OpenVPN: decoder customization and rule not working


Giuseppe Ruberto

Nov 20, 2025, 7:47:33 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hello everyone,
I would like to monitor this log produced by the OPNSense (OpenVPN module). Specifically, I would like to extract and monitor the username, public IP, and IP that is associated with the user by the VPN server.

```
Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - [meta sequenceId="13857"] user_test/217.202.95.187:57040 MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)
```

I created a decoder in this form:
```
  <decoder name="openvpn-internal-ip">
    <program_name>^opnsense-openvpn$</program_name>
    <prematch>MULTI_sva: pool returned IPv4=</prematch>
    <regex type="pcre2" offset="after_prematch">(\S+)\/(\S+):(\d+) MULTI_sva: pool returned IPv4=(\S+)</regex>
    <order>srcuser, srcip, dstip</order>
  </decoder>
```

and afterwards this rule:
```
  <rule id="100501" level="3">
    <if_matched_sid>81800</if_matched_sid>
    <decoded_as>openvpn-internal-ip</decoded_as>
    <description>OpenVPN (OPNsense): assegnato IP interno $(dstip) all’utente $(srcuser)</description>
    <group>vpn_ip_assignment,openvpn,opnsense</group>
  </rule>
```

Now, when testing the decoder and the rule, the result is this:

```
**Messages:
INFO: (7202): Session initialized with token 'a67e346c'

**Phase 1: Completed pre-decoding.
full event: 'Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - [meta sequenceId="13857"] user_test/217.202.95.187:57040 MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)'
timestamp: 'Nov  4 09:56:15'
hostname: 'vpnserver.abcd.it'
program_name: 'opnsense-openvpn'

**Phase 2: Completed decoding.
name: 'openvpn'
parent: 'openvpn'

**Phase 3: Completed filtering (rules).
id: '81800'
level: '0'
description: 'OpenVPN messages grouped.'
groups: '["openvpn"]'
firedtimes: '1'
mail: 'false'
```

It would appear that the log is being decoded by Wazuh's default decoder and not by the decoder-rule pair I created. What do you recommend I change?

Thank you all for your help and have a good day.

Luis Enrique Chico Capistrano

Nov 20, 2025, 8:48:46 AM (3 days ago) Nov 20
to Wazuh | Mailing List

Hi Giuseppe Ruberto,

I'm not sure if you want the decoder to extract the srcuser, srcip, and dstip, OR if you just want to change the event level of the alert from 0 to 3, as you have in your rule.

If you just want to change the alert rule, here's what you can do:


```
  <rule id="100501" level="3">
    <if_sid>81800</if_sid>
    <match>MULTI_sva: pool returned IPv4=</match>
    <description>OpenVPN (OPNsense): assegnato IP interno </description>
    <group>vpn_ip_assignment,openvpn,opnsense</group>
  </rule>
```

The result:

```
bash-5.2# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.0
Type one log per line


Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - [meta sequenceId="13857"] user_test/217.202.95.187:57040 MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)

**Phase 1: Completed pre-decoding.
full event: 'Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - [meta sequenceId="13857"] user_test/217.202.95.187:57040 MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)'
timestamp: 'Nov  4 09:56:15'
hostname: 'vpnserver.abcd.it'
program_name: 'opnsense-openvpn'

**Phase 2: Completed decoding.
name: 'openvpn'
parent: 'openvpn'

**Phase 3: Completed filtering (rules).
id: '100501'
level: '3'
description: 'OpenVPN (OPNsense): assegnato IP interno '
groups: '['adfs', 'localvpn_ip_assignment', 'openvpn', 'opnsense']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

```

Luis Enrique Chico Capistrano

Nov 20, 2025, 8:53:52 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Some useful reference materials:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules

If you need to include the variables dstip and srcuser in the description, we will need to implement a decoder.

The description would then look like this:

    <description>OpenVPN (OPNsense): assegnato IP interno $(dstip) all’utente $(srcuser)</description>

Giuseppe Ruberto

Nov 21, 2025, 4:43:32 AM (yesterday) Nov 21
to Wazuh | Mailing List
Thanks for your reply.
My goal is to capture these logs and mainly extract the following information: srcip, dstip, and srcuser.

I created this decoder and this rule:
```
  <decoder name="openvpn-internal-ip">
    <parent>openvpn</parent>
    <program_name>opnsense-openvpn</program_name>
    <prematch type="pcre2">^(\S+)\/(\S+):(\d+) MULTI_sva: pool returned IPv4=</prematch>
    <regex type="pcre2">^(\S+)\/(\S+):(\d+) MULTI_sva: pool returned IPv4=(\S+)</regex>
    <order>srcuser, srcip, srcport, dstip</order>
  </decoder>
```



```
  <rule id="100501" level="3">
    <decoded_as>openvpn-internal-ip</decoded_as>
    <description>OpenVPN (OPNsense): assegnato IP interno $(dstip) all’utente $(srcuser) con $(srcip)</description>
    <group>vpn_ip_assignment,openvpn,opnsense</group>
  </rule>
```


However, when performing the test with this line:

```
Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - [meta sequenceId="13857"] user_test/217.202.95.187:57040 MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)
```

it is still not captured by this decoder-rule pair, but rather by the original “openvpn” decoder.

What do you suggest?

Thanks for your support.
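As an added illustration (not code from either poster), a small Python harness that mimics the two phases visible in the wazuh-logtest output above: it splits the BSD syslog header off the line the way Phase 1 reports it, then applies the `^`-anchored regex from the second decoder to the remaining payload beside an unanchored variant. Python's `re` stands in for Wazuh's PCRE2 engine here, and treating the text after `program_name: ` as the payload decoders see is an assumption about Phase 1, not something the thread states.

```python
import re

# Constructed copy of the OPNsense OpenVPN log line quoted in the thread.
LOG = ('Nov  4 09:56:15 vpnserver.abcd.it opnsense-openvpn: <29>1 '
       '2025-11-04T09:56:15+01:00 vpnserver.abcd.it openvpn_server1 45179 - '
       '[meta sequenceId="13857"] user_test/217.202.95.187:57040 '
       'MULTI_sva: pool returned IPv4=192.168.15.17, IPv6=(Not enabled)')

# Assumption: pre-decoding strips "timestamp hostname program_name: " and
# hands the remainder (the payload) to the decoders.
SYSLOG_HDR = re.compile(
    r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): (.*)$')

def predecode(line):
    """Return (timestamp, hostname, program_name, payload) as Phase 1 shows them."""
    m = SYSLOG_HDR.match(line)
    if not m:
        raise ValueError('not a BSD syslog line')
    return m.groups()

# Regex from the second post. '^' assumes the payload starts with "user/ip:port",
# but the payload actually starts with the RFC 5424 header "<29>1 2025-...".
ANCHORED = re.compile(
    r'^(\S+)\/(\S+):(\d+) MULTI_sva: pool returned IPv4=(\S+)')
# Unanchored variant; it also stops dstip at the comma, which "\S+" would swallow.
UNANCHORED = re.compile(
    r'(\S+)\/(\S+):(\d+) MULTI_sva: pool returned IPv4=([^,\s]+)')

ORDER = ('srcuser', 'srcip', 'srcport', 'dstip')

def decode(payload, pattern):
    """Apply a decoder-style regex and map its groups onto the <order> names."""
    m = pattern.search(payload)
    return dict(zip(ORDER, m.groups())) if m else None

if __name__ == '__main__':
    ts, host, prog, payload = predecode(LOG)
    print('program_name:', prog)
    print('payload starts with:', payload[:20])
    print('anchored  :', decode(payload, ANCHORED))    # None
    print('unanchored:', decode(payload, UNANCHORED))  # fields extracted
```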