Wazuh / Symantec Integration


Yazid
Jan 13, 2026, 2:57:43 AM
to Wazuh | Mailing List
Hello, 

I’m wondering if it’s possible to integrate Wazuh with Symantec. I configured Symantec to send logs to Wazuh, but Wazuh doesn’t seem to understand the log format.  

And thank you for your efforts and this amazing product!

Richmond Aribibia Fimie
Jan 13, 2026, 4:11:48 AM
to Yazid, Wazuh | Mailing List
Hello Yazid, you need to temporarily enable archives on your Wazuh manager so we can verify that the logs are reaching it. To do this, edit /var/ossec/etc/ossec.conf and add the following inside the <ossec_config> section:

<global>
  <logall>yes</logall>
</global>

Then restart Wazuh with:

systemctl restart wazuh-manager

After that, you’ll find the raw logs stored in /var/ossec/logs/archives/archives.log. Please share a few sample log lines from there — with those, we can help create or adapt the right decoders so Wazuh can properly parse and categorize the Symantec events.

Reference link
https://documentation.wazuh.com/current/cloud-service/archive-data/configuration.html

To view this discussion visit https://groups.google.com/d/msgid/wazuh/b927981d-a139-4424-b6e9-299cace09f7an%40googlegroups.com.

Yazid
Jan 13, 2026, 7:03:41 AM
to Wazuh | Mailing List
Symantec has three types of syslog, and I tried them. Here is an example of each:
 
RFC 5424 with newline delimiter:
<14>1 2026-01-13T10:00:34.773Z localhost.localdomain SEDR - 8006 [origin ip="192.168.50.91"] {"user_name":"Svc.User","device_domain":"corp-zone.local","uuid":"7a9f1120-a063-21f0-b10a-000000ab912e","edr_enriched_data":{"category_name":"Generic Data to be sent to Symantec EDR","category_id":201,"rule_name":"eChangeDefaultFileAssoc","suspicion_score":50,"rule_description":"Change to default File Association handler detected"},"ref_uid":"AA1CBF2C-A716-49BB-C22F-8113ECC44A1D","device_name":"WKSTNENG0451","logging_device_name":"10.16.200.44","category_id":5,"user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1546","tactic_ids":[3,4],"technique_name":"Event Triggered Execution","tactic_uids":["TA0003","TA0004"]}],"logging_device_ip":"10.16.200.44","id":2,"device_time":1768296970197,"device_os_name":"Windows 10 Professional Edition","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8006,"message":"mighost.exe set registry value HKEY_USERS\\$OFFLINE_RW_92BC1F33(S-1-5-21-2849571123-431395611-1983873001-10421)\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.glb\\UserChoice\\: kZp21AX71cQ=","log_time":"2026-01-13T10:00:34.732Z","status_detail":"Generic Data to be sent to Symantec EDR","device_ip":"192.168.50.91","actor":{"uid":"BD6A1693-A050-F1F0-C2D7-284F30AB9E10","start_time":1768296938441,"file":{"signature_level_id":60,"path":"c:\\$windows.~bt\\sources\\mighost.exe","signature_value_ids":[3,5],"sha2":"174885c6416a060e9a9342ce20fce0cf2b2937092b38f9b742c82c578f11111a","normalized_path":"CSIDL_SYSTEM_DRIVE\\$windows.~bt\\sources\\mighost.exe","original_name":"MigHost.exe","name":"mighost.exe","modified":1635900482000,"md5":"ccd2a46cb60bcc3c39c89c178a8c3aa1","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\$WINDOWS.~BT\\Sources\\mighost.exe\" {47C9AD47-8A33-4C5F-A8B8-2F680D111BA4} /InitDoneEvent:MigHost.{47C9AD47-8A33-4C5F-A8B8-2F680D111BA4}.Event /ParentPID:19108 
/LogDir:\"C:\\$WINDOWS.~BT\\Sources\\Panther\"","pid":31668,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_uid":"1a7182cb-d458-4a22-a454-54a55dac1122","device_ipv6":"fe80:0000:0000:0000:11cd:fe7d:e079:b123","reg_value_result":{"data":"qa3VA2W4cdM="},"severity_id":1,"reg_value":{"path":"HKEY_USERS\\$OFFLINE_RW_92BC1F33(S-1-5-21-2849571123-431395611-1983873001-10421)\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.glb\\UserChoice\\","data":"kZp21AX71cQ=","name":"Hash"}}



RFC 5424 with newline delimiter:
..s.=..Le006dbc22db34f13598be5e21e662","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\Windows\\system32\\RAServer.exe\" /offerraupdate","pid":11644,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8001,"user_name":"Svc.User","message":"svchost.exe launched c:\\windows\\system32\\raserver.exe","device_domain":"corp-zone.local","uuid":"6f8f9ce0-b052-11f0-dbce-000000ab7e86","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.SchtasksLaunch!g2"},"log_time":"2026-01-13T10:02:55.013Z","ref_uid":"7196FA63-15F4-4B15-9FAA-8884F32001AA","status_detail":"Generic Data to be sent to ATP","device_ip":"192.168.88.31","actor":{"uid":"26F28CEE-E631-F1F0-87F5-944348B19999","start_time":1767175907324,"file":{"signature_level_id":60,"path":"c:\\windows\\system32\\svchost.exe","signature_value_ids":[3,5],"sha2":"7fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23999999","normalized_path":"CSIDL_SYSTEM\\svchost.exe","original_name":"svchost.exe","name":"svchost.exe","modified":1715758724225,"md5":"8469cc568ad6821fd9d925542730aa11","signature_company_name":"Microsoft Windows Publisher"},"cmd_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule","pid":1792,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_name":"WKSTNENG0200","device_uid":"a038a140-19b9-48b1-afa6-95fe98231111","logging_device_name":"10.16.200.44","category_id":5,"user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1053","tactic_ids":[2,3,4],"technique_name":"Scheduled Task/Job","tactic_uids":["TA0002","TA0003","TA0004"]}],"logging_device_ip":"10.16.200.44","severity_id":1,"id":1,"device_time":1768289701294}
<14>Jan 13 10:03:04 localhost.localdomain SEDR: {"process":{"uid":"A16F3108-B04F-F1F0-87F5-944348B12222","file":{"signature_level_id":60,"path":"c:\\windows\\system32\\raserver.exe","signature_value_ids":[3,5],"sha2":"460ea04d7985f61c7c20c6ee1ca1e4d53c42593ff6d5ea2a1ddbc7a15599999","normalized_path":"CSIDL_SYSTEM\\raserver.exe","original_name":"raserver.exe","name":"raserver.exe","modified":1713686252031,"md5":"16ae006dbc22db34f13598be5e211111","signature_company_name":"Microsoft Windows"},"cmd_line":"\"C:\\Windows\\system32\\RAServer.exe\" /offerraupdate","pid":8612,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-01-13/_doc","type_id":8001,"user_name":"Svc.User","message":"svchost.exe launched c:\\windows\\system32\\raserver.exe","device_domain":"corp-zone.local","uuid":"6c1ffc70-b052-11f0-f919-000000ab7e85","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.SchtasksLaunch!g2"},"log_time":"2026-01-13T10:02:55.013Z","ref_uid":"AED
10:03:04.075391 ens18 In  IP (tos 0x0, ttl 63, id 16389, offset 0, flags [DF], proto TCP (6), length 2948)
    10.16.200.44.24524 > 10.16.201.200.514: Flags [.], cksum 0xe976 (incorrect -> 0xe5c5), seq 101360:104256, ack 1, win 15, options [nop,nop,TS val 3540480991 ecr 1039643213], length 2896
E...@.@.?..o



CEF:
Jan 13 10:03:54 localhost.localdomain CEF:0|Symantec|SEDR|4.12.0-73|8001|net.exe launched c:\windows\syswow64\net1.exe|1|act=1 cat=5 deviceExternalId=571c9cae-fe1c-4fee-be9a-4429fffa1111 dvchost=SARLAPDSI01160 rt=1768298623114 deviceCustomDate1=1768298623114 deviceCustomDate1Label=Logged Time cs5=Windows 11 Professional Edition cs5Label=Device OS Name suser=Svc.User symcSEDRLogName=epmp_events-fdr-2026-01-13/_doc symcSEDRUUID=529d4630-b062-11f0-cb5f-000000db8088 symcSEDRData={"process":{"uid":"4480CF04-EEF7-F1F0-9750-2851A8F02222","file":{"signature_level_id":60,"path":"c:\\windows\\syswow64\\net1.exe","signature_value_ids":[3,5],"sha2":"747136c32e9e7639b251719cfe503f1bd482335aecec7ae7cb8a91b0a911111","normalized_path":"CSIDL_SYSTEMX86\\net1.exe","original_name":"net1.exe","name":"net1.exe","modified":1711956138294,"md5":"a8d42e2bf18d54816819ea4db4480aa1","signature_company_name":"Microsoft Windows"},"cmd_line":"C:\\WINDOWS\\system32\\net1 user","pid":19660,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"type_id":8001,"device_domain":"corp-zone.local","edr_enriched_data":{"category_name":"Generic Data to be sent to ATP","category_id":201,"rule_name":"IF.NetUser!g1"},"ref_uid":"108D99A2-8F4E-44C9-8902-3A2147851111","status_detail":"Generic Data to be sent to ATP","actor":{"uid":"4480CEE6-EEF7-F1F0-9750-2851A8F03333","start_time":1768296526105,"file":{"signature_level_id":60,"path":"c:\\windows\\syswow64\\net.exe","signature_value_ids":[3,5],"sha2":"1cb12d8d687b36b58a25d18d8fd4c70cb06e2f048518cf0359fc5d51b711111","normalized_path":"CSIDL_SYSTEMX86\\net.exe","original_name":"net.exe","name":"net.exe","modified":1729077174381,"md5":"c1a1e4fab1261259b5b69a8143341afe","signature_company_name":"Microsoft Windows"},"cmd_line":"net user","pid":17360,"integrity_id":6,"user":{"name":"Svc.User","sid":"S-1-5-18"}},"logging_device_name":"10.16.200.44","user_domain":"NT AUTHORITY","attacks":[{"technique_uid":"T1087","tactic_ids":[7],"technique_name":"Account 
Discovery","tactic_uids":["TA0007"]},{"technique_uid":"T1033","tactic_ids":[7],"technique_name":"System Owner/User Discovery","tactic_uids":["TA0007"]}],"logging_device_ip":"10.16.200.44","device_time":1768296526355}

Richmond Aribibia Fimie
Jan 13, 2026, 9:52:52 AM
to Wazuh | Mailing List
Hello @yazid

Thank you for sharing the Symantec logs, that was very helpful. I've created a decoder based on the samples you provided, and it's working correctly with Wazuh. The decoder now parses the Symantec EDR logs in both RFC 5424, extracting fields such as user, device, UUID, severity, category, rule details, suspicion score, and MITRE ATT&CK technique IDs.

With this in place, Wazuh can properly interpret and categorize your Symantec events.

Steps to add the custom Symantec decoder in Wazuh

  1. Create a custom decoder file. Go to the Wazuh manager decoders directory:
     cd /var/ossec/etc/decoders/
     and create a new file, for example:
     nano symantec-edr_decoders.xml
  2. Add the content of the created Symantec decoder to that file.
  3. Restart the Wazuh manager to apply the changes.

Attachments: 2026-01-13 15_48_45-Integrating Wazuh with Symantec Logs.png, symantec_edr.xml

Yazid
Jan 14, 2026, 10:23:15 AM
to Wazuh | Mailing List

The custom decoder is working (I made a mistake: the logs are in RFC 3164 format with newline delimiter), but the decoder is still working.

I tested it in the decoder test and the alert is generated, but when I search for that alert I can't find any alert related to the EDR within the Wazuh Dashboard.

Attachments: screenshot1.png, screenshot2.png, wazuh2.png

Richmond Aribibia Fimie
Jan 15, 2026, 12:12:52 PM
to Wazuh | Mailing List

Hello @yazid,

The reason the alerts weren't showing on the dashboard is that we didn't create a rule for the decoder. The decoder parses the logs, but without a corresponding rule, Wazuh won't generate alerts that can be indexed and displayed.

I’ve shared the updated decoder file with you. To make it work, please add the following custom rule block into your local_rules.xml file located at:

/var/ossec/etc/rules/local_rules.xml

<group name="symantec,symantec-edr,">

  <!-- Base rule for RFC 5424 format -->
  <rule id="111000" level="3">
    <decoded_as>symantec-edr-rfc5424</decoded_as>
    <description>Symantec EDR: Event detected (RFC 5424)</description>
    <group>symantec_edr,</group>
  </rule>

  <!-- Base rule for BSD Syslog format -->
  <rule id="111001" level="3">
    <decoded_as>symantec-edr-bsd</decoded_as>
    <description>Symantec EDR: Event detected (BSD Syslog)</description>
    <group>symantec_edr,</group>
  </rule>

</group>


Attachments: Symnatec-decoder-15012026.png, Newsymsntec_decoder.xml
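As an added example (not the decoder file attached to this thread, which is not reproduced on the page), here is a decoder file implementing the decoder steps from the earlier message together with a local_rules.xml that uses the same decoder names the rules above expect and extends them with child rules keyed on fields visible in the posted samples. Assumptions, not taken from the thread: the BSD/RFC 3164 decoder relies on Wazuh's syslog pre-decoder having split "Jan 13 10:03:04 localhost.localdomain SEDR: {json}" so that program_name is SEDR and the remaining log is the bare JSON object; the RFC 5424 decoder assumes the header reaches analysisd unsplit and anchors on the structured-data element, which must be confirmed with wazuh-logtest; rule IDs 111002 and above, levels and groups are illustrative.

```xml
<!-- ===== /var/ossec/etc/decoders/symantec-edr_decoders.xml =====
     Added example, not the file attached to the thread. Decoder names match
     the <decoded_as> values used by the rules in this message. -->

<!-- RFC 3164 / BSD framing: "Jan 13 10:03:04 localhost.localdomain SEDR: {json}".
     Assumption: the syslog pre-decoder has taken timestamp, hostname and
     program name, so this decoder matches on program_name and the log that is
     left is the JSON object. The child carries the parent's name so that
     <decoded_as>symantec-edr-bsd</decoded_as> matches whichever one fires. -->
<decoder name="symantec-edr-bsd">
  <program_name>^SEDR$</program_name>
</decoder>

<decoder name="symantec-edr-bsd">
  <parent>symantec-edr-bsd</parent>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<!-- RFC 5424 framing, as in the first posted sample:
     "1 2026-01-13T10:00:34.773Z localhost.localdomain SEDR - 8006 [origin ip="192.168.50.91"] {json}".
     Assumption: the header is not split by the pre-decoder, so match the
     "SEDR - <msgid> [origin ip="a.b.c.d"]" part and hand everything after the
     trailing whitespace (the JSON object) to the JSON plugin. -->
<decoder name="symantec-edr-rfc5424">
  <prematch>SEDR - \d+ [origin ip="\d+.\d+.\d+.\d+"]\s</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

<!-- ===== /var/ossec/etc/rules/local_rules.xml =====
     Rules 111000/111001 are the base rules from this message; the child rules
     below are added examples keyed on fields the JSON decoder flattens with
     dots (edr_enriched_data.rule_name, device_name, user_name, actor.*). -->
<group name="symantec,symantec-edr,">

  <rule id="111000" level="3">
    <decoded_as>symantec-edr-rfc5424</decoded_as>
    <description>Symantec EDR: Event detected (RFC 5424)</description>
    <group>symantec_edr,</group>
  </rule>

  <rule id="111001" level="3">
    <decoded_as>symantec-edr-bsd</decoded_as>
    <description>Symantec EDR: Event detected (BSD Syslog)</description>
    <group>symantec_edr,</group>
  </rule>

  <!-- "net user" enumeration (rule_name IF.NetUser!g1 in the CEF sample) -->
  <rule id="111002" level="7">
    <if_sid>111000,111001</if_sid>
    <field name="edr_enriched_data.rule_name">^IF.NetUser</field>
    <description>Symantec EDR: account discovery ($(actor.cmd_line)) on $(device_name) by $(user_name)</description>
    <mitre><id>T1087</id></mitre>
    <group>symantec_edr,discovery,</group>
  </rule>

  <!-- default file-association handler changed (eChangeDefaultFileAssoc) -->
  <rule id="111003" level="8">
    <if_sid>111000,111001</if_sid>
    <field name="edr_enriched_data.rule_name">^eChangeDefaultFileAssoc$</field>
    <description>Symantec EDR: default file association changed by $(actor.file.name) on $(device_name)</description>
    <mitre><id>T1546</id></mitre>
    <group>symantec_edr,persistence,</group>
  </rule>

  <!-- process started by the Task Scheduler (IF.SchtasksLaunch!g2) -->
  <rule id="111004" level="5">
    <if_sid>111000,111001</if_sid>
    <field name="edr_enriched_data.rule_name">^IF.SchtasksLaunch</field>
    <description>Symantec EDR: scheduled-task launch of $(process.file.path) on $(device_name)</description>
    <mitre><id>T1053</id></mitre>
    <group>symantec_edr,persistence,</group>
  </rule>

</group>
```

Restart wazuh-manager after saving both files: wazuh-logtest loads the ruleset fresh when a session starts, but the running analysisd only sees decoder and rule changes after a restart, so a rule that fires in the tester but never in alerts.json is worth checking for this first. Then paste one event from archives.log (the text after the `->location` prefix, which is what analysisd actually received) into /var/ossec/bin/wazuh-logtest and confirm that the decoder shown in phase 2 is symantec-edr-bsd or symantec-edr-rfc5424 rather than the built-in json decoder, and that phase 3 lists rule 111001 or 111000; an event claimed by a different decoder never reaches these rules. The level-3 base rules match every EDR event, so raise or lower their level once the child rules cover what you want alerted.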

Yazid
Jan 20, 2026, 6:16:33 AM
to Wazuh | Mailing List

Hello Richmond,

Thank you for the rules you sent me and for your reply.

I followed all the steps you provided and tested the rule. The test gives me the same result you got, which seems correct. However, the Wazuh dashboard is not actually decoding or displaying any alerts from Symantec EDR.

I also verified whether the logs are being received by Wazuh, and they are indeed coming in, as you can see in the screenshot attached.

Am I missing something in the configuration, or is there anything else I should check?

Thank you in advance for your help.



Attachments: decoders.png, screenshot1.png, screen1.png, noresult2.png, localrules.png, sedrlogs.png

Richmond Aribibia Fimie
Jan 21, 2026, 9:12:10 AM
to Wazuh | Mailing List
Hello Yazid 

To help us troubleshoot, please run the following command directly on your Wazuh manager:
tail -f /var/ossec/logs/alerts/alerts.json

Yazid
Jan 22, 2026, 5:52:41 AM
to Wazuh | Mailing List

Hello @Richmond,

I am in a production environment, and I’m receiving too many alerts every second from multiple agents while running the following command:

tail -f /var/ossec/logs/alerts/alerts.json

So, I ran the same command using grep instead. As you can see in the screenshots, there are no alerts generated for the commands I tested. I waited 3 minutes for each command, and no results were returned.

Attachment: 1.png

On the other hand, the logs are being received correctly from Symantec EDR by the Wazuh manager. I also tried copying and pasting one of those logs into the rule tester, and it did trigger an alert there. However, the alert does not appear in the dashboard and is not written to alerts.json.

Attachment: 2.png

Richmond Aribibia Fimie
Jan 22, 2026, 6:28:52 AM
to Wazuh | Mailing List
Hello @Yazid

Thank you for sharing the results, I’ll run some tests on my end to validate the integration again and check the behavior in my environment. Please give me a bit of time to go through this, and I’ll get back to you with the results or any findings.

Yazid
Jan 25, 2026, 4:46:50 AM
to Wazuh | Mailing List
Hello @Richmond

Thank you for helping me up to this point. Please take your time testing and checking the behavior; I'm still waiting for your reply.

Richmond Aribibia Fimie
Jan 25, 2026, 9:35:25 AM
to Wazuh | Mailing List
Hello @Yazid 

Good day, can you also share with me a sample of the RFC 3164 with newline delimiter logs, because the shared logs are in JSON over RFC 5424 syslog.

Thank you.  

Yazid
Feb 1, 2026, 4:52:52 AM
to Wazuh | Mailing List
Hello @Richmond,
Apologies for the delayed response, and thank you for your reply.
Please find below another sample in RFC 3164 format with a newline delimiter, as requested.  

<14>Feb 01 08:44:10 localhost.localdomain SEDR: {"process":{"uid":"0326C388-FF3E-F1F0-A33B-944348B144BF","file":{"signature_level_id":60,"path":"c:\\users\\omar.mouhamed\\appdata\\local\\microsoft\\edgeupdate\\microsoftedgeupdate.exe","signature_value_ids":[3,5],"sha2":"955b5950fd92e5c5eec395b022566c9a2594ca3126d894408e2e29ba25d8b0dd","normalized_path":"CSIDL_PROFILE\\appdata\\local\\microsoft\\edgeupdate\\microsoftedgeupdate.exe","original_name":"msedgeupdate.dll","name":"microsoftedgeupdate.exe","modified":1766474798807,"md5":"b299aa9a27c330a9b44e45bd1595dbea","signature_company_name":"Microsoft Corporation"},"cmd_line":"\"C:\\Users\\omar.mouhamed\\AppData\\Local\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /c","pid":17688,"integrity_id":3,"user":{"name":"OMAR.mouhamed","sid":"S-1-5-21-3909545729-431395655-1983873778-7175"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-02-01/_doc","type_id":8001,"user_name":"OMAR.mouhamed","message":"microsoftedgeupdatecore.exe launched c:\\users\\omar.mouhamed\\appdata\\local\\microsoft\\edgeupdate\\microsoftedgeupdate.exe","device_domain":"Company-US.sg","uuid":"4aed5b50-ff3e-11f0-dcbd-00000124883f","edr_enriched_data":{"category_name":"Generic Data to be sent to Symantec EDR","category_id":201,"rule_name":"eUserExecution","suspicion_score":50,"rule_description":"User execution detected"},"log_time":"2026-02-01T08:44:10.346Z","ref_uid":"9D26955D-E9E9-42E3-B483-7DAB4EDB3110","status_detail":"Generic Data to be sent to Symantec 
EDR","device_ip":"192.168.1.22","actor":{"uid":"0326C385-FF3E-F1F0-A33B-944348B144BF","start_time":1769930345614,"file":{"signature_level_id":60,"path":"c:\\users\\omar.mouhamed\\appdata\\local\\microsoft\\edgeupdate\\1.3.217.3\\microsoftedgeupdatecore.exe","signature_value_ids":[3,5],"sha2":"e08103f9fc421c12960adde630c9ca19e7aa9b750643fbd41f2bf86776e0c056","normalized_path":"CSIDL_PROFILE\\appdata\\local\\microsoft\\edgeupdate\\1.3.217.3\\microsoftedgeupdatecore.exe","original_name":"MicrosoftEdgeUpdate.exe","name":"microsoftedgeupdatecore.exe","modified":1769412719933,"md5":"0d268c266b1b31ed8cbeaa874993876b","signature_company_name":"Microsoft Corporation"},"cmd_line":"\"C:\\Users\\omar.mouhamed\\AppData\\Local\\Microsoft\\EdgeUpdate\\1.3.217.3\\MicrosoftEdgeUpdateCore.exe\" ","pid":16584,"integrity_id":3,"user":{"name":"OMAR.mouhamed","sid":"S-1-5-21-3909545729-431395655-1983873778-7175"}},"device_name":"COMWKSD01","device_uid":"0955941c-30fd-44ad-97f4-375c5efb95f7","logging_device_name":"10.10.10.4","category_id":5,"user_domain":"Company-US","attacks":[{"technique_uid":"T1204","tactic_ids":[2],"technique_name":"User Execution","tactic_uids":["TA0002"]}],"logging_device_ip":"10.10.10.4","severity_id":1,"id":1,"device_time":1769930345861}
<14>Feb 01 08:44:10 localhost.localdomain SEDR: {"process":{"uid":"0326C38A-FF3E-F1F0-A33B-944348B144BF","file":{"signature_level_id":60,"path":"c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe","signature_value_ids":[3,5],"sha2":"f6ddbb23e51bc501001fefd33a04b61f88aeb75a0128b580be35e60e9c964c8a","normalized_path":"CSIDL_PROGRAM_FILESX86\\microsoft\\edge\\application\\msedge.exe","original_name":"msedge.exe","name":"msedge.exe","modified":1769183893397,"md5":"cbbe19eb4dd6a59de4e44575f38c4d67","signature_company_name":"Microsoft Corporation"},"cmd_line":"\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start","pid":11560,"integrity_id":3,"user":{"name":"OMAR.mouhamed","sid":"S-1-5-21-3909545729-431395655-1983873778-7175"}},"device_os_name":"Windows 10 Pro for Workstations","log_name":"epmp_events-fdr-2026-02-01/_doc","type_id":8001,"user_name":"omar.mouhamed","message":"explorer.exe launched c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe","device_domain":"Company-US.sg","uuid":"4af79480-ff3e-11f0-eda7-000001248840","edr_enriched_data":{"category_name":"Generic Data to be sent to Symantec EDR","category_id":201,"rule_name":"eUserExecution","suspicion_score":50,"rule_description":"User execution detected"},"log_time":"2026-02-01T08:44:10.346Z","ref_uid":"977B648C-5D2B-4C78-87EB-A41379219F31","status_detail":"Generic Data to be sent to Symantec EDR","device_ip":"192.168.1.22","actor":{"uid":"0326C282-FF3E-F1F0-A33B-944348B144BF","start_time":1769930315566,"file":{"signature_level_id":60,"path":"c:\\windows\\explorer.exe","signature_value_ids":[3,5],"sha2":"b25eec93b5321286e93b749efdd41c8bae7e0ff51f15576391c475f90b84a79c","normalized_path":"CSIDL_WINDOWS\\explorer.exe","original_name":"EXPLORER.EXE","name":"explorer.exe","modified":1728902097317,"md5":"f1846bb7f670919e97c2196f5eb6faa6","signature_company_name":"Microsoft 
Windows"},"cmd_line":"C:\\Windows\\Explorer.EXE","pid":3320,"integrity_id":3,"user":{"name":"OMAR.mouhamed","sid":"S-1-5-21-3909545729-431395655-1983873778-7175"}},"device_name":"SARWKSDENG02214","device_uid":"0955941c-30fd-44ad-97f4-375c5efb95f7","logging_device_name":"10.10.10.4","category_id":5,"user_domain":"Company-US","attacks":[{"technique_uid":"T1204","tactic_ids":[2],"technique_name":"User Execution","tactic_uids":["TA0002"]}],"logging_device_ip":"10.10.10.4","severity_id":1,"id":1,"device_time":1769930345928}



Attachment: logs sepm.png

Thank You.