Decoder and rules for Comware 7 switch not working.


MS Mum

Nov 15, 2025, 10:57:59 AM
to Wazuh | Mailing List
Hello

I created the following decoder after passing the log via sudo /var/ossec/bin/wazuh-logtest

<decoder name="hp_events">
  <prematch>^%</prematch>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>SSH user (\.+) (\.+) of (\.+) connected to the server successfully (\.+)</regex>
  <order>user,event_message,console,ip</order>
</decoder>

**Phase 1: Completed pre-decoding.
      full event: '%Nov 14 17:05:35:572 2025 HPRoutr SSHS/6/SSHS_CONNECT: SSH user manager (IP: 10.x.x.x) connected to the server successfully.'

**Phase 2: Completed decoding.
        name: 'hp_events'



**Phase 3: Completed filtering (rules).
        id: '130001'
        level: '6'
        description: ' (IP:$ip) connected to the server successfully '
        groups: '['hp_events']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

I have created a few rules but they are not working well. I know this (IP:$ip) is not correct, as I was testing it.

<group name="hp_events,">

<rule id="130000" level="0">
  <decoded_as>hp_events</decoded_as>
  <description>hp_events</description>
</rule>

<rule id="130001" level="6">
  <if_sid>130000</if_sid>
  <match>SSH user</match>
  <description>$(dstuser) (IP:$ip) connected to the server successfully </description>
</rule>

<rule id="130002" level="5">
  <if_sid>130000</if_sid>
  <match>logged out from</match>
  <description>$(dstuser) logged out from  $(ip) via $(event_message)</description>
</rule>

<rule id="130003" level="6">
  <if_sid>130000</if_sid>
  <match>Accepted password</match>
  <description>$(dstuser) Accepted password for  $(ip) via $(event_message)</description>
</rule>
</group>

I am looking for the following alerts.

%Nov 14 17:05:35:572 2025 HPRoutr SSHS/6/SSHS_CONNECT: SSH user manager (IP: 10.x.x.x) connected to the server successfully.
%Nov 14 22:34:51:137 2025 HPRoutr SSHS/6/SSHS_LOG: Authentication failed for sdafa from 10.x.x.x port 29738 because of invalid username or wrong password  ssh2.
%Nov 14 17:04:52:881 2025 HPRoutr SHELL/5/SHELL_LOGOUT: manager logged out from 10.x.x.x

If someone can help with this.

Thanks

hasitha.u...@wazuh.com

Nov 15, 2025, 11:05:09 PM
to Wazuh | Mailing List
Hi MS Mum,

I reviewed the custom decoders and rules you created for the sample logs. In your match condition, the segment “SSH user (.+) (.+) of (.+)” does not match the actual logs, as the logs do not contain the word “of”.
Your sample used for building the decoder was: SSH user manager (IP: 10.x.x.x) connected to the server successfully.

Based on this, I recreated the decoder in a more organized and readable way. It correctly captures values from all three logs you shared. I also used the | operator to match multiple possible patterns.

You can safely replace your existing decoder with these updated ones.

Custom decoder creation path: /var/ossec/etc/decoders/

<decoder name="hp_events">
  <prematch>^%</prematch>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>SSH user (\S+)|failed for (\S+)|SHELL_LOGOUT: (\S+)</regex>
  <order>user</order>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>\.+\S+/\d+/\S+: (\.+)</regex>
  <order>event_message</order>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>\.+\pIP: (\d+.\d+.\d+.\d+)\p|from (\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

    I have also updated the custom rules to produce the expected output. You can replace your existing rules with these improved versions.

    Custom rule creation path: /var/ossec/etc/rules

<group name="hp_events,">

<rule id="130000" level="0">
  <decoded_as>hp_events</decoded_as>
  <description>hp_events</description>
</rule>

<rule id="130001" level="6">
  <if_sid>130000</if_sid>
  <match>SSH user</match>
  <description>HPRoutr: $(dstuser) $(srcip) connected to the server successfully </description>
</rule>

<rule id="130002" level="5">
  <if_sid>130000</if_sid>
  <match>logged out from</match>
  <description>HPRoutr: $(dstuser) logged out from  $(srcip)</description>
</rule>

<rule id="130003" level="6">
  <if_sid>130000</if_sid>
  <match>Accepted password</match>
  <description>HPRoutr: $(dstuser) Accepted password for  $(srcip)</description>
</rule>

<rule id="130004" level="6">
  <if_sid>130000</if_sid>
  <match>Authentication failed</match>
  <description>: $(dstuser) Authentication failed from $(srcip)</description>
</rule>

</group>

      I suggest you check these documents to learn more about how to write custom decoders and rules, and also how to use regex.
      Ref: 
      https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
      https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
      https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

      Let me know the update on this.

      MS Mum

Nov 17, 2025, 8:18:05 AM
      to hasitha.u...@wazuh.com, Wazuh | Mailing List
      Hello!

      Thanks for your help with this.

I am testing this on another HP router with the name HP rather than HPRoutr. Everything else is the same.

I can see that the logs are coming in the JSON file, but there are no alert logs.

      This is the decoder output

      %Nov 17 10:49:06:458 2025 HPE SSHS/6/SSHS_CONNECT: SSH user xxxx (IP: 10.x.x.) connected to the server successfully.

      **Phase 1: Completed pre-decoding.
              full event: '%Nov 17 10:49:06:458 2025 HPE SSHS/6/SSHS_CONNECT: SSH user xxxx (IP: 10.x.x.x) connected to the server successfully.'


      **Phase 2: Completed decoding.
              name: 'hp_events'
              dstuser: 'xxxx'
              event_message: 'SSH user xxxx (IP: 10.x.x.x) connected to the server successfully.'
              srcip: '10.x.x.x'


      **Phase 3: Completed filtering (rules).
              id: '130001'
              level: '6'
              description: 'HPE: xxxx 10.x.x.xconnected to the server successfully '

              groups: '['hp_events']'
              firedtimes: '1'
              mail: 'False'
      **Alert to be generated.

This is the archives.json output

      {"timestamp":"2025-11-17T10:52:05.896+0000","agent":{"id":"001","name":"sthsyslog","ip":"10.100.0.106"},"Userxxxx":{"name":"wazuh-server"},"id":"1763376725.104850","full_log":"2025-11-17T11:55:10+01:00 2

      Thanks



      hasitha.u...@wazuh.com

Nov 18, 2025, 12:22:27 AM
      to Wazuh | Mailing List
      Hey MS Mum

It seems we are not using the correct sample log for testing. Could you please share the sample log from archives.json? In those records we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):
      {"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log ":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
      Ref: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

      To capture the logs from archives.json, please follow these steps:
      1. Enable log_all_json on Wazuh Manager
      Update the ossec.conf file on the Wazuh manager to enable log_all_json.
      2. Reproduce the Event
      Trigger the event again to capture the relevant logs.
      3. Extract Relevant Logs
      Run the following command on the Wazuh manager:
             cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
      Replace <related string> with a relevant value from the log to filter the specific entries.
      4. Disable log_all_json
      After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.
      Share the sample log that you have taken from archives.json with us.
      Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

      Warning
      Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
      systemctl restart wazuh-manager

      Therefore, please share a sample log from archives.json log, so we can assist you further. 


      Let me know the update on this.

      MS Mum

Nov 18, 2025, 8:48:20 AM
      to hasitha.u...@wazuh.com, Wazuh | Mailing List
      Hello!

      Here is the json output.

      "timestamp":"2025-11-18T07:25:00.225+0000","agent":{"id":"001","name":"syslog","ip":"10.x.x."},"manager":{"name":"wazuh-server"},
      "id":"1763450700.1720788","full_log":"2025-11-18T08:24:58+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: Accepted password for manager from
      10.x.x.x port 51095 ssh2. ","predecoder":{"timestamp":"2025-11-18T08:24:58+01:00"},
      "decoder":{},"location":"/var/log/hp.log"}


      {"timestamp":"2025-11-18T07:25:00.278+0000","agent":{"id":"001","name":"syslog","ip":"10.x.x."},
      "manager":{"name":"wazuh-server"},"id":"1763450700.1720788","full_log":"2025-11-18T08:24:59+01:00 2025

      HPE %%10SSHS/6/SSHS_CONNECT: SSH user manager (IP: 10.x.x.x)
      connected to the server successfully.","predecoder":{"timestamp":"2025-11-18T08:24:59+01:00"},"decoder":{},"location":"/var/log/hp.log"}
      {"timestamp":"2025-11-18T07:25:00.915+0000","agent":{"id":"001","name":"syslog","ip":"10.x.x."},


      "manager":{"name":"wazuh-server"},"id":"1763450700.1720788","full_log":"2025-11-18T08:25:00+01:00 2025
      HPE %%10SHELL/5/SHELL_LOGIN: manager logged in from 10.x.x.x.","predecoder":{"timestamp":"2025-11-18T08:25:00+01:00"},
      "decoder":{},"location":"/var/log/hp.log"}

I have set logall_json to no (<logall_json>no</logall_json>) now.

      Regards,

      Sajid

      hasitha.u...@wazuh.com

Nov 18, 2025, 11:10:11 PM
      to Wazuh | Mailing List
      Hi MS,

      As discussed, you need to use the full_log part to create the decoder and rules.
      I can see that some of the logs do not show as a single line once copied. However, I believe your log structure is like this.

      1. 2025-11-18T08:24:58+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: Accepted password for manager from 10.12.2.5 port 51095 ssh2.
      2. 2025-11-18T08:25:00+01:00 2025 HPE %%10SHELL/5/SHELL_LOGIN: manager logged in from 192.256.5.4.
      3. 2025-11-18T08:24:59+01:00 2025 HPE %%10SSHS/6/SSHS_CONNECT: SSH user manager (IP: 10.12.25.36) connected to the server successfully.
      4. 2025-11-18T08:24:59+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: Authentication failed for sdafa from 10.45.45.25 port 29738 because of invalid username or wrong password  ssh2.
      5. 2025-11-18T08:24:59+01:00 2025 HPE %%10SHELL/5/SHELL_LOGOUT: manager logged out from 10.25.65.23

      If yes, you need to replace the custom decoders with this. Make sure to remove the decoder you earlier added and replace it with this.

<decoder name="hp_events">
  <prematch>HPE</prematch>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>\.+SSH user (\S+)|failed for (\S+)|SHELL_LOGOUT: (\S+)|SHELL_LOGIN: (\S+)|Accepted password for (\S+)</regex>
  <order>user</order>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>\.+\S+/\d+/\S+: (\.+)</regex>
  <order>event_message</order>
</decoder>

<decoder name="hp_events1">
  <parent>hp_events</parent>
  <regex>\.+\pIP: (\d+.\d+.\d+.\d+)\p|from (\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

Then you need to restart the manager to apply the changes:
systemctl restart wazuh-manager

        I believe the above decoder resolves your issue; if not, make sure to share a single-line log to replicate on my end.


        Let me know the update on this.

        MS Mum

Nov 19, 2025, 7:56:58 AM
        to hasitha.u...@wazuh.com, Wazuh | Mailing List
        Hi!

        It looks good now as I get the alerts.

        025-11-19T12:12:47+01:00 2025 HPE %%10SSHS/6/SSHS_DISCONNECT: SSH user manager (IP: 10.x.x.x) disconnected from the server.
        event_message: SSH user manager (IP: 10.x.x.x) disconnected from the server.

        2025-11-19T12:12:47+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: User manager logged out from 10.x.x.x port 8139.
        event_message: User manager logged out from 10.x.x.x port 8139.

The issue is that I have another similar model switch, and I am using HPE in the prematch. Do I have to create another decoder for the other switch, or is there some way to do it in this one?

        Regards,

        SA

        hasitha.u...@wazuh.com

Nov 21, 2025, 11:16:51 PM
        to Wazuh | Mailing List
        Hi MS,

For that, you can modify the prematch section by matching relevant keywords of the router name, as in the example I have created below.

<decoder name="hp_events">
  <prematch>HPE|HPRouter|another_similar_model_name</prematch>
</decoder>

Otherwise, if the same model of HP routers starts with HP<something>, then you can use a regex to prematch like this in the parent decoder.

<decoder name="hp_events">
  <prematch>HP\.*</prematch>
</decoder>

        Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#decoders-prematch


        Let me know the update on this.
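As an added example (not code from this thread, from Wazuh, or from HPE), the Python script below approximates what the thread's final decoders and rules do to a few constructed archives.json records, so the full_log field of a new device model can be sanity-checked before wazuh-logtest is run. The regexes are Python translations of the thread's OS_Regex patterns, the device name HPRouter and all addresses are assumptions, and the Wazuh engine itself remains the authority on what actually decodes.

```python
import json
import re

# Constructed archives.json records modelled on the ones quoted in this thread
# (documentation IP ranges, both device names, plus one sshd line to ignore).
ARCHIVES = [
    '{"full_log":"2025-11-18T08:24:58+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: Accepted password for manager from 192.0.2.5 port 51095 ssh2.","location":"/var/log/hp.log"}',
    '{"full_log":"2025-11-18T08:24:59+01:00 2025 HPE %%10SSHS/6/SSHS_CONNECT: SSH user manager (IP: 192.0.2.36) connected to the server successfully.","location":"/var/log/hp.log"}',
    '{"full_log":"2025-11-18T08:25:00+01:00 2025 HPRouter %%10SHELL/5/SHELL_LOGOUT: manager logged out from 192.0.2.23","location":"/var/log/hp.log"}',
    '{"full_log":"2025-11-18T08:25:01+01:00 2025 HPE %%10SSHS/6/SSHS_LOG: Authentication failed for sdafa from 198.51.100.25 port 29738 because of invalid username or wrong password ssh2.","location":"/var/log/hp.log"}',
    '{"full_log":"Nov 18 08:25:02 otherhost sshd[123]: Accepted password for root from 203.0.113.9 port 22 ssh2","location":"/var/log/auth.log"}',
]

# Python translations of the thread's final OS_Regex patterns (\.+ -> .+, \p -> one
# punctuation char, literal . -> \.); an approximation for pre-flight checks only.
PUNCT = "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]"
OLD_PREMATCH = re.compile(r"^%")         # the thread's first attempt
PREMATCH = re.compile(r"HPE|HPRouter")   # the final multi-model prematch
CHILDREN = {
    "dstuser": re.compile(r".+SSH user (\S+)|failed for (\S+)|SHELL_LOGOUT: (\S+)"
                          r"|SHELL_LOGIN: (\S+)|Accepted password for (\S+)"),
    "event_message": re.compile(r".+\S+/\d+/\S+: (.+)"),
    "srcip": re.compile(r".+" + PUNCT + r"IP: (\d+\.\d+\.\d+\.\d+)" + PUNCT
                        + r"|from (\d+\.\d+\.\d+\.\d+)"),
}
# <match> strings of rules 130001-130004 (no overlap on these logs).
RULES = [(130001, "SSH user"), (130002, "logged out from"),
         (130003, "Accepted password"), (130004, "Authentication failed")]

def decode(full_log):
    """Emulate the parent prematch and the three child decoders."""
    if not PREMATCH.search(full_log):
        return None                      # parent never fires: no fields, no rule
    fields = {}
    for name, pattern in CHILDREN.items():
        m = pattern.search(full_log)
        if m:                            # only the matching alternative captures
            fields[name] = next(g for g in m.groups() if g is not None)
    return fields

def rule_id(full_log):
    """First rule whose <match> substring appears in the event, or None."""
    return next((rid for rid, needle in RULES if needle in full_log), None)

def process_archive(line):
    """Parse one archives.json record, decode its full_log and pick the rule."""
    full_log = json.loads(line)["full_log"]
    fields = decode(full_log)
    return {"old_prematch": bool(OLD_PREMATCH.search(full_log)),
            "fields": fields, "rule": rule_id(full_log) if fields else None}
```

The old_prematch flag stays False for every archives.json record because full_log starts with the agent's timestamp rather than the device's leading %, which is why the first decoder never fired on real traffic.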