Need help with troubleshooting decoder rule


Дмитрий Усачев

Nov 10, 2025, 7:44:44 AM
to Wazuh | Mailing List
Hi there!
I need some help with my custom decoder rule. I need to update my custom decoder rule because the input syslog was changed.

Now, my decoder looks like this:

<decoder name="prod-ideco-sn15 suricata">
    <prematch>prod-ideco-sn15 suricata</prematch>
    <regex>(\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_ip:(\.*), src_ip_type:(\.*), src_port:(\.*), src_country:(\.*), src_country_code:(\.*), src_session_uuid:(\.*), src_user_id:(\.*), src_user_name:(\.*), dest_ip:(\.*), dest_ip_type:(\.*), dest_port:(\.*), dest_country:(\.*), dest_country_code:(\.*), dest_session_uuid:(\.*), dest_user_id:(\.*), dest_user_name:(\.*), proto:(\.*), alert.signature_id:(\.*), alert.signature:(\.*), alert.category:(\.*), alert.severity:(\.*), alert.gid:(\.*), alert.action:(\.*), http.hostname:(\.*), http.url:(\.*), http.http_user_agent:(\.*), flow.pkts_toserver:(\.*), flow.pkts_toclient:(\.*), flow.bytes_toserver:(\.*), flow.bytes_toclient:(\.*), flow.start:(\.*), flow.end:(\.*), flow.age:(\.*), flow.state:(\.*), flow.reason:(\.*), flow.alerted:(\.*), tcp.tcp_flags:(\.*), tcp.tcp_flags_ts:(\.*), tcp.tcp_flags_tc:(\.*), tcp.cwr:(\.*), tcp.ecn:(\.*), tcp.urg:(\.*), tcp.ack:(\.*), tcp.psh:(\.*), tcp.rst:(\.*), tcp.syn:(\.*), tcp.fin:(\.*), tcp.state:(\.*)</regex>
    <order>time,flow_id,in_iface,sensor_name,event_type,srcip,src_ip_type,srcport,src_country,src_country_code,src_session_uuid,srcuser_id,src_user_name,dstip,dest_ip_type,dstport,dest_country,dest_country_code,dest_session_uuid,dest_user_id,dest_user_name,proto,alert_signature_id,alert_signature,alert_category,alert_severity,alert_gid,alert_action,http_hostname,url,http_user_agent,flow_pkts_toserver,flow_pkts_toclient,flow_bytes_toserver,flow_bytes_toclient,flow_start,flow_end,flow_age,flow_state,flow_reason,flow_alerted,tcp.tcp_flags,tcp.tcp_flags_ts,tcp.tcp_flags_tc,tcp.cwr,tcp_ecn,tcp_urg,tcp_ack,tcp_psh,tcp_rst,tcp_syn,tcp_fin,tcp_state</order>
</decoder>

It worked for a long time, but some time ago 2 of the field names were changed. Specifically: src_user_id -> src_user_object_id, dst_user_id -> dst_user_object_id

But when I tried to change my decoder as shown below, I get:
Error
Could not upload decoder (1113) - XML syntax error

<decoder name="prod-ideco-sn15 suricata">
    <prematch>prod-ideco-sn15 suricata</prematch>
    <regex>(\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_ip:(\.*), src_ip_type:(\.*), src_port:(\.*), src_country:(\.*), src_country_code:(\.*), src_session_uuid:(\.*), src_user_object_id:(\.*), src_user_name:(\.*), dest_ip:(\.*), dest_ip_type:(\.*), dest_port:(\.*), dest_country:(\.*), dest_country_code:(\.*), dest_session_uuid:(\.*), dest_user_object_id:(\.*), dest_user_name:(\.*), proto:(\.*), alert.signature_id:(\.*), alert.signature:(\.*), alert.category:(\.*), alert.severity:(\.*), alert.gid:(\.*), alert.action:(\.*), http.hostname:(\.*), http.url:(\.*), http.http_user_agent:(\.*), flow.pkts_toserver:(\.*), flow.pkts_toclient:(\.*), flow.bytes_toserver:(\.*), flow.bytes_toclient:(\.*), flow.start:(\.*), flow.end:(\.*), flow.age:(\.*), flow.state:(\.*), flow.reason:(\.*), flow.alerted:(\.*), tcp.tcp_flags:(\.*), tcp.tcp_flags_ts:(\.*), tcp.tcp_flags_tc:(\.*), tcp.cwr:(\.*), tcp.ecn:(\.*), tcp.urg:(\.*), tcp.ack:(\.*), tcp.psh:(\.*), tcp.rst:(\.*), tcp.syn:(\.*), tcp.fin:(\.*), tcp.state:(\.*)</regex>
    <order>time,flow_id,in_iface,sensor_name,event_type,srcip,src_ip_type,srcport,src_country,src_country_code,src_session_uuid,srcuser_id,src_user_name,dstip,dest_ip_type,dstport,dest_country,dest_country_code,dest_session_uuid,dest_user_id,dest_user_name,proto,alert_signature_id,alert_signature,alert_category,alert_severity,alert_gid,alert_action,http_hostname,url,http_user_agent,flow_pkts_toserver,flow_pkts_toclient,flow_bytes_toserver,flow_bytes_toclient,flow_start,flow_end,flow_age,flow_state,flow_reason,flow_alerted,tcp.tcp_flags,tcp.tcp_flags_ts,tcp.tcp_flags_tc,tcp.cwr,tcp_ecn,tcp_urg,tcp_ack,tcp_psh,tcp_rst,tcp_syn,tcp_fin,tcp_state</order>
</decoder>

What did I do wrong?

Syslog example:
1 2025-11-10T14:51:06+03:00 prod-ideco suricata - - - flow_id:565630372212250, in_iface:, sensor_name:ideco-ips, event_type:alert, src_ip:143.20.185.23, src_ip_type:external, src_port:43498, src_country:США, src_country_code:US, src_session_uuid:, src_user_object_id:, src_user_name:, dest_ip:185.31.161.102, dest_ip_type:external, dest_port:80, dest_country:Россия, dest_country_code:RU, dest_session_uuid:, dest_user_object_id:, dest_user_name:, proto:TCP, alert.signature_id:1802289, alert.signature:IP blocklist, alert.category:Чёрный список IP-адресов, alert.severity:3, alert.gid:1, alert.action:blocked, http.hostname:, http.url:, http.http_user_agent:, flow.pkts_toserver:1, flow.pkts_toclient:0, flow.bytes_toserver:40, flow.bytes_toclient:0, flow.start:2025-11-10 11:51:06.393840, flow.end:2025-11-10 11:51:06.394842, flow.age:0, flow.state:, flow.reason:, flow.alerted:0, tcp.tcp_flags:, tcp.tcp_flags_ts:, tcp.tcp_flags_tc:, tcp.cwr:0, tcp.ecn:0, tcp.urg:0, tcp.ack:0, tcp.psh:0, tcp.rst:0, tcp.syn:0, tcp.fin:0, tcp.state:

Nicolas Alejandro Bertoldo

Nov 10, 2025, 8:36:14 AM
to Wazuh | Mailing List
Hi warhammerik,

Let me examine your decoder and I will get back to you with an answer as soon as possible.
Can you confirm that the first decoder is loaded by the manager without errors?

Regards

Дмитрий Усачев

Nov 10, 2025, 9:16:06 AM
to Wazuh | Mailing List
Yep, it works now if I try the decoder test on the old version of the log (attachment: Скриншот 10-11-2025 164716.png)


Monday, November 10, 2025 at 16:36:14 UTC+3, Nicolas Alejandro Bertoldo:

Nicolas Alejandro Bertoldo

Nov 10, 2025, 10:57:07 AM
to Wazuh | Mailing List
Hi warhammerik,

I have tested your decoder locally and the problem is the size of the string within <regex></regex>. The maximum supported size is 1024 characters, and your new decoder has 1033 characters.

Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: ERROR: (1104): Maximum string size reached for: (\.*) flow_id:(\.*), in_iface:(\.*), sensor_name:(\.*), event_type:(\.*), src_i>
Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: ERROR: (2107): Decoder configuration error: 'prod-ideco-sn15 suricata'.
Nov 10 13:50:19 wazuh-server env[8366]: 2025/11/10 13:50:19 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/local_decoder.xml'.


In this case, since it is a complex log type, I recommend using sibling decoders.

Regards.

Дмитрий Усачев

Nov 11, 2025, 1:12:54 AM
to Wazuh | Mailing List
IDK why, but I think Wazuh can't decode program_name correctly in my case.

**Phase 1: Completed pre-decoding. full event: '1 2025-11-10T14:51:06+03:00 prod-ideco suricata - - - flow_id:565630372212250, in_iface:, sensor_name:ideco-ips, event_type:alert, src_ip:143.20.185.93, src_ip_type:external, src_port:43498, src_country:США, src_country_code:US, src_session_uuid:, src_user_object_id:, src_user_name:, dest_ip:185.31.161.76, dest_ip_type:external, dest_port:80, dest_country:Россия, dest_country_code:RU, dest_session_uuid:, dest_user_object_id:, dest_user_name:, proto:TCP, alert.signature_id:1802289, alert.signature:IP blocklist, alert.category:Чёрный список IP-адресов, alert.severity:3, alert.gid:1, alert.action:blocked, http.hostname:, http.url:, http.http_user_agent:, flow.pkts_toserver:1, flow.pkts_toclient:0, flow.bytes_toserver:40, flow.bytes_toclient:0, flow.start:2025-11-10 11:51:06.393840, flow.end:2025-11-10 11:51:06.394842, flow.age:0, flow.state:, flow.reason:, flow.alerted:0, tcp.tcp_flags:, tcp.tcp_flags_ts:, tcp.tcp_flags_tc:, tcp.cwr:0, tcp.ecn:0, tcp.urg:0, tcp.ack:0, tcp.psh:0, tcp.rst:0, tcp.syn:0, tcp.fin:0, tcp.state:' **Phase 2: Completed decoding. No decoder matched.
So, this is what I do:
My decoder:

<decoder name="ideco">
  <program_name>suricata</program_name>
</decoder>

<decoder name="ideco">
  <parent>ideco</parent>
  <regex>flow_id:(\.*),</regex>
  <order>flow_id</order>
</decoder>

I expect the decoded field flow_id in my case, but it doesn't work as I expected.
Monday, November 10, 2025 at 18:57:07 UTC+3, Nicolas Alejandro Bertoldo:

Nicolas Alejandro Bertoldo

Nov 11, 2025, 10:06:55 AM
to Wazuh | Mailing List
Warhammerik,

The problem is that the event header does not have a standard syslog format, so the pre-decoder stage is failing.
In Wazuh, for logs in syslog format, the syslog header is pre-decoded automatically, and we cannot re-decode or override those headers using custom decoders.
At the moment, the only practical option is to add an extra value or prefix to each log before it’s analyzed by wazuh-analysisd. Once the log has been analyzed, we can’t modify it further.
So, I would recommend following the same approach you’re currently using — instead of directly forwarding the logs to the Wazuh Manager, use a custom script or a Wazuh agent localfile monitor to prepend a static identifier or tag to each log.
For example, if you’re monitoring the logs through a Wazuh agent localfile configuration, you can configure out_format in the agent that collects the logs:

<localfile>
    <log_format>syslog</log_format>
    <location>/your/path/your_file.log</location>
    <out_format>Suricata: $(log)</out_format>
</localfile>

With this configuration, the Wazuh agent will automatically add the prefix Suricata: before each log line before sending it to the Wazuh Manager.
If you’re forwarding logs from a syslog server instead of a Wazuh agent, you can refer to the relevant Wazuh Slack community discussion on how to achieve this with rsyslog.

Additionally, in the upcoming Wazuh 5.0 release, the rule engine is expected to be upgraded with enhanced capabilities. This improvement should help address limitations like these in future versions.

Regards
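The two recommendations in this thread, splitting the oversized <regex> into sibling decoders and prepending a static tag with out_format, fit together. The script below is an added example written for this thread; it is not Wazuh's code and not the original poster's decoder. It takes the key list from the decoder posted above (after the rename to src_user_object_id / dest_user_object_id), measures the single-regex form against the 1024-character limit reported by error (1104), and emits a parent decoder plus sibling children whose <regex> each stay under that limit. Assumptions: the parent prematches the literal "Suricata: " prefix from the <out_format> example, the decoder name "ideco-suricata" is a placeholder, the leading (\.*) capture from the original ("time" in <order>, which only captured the header) is dropped, and every key in the line is written in the same OS_Regex syntax as the posted decoder, where \. means "any character" and a plain dot is literal. Because OS_Regex searches unanchored unless the pattern starts with ^, the header in front of flow_id: does not matter to the children. Each sibling regex consumes, without capturing, the key that follows its last field, so the last (\.*) stops where the single-decoder form would have stopped.

```python
"""Generate Wazuh sibling decoders for a long key:value log line.

Added example for this thread (not Wazuh's code, not the poster's decoder).
Field names come from the decoder posted in the thread; "ideco-suricata" and the
"^Suricata: " prematch are assumptions matching the out_format advice above.
"""
from xml.sax.saxutils import escape

MAX_REGEX_LEN = 1024  # limit named in the wazuh-analysisd (1104) error

# Keys exactly as they appear in the log line, in order, after the rename.
TOKENS = [
    "flow_id", "in_iface", "sensor_name", "event_type",
    "src_ip", "src_ip_type", "src_port", "src_country", "src_country_code",
    "src_session_uuid", "src_user_object_id", "src_user_name",
    "dest_ip", "dest_ip_type", "dest_port", "dest_country", "dest_country_code",
    "dest_session_uuid", "dest_user_object_id", "dest_user_name", "proto",
    "alert.signature_id", "alert.signature", "alert.category", "alert.severity",
    "alert.gid", "alert.action", "http.hostname", "http.url", "http.http_user_agent",
    "flow.pkts_toserver", "flow.pkts_toclient", "flow.bytes_toserver",
    "flow.bytes_toclient", "flow.start", "flow.end", "flow.age", "flow.state",
    "flow.reason", "flow.alerted", "tcp.tcp_flags", "tcp.tcp_flags_ts",
    "tcp.tcp_flags_tc", "tcp.cwr", "tcp.ecn", "tcp.urg", "tcp.ack", "tcp.psh",
    "tcp.rst", "tcp.syn", "tcp.fin", "tcp.state",
]

# <order> names: Wazuh's standard names for the network fields; every other key
# keeps its name with "." replaced by "_", as the thread's own <order> mostly does.
ORDER_OVERRIDES = {"src_ip": "srcip", "src_port": "srcport",
                   "dest_ip": "dstip", "dest_port": "dstport", "http.url": "url"}


def capture(token):
    # One captured value in the OS_Regex syntax the posted decoder uses.
    return f"{token}:(\\.*)"


def full_regex(tokens):
    # The single-decoder form from the thread: header capture, then all keys.
    return "(\\.*) " + ", ".join(capture(t) for t in tokens)


def sibling_regex(chunk, next_token):
    # The key after the chunk is consumed but not captured, so the last (\.*)
    # stops where the original did.  The final chunk captures to end of line.
    body = ", ".join(capture(t) for t in chunk)
    if next_token is not None:
        body += f", {next_token}:"
    return body


def pack_fields(tokens, limit=MAX_REGEX_LEN):
    # Greedy split: extend the current chunk while its regex, including the
    # terminator key, stays strictly under the limit.
    chunks, current = [], []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        candidate = current + [tok]
        if current and len(sibling_regex(candidate, nxt)) >= limit:
            chunks.append(current)
            current = [tok]
        else:
            current = candidate
    if current:
        chunks.append(current)
    return chunks


def order_name(token):
    return ORDER_OVERRIDES.get(token, token.replace(".", "_"))


def build_decoders(name, prematch, tokens, limit=MAX_REGEX_LEN):
    # Parent only prematches the prefix; each child extracts one slice of keys.
    chunks = pack_fields(tokens, limit)
    parts = [f'<decoder name="{name}">\n  <prematch>{escape(prematch)}</prematch>\n</decoder>']
    for i, chunk in enumerate(chunks):
        nxt = chunks[i + 1][0] if i + 1 < len(chunks) else None
        regex = sibling_regex(chunk, nxt)
        assert len(regex) < limit, f"sibling {i} is {len(regex)} chars"
        order = ",".join(order_name(t) for t in chunk)
        parts.append(
            f'<decoder name="{name}">\n  <parent>{name}</parent>\n'
            f'  <regex>{escape(regex)}</regex>\n  <order>{order}</order>\n</decoder>'
        )
    return "\n\n".join(parts)


if __name__ == "__main__":
    print(f"single regex: {len(full_regex(TOKENS))} chars (limit {MAX_REGEX_LEN})")
    print(build_decoders("ideco-suricata", "^Suricata: ", TOKENS))
```

With the thread's key list, full_regex() comes out at exactly the 1033 characters the error reported, and the pre-rename list (src_user_id / dest_user_id, 7 characters shorter each) at 1019, which is why the old decoder loaded and the new one did not. The greedy packer puts 51 keys in the first sibling (1022 characters) and tcp.state alone in the second; pass a smaller limit, for example 600, to get more evenly sized children. After pasting the output into local_decoder.xml, feed a prefixed sample line ("Suricata: 1 2025-11-10T14:51:06+03:00 prod-ideco suricata - - - flow_id:...") to wazuh-logtest and check that the fields of every sibling appear in Phase 2 output, since that is the only authoritative confirmation of how the sibling children are evaluated.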
