Matching Rule Issue

David Adonis

2:45 AM
to Wazuh | Mailing List
Intention:
- I am monitoring network traffic on my OpenWRT firewall. I use the nlbwmon package to monitor and export data, which I then send to a Wazuh server using rsyslog. The problem is that nlbwmon exports data in a JSON format that is not standard for Wazuh, and rsyslog just forwards this data inside a standard syslog message. To fix this, I wrote an automated script to standardize the nlbwmon data. This script formats the traffic data and places it directly into the msg section of the syslog message, which rsyslog then forwards. Below is an example:

[attachment: Screenshot 2025-10-18 203908.png]
- Then I configured the Wazuh server to process this data:
1. Write a decoder to parse the traffic data using JSON_Decoder
[attachment: Screenshot 2025-10-18 204109.png]
2. Write a rule with the <decoded_as>syslog_custome</decoded_as> option to match and trigger an alert

Issue:
When I tested the rule, Wazuh didn't match it and trigger an alert as I expected, though it checked out correctly with logtest.
[attachment: partial_blur (1).jpg]
[attachment: partial_blur (2).jpg]
[attachment: partial_blur (3).jpg]
- As you can see, everything seems to work correctly, but no alert is presented on the Dashboard.

- However, when I replaced the character " with \", it worked:
[attachment: partial_blur (4).jpg]

I hope someone can help me explain and fix this issue soon. Thanks.
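The following is an added example, not code from the post above nor from Wazuh or nlbwmon. It reproduces the path described in the post offline: the sender side wraps an nlbwmon-style record in a syslog line the way the poster's script does (once with plain quotes, once with the `\"` workaround), and the receiver side mimics a two-stage decoder (syslog header first, then a JSON body behind a program-tag prematch) so you can see which wire form actually parses. The decoder name `syslog_custome` is taken from the post; the program tag `nlbwmon`, the record field names, the PRI value 134 and the `rx_bytes` threshold in the stand-in rule are assumptions, and the sample record is constructed.

```python
"""Reproduce the nlbwmon -> rsyslog -> Wazuh path offline.

The sender side builds the same kind of syslog line the post's script hands
to rsyslog; the receiver side mimics a two-stage decoder (syslog header,
then JSON body) so you can see which form of the payload parses.
"""
import json
import re

# Constructed sample record in the shape of an nlbwmon per-host counter row.
# The field names are assumed; they are not taken from the post.
SAMPLE_RECORD = {
    "mac": "aa:bb:cc:dd:ee:ff",
    "ip": "192.168.1.20",
    "rx_bytes": 123456,
    "tx_bytes": 65432,
    "layer7": "HTTPS",
}

TAG = "nlbwmon"               # assumed program tag used as the prematch
FIXED_TS = "Oct 18 20:39:08"  # fixed so the output is deterministic


def build_syslog_line(record, host="openwrt", escape_quotes=False):
    """Wrap a record as an RFC 3164 style line; PRI 134 is local0.info.

    escape_quotes=True reproduces the workaround from the post: every '"'
    in the JSON body is replaced by '\\"' before the line is handed over.
    """
    body = json.dumps(record, separators=(",", ":"))
    if escape_quotes:
        body = body.replace('"', '\\"')
    return f"<134>{FIXED_TS} {host} {TAG}: {body}"


# Stage 1: the generic syslog header. Named groups stand in for the fields a
# syslog decoder would populate (hostname, program name and the message).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$"
)


def json_parses(text):
    """True when text is accepted as JSON without any modification."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def decode(line):
    """Stage 2: prematch on the program tag, then hand the body to JSON.

    Returns None when the line is not ours (no rule could fire), otherwise a
    dict with a 'json_ok' flag and, on success, the decoded fields. A body
    that arrives with backslash-escaped quotes is unescaped once before
    parsing and reported via 'double_escaped', so both wire forms decode.
    """
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != TAG:
        return None
    msg = m.group("msg")
    # A legitimate JSON string may contain \" inside a value, so only treat
    # the body as double-escaped when it does not parse as it stands.
    double_escaped = '\\"' in msg and not json_parses(msg)
    candidate = msg.replace('\\"', '"') if double_escaped else msg
    result = {
        "decoder": "syslog_custome",
        "double_escaped": double_escaped,
        "json_ok": json_parses(candidate),
    }
    if result["json_ok"]:
        result.update(json.loads(candidate))
    else:
        result["raw_msg"] = msg
    return result


def rule_fires(decoded, min_rx_bytes=100_000):
    """Stand-in for a rule with <decoded_as>syslog_custome</decoded_as> that
    also matches on a decoded field (the rx_bytes threshold is assumed)."""
    return (
        decoded is not None
        and decoded["decoder"] == "syslog_custome"
        and decoded["json_ok"]
        and decoded.get("rx_bytes", 0) >= min_rx_bytes
    )


if __name__ == "__main__":
    for escaped in (False, True):
        line = build_syslog_line(SAMPLE_RECORD, escape_quotes=escaped)
        d = decode(line)
        print(f"escape_quotes={escaped}: wire={line}")
        print(f"  decoded={d}\n  rule_fires={rule_fires(d)}")
```

The check this supports: wazuh-logtest only sees the exact text pasted into it, while the live rule sees whatever rsyslog delivered to the manager, so take one real line as it arrives on the manager (from a packet capture or from the file rsyslog writes there), feed it to decode(), and compare the result with the line used in logtest. The post does not establish why the `\"` form matches in production, so the script only reports which form parses rather than assuming a cause.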