Perant decoder
18 views
Skip to first unread message
PD
Sep 26, 2025, 9:29:13 AM (5 days ago) Sep 26
to Wazuh | Mailing List
Hi wazuh team
Has encountered a problem. During pre-decoding, wazuh takes the values that I previously used in the parent decoder.
</decoder> that's how my parent decoder looks.I also attach a photo of the log and outpu. please advise me how to write the parent decoder correctly.![]()
Has encountered a problem. During pre-decoding, wazuh takes the values that I previously used in the parent decoder.
<decoder name="meshcentral">
<prematch>node</prematch></decoder> that's how my parent decoder looks.I also attach a photo of the log and outpu. please advise me how to write the parent decoder correctly.
Olamilekan Abdullateef Ajani
Sep 26, 2025, 10:15:06 AM (5 days ago) Sep 26
to Wazuh | Mailing List
Hello PD,
From the log you shared, I see wazuh already did some pre-decoding in the initial stage, with that, you can modify the parent decoder to reference some of the pre-decoding value as seen below.
<decoder name="meshcentral">
<program_name>C</program_name>
<prematch>node</prematch>
</decoder>
<program_name>C</program_name>
<prematch>node</prematch>
</decoder>
You can also see the attached output.
You can find more configurable options in the ruleset guide
Please let me know if you require further assistance around this.
Reply all
Reply to author
Forward
0 new messages