com on VRF default and Source IP automatic has been closed by Central. Trying to reconnect.

This part is the syslog header, which is decoded by the pre-decoder:

2025-11-12T08:46:03.118009+00:00 SW01-UD hpe-restd[6974]


Also, the regexes are not accurate enough to parse the log.

For example, you need to use \| to define |, where you have used \\|.

If you want to use PCRE regex, you need to define the type.

<regex type="pcre2">----------</regex>

Ref: Perl-compatible Regular Expressions

I have updated the decoder with the correct syntax:

<decoder name="aruba-hpe">
  <program_name>hpe-restd</program_name>
  <regex>Event\|(\d+)\|(\w+)\|(\w+)\|-\|(\.+)$</regex>
  <order>event_id,log_level,module,message</order>
</decoder>

You can make more decoders and further changes to your decoder following these documents.

Decoders Syntax
Regular Expression Syntax
Custom decoders


Let me know if this works for you.
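
The two-phase behaviour described in the reply above, as an added example that is not part of the thread and not Wazuh's own code: a small Python script that first peels off the syslog header the way the pre-decoder does, then applies the accepted decoder regex (written in PCRE2 notation) only to the remaining body. It also runs the original full-line regex against both the whole line and the pre-decoded body, to show why phase 2 reported "no decoder matched". The HEADER_RE pattern is a simplified stand-in for Wazuh's real pre-decoder (an assumption; the real one handles several header formats), and the second and third sample lines are constructed here, not captured from a switch.

```python
import re

# Constructed sample lines: the first is the line posted in the thread, the
# other two are made up here to exercise a second event and a non-Event body.
SAMPLE_LOGS = [
    "2025-11-12T08:46:03.118009+00:00 SW01-UD hpe-restd[6974] Event|4634|LOG_INFO|AMM|-|"
    "Connection to Central on location device-eucentral2-d2.central.arubanetworks.com "
    "on VRF default and Source IP automatic has been closed by Central. Trying to reconnect.",
    "2025-11-12T08:47:10.000001+00:00 SW01-UD hpe-restd[6974] Event|4601|LOG_WARN|AMM|-|"
    "Central connection retry limit reached.",
    "2025-11-12T08:47:11.000002+00:00 SW01-UD hpe-restd[6974] health check ok",
]

# Stage 1 (simplified stand-in for Wazuh's pre-decoder, an assumption): peel off
# the syslog header and expose the remainder as `log`, which is the only text a
# decoder's <regex> is matched against.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:?\s+(?P<log>.*)$"
)


def predecode(line):
    """Return the pre-decoded fields, or None if the line has no syslog header."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


# Stage 2: the decoder regex from the reply, in PCRE2 notation. Wazuh's native
# syntax spells "one or more of any character" as `\.+`; in PCRE2 it is `.+`.
EVENT_RE = re.compile(
    r"Event\|(?P<event_id>\d+)\|(?P<log_level>\w+)\|(?P<module>\w+)\|-\|(?P<message>.+)$"
)

# The original decoder's regex, transcribed to PCRE2 with single backslashes.
# It expects the header to still be present, which is why it can never match
# the pre-decoded body.
ORIGINAL_RE = re.compile(
    r"^([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+\+[0-9]{2}:[0-9]{2})"
    r"\s+(\S+)\s+hpe-restd\[([0-9]+)\]\s+Event\|([0-9]+)\|([A-Z_]+)\|([A-Z]+)\|-\|(.+)"
)


def decode(line, program_name="hpe-restd"):
    """Mimic <program_name> plus <regex>: decode only lines from hpe-restd whose
    body carries an Event|...| record. Returns a merged field dict or None."""
    pre = predecode(line)
    if pre is None or pre["program_name"] != program_name:
        return None
    ev = EVENT_RE.search(pre["log"])
    if ev is None:
        return None
    fields = dict(pre)
    fields.update(ev.groupdict())
    return fields


def original_regex_matches(text):
    """True if the thread's first decoder regex matches `text` (full line or body)."""
    return ORIGINAL_RE.match(text) is not None


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
    body = predecode(SAMPLE_LOGS[0])["log"]
    print("original regex vs full line:", original_regex_matches(SAMPLE_LOGS[0]))
    print("original regex vs pre-decoded body:", original_regex_matches(body))
```

The script is only a model of the pipeline; verify the real decoder with wazuh-logtest on the manager, which prints the phase 1 fields and the phase 2 decoder name for a pasted line.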

Alessandro Paviotti

Nov 13, 2025, 5:08:25 AM
to Wazuh | Mailing List
Thank you so much, it works like a charm. As I already wrote some custom rules, I'm already getting alerts and can easily navigate the data within the discovery section. Thanks for the support, cheers!