T-Pot integration with Wazuh issue


3

Dec 4, 2025, 1:21:14 PM (3 days ago) Dec 4
to Wazuh | Mailing List
I made a custom decoder for the dionaea honeypot and also a custom rule.
But the Wazuh dashboard neither ingests nor shows the logs!

Example of the JSON file, the decoder and the rule:
{
"connection": {"protocol": "smbd", "transport": "tcp", "type": "accept"},
"dst_ip": "172.27.0.2",
"dst_port": 445,
"src_hostname": "",
"src_ip": "113.163.202.37",
"src_port": 58865,
"timestamp": "2025-12-04T01:59:00.231347"
}


Decoder:
<decoder name="dionaea-decoder">
    <prematch>^{"connection</prematch>
</decoder>

<decoder name="dionaea-decoder-1">
    <parent>dionaea-decoder</parent>
    <regex>protocol="(\S+)"</regex>
    <order>protocol</order>
</decoder>


<decoder name="dionaea-decoder-1">
    <parent>dionaea-decoder</parent>
    <regex>src_ip="(\S+)" src_port="(\S+)"</regex>
    <order>src_ip, src_port</order>
</decoder>

<decoder name="dionaea-decoder-1">
    <parent>dionaea-decoder</parent>
    <regex>dst_ip="(\S+)" dst_port="(\S+)"</regex>
    <order>dst_ip, dst_port</order>
</decoder>


Rules:
<group name="Dionaeasniffer">
    <rule id="106666" level="6">
        <decoded_as>dionaea-decoder</decoded_as>
        <description>Meowdottest.</description>
    </rule>
</group>

Olamilekan Abdullateef Ajani

Dec 4, 2025, 2:14:55 PM (3 days ago) Dec 4
to Wazuh | Mailing List
Hello,

Based on the log you shared above, you do not need to write an additional decoder to extract fields. The log is in the standard JSON format, which would match the Wazuh inbuilt JSON decoder; the only thing needed is the rules to trigger an alert. Please see the attachment for reference.

My follow-up question would be, how do you intend to ingest the logs into Wazuh? Do you have a file with JSON logs or an application that writes its logs as JSON, and you want to parse it on the Wazuh manager? Well, what you can do is have the Wazuh agent installed on the log source server and read from the file. Please check out the documentation below regarding log collection.



That being said, when working on log ingestion, it is best to enable the archives temporarily so you are able to see what the raw logs look like. That way, you can use them for testing, so when you are done, the logs will match the decoders as they should. It always points in the right direction.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager:

systemctl restart wazuh-manager

grep "part of your log" /var/ossec/logs/archives/archives.json
Please let me know what you find.

[attachment: json-log.png]

3

Dec 4, 2025, 4:16:11 PM (2 days ago) Dec 4
to Wazuh | Mailing List
Hello
I already enabled the archive log.
And I do intend to send and ingest logs into Wazuh by installing the Wazuh agent within the T-Pot honeypot (Cowrie, Dionaea).
What I witness is that Cowrie logs appear in both alerts.json and archives.json, but when it comes to Dionaea and the rest
of the honeypots, they only appear in archives.json.

Output of tail -f archives.json | grep -i "dionaea":
[attachment: dionaeapic.png]

Olamilekan Abdullateef Ajani

Dec 5, 2025, 7:48:57 AM (2 days ago) Dec 5
to Wazuh | Mailing List
Hello,

So I checked the sample logs you shared, and it explains the issue. If you look at the logs in archives, you would notice they do not match any decoder, which is why you were unable to see them on the dashboard, and your decoders were also not working. Apparently, the logs are not in JSON, by the way. I was able to extract a sample log and used it for testing to create a decoder for you as a reference.

A cleaned-up version of the log:
Dec 04 19:38:09 ip-172-31-92-58 docker[1238]: dionaea[232]: "protocal":"ftp","transport":"tcp","type":"accept","src_ip":"84.25.185.76","src_port":"39648","dst_ip":"172.31.92.58","dst_port":"21","commands":[{"arguments":["admin","hello"],"command":"USER"},{"arguments":[],"command":"PASS"},{"arguments":[],"command":"SYST"},{"arguments":[],"command":"FEAT"},{"arguments":[],"command":"QUIT"}]}

Please note you need to use the full_log part of the full log only. Please see the decoder sample below and also the attached result.

<decoder name="dionaea-custom">
  <program_name>docker</program_name>
  <prematch>dionaea</prematch>
</decoder>
<decoder name="dionaea-child">
  <parent>dionaea-custom</parent>
  <regex type="pcre2">"protocal":"([^"]+)","transport":"([^"]+)","type":"([^"]+)","src_ip":"([^"]+)","src_port":"([^"]+)","dst_ip":"([^"]+)","dst_port":"([^"]+)"</regex>
  <order>dionaea.protocol,dionaea.transport,dionaea.event_type,srcip,srcport,dstip,dstport</order>
</decoder>


Please bear in mind, when working with a custom decoder, it is best to extract a sample log from the archives.json file and use that when testing. This gives you the assurance that you have used the logs exactly how Wazuh would ingest them, and also that you have the correct decoder and a matching rule. Also, the decoders above are highly customizable; you can modify them and use them as a reference point when writing other decoders too.


Please let me know if you need further assistance on this.
[attachment: json-test.png]

3

Dec 5, 2025, 2:12:59 PM (2 days ago) Dec 5
to Wazuh | Mailing List
Thanks for the assistance!
Now the last thing I need to do is to create custom rules, however, I tried different rules but none triggered the alert.
This is the last one I tried:

<group name="dionaea,">
  <rule id="110001" level="8">
    <if_sid>dionaea-child</if_sid>
    <description>Dionaea Honeypot Activity Detected - Protocol: $(dionaea.protocol)</description>
  </rule>
</group>

Appreciate your efforts.

Olamilekan Abdullateef Ajani

Dec 5, 2025, 2:50:12 PM (2 days ago) Dec 5
to Wazuh | Mailing List
Hello Again,

Based on the decoder I shared and what you are trying to achieve, you need to tell the rule to use the decoder by making use of the decoded_as option in the rule as seen below.

<group name="dionaea,">
  <rule id="110001" level="8">
    <decoded_as>dionaea-custom</decoded_as>
    <description>Dionaea Honeypot Activity Detected - Protocol: $(dionaea.protocol)</description>
  </rule>
</group>

The rule above will match the decoder I shared with you: because the name of the decoder is dionaea-custom, the decoded_as in the rule needs to match that.

You can learn more about the decoder and rule syntax in the documentation below:



Please let me know if you require further clarification.
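As an added example (it is not code from the thread, from Wazuh or from T-Pot), the Python script below stands in for the parts of the Wazuh pipeline discussed in the last three messages: it pulls the full_log field out of archives.json events, applies the dionaea-child regex and its <order> names from the decoder reply, and then evaluates both the decoded_as rule and the earlier if_sid rule, expanding $(dionaea.protocol) in the description. The archives.json events, the cowrie line, and all function names are constructed for this example; the decoder regex, field order and rule definitions are copied from the messages above. Real Wazuh testing is done with the manager's logtest tool; this script only makes the matching logic visible offline.

```python
"""Added example (not from the thread, Wazuh or T-Pot): a small stand-in for the
decoder and rule matching discussed above, run over constructed archives.json
events. Function names and sample events are assumptions made for the example."""
import json
import re

# Constructed archives.json events; a real file carries more fields per event.
ARCHIVES_JSON = r'''
{"timestamp":"2025-12-04T19:38:09.000+0000","agent":{"name":"ip-172-31-92-58"},"program_name":"docker","full_log":"Dec 04 19:38:09 ip-172-31-92-58 docker[1238]: dionaea[232]: {\"protocal\":\"ftp\",\"transport\":\"tcp\",\"type\":\"accept\",\"src_ip\":\"84.25.185.76\",\"src_port\":\"39648\",\"dst_ip\":\"172.31.92.58\",\"dst_port\":\"21\"}"}
{"timestamp":"2025-12-04T19:38:10.000+0000","agent":{"name":"ip-172-31-92-58"},"program_name":"docker","full_log":"Dec 04 19:38:10 ip-172-31-92-58 docker[1238]: cowrie[240]: {\"eventid\":\"cowrie.session.connect\",\"src_ip\":\"203.0.113.9\"}"}
'''

# The parent/child decoder pair from the reply, as dicts: program_name,
# prematch, regex and order map one-to-one onto the XML elements.
PARENT_DECODER = {"name": "dionaea-custom", "program_name": "docker", "prematch": "dionaea"}
CHILD_DECODER = {
    "name": "dionaea-child",
    "regex": r'"protocal":"([^"]+)","transport":"([^"]+)","type":"([^"]+)",'
             r'"src_ip":"([^"]+)","src_port":"([^"]+)","dst_ip":"([^"]+)","dst_port":"([^"]+)"',
    "order": ["dionaea.protocol", "dionaea.transport", "dionaea.event_type",
              "srcip", "srcport", "dstip", "dstport"],
}

# The working rule (decoded_as) and the earlier non-working one (if_sid pointing
# at a decoder name; if_sid expects the id of a rule that already fired).
DECODED_AS_RULE = {"id": "110001", "level": 8, "decoded_as": "dionaea-custom",
                   "description": "Dionaea Honeypot Activity Detected - Protocol: $(dionaea.protocol)"}
IF_SID_RULE = {"id": "110001", "level": 8, "if_sid": "dionaea-child",
               "description": "Dionaea Honeypot Activity Detected - Protocol: $(dionaea.protocol)"}


def full_logs(archives_text):
    """Yield (program_name, full_log) per archives.json line; the decoder only sees full_log."""
    for line in archives_text.strip().splitlines():
        event = json.loads(line)
        yield event.get("program_name", ""), event["full_log"]


def decode(program_name, full_log):
    """Parent program_name/prematch gate, then child regex; (decoder name, fields) or None."""
    if program_name != PARENT_DECODER["program_name"]:
        return None
    if PARENT_DECODER["prematch"] not in full_log:
        return None
    fields = {}
    match = re.search(CHILD_DECODER["regex"], full_log)
    if match:
        # <order> assigns the captures to field names positionally.
        fields = dict(zip(CHILD_DECODER["order"], match.groups()))
    return PARENT_DECODER["name"], fields


def match_rule(rule, decoder_name, fields, fired_rule_ids=()):
    """Return an alert dict if the rule applies to this decoded event, else None."""
    if "decoded_as" in rule and rule["decoded_as"] != decoder_name:
        return None
    # if_sid chains on a parent rule id that already fired, never on a decoder name.
    if "if_sid" in rule and rule["if_sid"] not in fired_rule_ids:
        return None
    description = re.sub(r"\$\(([\w.]+)\)",
                         lambda m: fields.get(m.group(1), m.group(0)), rule["description"])
    return {"id": rule["id"], "level": rule["level"], "description": description, **fields}


def run(rule, archives_text=ARCHIVES_JSON):
    """Replay archived events through the decoder and one rule; return the alerts raised."""
    alerts = []
    for program_name, full_log in full_logs(archives_text):
        decoded = decode(program_name, full_log)
        if decoded is None:
            continue
        alert = match_rule(rule, *decoded)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for label, rule in (("decoded_as rule", DECODED_AS_RULE), ("if_sid rule", IF_SID_RULE)):
        print(label, "->", run(rule))
```

Running it shows the decoded_as rule raising one alert with srcip, dstport and the expanded protocol, and the if_sid rule raising none, which is the behaviour the thread describes; the cowrie event never reaches the rule because the dionaea prematch rejects it.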
