Decoder


I love Wazuh

4:33 AM
to Wazuh | Mailing List
Hello Wazuh team!

I ran into a problem: my new log is decoded by the built-in windows_eventchannel decoder, but it doesn't decode all the fields I need. Unfortunately I couldn't write a decoder for the fields I need on my own, so I'd be happy if you could help.

Here is the log itself:

{"win":{"system":{"providerName":"csp","eventID":"100","version":"0","level":"0","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2025-11-11T04:26:01.8665798Z","eventRecordID":"49729","processID":"5248","threadID":"0","channel":"Application","computer":"NB1.nat.ru","severityValue":"UNKNOWN","message":"\"CryptoPro CSP. <csp>0x1480:0x2074:CPCAcquireContext (pszContainer=REGISTRY\\\\98563895@2025-10-10-Name - Copy, dwFlags=0x0). Result=1, Err=0x0. hProv=0x7e10008b. (:517)\""},"eventdata":{"data":"&lt;csp&gt;0x1480:0x2074:CPCAcquireContext (pszContainer=REGISTRY\\\\\\\\98563895@2025-10-10-Name - Copy, dwFlags=0x0). Result=1, Err=0x0. hProv=0x7e10008b. (:517)"}}}

The field that I want to decode normally is 2025-10-10-Name, that is, I want it to output pszContainer = 2025-10-10-Name so that it can be clearly seen in the rule later, along with the corresponding rule for it. Thank you in advance.

hasitha.u...@wazuh.com

4:43 AM
to Wazuh | Mailing List
Hi, I love Wazuh

Please allow me some time. I'm working on this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

5:24 AM
to Wazuh | Mailing List
Hi, I love Wazuh

There is no Windows EventChannel XML decoder, as it is embedded inside Wazuh’s code. That is why you can’t find it along with the Wazuh installation files if you have already checked. Wazuh’s decoder engine does not support re-decoding a nested Windows event channel string natively as a structured object. Therefore, if you want to create a custom rule based on nested field values, you can use regex as I shared.
However, instead of creating another decoder, I suggest you create a custom rule to match the relevant details in the win.system.message field using a regex.

For example:

You can add this rule in the custom rule creation file: /var/ossec/etc/rules/local_rules.xml
<group name="test_windows">

  <rule id="160210" level="3">
    <if_sid>60003</if_sid>
    <field name="win.system.message" type="pcre2">^.*pszContainer=[^,]*?2025-10-10-Name[^,]*.*$</field>
    <description>Test pszcontainer alert</description>
  </rule>

</group>

Explanation:

  • ^ → start of line
  • .* → match anything before
  • pszContainer= → literal
  • [^,]*?2025-10-10-Name[^,]* → the key section
  • .* → anything after
  • $ → end of line

This will match the whole log line, for example:

  CryptoPro CSP. <csp>0x1480:0x2074:CPCAcquireContext (pszContainer=REGISTRY\98563895@2025-10-10-Name - Copy, dwFlags=0x0). Result=1, Err=0x0. hProv=0x7e10008b. (:517)
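As an added illustration (not part of the thread and not Wazuh's own code), the following Python script applies the same pcre2 pattern to the win.system.message field of the event quoted above, and also pulls out the pszContainer value, which is the part the original poster wanted to see. The first event is the one from the thread trimmed to the fields used; the second event and its container name are constructed.

```python
import json
import re

# Same pattern as the <field name="win.system.message" type="pcre2"> in the rule above.
RULE_REGEX = re.compile(r"^.*pszContainer=[^,]*?2025-10-10-Name[^,]*.*$")

# Looser pattern that captures the container value itself (everything up to the
# next comma), which is what a rule description or dashboard field would show.
CONTAINER_REGEX = re.compile(r"pszContainer=(?P<container>[^,]*)")

# Sample input: the event quoted in the thread, trimmed to the fields used here.
SAMPLE_EVENT = r'''{"win":{"system":{"providerName":"csp","eventID":"100","channel":"Application","computer":"NB1.nat.ru","message":"\"CryptoPro CSP. <csp>0x1480:0x2074:CPCAcquireContext (pszContainer=REGISTRY\\\\98563895@2025-10-10-Name - Copy, dwFlags=0x0). Result=1, Err=0x0. hProv=0x7e10008b. (:517)\""}}}'''

# Constructed counter-example (hypothetical container name) that the rule must not match.
OTHER_EVENT = r'''{"win":{"system":{"providerName":"csp","eventID":"100","channel":"Application","computer":"NB1.nat.ru","message":"\"CryptoPro CSP. <csp>0x1480:0x2074:CPCAcquireContext (pszContainer=REGISTRY\\\\11111111@other-container, dwFlags=0x0). Result=1, Err=0x0. (:517)\""}}}'''


def get_message(event_json: str) -> str:
    """Return win.system.message from a windows_eventchannel JSON event."""
    event = json.loads(event_json)
    return event["win"]["system"]["message"]


def rule_matches(event_json: str) -> bool:
    """True when the rule's pcre2 pattern matches the message field."""
    return RULE_REGEX.search(get_message(event_json)) is not None


def extract_container(event_json: str) -> dict:
    """Pull the pszContainer value out of the message.

    Returns the raw container string and the label after the '@' separator
    (here '2025-10-10-Name - Copy'); both are empty if the field is absent.
    """
    m = CONTAINER_REGEX.search(get_message(event_json))
    if not m:
        return {"container": "", "label": ""}
    container = m.group("container").strip()
    label = container.split("@", 1)[1] if "@" in container else ""
    return {"container": container, "label": label}


if __name__ == "__main__":
    print("rule fires on sample event:", rule_matches(SAMPLE_EVENT))  # True
    print("rule fires on other event:", rule_matches(OTHER_EVENT))    # False
    print(extract_container(SAMPLE_EVENT))
```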
