Escaping < and > characters in Decoder


ccM

Oct 24, 2024, 7:56:56 AM
to Wazuh | Mailing List
Hi,

I am trying to build a decoder for a log file which contains fields like this: <30>.
So my regex to match is <\d+>.*
I have tried different ways to escape the < and > characters but no luck.
I have tried to simplify my log file and my decoder to just decode the <30> part of the log file:

Used a backslash to escape < and >:
<decoder name="ubiquiti-switch-decoder-parent">
    <prematch>^Switchdata : </prematch>
</decoder>

<decoder name="ubiquiti-switch-decoder">
  <parent>ubiquiti-switch-decoder-parent</parent>
  <regex type="pcre2">SwitchData : \<\d+\>.*</regex>
  <order>severity</order>
</decoder>

Used &lt; and &gt; to escape < and >:
<decoder name="ubiquiti-switch-decoder-parent">
    <prematch>^Switchdata : </prematch>
</decoder>

<decoder name="ubiquiti-switch-decoder">
  <parent>ubiquiti-switch-decoder-parent</parent>
  <regex type="pcre2">SwitchData : &lt; \d+&gt;.*</regex>
  <order>severity</order>
</decoder>


Used \&lt; and \&gt; to escape < and >:
<decoder name="ubiquiti-switch-decoder-parent">
    <prematch>^Switchdata : </prematch>
</decoder>

<decoder name="ubiquiti-switch-decoder">
  <parent>ubiquiti-switch-decoder-parent</parent>
  <regex type="pcre2">SwitchData : \&lt; \d+\&gt;.*</regex>
  <order>severity</order>
</decoder>


None of these solutions works. Any ideas how to escape < > the right way?
Thanks a lot

hasitha.u...@wazuh.com

Oct 24, 2024, 8:17:43 AM
to Wazuh | Mailing List
Hi ccM,

You can use the \p Regex (OS_Regex) syntax to solve your issue.

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html#regex-os-regex-syntax
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

If it still does not work, share sample logs with me so I can assist further.

Let me know if this resolves your issue.

Regards,
Hasitha Upekshitha

ccM

Oct 24, 2024, 8:26:28 AM
to Wazuh | Mailing List
Hi, thanks for the advice.
I am normally using pcre2 regex for my decoders. I am not sure how to build a decoder with OS_Regex.
Any ideas how to achieve this in pcre2 regex?
My log file looks like this:

SwitchData : 2024-10-24 12:22:16,385 <29>Oct 24 14:22:16 Test1 68d79ee2427e,UAP-AC-LR-6.6.77+15402

ccM

Oct 24, 2024, 9:25:52 AM
to Wazuh | Mailing List
The order should be like this:
(2024-10-24 12:22:16,385) (<29>)(Oct 24 14:22:16) (Test1) (68d79ee2427e),(UAP-AC-LR-6.6.77+15402)
timestamp, severity, UTCTimestamp, hostname, mac, device

ccM

Oct 24, 2024, 9:33:28 AM
to Wazuh | Mailing List
And my regex is this:
^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+<(\d+)>([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+),(\S+)$
It works fine on https://regex101.com/
but escaping the < > characters is not working for me.

hasitha.u...@wazuh.com

Oct 31, 2024, 4:30:06 AM
to Wazuh | Mailing List
Hi ccM,

I have created a decoder for you using pcre2 regex. I have used \W to match < and > as "non-word" characters.
Ref: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
For more details you can refer to this.

You can create a new file like this, or you can use the existing custom decoder file /var/ossec/etc/decoders/local_decoder.xml.

nano /var/ossec/etc/decoders/test_new_decoders.xml

<decoder name="testSwitch">
  <prematch>SwitchData</prematch>
</decoder>

<decoder name="testSwitch-custom">
  <parent>testSwitch</parent>
  <regex type="pcre2">(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \W(\d{2})\W([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+),(\S+)</regex>
  <order>logTimestamp,Severity,UTCTimestamp,Hostname,MAC,Device</order>
</decoder>

Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

Let me know if this resolves the issue.

Regards,
Hasitha Upekshitha


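The following script is an added example, not code from the thread or from the Wazuh project. It models the two things that decide whether each spelling tried in the first post works: what an XML parser hands to the regex engine for the body of a `<regex>` element, and whether the resulting pattern matches the sample line posted later in the thread. Python's `re` module stands in for PCRE2 (the patterns used here behave identically in both), and `xml.etree` stands in for Wazuh's own XML loader, so the assumption is that the loader follows standard XML entity rules; the `entity_exact` pattern is ours, added to show the plain `&lt;`/`&gt;` form with no stray space beside the `\W` form from the answer above.

```python
"""Added example: what an XML parser hands to the regex engine for each
spelling of '<' and '>' tried in this thread, and whether the resulting
pattern matches the sample line. Python's re module stands in for PCRE2;
xml.etree stands in for Wazuh's own XML loader (assumption: it applies the
same standard entity rules)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample line, in the format quoted in the thread.
SAMPLE = ("SwitchData : 2024-10-24 12:22:16,385 <29>Oct 24 14:22:16 "
          "Test1 68d79ee2427e,UAP-AC-LR-6.6.77+15402")

# <regex> element bodies exactly as typed in the decoder attempts above,
# plus one of ours ("entity_exact") using plain entities with no stray space.
ATTEMPTS = {
    "backslash":         r"SwitchData : \<\d+\>.*",
    "entity_with_space": r"SwitchData : &lt; \d+&gt;.*",
    "backslash_entity":  r"SwitchData : \&lt; \d+\&gt;.*",
    "nonword_W": (r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \W(\d{2})\W"
                  r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+),(\S+)"),
    "entity_exact": (r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) &lt;(\d+)&gt;"
                     r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+),(\S+)"),
}


def regex_from_xml(regex_text):
    """Return the pattern string an XML parser delivers for a <regex> body.

    Raises ET.ParseError when the body is not well-formed XML (a raw '<' in
    element text, for example). The throwaway <decoders> root exists only
    because xml.etree needs a single root element.
    """
    doc = ('<decoders><decoder name="t"><regex type="pcre2">'
           + regex_text + '</regex></decoder></decoders>')
    return ET.fromstring(doc).find("./decoder/regex").text


def try_decode(regex_text, line):
    """Return ('xml-error' | 'no-match' | 'match', captured groups or None)."""
    try:
        pattern = regex_from_xml(regex_text)
    except ET.ParseError:
        return "xml-error", None
    m = re.search(pattern, line)
    if m is None:
        return "no-match", None
    return "match", m.groups()


if __name__ == "__main__":
    for name, body in ATTEMPTS.items():
        status, groups = try_decode(body, SAMPLE)
        print(f"{name:18} {status:9} {groups}")
    # \W accepts any non-word character, so it also swallows "[29]";
    # the entity form only accepts the literal angle brackets.
    loose = SAMPLE.replace("<29>", "[29]")
    print("nonword_W on [29]:   ", try_decode(ATTEMPTS["nonword_W"], loose)[0])
    print("entity_exact on [29]:", try_decode(ATTEMPTS["entity_exact"], loose)[0])
```

Running it shows that the backslash attempt never reaches the regex engine at all (a raw `<` inside element text is not well-formed XML), that the two entity attempts from the first post parse fine but fail only because of the space between `&lt;` and `\d+`, and that both `\W(\d{2})\W` and `&lt;(\d+)&gt;` extract the same six fields. The difference is precision: `\W` also matches `[29]` or ` 29 `, so the entity form is the one to prefer when the severity field must be bracketed exactly as the device writes it.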

ccM

Nov 7, 2024, 9:45:02 AM
to Wazuh | Mailing List
Thanks, that helped.