Wazuh Decoder not extracting field


badr afilal

Dec 17, 2024, 5:57:29 AM
to Wazuh | Mailing List
Hello folks!

I have a customized nginx log that by default gets decoded by "Zeus", but I want to adjust it to also retrieve additional information like srcip, etc.

My decoder then looks like this:

<decoder name="zeus">
  <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <regex offset="after_prematch"> (\S+) - (\S+)</regex>
  <order>srcip,host</order>
</decoder>

But when receiving logs I see no field named srcip or host.

The log format looks like :

[17/Dec/2024:11:27:02 +0100] 15.15.15.15 - 10.1.10.1 - example.domain.com example.domain.com to: 10.81.1.10:8080 : POST /path/to/resource HTTP/1.1 200 4094 https://example.domain.com/path/to/page upstream_response_time 14.575 request_time 14.576 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Any help please, what do you suggest?

Bony V John

Dec 17, 2024, 7:51:32 AM
to Wazuh | Mailing List
Hello,

Based on your requirement, I have updated the decoder, and you can follow the steps below to add this custom decoder in your Wazuh environment:
Step 1: Exclude the Default Decoder
  • You need to exclude the default zeus decoder (0390-zeus_decoders.xml) from Wazuh.
  • Run the following command to edit the ossec.conf file:
       nano /var/ossec/etc/ossec.conf
  • Add the following line within the <ruleset> tag:
       <decoder_exclude>ruleset/decoders/0390-zeus_decoders.xml</decoder_exclude>
  • Save the file and exit.
Step 2: Add the New Decoder
  • Create a new decoder file for the updated zeus decoder:
       nano /var/ossec/etc/decoders/custom-zeus.xml

<decoder name="zeus">
  <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <regex offset="after_prematch">(\S+)\s-\s(\S+)</regex>
  <order>srcip, host</order>
</decoder>

  • Save the file and exit.
Step 3: Restart Wazuh Manager
  • Restart the Wazuh Manager service to apply the changes:
       systemctl restart wazuh-manager
Step 4: Test the New Decoder
  • Use the logtest tool to test the decoder with your sample log:
       /var/ossec/bin/wazuh-logtest
  • Paste your sample log into the tool to verify the decoder functionality. You can view the decoded fields to confirm the correct extraction of the host and source IP address.
I’ve also attached a screenshot of the decoder output for your reference.
Let me know if you have any further questions or face any issues!

Regards,

badr afilal

Dec 17, 2024, 8:28:57 AM
to Wazuh | Mailing List
Hello, thank you! Got it, it works perfectly!! Could you please re-adjust it so I can retrieve additional info like the following:


Log format:

[17/Dec/2024:11:27:02 +0100] 15.15.15.15 - 10.1.10.1 - example.domain.com example.domain.com to: 10.81.1.10:8080 : POST /path/to/resource HTTP/1.1 200 4094 https://example.domain.com/path/to/page upstream_response_time 14.575 request_time 14.576 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0

Updated order:

  • srcip → Source IP
  • host → Internal host
  • domain → The domain being accessed
  • upstream_ip → IP and port to which the request was sent
  • method → HTTP method (e.g., GET, POST)
  • url_path → URL path
  • response_code → HTTP response code (e.g., 200, 404)
  • response_size → Size of the response (e.g., 19630)
  • referrer → Referrer URL
  • upstream_time → Upstream response time
  • request_time → Total request time
  • user_agent → Browser's User-Agent string

Bony V John

Dec 17, 2024, 11:18:33 PM
to Wazuh | Mailing List
Hi,

I have created a sample decoder based on your requirement to extract some fields from the logs using the field names you mentioned. Please take a look at it as a reference. You can also refer to the Wazuh decoder and regex documentation to update the decoder as per your specific needs for extracting additional fields from the logs.

<decoder name="zeus">
  <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
  <regex offset="after_prematch">(\S+)\s-\s(\S+)\s-\s(\S+)\s\.*:\s(\S+):(\d+)</regex>
  <order>srcip, host, domain, upstream_ip, port</order>
</decoder>

I have attached a screenshot of the decoder output, showcasing the fields being successfully extracted.


Let me know if you have any questions or need further assistance!

Regards,
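
As an added example (not code from this thread and not Wazuh's own engine), the following Python script simulates the kind of decoder shown in Step 2 of the first reply and the extended five-field decoder in the reply above. It translates the Wazuh regex dialect used in these decoders (\d, \w, \s, \S, \., groups and repetition) into Python re syntax, matches the prematch at the start of the line, searches the regex in the remainder (offset="after_prematch") and maps the capture groups onto the <order> names, so you can see which token lands in which field before confirming with wazuh-logtest. The dictionary keys, the function names and the escape table are this example's own assumptions; the real OS_Regex engine has its own repetition and backtracking rules, so the simulator is an approximation for reasoning about a pattern, not a replacement for testing it. It also shows that, in this simulation, the leading space in the original post's regex makes the search skip past the first address, so the captures fall on the wrong tokens.

```python
"""Added example: a simulator for Wazuh-style <prematch>/<regex>/<order>
decoders. This is not Wazuh code; it approximates the OS_Regex engine."""
import re
from typing import Optional

# Constructed sample: the log line posted in the thread.
SAMPLE_LOG = (
    "[17/Dec/2024:11:27:02 +0100] 15.15.15.15 - 10.1.10.1 - "
    "example.domain.com example.domain.com to: 10.81.1.10:8080 : "
    "POST /path/to/resource HTTP/1.1 200 4094 "
    "https://example.domain.com/path/to/page "
    "upstream_response_time 14.575 request_time 14.576 "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
)

# The three decoders from the thread; the keys are this example's own names.
DECODERS = {
    "original_post": {
        "prematch": r"^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] ",
        "regex": r" (\S+) - (\S+)",  # note the leading space
        "order": "srcip,host",
    },
    "first_reply": {
        "prematch": r"^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] ",
        "regex": r"(\S+)\s-\s(\S+)",
        "order": "srcip, host",
    },
    "second_reply": {
        "prematch": r"^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] ",
        "regex": r"(\S+)\s-\s(\S+)\s-\s(\S+)\s\.*:\s(\S+):(\d+)",
        "order": "srcip, host, domain, upstream_ip, port",
    },
}

# Wazuh's dialect is narrower than Python's: \s is exactly one space,
# \S is anything but a space, \w also covers '@', '-' and '_', \. is any char.
_ESCAPES = {
    "d": "[0-9]",
    "w": "[A-Za-z0-9@_\\-]",
    "s": " ",
    "S": "[^ ]",
    ".": "(?s:.)",
    "t": "\t",
}
_PASSTHROUGH = set("()+*^$|")


def wazuh_to_python(pattern: str) -> str:
    """Translate a Wazuh pattern to Python re syntax. Characters that are
    literal in Wazuh but special in Python (such as '[' and ']') are escaped."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Unknown escapes such as "\(" are plain literals in Wazuh.
            out.append(_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in _PASSTHROUGH else re.escape(ch))
        i += 1
    return "".join(out)


def decode(decoder: dict, log: str) -> Optional[dict]:
    """Apply one decoder to one log line.

    Returns None if the prematch does not match, {} if the prematch matches
    but the regex does not, otherwise the fields named in <order>."""
    pre = re.search(wazuh_to_python(decoder["prematch"]), log)
    if pre is None:
        return None
    rest = log[pre.end():]  # offset="after_prematch"
    body = re.search(wazuh_to_python(decoder["regex"]), rest)
    if body is None:
        return {}
    names = [n.strip() for n in decoder["order"].split(",")]
    return dict(zip(names, body.groups()))


if __name__ == "__main__":
    for name, decoder in DECODERS.items():
        print(f"{name}: {decode(decoder, SAMPLE_LOG)}")
```

Running the script prints the fields each decoder would extract from the sample line; the two decoders from the replies yield srcip=15.15.15.15 and host=10.1.10.1 (plus domain, upstream_ip and port for the second), whereas the original post's pattern assigns 10.1.10.1 to srcip in this simulation, which is the kind of off-by-one-token result worth checking in wazuh-logtest before a rule depends on the field.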

badr afilal

Dec 18, 2024, 2:40:14 AM
to Wazuh | Mailing List
Thank you so much !