problem in my decoder


JONATHAN MURHULA

Dec 15, 2025, 7:05:30 AM (2 days ago) Dec 15
to Wazuh | Mailing List
I have a problem with my XML decoder, can you help me please:

```
<decoder name="postgresql-base">
  <prematch>^\d{4}-\d{2}-\d{2}.*FATAL:</prematch>
</decoder>

<decoder name="postgresql-no-password-detail">
  <parent>postgresql-base</parent>
  <prematch>DÉTAIL:.*L'utilisateur</prematch>
  <regex>DÉTAIL:.*L'utilisateur.*?([\w]+)</regex>
  <order>user</order>
</decoder>
```

I want to decode this log:

```
2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] FATAL:  authentification par mot de passe échouée pour l'utilisateur  « postgres »
2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] DÉTAIL:  L'utilisateur « postgres » n'a pas de mot de passe affecté.
        La connexion correspond à la ligne 89 du pg_hba.conf : « host    all             all             ::1/128                 scram-sha-256 »
```

Hossam El Amraoui

Dec 15, 2025, 9:16:59 AM (2 days ago) Dec 15
to Wazuh | Mailing List
If you want to create a custom decoder (https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html) for these logs, you can take a look at our regex syntax section (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html) and decoder syntax (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html).
To test regex patterns and check that they work correctly, you can use pages such as [regex101.com](http://regex101.com/) (you have to take into account that this page, for example, uses the PCRE2 regex format). To test the rules, you can use the wazuh-logtest tool (https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html).

In your particular case, the regex syntax was correct, but it was in PCRE2 format, which was not indicated. Also, I added `DÉTAIL` to the base decoder. The final decoder looks like this:
```
<decoder name="postgresql-base">
  <prematch type="pcre2">^\d{4}-\d{2}-\d{2}.*FATAL|DÉTAIL:</prematch>
</decoder>

<decoder name="postgresql-no-password-detail">
  <parent>postgresql-base</parent>
  <prematch type="pcre2">DÉTAIL:.*L'utilisateur</prematch>
  <regex type="pcre2">DÉTAIL:.*L'utilisateur.*?([\w]+)</regex>
  <order>user</order>
</decoder>
```
`wazuh-logtest` output:
```
root@ubuntu22:/home/vagrant# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.1
Type one log per line


2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] DÉTAIL:  L'utilisateur « postgres » n'a pas de mot de passe affecté.

**Phase 1: Completed pre-decoding.
 full event: '2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] DÉTAIL:  L'utilisateur « postgres » n'a pas de mot de passe affecté.'

**Phase 2: Completed decoding.
 name: 'postgresql-base'
 parent: 'postgresql-base'
 dstuser: 'postgres'
```
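To see why the `type="pcre2"` attribute matters, here is an added example (not part of the thread or of Wazuh itself) that mirrors the reply's decoder chain with Python's `re` module, whose handling of `\d{4}`, `.*?` and `\w` matches PCRE2 for these patterns; it runs the parent prematch, then the child prematch and capture, over the three log lines from the question, and the `decode` function, field naming and the continuation-line behaviour are my own construction. Wazuh's default OS_Regex syntax treats `.` as a literal dot and has no `{4}` quantifier, which is why the untyped version of the same patterns never matched.

```python
import re

# Constructed sample: the three lines posted in the question. The third line is a
# continuation of the DÉTAIL message and carries neither keyword on its own.
LOGS = [
    "2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] FATAL:  "
    "authentification par mot de passe échouée pour l'utilisateur  « postgres »",
    "2025-12-10 08:56:04.376 WAT [16710] postgres@postgres ::1(40274) [inconnu] DÉTAIL:  "
    "L'utilisateur « postgres » n'a pas de mot de passe affecté.",
    "        La connexion correspond à la ligne 89 du pg_hba.conf : "
    "« host    all             all             ::1/128                 scram-sha-256 »",
]

# The patterns exactly as they appear in the reply's PCRE2 decoders.
BASE_PREMATCH = re.compile(r"^\d{4}-\d{2}-\d{2}.*FATAL|DÉTAIL:")
CHILD_PREMATCH = re.compile(r"DÉTAIL:.*L'utilisateur")
CHILD_REGEX = re.compile(r"DÉTAIL:.*L'utilisateur.*?([\w]+)")
CHILD_ORDER = ["user"]  # <order>: one field name per capture group


def decode(line):
    """Emulate the two-level decoder chain.

    Returns (decoder_name, fields): the most specific decoder that matched
    and the fields its <regex> extracted, or (None, {}) when the parent
    <prematch> rejects the line (so child decoders are never tried).
    """
    if not BASE_PREMATCH.search(line):
        return None, {}
    name, fields = "postgresql-base", {}
    # The child is only evaluated once its parent has matched.
    if CHILD_PREMATCH.search(line):
        m = CHILD_REGEX.search(line)
        if m:
            # « is not a word character, so the lazy .*? skips " « " and
            # [\w]+ captures the user name; wazuh-logtest reports this
            # "user" field as dstuser.
            fields = dict(zip(CHILD_ORDER, m.groups()))
            name = "postgresql-no-password-detail"
    return name, fields


if __name__ == "__main__":
    for line in LOGS:
        print(decode(line))
```

The FATAL line reaches the base decoder but extracts nothing, the DÉTAIL line yields `user=postgres`, and the indented continuation line is dropped by the parent prematch, so it would need its own handling if the pg_hba.conf line number were wanted.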