Sorry for my late response.
We don't currently have those decoders, but we can help you create a custom decoder.
Since the logs you shared with us do not have information about the program, they can be formatted when they are collected by the agent, before being sent to the manager. That is, you can use the <out_format> option in the <localfile> section of your ossec.conf to set text that will be decoded as program_name, which will make it easier to match with the decoder.
1. For example:
<out_format>$(timestamp) $(hostname) consulAndNomad: $(log)</out_format>
2. Restart the wazuh-agent to apply the configuration:
systemctl restart wazuh-agent
3. Now, let's add the following custom JSON decoder that will allow us to decode the log format you have shared. Add the following decoder in /var/ossec/etc/decoders/local_decoder.xml
Note that the <program_name> is the same text that we added in the <out_format> configuration.
The JSON decoder will extract the fields contained in the JSON event as dynamic fields, starting from the end of the prematch text (the original log).
4. In addition, we could define a rule for these decoded events:
<group name="local,">
  <rule id="100002" level="5">
    <!-- matches the program_name text set with <out_format> on the agent -->
    <program_name>consulAndNomad</program_name>
    <description>Consul and Nomad event</description>
  </rule>
</group>
I hope this helps. Please let me know if you have any questions!
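The three pieces above (agent-side out_format, manager-side decoder, manager-side rule) assembled end to end, as an added example that is not the reply's own configuration; the log path, decoder and group names, and the @level key of the JSON events are assumptions:

```xml
<!-- Agent side, <localfile> in /var/ossec/etc/ossec.conf (path is an assumption) -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/consul-nomad.log</location>
  <!-- Prepend a syslog-style header so the manager pre-decodes
       "consulAndNomad" as program_name; the raw JSON line follows ": ".
       Constructed sample as the manager receives it:
       Apr  1 12:00:00 node1 consulAndNomad: {"@level":"error","@message":"raft: leader lost"} -->
  <out_format>$(timestamp) $(hostname) consulAndNomad: $(log)</out_format>
</localfile>

<!-- Manager side, /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="consul-nomad-json">
  <!-- Only fires for events whose pre-decoded program_name is the text above -->
  <program_name>consulAndNomad</program_name>
  <!-- After the syslog header is stripped, the remaining log starts with the JSON object -->
  <prematch>^{</prematch>
  <!-- Every key in the object becomes a dynamic field usable in rules as <field name="..."> -->
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<!-- Manager side, /var/ossec/etc/rules/local_rules.xml -->
<group name="local,consul,nomad,">
  <!-- Base rule: any event handled by the decoder above -->
  <rule id="100002" level="5">
    <decoded_as>consul-nomad-json</decoded_as>
    <description>Consul and Nomad event</description>
  </rule>

  <!-- Child rule: raise severity when the JSON "@level" field is "error".
       The "@level" key name is an assumption about the JSON log format. -->
  <rule id="100003" level="10">
    <if_sid>100002</if_sid>
    <field name="@level">^error$</field>
    <description>Consul/Nomad error-level event</description>
  </rule>
</group>
```

On the manager, /var/ossec/bin/wazuh-logtest (ossec-logtest on older releases) lets you paste the formatted line and confirm the program_name, the extracted dynamic fields and the rule that fires before restarting wazuh-manager.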