Need help with troubleshooting decoder rule


Дмитрий Усачев

Nov 10, 2025, 7:44:44 AM
to Wazuh | Mailing List
Hi there!
I need some help with my custom decoder rule. I need to update my custom decoder because the input syslog was changed.

Currently, my decoder looks like this:

<decoder name="prod-ideco-sn15 suricata">
    <prematch>prod-ideco-sn15 suricata</prematch>
    <regex>(\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_ip:(\.*), src_ip_type:(\.*), src_port:(\.*), src_country:(\.*), src_country_code:(\.*), src_session_uuid:(\.*), src_user_id:(\.*), src_user_name:(\.*), dest_ip:(\.*), dest_ip_type:(\.*), dest_port:(\.*), dest_country:(\.*), dest_country_code:(\.*), dest_session_uuid:(\.*), dest_user_id:(\.*), dest_user_name:(\.*), proto:(\.*), alert.signature_id:(\.*), alert.signature:(\.*), alert.category:(\.*), alert.severity:(\.*), alert.gid:(\.*), alert.action:(\.*), http.hostname:(\.*), http.url:(\.*), http.http_user_agent:(\.*), flow.pkts_toserver:(\.*), flow.pkts_toclient:(\.*), flow.bytes_toserver:(\.*), flow.bytes_toclient:(\.*), flow.start:(\.*), flow.end:(\.*), flow.age:(\.*), flow.state:(\.*), flow.reason:(\.*), flow.alerted:(\.*), tcp.tcp_flags:(\.*), tcp.tcp_flags_ts:(\.*), tcp.tcp_flags_tc:(\.*), tcp.cwr:(\.*), tcp.ecn:(\.*), tcp.urg:(\.*), tcp.ack:(\.*), tcp.psh:(\.*), tcp.rst:(\.*), tcp.syn:(\.*), tcp.fin:(\.*), tcp.state:(\.*)</regex>
    <order>time,flow_id,in_iface,sensor_name,event_type,srcip,src_ip_type,srcport,src_country,src_country_code,src_session_uuid,srcuser_id,src_user_name,dstip,dest_ip_type,dstport,dest_country,dest_country_code,dest_session_uuid,dest_user_id,dest_user_name,proto,alert_signature_id,alert_signature,alert_category,alert_severity,alert_gid,alert_action,http_hostname,url,http_user_agent,flow_pkts_toserver,flow_pkts_toclient,flow_bytes_toserver,flow_bytes_toclient,flow_start,flow_end,flow_age,flow_state,flow_reason,flow_alerted,tcp.tcp_flags,tcp.tcp_flags_ts,tcp.tcp_flags_tc,tcp.cwr,tcp_ecn,tcp_urg,tcp_ack,tcp_psh,tcp_rst,tcp_syn,tcp_fin,tcp_state</order>
</decoder>

It worked for a long time, but some time ago the names of 2 fields were changed. Specifically: field src_user_id -> src_user_object_id, dst_user_id -> dst_user_object_id

But when I tried to change my decoder as shown below, I got:
Error
Could not upload decoder (1113) - XML syntax error

<decoder name="prod-ideco-sn15 suricata">
    <prematch>prod-ideco-sn15 suricata</prematch>
    <regex>(\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_ip:(\.*), src_ip_type:(\.*), src_port:(\.*), src_country:(\.*), src_country_code:(\.*), src_session_uuid:(\.*), src_user_object_id:(\.*), src_user_name:(\.*), dest_ip:(\.*), dest_ip_type:(\.*), dest_port:(\.*), dest_country:(\.*), dest_country_code:(\.*), dest_session_uuid:(\.*), dest_user_object_id:(\.*), dest_user_name:(\.*), proto:(\.*), alert.signature_id:(\.*), alert.signature:(\.*), alert.category:(\.*), alert.severity:(\.*), alert.gid:(\.*), alert.action:(\.*), http.hostname:(\.*), http.url:(\.*), http.http_user_agent:(\.*), flow.pkts_toserver:(\.*), flow.pkts_toclient:(\.*), flow.bytes_toserver:(\.*), flow.bytes_toclient:(\.*), flow.start:(\.*), flow.end:(\.*), flow.age:(\.*), flow.state:(\.*), flow.reason:(\.*), flow.alerted:(\.*), tcp.tcp_flags:(\.*), tcp.tcp_flags_ts:(\.*), tcp.tcp_flags_tc:(\.*), tcp.cwr:(\.*), tcp.ecn:(\.*), tcp.urg:(\.*), tcp.ack:(\.*), tcp.psh:(\.*), tcp.rst:(\.*), tcp.syn:(\.*), tcp.fin:(\.*), tcp.state:(\.*)</regex>
    <order>time,flow_id,in_iface,sensor_name,event_type,srcip,src_ip_type,srcport,src_country,src_country_code,src_session_uuid,srcuser_id,src_user_name,dstip,dest_ip_type,dstport,dest_country,dest_country_code,dest_session_uuid,dest_user_id,dest_user_name,proto,alert_signature_id,alert_signature,alert_category,alert_severity,alert_gid,alert_action,http_hostname,url,http_user_agent,flow_pkts_toserver,flow_pkts_toclient,flow_bytes_toserver,flow_bytes_toclient,flow_start,flow_end,flow_age,flow_state,flow_reason,flow_alerted,tcp.tcp_flags,tcp.tcp_flags_ts,tcp.tcp_flags_tc,tcp.cwr,tcp_ecn,tcp_urg,tcp_ack,tcp_psh,tcp_rst,tcp_syn,tcp_fin,tcp_state</order>
</decoder>

What did I do wrong?

Syslog example:
1 2025-11-10T14:51:06+03:00 prod-ideco suricata - - - flow_id:565630372212250, in_iface:, sensor_name:ideco-ips, event_type:alert, src_ip:143.20.185.23, src_ip_type:external, src_port:43498, src_country:США, src_country_code:US, src_session_uuid:, src_user_object_id:, src_user_name:, dest_ip:185.31.161.102, dest_ip_type:external, dest_port:80, dest_country:Россия, dest_country_code:RU, dest_session_uuid:, dest_user_object_id:, dest_user_name:, proto:TCP, alert.signature_id:1802289, alert.signature:IP blocklist, alert.category:Чёрный список IP-адресов, alert.severity:3, alert.gid:1, alert.action:blocked, http.hostname:, http.url:, http.http_user_agent:, flow.pkts_toserver:1, flow.pkts_toclient:0, flow.bytes_toserver:40, flow.bytes_toclient:0, flow.start:2025-11-10 11:51:06.393840, flow.end:2025-11-10 11:51:06.394842, flow.age:0, flow.state:, flow.reason:, flow.alerted:0, tcp.tcp_flags:, tcp.tcp_flags_ts:, tcp.tcp_flags_tc:, tcp.cwr:0, tcp.ecn:0, tcp.urg:0, tcp.ack:0, tcp.psh:0, tcp.rst:0, tcp.syn:0, tcp.fin:0, tcp.state:

Nicolas Alejandro Bertoldo

Nov 10, 2025, 8:36:14 AM
to Wazuh | Mailing List
Hi warhammerik,

Let me examine your decoder and I will get back to you with an answer as soon as possible.
Can you confirm that the first decoder is loaded by the manager without errors?

Regards

Дмитрий Усачев

Nov 10, 2025, 9:16:06 AM
to Wazuh | Mailing List
Yep, it works now if I try to use the decoder test on the old version of the log.
Attachment: Скриншот 10-11-2025 164716.png



Nicolas Alejandro Bertoldo

Nov 10, 2025, 10:57:07 AM
to Wazuh | Mailing List
Hi warhammerik,

I have tested your decoder locally and the problem is the size of the string within <regex></regex>. The maximum supported size is 1024 characters, and your new decoder has 1033 characters.

Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: ERROR: (1104): Maximum string size reached for: (\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_i>
Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: ERROR: (2107): Decoder configuration error: 'prod-ideco-sn15 suricata'.
Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/local_decoder.xml'.


In this case, since it is a complex log type, I recommend using sibling decoders.

Regards.
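A worked sketch of the sibling-decoder layout recommended above, added here as an illustration and not a decoder from the thread or from Wazuh's own ruleset. It keeps the thread's prematch and OS_Regex `(\.*)` captures, assumes Wazuh's convention that child decoders sharing one name and parent are siblings whose matched fields are all extracted, and ends each sibling's regex with the next literal key so the final greedy capture stops there instead of swallowing the rest of the line; field names with dots are normalised to underscores, and no single <regex> is anywhere near the 1024-character limit.

```xml
<!-- Added example, not the original poster's decoder: the 1033-char regex split into
     a parent plus four sibling children. Each sibling ends on the next literal key
     (e.g. ", dest_ip:") so its last (\.*) capture does not run to end of line. -->
<decoder name="prod-ideco-sn15-suricata">
  <prematch>prod-ideco-sn15 suricata</prematch>
</decoder>

<!-- Sibling 1: flow header and source-side fields (src_user_object_id is the renamed field) -->
<decoder name="prod-ideco-sn15-suricata-fields">
  <parent>prod-ideco-sn15-suricata</parent>
  <regex offset="after_parent">flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_ip:(\.*), src_ip_type:(\.*), src_port:(\.*), src_country:(\.*), src_country_code:(\.*), src_session_uuid:(\.*), src_user_object_id:(\.*), src_user_name:(\.*), dest_ip:</regex>
  <order>flow_id,in_iface,sensor_name,event_type,srcip,src_ip_type,srcport,src_country,src_country_code,src_session_uuid,src_user_object_id,src_user_name</order>
</decoder>

<!-- Sibling 2: destination-side fields (dest_user_object_id is the renamed field), proto and alert.* -->
<decoder name="prod-ideco-sn15-suricata-fields">
  <parent>prod-ideco-sn15-suricata</parent>
  <regex offset="after_parent">dest_ip:(\.*), dest_ip_type:(\.*), dest_port:(\.*), dest_country:(\.*), dest_country_code:(\.*), dest_session_uuid:(\.*), dest_user_object_id:(\.*), dest_user_name:(\.*), proto:(\.*), alert.signature_id:(\.*), alert.signature:(\.*), alert.category:(\.*), alert.severity:(\.*), alert.gid:(\.*), alert.action:(\.*), http.hostname:</regex>
  <order>dstip,dest_ip_type,dstport,dest_country,dest_country_code,dest_session_uuid,dest_user_object_id,dest_user_name,proto,alert_signature_id,alert_signature,alert_category,alert_severity,alert_gid,alert_action</order>
</decoder>

<!-- Sibling 3: http.* and flow.* fields -->
<decoder name="prod-ideco-sn15-suricata-fields">
  <parent>prod-ideco-sn15-suricata</parent>
  <regex offset="after_parent">http.hostname:(\.*), http.url:(\.*), http.http_user_agent:(\.*), flow.pkts_toserver:(\.*), flow.pkts_toclient:(\.*), flow.bytes_toserver:(\.*), flow.bytes_toclient:(\.*), flow.start:(\.*), flow.end:(\.*), flow.age:(\.*), flow.state:(\.*), flow.reason:(\.*), flow.alerted:(\.*), tcp.tcp_flags:</regex>
  <order>http_hostname,url,http_user_agent,flow_pkts_toserver,flow_pkts_toclient,flow_bytes_toserver,flow_bytes_toclient,flow_start,flow_end,flow_age,flow_state,flow_reason,flow_alerted</order>
</decoder>

<!-- Sibling 4: tcp.* fields; tcp.state is the last key, so its capture may run to end of line -->
<decoder name="prod-ideco-sn15-suricata-fields">
  <parent>prod-ideco-sn15-suricata</parent>
  <regex offset="after_parent">tcp.tcp_flags:(\.*), tcp.tcp_flags_ts:(\.*), tcp.tcp_flags_tc:(\.*), tcp.cwr:(\.*), tcp.ecn:(\.*), tcp.urg:(\.*), tcp.ack:(\.*), tcp.psh:(\.*), tcp.rst:(\.*), tcp.syn:(\.*), tcp.fin:(\.*), tcp.state:(\.*)</regex>
  <order>tcp_flags,tcp_flags_ts,tcp_flags_tc,tcp_cwr,tcp_ecn,tcp_urg,tcp_ack,tcp_psh,tcp_rst,tcp_syn,tcp_fin,tcp_state</order>
</decoder>
```

After loading it, run the sample line through wazuh-logtest and check that fields from all four siblings appear in the decoded output; a sibling whose regex fails simply contributes nothing, so a missing group of fields points at the sibling that needs adjusting.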