Custom Audiocodes SBC Decoder


Andrehens Chicfici

Jan 27, 2026, 9:26:38 AM
to Wazuh | Mailing List
Hey,

I've desperately tried to build a custom decoder for Audiocodes Session Border Controllers but I can't get them to work.
They're sending via syslog but the log format is just _weird_.

I built RegExes with Regex101 which work on _some_ strings but never get a child decoder working. 

Logs look something like

2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17183] [BID=bc2577:83] RAISE-ALARM:acProxyConnectionLost: [HA-Main] Proxy Set Alarm Proxy Set 1 (OXE): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:9; [Time:23-01@03:05:53.371] [19508657]
2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17184] [BID=bc2577:83] RAISE-ALARM:acIpGroupNoRouteAlarm: [HA-Main] IP Group is temporarily blocked. IP Group (OXE Vodafone Default) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#3; Unique ID:10; [Time:23-01@03:05:53.372] [19508660]
2026-01-23T03:05:54.178838+01:00 192.168.180.15 [S=17185] [SID=bc2577:83:159074] (N 18040269)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 1588718582...@192.168.180.31 [Time:23-01@03:05:53.519] [19508665]
2026-01-23T03:06:11.345569+01:00 192.168.180.15 [S=17186] [SID=bc2577:83:159076] (N 18040299)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 112361762...@192.168.180.31 [Time:23-01@03:06:10.686] [19508697]
2026-01-23T03:06:21.147926+01:00 192.168.180.15 [S=17187] [BID=bc2577:83] (N 18040317)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:23-01@03:06:20.488] [19508717]
2026-01-23T03:06:21.148347+01:00 192.168.180.15 [S=17188] [BID=bc2577:83] (N 18040319)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:23-01@03:06:20.488] [19508719]
2026-01-23T03:06:28.151753+01:00 192.168.180.15 [S=17189] [SID=bc2577:83:159078] (N 18040336)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 5844438552...@192.168.180.31 [Time:23-01@03:06:27.492] [19508737]
2026-01-23T03:06:45.151462+01:00 192.168.180.15 [S=17190] [SID=bc2577:83:159081] (N 18040387)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 1223532157...@192.168.180.31 [Time:23-01@03:06:44.492] [19508792]
2026-01-23T03:06:48.771166+01:00 192.168.180.15 [S=17191] [BID=bc2577:83] (N 18040401)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:23-01@03:06:48.111] [19508808]
2026-01-23T03:06:48.771166+01:00 192.168.180.15 [S=17192] [BID=bc2577:83] (N 18040403)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:23-01@03:06:48.111] [19508810]
2026-01-23T03:07:02.168722+01:00 192.168.180.15 [S=17193] [SID=bc2577:83:159084] (N 18040640)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 1225487361...@192.168.180.31 [Time:23-01@03:07:01.509] [19509065]
2026-01-23T03:07:07.518192+01:00 192.168.180.15 [S=17194] [SID=bc2577:83:159086] (N 18040667)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.858] [19509094]
2026-01-23T03:07:07.518192+01:00 192.168.180.15 [S=17195] [SID=bc2577:83:159086] (N 18040669)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.858] [19509096]
2026-01-23T03:07:07.533423+01:00 192.168.180.15 [S=17196] [SID=bc2577:83:159087] (N 18040684)?? [WARNING] Can't find matching dialog for ACK request. Call-ID: voQlJjc4XdCd:xvA [Time:23-01@03:07:06.874] [19509114]
2026-01-23T03:07:07.579022+01:00 192.168.180.15 [S=17197] [SID=bc2577:83:159088] (N 18040699)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.919] [19509130]
2026-01-23T03:07:07.579022+01:00 192.168.180.15 [S=17198] [SID=bc2577:83:159088] (N 18040701)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.919] [19509132]
2026-01-23T03:07:07.594375+01:00 192.168.180.15 [S=17199] [SID=bc2577:83:159089] (N 18040716)?? [WARNING] Can't find matching dialog for ACK request. Call-ID: 8ZTmm8oEgg4X6AUV [Time:23-01@03:07:06.935] [19509150]

2026-01-27T14:32:55.503714+01:00 192.168.180.15  [S=46920] [BID=bc2577:83]  (N 20026931)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:32:52.208] [21657916]
2026-01-27T14:32:55.503714+01:00 192.168.180.15  [S=46921] [BID=bc2577:83]  (N 20026933)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:32:52.208] [21657918]
2026-01-27T14:33:23.644433+01:00 192.168.180.15  [S=46922] [BID=bc2577:83]  (N 20027396)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:33:20.348] [21658414]
2026-01-27T14:33:23.645236+01:00 192.168.180.15  [S=46923] [BID=bc2577:83]  (N 20027398)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:33:20.349] [21658416]
2026-01-27T14:33:51.515995+01:00 192.168.180.15  [S=46924] [BID=bc2577:83]  (N 20027557)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:33:48.220] [21658584]
2026-01-27T14:33:51.515995+01:00 192.168.180.15  [S=46925] [BID=bc2577:83]  (N 20027559)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:33:48.220] [21658586]
2026-01-27T14:34:19.627964+01:00 192.168.180.15  [S=46926] [BID=bc2577:83]  (N 20027598)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:34:16.332] [21658630]
2026-01-27T14:34:19.627964+01:00 192.168.180.15  [S=46927] [BID=bc2577:83]  (N 20027600)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:34:16.332] [21658632]
2026-01-27T14:34:47.514271+01:00 192.168.180.15  [S=46928] [BID=bc2577:83]  (N 20027929)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:34:44.219] [21658986]
2026-01-27T14:34:47.514271+01:00 192.168.180.15  [S=46929] [BID=bc2577:83]  (N 20027931)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:34:44.219] [21658988]
2026-01-27T14:35:15.638334+01:00 192.168.180.15  [S=46930] [BID=bc2577:83]  (N 20028408)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:35:12.343] [21659498]
2026-01-27T14:35:15.638334+01:00 192.168.180.15  [S=46931] [BID=bc2577:83]  (N 20028410)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:35:12.343] [21659500]

At first it doesn't send a hostname. So with multiple devices I think I need to match it via the IP? Next is that different types of error messages seem to be available. I tried some RegExes like \[S=(\d++)] \[BID=(\S+) RAISE-ALARM:(\S+ )\[(HA-Main)](\s+)(.*?)\s+\(([^)]+)\):\s+([^;]+); Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)\]\s+\[(\d+)\] or
\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main]\s+(.*?)\s+\(([^)]+)\):\s+([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)\]\s+\[(\d+)\] but none match the child decoder.

My current attempt looks like:

<decoder name="SBC">
  <prematch>[S=</prematch>
</decoder>

<!-- Child decoder for RAISE-ALARM logs -->
<decoder name="SBC_RAISE_ALARM">
  <parent>SBC</parent>
  <regex type="pcre2">(\d+)\]\s+\[BID=([^\]]+)]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main]\s+(.*?)\s+\(([^)]+)\):\s+([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)]\s+\[(\d+)]</regex>
  <order>s_id bid alarm_code component site alarm_message severity source unique_id event_time event_id</order>
</decoder>

This at least matches the s_id but nothing more. I am running out of ideas on how to get a working decoder...

**Phase 1: Completed pre-decoding.
        full event: '2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17183] [BID=bc2577:83] RAISE-ALARM:acProxyConnectionLost: [HA-Main] Proxy Set Alarm Proxy Set 1 (OXE): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:9; [Time:23-01@03:05:53.371] [19508657]'
        timestamp: '2026-01-23T03:05:54.032649+01:00'

**Phase 2: Completed decoding.
        name: 'SBC'
        s_id: '17183'

If anyone has ideas I would be very happy...

cheers chic


J. Rome

Jan 27, 2026, 10:30:41 AM
to Wazuh | Mailing List
Hello Andrehens,

I'll forward your query to the Wazuh team and get back to you with an answer asap.

Cheers.

J. Rome

Jan 27, 2026, 12:14:27 PM
to Wazuh | Mailing List

Your child decoder isn't matching because the regex starts with (\d+)]
which won't match when there's content before it. After pre-decoding,
Wazuh strips the timestamp/hostname, leaving: [S=17183] [BID=bc2577:83] RAISE-ALARM:...

Pre-decoding docs:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#pre-decoding

Tentative fix:

Use offset="after_prematch" to tell the child decoder to start matching
right after [S= (recommended):

Decoder syntax docs (see "offset" attribute):
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#regex


<decoder name="SBC_RAISE_ALARM">
  <parent>SBC</parent>
  <regex type="pcre2" offset="after_prematch">(\d+)]\s+\[BID=([^\]]+)]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main]\s+(.+?)(?:\s+\(([^)]+)\))?\s*:\s*([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)]\s+\[(\d+)]</regex>
  <order>s_id,bid,alarm_code,component,site,alarm_message,severity,source,unique_id,event_time,event_id</order>
</decoder>

OR match the full pattern from the start (include [S= in the regex):


<decoder name="SBC_RAISE_ALARM">
  <parent>SBC</parent>
  <regex type="pcre2">\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main\]\s+(.*?)\s+\(([^)]+)\):\s+([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,bid,alarm_code,component,site,alarm_message,severity,source,unique_id,event_time,event_id</order>
</decoder>

Note: Use commas in <order>, not spaces!

Decoder order attribute docs:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#order

For other log types, add more child decoders:

Parent/child decoder docs:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#parent

<decoder name="SBC_WARNING">
  <parent>SBC</parent>
  <regex type="pcre2">\[S=(\d+)\]\s+\[(?:SID|BID)=([^\]]+)\]\s+\([^\)]+\)\?\?\s+\[WARNING\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,session_id,warning_message,event_time,event_id</order>
</decoder>

<decoder name="SBC_ERROR">
  <parent>SBC</parent>
  <regex type="pcre2">\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+\([^\)]+\)!!\s+\[ERROR\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,bid,error_message,event_time,event_id</order>
</decoder>

DOCUMENTATION REFERENCES:

- Custom decoders guide:
  https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- Testing decoders with wazuh-logtest:
  https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
- PCRE2 regex support:
  https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#type
- Pre-decoded fields (srcip, hostname, etc):
  https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#decoded-fields

Hope this helps!

Andrehens Chicfici

Jan 29, 2026, 3:52:43 AM
to Wazuh | Mailing List
Wow, THANK YOU @J.Rome!!!

The RAISE-ALARM decoder works!
But the Error and Warning decoders won't... Will dig deeper into that.

cheers chic

Andrehens Chicfici

Feb 5, 2026, 7:30:18 AM
to Wazuh | Mailing List
So I went back to this project and the weird thing is:

This log message gets decoded:

2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17183] [BID=bc2577:83] RAISE-ALARM:acProxyConnectionLost: [HA-Main] Proxy Set Alarm Proxy Set 1 (OXE): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:9; [Time:23-01@03:05:53.371] [19508657]

and this doesn't:

2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17184] [BID=bc2577:83] RAISE-ALARM:acIpGroupNoRouteAlarm: [HA-Main] IP Group is temporarily blocked. IP Group (OXE Vodafone Default) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#3; Unique ID:10; [Time:23-01@03:05:53.372] [19508660]

with this decoder:

<decoder name="SBC">
  <prematch>[S=</prematch>
</decoder>
<decoder name="SBC_RAISE_ALARM">
  <parent>SBC</parent>
  <regex type="pcre2">\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main\]\s+(.*?)\s+\(([^)]+)\):\s+([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,bid,alarm_code,component,site,alarm_message,severity,source,unique_id,event_time,event_id</order>
</decoder>


Also I am not getting a decoder working for all the ERROR and WARNING messages...
2026-01-27T14:32:55.503714+01:00 192.168.180.15  [S=46920] [BID=bc2577:83]  (N 20026931)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:32:52.208] [21657916]
2026-01-27T14:32:55.503714+01:00 192.168.180.15  [S=46921] [BID=bc2577:83]  (N 20026933)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:32:52.208] [21657918]
2026-01-27T14:33:23.644433+01:00 192.168.180.15  [S=46922] [BID=bc2577:83]  (N 20027396)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:33:20.348] [21658414]
2026-01-27T14:33:23.645236+01:00 192.168.180.15  [S=46923] [BID=bc2577:83]  (N 20027398)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:33:20.349] [21658416]
2026-01-27T14:33:51.515995+01:00 192.168.180.15  [S=46924] [BID=bc2577:83]  (N 20027557)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:33:48.220] [21658584]
2026-01-27T14:33:51.515995+01:00 192.168.180.15  [S=46925] [BID=bc2577:83]  (N 20027559)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:33:48.220] [21658586]
2026-01-27T14:34:19.627964+01:00 192.168.180.15  [S=46926] [BID=bc2577:83]  (N 20027598)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:34:16.332] [21658630]
2026-01-27T14:34:19.627964+01:00 192.168.180.15  [S=46927] [BID=bc2577:83]  (N 20027600)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:34:16.332] [21658632]
2026-01-27T14:34:47.514271+01:00 192.168.180.15  [S=46928] [BID=bc2577:83]  (N 20027929)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:34:44.219] [21658986]
2026-01-27T14:34:47.514271+01:00 192.168.180.15  [S=46929] [BID=bc2577:83]  (N 20027931)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:34:44.219] [21658988]
2026-01-27T14:35:15.638334+01:00 192.168.180.15  [S=46930] [BID=bc2577:83]  (N 20028408)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:35:12.343] [21659498]
2026-01-27T14:35:15.638334+01:00 192.168.180.15  [S=46931] [BID=bc2577:83]  (N 20028410)!! [ERROR] SIPStackEngine::HandleReceivedMessage - Basic error in Message [Time:27-01@14:35:12.343] [21659500]

2026-01-23T03:07:02.168722+01:00 192.168.180.15 [S=17193] [SID=bc2577:83:159084] (N 18040640)?? [WARNING] Can't find matching transaction for response 408 to OPTIONS. Call-ID: 123773612...@192.168.180.31 [Time:23-01@03:07:01.509] [19509065]

2026-01-23T03:07:07.518192+01:00 192.168.180.15 [S=17194] [SID=bc2577:83:159086] (N 18040667)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.858] [19509094]
2026-01-23T03:07:07.518192+01:00 192.168.180.15 [S=17195] [SID=bc2577:83:159086] (N 18040669)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.858] [19509096]
2026-01-23T03:07:07.533423+01:00 192.168.180.15 [S=17196] [SID=bc2577:83:159087] (N 18040684)?? [WARNING] Can't find matching dialog for ACK request. Call-ID: voQlJjc4XdCd:xvA [Time:23-01@03:07:06.874] [19509114]
2026-01-23T03:07:07.579022+01:00 192.168.180.15 [S=17197] [SID=bc2577:83:159088] (N 18040699)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.919] [19509130]
2026-01-23T03:07:07.579022+01:00 192.168.180.15 [S=17198] [SID=bc2577:83:159088] (N 18040701)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.919] [19509132]
2026-01-23T03:07:07.594375+01:00 192.168.180.15 [S=17199] [SID=bc2577:83:159089] (N 18040716)?? [WARNING] Can't find matching dialog for ACK request. Call-ID: 8ZTmm8oEgg4X6AUV [Time:23-01@03:07:06.935] [19509150]

This device is driving me insane...


cheers
chic

J. Rome

Feb 9, 2026, 11:49:40 AM
to Wazuh | Mailing List
Good catch - the mismatch is in your `RAISE-ALARM` pattern, not in the Wazuh decoding flow.

Your current regex requires this exact shape:

- `... (site): message;`

But the failing line uses:

- `... (site) Blocked Reason: message;`

So this part fails: `\s+\(([^)]+)\):\s+([^;]+);`

Use this decoder set instead (handles both `):` and `Blocked Reason:` plus your `ERROR`/`WARNING` variants):

```xml
<decoder name="SBC">
  <prematch type="pcre2">\[S=</prematch>
</decoder>

<decoder name="SBC_RAISE_ALARM">
  <parent>SBC</parent>
  <prematch type="pcre2">RAISE-ALARM:</prematch>
  <regex type="pcre2">\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main\]\s+(.*?)(?:\s+\(([^)]+)\))?\s*(?::|Blocked Reason:)\s*([^;]+);\s+Severity:([^;]+);\s+Source:([^;]+);\s+Unique ID:([^;]+);\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,bid,alarm_code,component,site,alarm_message,severity,source,unique_id,event_time,event_id</order>
</decoder>

<decoder name="SBC_WARNING">
  <parent>SBC</parent>
  <prematch type="pcre2">\[WARNING\]</prematch>
  <regex type="pcre2">\[S=(\d+)\]\s+\[(?:SID|BID)=([^\]]+)\]\s+\(N\s+\d+\)\?\?\s+\[WARNING\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,session_or_board_id,warning_message,event_time,event_id</order>
</decoder>

<decoder name="SBC_ERROR">
  <parent>SBC</parent>
  <prematch type="pcre2">\[ERROR\]</prematch>
  <regex type="pcre2">\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+\(N\s+\d+\)!!\s+\[ERROR\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]</regex>
  <order>s_id,bid,error_message,event_time,event_id</order>
</decoder>
```


Docs:
- https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
- https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

Andrehens Chicfici

Feb 11, 2026, 5:47:26 AM
to Wazuh | Mailing List

That worked! Perfect! Thanks a lot @J. Rome!!!

Andrehens Chicfici

Feb 11, 2026, 9:34:17 AM
to Wazuh | Mailing List
Okay just checked whether all error logs can be handled. Most did but I found some cases where the ERROR messages contain a [SID=bc2577:83:242575] field instead of [BID=bc2577:83:242575]. I changed my regex to:

\[S=(\d+)\]\s+\[.ID=([^\]]+)\]\s+\(N\s+\d+\)!!\s+\[ERROR\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]

Maybe there is a smarter solution? Like in my WARNING-decoder?:

\[S=(\d+)\]\s+\[(?:SID|BID)=([^\]]+)\]\s+\(N\s+\d+\)\?\?\s+\[WARNING\]\s+(.+?)\s+\[Time:([^\]]+)\]\s+\[(\d+)\]

But there is still one ERROR-message case that can't get decoded:

2026-02-11T15:10:50.013996+01:00  192.168.180.15   [S=145560] [SID=bc2577:83:242575]  (N 27589876)!! [ERROR] AcSIPParser [Manipulation Parsing] Parse error: "Unexpected symbol 'S'. Expected digit". (L:1,C:1)Parsed line: Session-Expires: 1800;refresher=uac#015

I guess that's because of the []-brackets after AcSIPParser and the following text with the " " and ' ' escape characters. Daaamn regexing sucks...


cheers
chic
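As an added offline check that is not part of the thread (written by the editor, not by either poster and not Wazuh code), the Python script below runs the regexes from J. Rome's final decoder set, with the ERROR child using the `(?:SID|BID)` alternative from the WARNING decoder as asked in the last post, over lines copied from this thread, including the ERROR line that would not decode. It emulates only the prematch-then-regex-then-`<order>` steps with Python's `re` module, so `wazuh-logtest` remains the authority on what the real engine does.

```python
import re

# Tail shared by every child regex in the final decoder set.
TRAILER = r"\s+\[Time:([^\]]+)\]\s+\[(\d+)\]"

# (decoder name, child prematch substring, regex, <order> field names).
# Regexes are those of the final decoder set; the ERROR child borrows the
# (?:SID|BID) alternative from the WARNING child instead of the [.ID= form.
DECODERS = [
    ("SBC_RAISE_ALARM", "RAISE-ALARM:",
     r"\[S=(\d+)\]\s+\[BID=([^\]]+)\]\s+RAISE-ALARM:([^:]+):\s+\[HA-Main\]\s+(.*?)"
     r"(?:\s+\(([^)]+)\))?\s*(?::|Blocked Reason:)\s*([^;]+);\s+Severity:([^;]+);"
     r"\s+Source:([^;]+);\s+Unique ID:([^;]+);" + TRAILER,
     ["s_id", "bid", "alarm_code", "component", "site", "alarm_message",
      "severity", "source", "unique_id", "event_time", "event_id"]),
    ("SBC_WARNING", "[WARNING]",
     r"\[S=(\d+)\]\s+\[(?:SID|BID)=([^\]]+)\]\s+\(N\s+\d+\)\?\?\s+\[WARNING\]\s+(.+?)"
     + TRAILER,
     ["s_id", "session_or_board_id", "warning_message", "event_time", "event_id"]),
    ("SBC_ERROR", "[ERROR]",
     r"\[S=(\d+)\]\s+\[(?:SID|BID)=([^\]]+)\]\s+\(N\s+\d+\)!!\s+\[ERROR\]\s+(.+?)"
     + TRAILER,
     ["s_id", "session_or_board_id", "error_message", "event_time", "event_id"]),
]
COMPILED = [(n, p, re.compile(r), o) for n, p, r, o in DECODERS]


def decode(line):
    """Emulate parent prematch -> child prematch -> child regex -> <order>.
    Returns (decoder_name, fields) for the first matching child, else None."""
    if "[S=" not in line:                      # parent <prematch>[S=</prematch>
        return None
    for name, prematch, rx, order in COMPILED:
        if prematch not in line:               # child prematch
            continue
        m = rx.search(line)
        if m:
            return name, {k: v for k, v in zip(order, m.groups()) if v is not None}
    return None


def has_trailer(line):
    """True when the line ends with the '[Time:...] [n]' pair every regex requires."""
    return re.search(TRAILER + r"\s*$", line) is not None


# Constructed sample set copied from the thread; the last line is the ERROR
# message that would not decode (it ends in '#015' with no [Time:...] [n] pair).
SAMPLES = [
    "2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17183] [BID=bc2577:83] RAISE-ALARM:acProxyConnectionLost: [HA-Main] Proxy Set Alarm Proxy Set 1 (OXE): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:9; [Time:23-01@03:05:53.371] [19508657]",
    "2026-01-23T03:05:54.032649+01:00 192.168.180.15 [S=17184] [BID=bc2577:83] RAISE-ALARM:acIpGroupNoRouteAlarm: [HA-Main] IP Group is temporarily blocked. IP Group (OXE Vodafone Default) Blocked Reason: No Working Proxy; Severity:major; Source:Board#1/IPGroup#3; Unique ID:10; [Time:23-01@03:05:53.372] [19508660]",
    "2026-01-23T03:07:07.518192+01:00 192.168.180.15 [S=17194] [SID=bc2577:83:159086] (N 18040667)?? [WARNING] Route Failed! IPGroup 3 is not alive [Time:23-01@03:07:06.858] [19509094]",
    """2026-01-27T14:32:55.503714+01:00 192.168.180.15  [S=46920] [BID=bc2577:83]  (N 20026931)!! [ERROR] AcSIPParser [SIP Message Headers] Parse error: "Unexpected symbol ' ' in scheme.". (L:1,C:18)Parsed line: Cirpack KeepAlive Packet [Time:27-01@14:32:52.208] [21657916]""",
    """2026-02-11T15:10:50.013996+01:00  192.168.180.15   [S=145560] [SID=bc2577:83:242575]  (N 27589876)!! [ERROR] AcSIPParser [Manipulation Parsing] Parse error: "Unexpected symbol 'S'. Expected digit". (L:1,C:1)Parsed line: Session-Expires: 1800;refresher=uac#015""",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = decode(line)
        note = "" if has_trailer(line) else "  <- no [Time:...] [n] trailer"
        print(result[0] if result else "NO MATCH", line[33:75], note)
```

The first four samples decode, brackets inside the error message included; the last one fails because the regex tail `\[Time:...\]\s+\[(\d+)\]` has nothing to match, which `has_trailer` reports.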