Help with IBM TS4300 decoder


Joaquim António

Nov 19, 2025, 12:38:18 PM
to Wazuh | Mailing List
Hello Wazuh team,

I'm having trouble parsing logs from the IBM tape library. After many attempts, the current iteration looks like this:

<decoder name="ibm-ts4300">
  <program_name>^RSYSLOG</program_name>
</decoder>

<decoder name="ibm-ts4300-informational">
  <parent>ibm-ts4300</parent>
  <regex> Informational Event, Event Code: (\d+-\d+), Event Description: (\w+), Detailed Information: ~USER_NAME\pAUDIT\p=(\w+)~USER_REMOTE_IP\pAUDIT\p=(\d+.\d+.\d+.\d+)~USER_ROLE\pAUDIT\p=(\w+)~LOGIN_USER_METHOD\pAUDIT\p=\S+~LOGIN_INTERFACE\pAUDIT\p=RMI~TYPE\pAUDIT\p=(\w+)</regex>
  <order>event_code,event_description,user,srcip,user_role,event_type</order>
</decoder>

Here is an example log to work from:

Nov 19 13:17:03 TS4300 RSYSLOG:  Informational Event, Event Code: 0400001-9013, Event Description: A user logged in at the Web GUI interface, Detailed Information: ~USER_NAME(AUDIT)=username~USER_REMOTE_IP(AUDIT)=123.123.123.123~USER_ROLE(AUDIT)=ADMINISTRATOR~LOGIN_USER_METHOD(AUDIT)=LOCAL_CUSTOM~LOGIN_INTERFACE(AUDIT)=RMI~TYPE(AUDIT)=ACCESS

It only matches the 1st decoder. Does anyone know how to parse a log like this?
Thank you in advance.

Best regards,

Joaquim Antonio

Lucio Donda

Nov 19, 2025, 1:21:35 PM
to Wazuh | Mailing List
Hi Joaquim,

Have you tried using pcre2? See here (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html#pcre2-syntax) for its features, but I think that you might be having some issues with spaces (e.g. after Event Description).

It should look something like this:


<decoder name="ibm-ts4300">
  <program_name>^RSYSLOG</program_name>
</decoder>

<decoder name="ibm-ts4300-informational">
  <parent>ibm-ts4300</parent>
  <regex type="pcre2">  Informational Event, Event Code: (\d+-\d+), Event Description: (.*), Detailed Information: ~USER_NAME\(AUDIT\)=(.*)~USER_REMOTE_IP\(AUDIT\)=(\d+.\d+.\d+.\d+)~USER_ROLE\(AUDIT\)=(.*)~LOGIN_USER_METHOD\(AUDIT\)=\S+~LOGIN_INTERFACE\(AUDIT\)=RMI~TYPE\(AUDIT\)=(.*)</regex>
  <order>event_code,event_description,user,srcip,user_role,event_type</order>
</decoder>


I didn't test the decoder, but as you can see the regex is matching when checked with https://regex101.com/ :

[Screenshot From 2025-11-19 15-15-02.png: regex101 match result]

Joaquim António

Nov 20, 2025, 4:42:59 AM
to Wazuh | Mailing List
Hello Lucio,

Thank you for your answer, using pcre2 helped fix my issue! I also removed an extra space from the beginning and now it parses everything great. Here is the working solution, just in case anyone else may be facing the same problem:

<decoder name="ibm-ts4300">
  <program_name>^RSYSLOG</program_name>
</decoder>

<decoder name="ibm-ts4300-informational">
  <parent>ibm-ts4300</parent>
  <regex type="pcre2"> Informational Event, Event Code: (\d+-\d+), Event Description: (.*), Detailed Information: ~USER_NAME\(AUDIT\)=(.*)~USER_REMOTE_IP\(AUDIT\)=(\d+.\d+.\d+.\d+)~USER_ROLE\(AUDIT\)=(.*)~LOGIN_USER_METHOD\(AUDIT\)=\S+~LOGIN_INTERFACE\(AUDIT\)=RMI~TYPE\(AUDIT\)=(.*)</regex>
  <order>event_code,event_description,user,srcip,user_role,event_type</order>
</decoder>

Best regards,
Joaquim Antonio
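To check the two regexes from this thread outside Wazuh, here is an added Python script (not from the thread, and not Wazuh's own code) that mimics the syslog pre-decoding step, applies the first attempt, the working pcre2 regex and a tighter variant to the sample line, and maps the capture groups onto the `<order>` fields. The syslog header pattern, the tighter regex and the helper names are my own assumptions; Python's `re` is close enough to PCRE2 for these constructs, and the first attempt's OSSEC `\p` (punctuation) is rendered as `\(` and `\)` so it can run here.

```python
import re

# Constructed sample, copied from the example log posted in the thread.
SAMPLE_LOG = (
    "Nov 19 13:17:03 TS4300 RSYSLOG:  Informational Event, Event Code: 0400001-9013, "
    "Event Description: A user logged in at the Web GUI interface, "
    "Detailed Information: ~USER_NAME(AUDIT)=username"
    "~USER_REMOTE_IP(AUDIT)=123.123.123.123~USER_ROLE(AUDIT)=ADMINISTRATOR"
    "~LOGIN_USER_METHOD(AUDIT)=LOCAL_CUSTOM~LOGIN_INTERFACE(AUDIT)=RMI~TYPE(AUDIT)=ACCESS"
)

# Field names in the same order as the decoder's <order> element.
ORDER = ["event_code", "event_description", "user", "srcip", "user_role", "event_type"]

# Assumed approximation of the syslog pre-decoding: timestamp, hostname,
# program_name, then the message after "program: ". The sample has two
# spaces after the colon, so the message keeps one leading space, which is
# why the working decoder's regex starts with a single space.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ([^\s:]+): (.*)$"
)

# The thread's first attempt, translated to Python syntax. (\w+) cannot span
# the spaces in "A user logged in at the Web GUI interface", so it never matches.
FIRST_ATTEMPT = re.compile(
    r" Informational Event, Event Code: (\d+-\d+), Event Description: (\w+), "
    r"Detailed Information: ~USER_NAME\(AUDIT\)=(\w+)~USER_REMOTE_IP\(AUDIT\)=(\d+.\d+.\d+.\d+)"
    r"~USER_ROLE\(AUDIT\)=(\w+)~LOGIN_USER_METHOD\(AUDIT\)=\S+~LOGIN_INTERFACE\(AUDIT\)=RMI"
    r"~TYPE\(AUDIT\)=(\w+)"
)

# The working pcre2 regex from the thread, unchanged.
WORKING = re.compile(
    r" Informational Event, Event Code: (\d+-\d+), Event Description: (.*), "
    r"Detailed Information: ~USER_NAME\(AUDIT\)=(.*)~USER_REMOTE_IP\(AUDIT\)=(\d+.\d+.\d+.\d+)"
    r"~USER_ROLE\(AUDIT\)=(.*)~LOGIN_USER_METHOD\(AUDIT\)=\S+~LOGIN_INTERFACE\(AUDIT\)=RMI"
    r"~TYPE\(AUDIT\)=(.*)"
)

# A tighter variant (my suggestion, not from the thread): field values may
# not contain the "~" separator, the IP dots are escaped, the description is
# non-greedy, and the pattern is anchored so trailing junk fails the match.
STRICT = re.compile(
    r"^ Informational Event, Event Code: (\d+-\d+), Event Description: (.*?), "
    r"Detailed Information: ~USER_NAME\(AUDIT\)=([^~]+)"
    r"~USER_REMOTE_IP\(AUDIT\)=(\d{1,3}(?:\.\d{1,3}){3})"
    r"~USER_ROLE\(AUDIT\)=([^~]+)~LOGIN_USER_METHOD\(AUDIT\)=[^~]+~LOGIN_INTERFACE\(AUDIT\)=RMI"
    r"~TYPE\(AUDIT\)=([^~]+)$"
)


def predecode(line):
    """Split a syslog line into hostname, program_name and message, or None."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "message": m.group(3)}


def decode(line, regex):
    """Apply the parent's program_name check, then the child regex; return the
    decoded fields keyed by ORDER, or None when either stage does not match."""
    pre = predecode(line)
    if pre is None or not pre["program_name"].startswith("RSYSLOG"):
        return None
    m = regex.search(pre["message"])
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


if __name__ == "__main__":
    for name, rx in (("first_attempt", FIRST_ATTEMPT), ("working", WORKING), ("strict", STRICT)):
        print(name, decode(SAMPLE_LOG, rx))
```

Running the script shows the first attempt returning `None` while both pcre2-style patterns return the same six fields; once a pattern behaves here, `wazuh-logtest` on the manager confirms the real decoder chain picks it up.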

Lucio Donda

Nov 20, 2025, 6:39:18 AM
to Wazuh | Mailing List
Awesome, glad to hear that! 