Wazuh Custom Decoder if log has multiple pattern
795 views
Skip to first unread message
Haziq Mt Roslan
Nov 5, 2023, 8:56:01 PM11/5/23
to Wazuh | Mailing List
Hi team,
I have been trying to learn on how to make custom decoder and rules in wazuh. I have succeeded some but I have been struggling with one log which have multiple pattern such as below:
Oct 31 19:20:39 user-1 WAN: WAN 2 - ALI DDSW (Priority 1) disconnected (WAN failed PING test)
Oct 31 19:20:43 user-1 WAN: WAN - ILA - DDWQ (Priority 1) disconnected (WAN failed PING test)
Nov 5 02:42:39 user-1 WAN: WAN - ALI - SAAQ (Priority 1) connected (22.22.22.22)
I have succeeded to make the 2nd and 3rd log but for the first one it still take other non neccessary part of the log which look like this:
**Phase 2: Completed decoding.
name: 'peplink_wan'
desc: 'WAN failed PING test'
interface: 'WAN 2'
isp: ' ALI DDSW (Priority 1) disconnected (WAN failed PING test)'
priority: '1'
status: 'disconnected'
Supposedly, it only take the ALI DDSW for the isp. This is how my decoder looks like:
Oct 31 19:20:39 user-1 WAN: WAN 2 - ALI DDSW (Priority 1) disconnected (WAN failed PING test)
Oct 31 19:20:43 user-1 WAN: WAN - ILA - DDWQ (Priority 1) disconnected (WAN failed PING test)
Nov 5 02:42:39 user-1 WAN: WAN - ALI - SAAQ (Priority 1) connected (22.22.22.22)
I have succeeded to make the 2nd and 3rd log but for the first one it still take other non neccessary part of the log which look like this:
**Phase 2: Completed decoding.
name: 'peplink_wan'
desc: 'WAN failed PING test'
interface: 'WAN 2'
isp: ' ALI DDSW (Priority 1) disconnected (WAN failed PING test)'
priority: '1'
status: 'disconnected'
Supposedly, it only take the ALI DDSW for the isp. This is how my decoder looks like:
<decoder name="peplink_wan">
<program_name>WAN</program_name>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex>^(\.+) - (\.+ \.* \w*) </regex>
<order>interface,isp</order>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex>\(Priority (\d+)\) (\w+) </regex>
<order>priority,status</order>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex offset="after_regex">\((\.+)\)</regex>
<order>desc</order>
</decoder>
I hope u guys can point me to the right way and I also learn about the logical/multiple pattern but i didnt know how to use it yet. Thanks in advance.
<program_name>WAN</program_name>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex>^(\.+) - (\.+ \.* \w*) </regex>
<order>interface,isp</order>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex>\(Priority (\d+)\) (\w+) </regex>
<order>priority,status</order>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex offset="after_regex">\((\.+)\)</regex>
<order>desc</order>
</decoder>
I hope u guys can point me to the right way and I also learn about the logical/multiple pattern but i didnt know how to use it yet. Thanks in advance.
Himanshu Sharma
Nov 5, 2023, 10:04:47 PM11/5/23
to Wazuh | Mailing List
Hi Team, 
Thanks for using the Wazuh.
I have created a sample custom decoder to match all the logs you shared. you can follow the below steps to add them to your environment. You can take the reference and change the decoder according to your requirements.
Add the below configuration to /var/ossec/etc/decoders/local_decoder.xml or create the new file here.
<decoder name="peplink_wan">
<program_name>WAN</program_name>
</decoder>
<decoder name="peplinkchild">
<parent>peplink_wan</parent>
<regex>(\.+)-(\.+) \((\.+)\) (\w+) \((\.+)\)</regex>
<order>interface,isp,priority,status,desc</order>
</decoder>Now restart your wazuh manager to apply changes.
Sample output:
To learn more about how to create custom decoder and rules please follow the below document.
Decoders Syntax - Ruleset XML syntax · Wazuh documentation
Creating decoders and rules from scratch | Wazuh
Hope this information helps you. Please feel free to reach out to us for any information/issues.
Regards,
Haziq Mt Roslan
Nov 6, 2023, 12:56:26 AM11/6/23
to Wazuh | Mailing List
Hi
Himanshu Sharma,
I would like to know how wazuh can detect the decoder as I know it can detect through program_name and prematch for example here:
<decoder name="ftos_inter">
**Phase 1: Completed pre-decoding.
full event: 'Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1'
timestamp: 'Nov 6 00:40:40'
hostname: 'SRT-SWD1'
**Phase 2: Completed decoding.
No decoder matched.
but i already tested the wazuh-regex and it works here is the result:
I would like to know how wazuh can detect the decoder as I know it can detect through program_name and prematch for example here:
<decoder name="ftos_inter">
<program_name>%STKUNIT1-M</program_name>
</decoder>
<decoder name="ftos_inter1">
<parent>ftos_inter</parent>
<regex offset="after_parent">CP\s(\.+):\sChanged\sinterface\sstate\sto\s(\.+):\s(\.+)</regex>
<order>extra,status,int</order>
</decoder>
Here is the result of wazuh-logtest:
</decoder>
<decoder name="ftos_inter1">
<parent>ftos_inter</parent>
<regex offset="after_parent">CP\s(\.+):\sChanged\sinterface\sstate\sto\s(\.+):\s(\.+)</regex>
<order>extra,status,int</order>
</decoder>
Here is the result of wazuh-logtest:
Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
**Phase 1: Completed pre-decoding.
full event: 'Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1'
timestamp: 'Nov 6 00:40:40'
hostname: 'SRT-SWD1'
**Phase 2: Completed decoding.
No decoder matched.
but i already tested the wazuh-regex and it works here is the result:
Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
+OSRegex_Execute: Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
-Substring: %IFMGR-5-OSTATE_UP
-Substring: up
-Substring: Te 1/1
+OS_Regex : Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
+OSRegex_Execute: Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
-Substring: %IFMGR-5-OSTATE_UP
-Substring: up
-Substring: Te 1/1
+OS_Regex : Nov 6 00:40:40 SRT-SWD1 %STKUNIT1-M: CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/1
Can you clarify more on this. Any suggestion and advice would surely help. Thank you.
Himanshu Sharma
Nov 16, 2023, 4:35:19 AM11/16/23
to Wazuh | Mailing List
Hi Team,
Sorry for the delay.
As I checked your log there is no program name so you can not use the <program_name> in the docker as that field is not present.
Instead of <program_name> you can use the <prematch> to match the decoder. After that, your decoder will work and you can use a child decoder.
<decoder name="ftos_inter">
<prematch>%STKUNIT1-M</prematch>
</decoder>
<prematch>%STKUNIT1-M</prematch>
</decoder>
Reference:
Hope this information helps you. Please feel free to reach out to us for any information/issues.
Regards,
Regards,
Reply all
Reply to author
Forward
0 new messages