Here's an example of what the decoder could look like:
<decoder name="dell_switch">
  <parent>syslog</parent>
  <prematch type="pcre2">Dell EMC \(OS10\) %</prematch>
  <regex type="pcre2">%([^:]+)</regex>
  <order>dell_switch_message</order>
</decoder>
This decoder is a child of the syslog decoder. The <prematch> tag restricts it to lines containing the "Dell EMC (OS10) %" prefix, and the regular expression %([^:]+) (declared as PCRE2 so the [^:] character class is understood; the default Wazuh regex syntax does not support it) extracts the string after the % sign up to the first colon. The extracted string is stored in a new field called dell_switch_message, which is named directly in the <order> tag. Wazuh decoders have no <rename> tag, so the final field name has to be given in <order>.
Once the decoder is created, you can create a new rule to use the decoder.
The rule should use the dell_switch decoder and look for the extracted message in the log message.
Here's an example of what the rule could look like:
<rule id="100001" level="5">
  <if_sid>695</if_sid>
  <decoded_as>dell_switch</decoded_as>
  <match type="pcre2">Node\.1-Unit\.1:PRI \[event\], Dell EMC \(OS10\) %</match>
  <field name="dell_switch_message">\.+</field>
  <description>Dell switch message received</description>
</rule>
This rule only evaluates events that already matched rule 695 (<if_sid>) and were decoded by the dell_switch decoder (<decoded_as>; rules reference a decoder with <decoded_as>, not <decoder>). It then checks for the static Dell EMC (OS10) prefix with <match> and requires the extracted dell_switch_message field to be non-empty using the <field> tag, which is how a rule tests a decoded field.
If the message is found, the rule generates an alert with a description of "Dell switch message received".
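To see what the decoder and rule above will do before loading them into Wazuh, the following added example (not code from the original post or from the Wazuh project) applies the same regular expressions in Python to a constructed Dell OS10 log line. The text after the % sign and the second, non-matching line are invented for illustration; the if_sid 695 dependency is not modelled. It shows the caveat that [^:]+ stops at the first colon, so only the event keyword before the colon ends up in dell_switch_message.

```python
import re

# Constructed sample lines (not real switch output): one in the format the rule
# expects, one generic syslog line that should produce no alert.
SAMPLE_DELL_LOG = "Node.1-Unit.1:PRI [event], Dell EMC (OS10) %PORT_UP: Ethernet1/1/1 is up"
SAMPLE_OTHER_LOG = "sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000"

# Same patterns as the dell_switch decoder and rule 100001, as PCRE2-style regexes.
DECODER_PREMATCH = re.compile(r"Dell EMC \(OS10\) %")
DECODER_REGEX = re.compile(r"%([^:]+)")
RULE_MATCH = re.compile(r"Node\.1-Unit\.1:PRI \[event\], Dell EMC \(OS10\) %")


def decode_dell_switch(line):
    """Mimic the decoder: prematch must hit, then the regex capture becomes the field."""
    if not DECODER_PREMATCH.search(line):
        return {}
    m = DECODER_REGEX.search(line)
    if not m:
        return {}
    # [^:]+ stops at the first colon, so the field holds only the event keyword.
    return {"dell_switch_message": m.group(1)}


def evaluate_rule(line, fields):
    """Mimic rule 100001: static prefix must match and the decoded field must be non-empty."""
    if not RULE_MATCH.search(line):
        return None
    if not fields.get("dell_switch_message"):
        return None
    return {"id": 100001, "level": 5, "description": "Dell switch message received"}


def process(line):
    """Run a log line through the decoder, then the rule; returns (fields, alert_or_None)."""
    fields = decode_dell_switch(line)
    return fields, evaluate_rule(line, fields)


if __name__ == "__main__":
    for line in (SAMPLE_DELL_LOG, SAMPLE_OTHER_LOG):
        fields, alert = process(line)
        print(line)
        print("  fields:", fields)
        print("  alert: ", alert)
```

If you want the whole message rather than just the keyword before the colon, change the decoder regex to something like %(.+) (still PCRE2) and the field will contain everything after the % sign.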
After creating the decoder and rule, you can test them using the wazuh-logtest utility located in /var/ossec/bin/.
Input the example log message into wazuh-logtest to test the decoder and rule: