Custom decoder and No decoder matched.


mariano hinjos

Mar 28, 2023, 4:02:23 AM
to Wazuh mailing list
Hi,

I can't find the decoder that allows me to filter the log I need.

Example of my decoder:
<decoder name="oracle_miles">
    <prematch type="pcre2">^\[\d+] \w+ \[\d+ \d+:\d+:\d+]</prematch>
</decoder>


<decoder name="oracle_mileslog">
  <parent>oracle_miles</parent>
  <regex offset="after_parent">[(\d+)] (\w+) [(\d+) (\d+:\d+:\d+)]</regex>
  <order>miles.session,miles.type,miles.fecha,miles.hora</order>
</decoder>

and an example of a log:
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

[00000001] INFO  [20230327 15:16:55] - 15574 WSLogOn(CMD) : user=yaiza.garcia, webClient

**Phase 1: Completed pre-decoding.
        full event: '[00000001] INFO  [20230327 15:16:55] - 15574 WSLogOn(CMD) : user=yaiza.garcia, webClient'

**Phase 2: Completed decoding.
        No decoder matched.


Any idea? Thanks.

Luis González Romero

Mar 28, 2023, 5:09:42 AM
to Wazuh mailing list

Hello Mariano, hope you’re great.

The issue you're facing is that your regex does not contain the right spaces. After the log type INFO, in this case, there are two spaces instead of one. If you write your decoders like these, you will be fine.

This also applies to PCRE2, but I used OS_Regex for these samples.

<decoder name="oracle_miles">
  <prematch>^[\d+] \w+ [\d+ \d+:\d+:\d+]</prematch>
</decoder>

<decoder name="oracle_miles">
  <parent>oracle_miles</parent>
  <regex>[(\d+)] (\w+) [(\d+) (\d+:\d+:\d+)]</regex>
  <order>miles.session,miles.type,miles.fecha,miles.hora</order>
</decoder>

You should remove the after_parent offset, because otherwise you won't be able to collect the data from the prematch as you want.

As you can see, they have the same name. You can check these sibling decoders if you want to learn more about this approach.

If you need help with something else or have any doubts, do not hesitate and ask us!

Hope this helps you,
Luis.

mariano hinjos

Mar 28, 2023, 5:29:44 AM
to Wazuh mailing list
Thanks for the help.

With your changes, the decoder does not match either:

**Phase 1: Completed pre-decoding.
        full event: '[00000001] INFO  [20230327 15:16:55] - 15574 WSLogOn(CMD) : user='


**Phase 2: Completed decoding.
        No decoder matched.

[06111229] DEBUG [20230328 11:22:44] - 64314 SelectionMgr.generateSelection ended

**Phase 1: Completed pre-decoding.
        full event: '[06111229] DEBUG [20230328 11:22:44] - 64314 SelectionMgr.generateSelection ended'


**Phase 2: Completed decoding.
        No decoder matched.

[06111229] INFO  [20230328 11:22:44] - 64315 SofPreparedStmtBuilder.getPreparedStatementInte

**Phase 1: Completed pre-decoding.
        full event: '[06111229] INFO  [20230328 11:22:44] - 64315 SofPreparedStmtBuilder.getPreparedStatementInte'


**Phase 2: Completed decoding.
        No decoder matched.


I have added \s+ to account for one or more occurrences.

Luis González Romero

Mar 31, 2023, 8:55:49 AM
to Wazuh mailing list

Hello again.

Where are you placing your custom decoders? Did you place them in /var/ossec/etc/decoders/local_decoder.xml? If not, you should.

Then, using the decoders I shared in the previous message, you should be able to match them.

Also, the logs you are sharing have different formats. For example, `[06111229] DEBUG [20230328 11:22:44] - 64314 SelectionMgr.generateSelection ended` has just one space after the log type instead of two.

You can modify the decoders as follows, replacing the single space with one or more spaces using \s+:

<decoder name="oracle_miles">
  <prematch>^[\d+] \w+\s+[\d+ \d+:\d+:\d+]</prematch>
</decoder>

<decoder name="oracle_miles">
  <parent>oracle_miles</parent>
  <regex>[(\d+)] (\w+)\s+[(\d+) (\d+:\d+:\d+)]</regex>
  <order>miles.session,miles.type,miles.fecha,miles.hora</order>
</decoder>
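To see the whitespace problem from this thread offline, before touching local_decoder.xml, here is an added Python example (not from the thread or from Wazuh) that mimics the prematch / regex / order flow with Python's re module, which is close enough to PCRE2 for these patterns (OS_Regex differs, so treat this as an approximation). The sample lines are constructed from the ones posted above: the INFO lines carry two spaces after the level, the DEBUG line only one.

```python
import re

# Constructed sample lines in the shape of the wazuh-logtest input from the thread.
SAMPLE_LOGS = [
    "[00000001] INFO  [20230327 15:16:55] - 15574 WSLogOn(CMD) : user=yaiza.garcia, webClient",
    "[06111229] DEBUG [20230328 11:22:44] - 64314 SelectionMgr.generateSelection ended",
    "[06111229] INFO  [20230328 11:22:44] - 64315 SofPreparedStmtBuilder.getPreparedStatementInte",
]

# Field names in the same order as the thread's <order> element.
ORDER = ["miles.session", "miles.type", "miles.fecha", "miles.hora"]

# Equivalent of the first pcre2 prematch: exactly one literal space after the level.
PREMATCH_STRICT = re.compile(r"^\[\d+] \w+ \[\d+ \d+:\d+:\d+]")
# The corrected prematch: \s+ accepts one or more spaces after the level.
PREMATCH_TOLERANT = re.compile(r"^\[\d+] \w+\s+\[\d+ \d+:\d+:\d+]")
# Child regex with capture groups mapped onto ORDER (PCRE form of the thread's OS_Regex).
REGEX_TOLERANT = re.compile(r"^\[(\d+)] (\w+)\s+\[(\d+) (\d+:\d+:\d+)]")


def decode(line, prematch, regex=REGEX_TOLERANT):
    """Approximate the parent/child decoder flow: the parent's prematch gates the
    line, then the child's regex captures the fields. Returns None when no
    decoder matched, otherwise a dict keyed by the <order> field names."""
    if not prematch.match(line):
        return None
    m = regex.match(line)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def matched_count(prematch):
    """How many of the sample lines a given prematch lets through to the child."""
    return sum(1 for line in SAMPLE_LOGS if decode(line, prematch) is not None)


if __name__ == "__main__":
    for name, prematch in (("strict", PREMATCH_STRICT), ("tolerant", PREMATCH_TOLERANT)):
        print(f"== {name} prematch: {matched_count(prematch)}/{len(SAMPLE_LOGS)} lines matched")
        for line in SAMPLE_LOGS:
            print("  ", decode(line, prematch) or "No decoder matched.")
```

The strict pattern only decodes the single-space DEBUG line, which reproduces the "No decoder matched." seen in the thread for the INFO lines; the \s+ version decodes all three.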