Problem with custom Dovecot decoder — default only parses first log format, escaped </> breaks field extraction
73 views
Skip to first unread message
mustafa mamdouh
Oct 22, 2025, 6:33:29 AM10/22/25
to Wazuh | Mailing List
Hello everyone, I created a custom decoder to handle 4 Dovecot login formats because the default decoder only parses the first format (the other 3 are ignored). I’ll keep this short — below are: 1) the default decoder (works but only for log #1), 2) my custom regex that matches the other 3 formats, 3) the escaped-XML version that Wazuh accepts but then doesn’t extract fields, and 4) four sample logs with sensitive info obfuscated. Any help appreciated.Default decoder (only matches format #1):
<decoder name="dovecot-success"> <parent>dovecot</parent> <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch> <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$</regex> <order>user, srcip, dstip, protocol</order> </decoder>
<decoder name="dovecot-success"> <parent>dovecot</parent> <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch> <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$</regex> <order>user, srcip, dstip, protocol</order> </decoder>
Custom regex that matches the other formats (works in regex testers / matches 3 other logs):
<decoder name="dovecot-success"> <parent>dovecot</parent> <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch> <regex offset="after_prematch">^user=<([^>]+)>, method=\S+, rip=([\d\.]+), lip=([\d\.]+), mpid=\S+, (.*)$</regex> <order>user, srcip, dstip, protocol</order> </decoder>.png?part=0.2&view=1)
.png?part=0.1&view=1)
.png?part=0.3&view=1)
Sample logs (sensitive data masked):#1 Oct 8 19:35:07 host dovecot[1981234]: imap-login: Login: user=<p....@dixxxrlwaed.ae>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=788266, session=<cvDkbaeARslyrh+C>#2 Oct 8 20:26:00 host dovecot[1981234]: imap-login: Login: user=<__cpanel__service__auth__imap__i6m_jtyfiutjnvwpj>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=808237, secured, session=<9f9tu6hAJqV/AAAB>#3 Oct 9 13:05:02 host dovecot[1981234]: pop3-login: Login: user=<trggaf...@mnjugnn.com>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=1227258, TLS: read(size=586) failed: Connection reset by peer, session=<CtdfGLZAxF8f2zy9>#4 Oct 9 13:04:03 host dovecot[1981234]: imap-login: Login: user=<t.fk...@tffvcf.com>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=1226891, TLS, session=<8QojFbZAtff0YQWl>
<decoder name="dovecot-success"> <parent>dovecot</parent> <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch> <regex offset="after_prematch">^user=<([^>]+)>, method=\S+, rip=([\d\.]+), lip=([\d\.]+), mpid=\S+, (.*)$</regex> <order>user, srcip, dstip, protocol</order> </decoder>
Escaped XML version (Wazuh accepts & saves, but no fields are extracted — default decoder still handles logs):
<decoder name="dovecot-success">
<parent>dovecot</parent>
<prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
<regex offset="after_prematch">^user=<([^>]+)>, method=\S+, rip=([\d\.]+), lip=([\d\.]+), mpid=\S+, (.*)$</regex>
<order>user, srcip, dstip, protocol</order>
</decoder> Sample logs (sensitive data masked):#1 Oct 8 19:35:07 host dovecot[1981234]: imap-login: Login: user=<p....@dixxxrlwaed.ae>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=788266, session=<cvDkbaeARslyrh+C>#2 Oct 8 20:26:00 host dovecot[1981234]: imap-login: Login: user=<__cpanel__service__auth__imap__i6m_jtyfiutjnvwpj>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=808237, secured, session=<9f9tu6hAJqV/AAAB>#3 Oct 9 13:05:02 host dovecot[1981234]: pop3-login: Login: user=<trggaf...@mnjugnn.com>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=1227258, TLS: read(size=586) failed: Connection reset by peer, session=<CtdfGLZAxF8f2zy9>#4 Oct 9 13:04:03 host dovecot[1981234]: imap-login: Login: user=<t.fk...@tffvcf.com>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=1226891, TLS, session=<8QojFbZAtff0YQWl>
Problem summary: default decoder only parses the first log type; my unescaped regex handles the other 3 formats but cannot be loaded raw in Wazuh XML. Escaping < and > to </> makes the XML load, but the decoder then fails to extract fields (Wazuh still uses the default decoder). I suspect the regex engine inside Wazuh doesn’t interpret the escaped angle brackets the same way, or the decoder loading process modifies the pattern.Questions for the community:
- Best practice to match literal < and > inside a Wazuh decoder regex (without losing matching behavior)?
- Is there an alternative pattern that avoids angle brackets but still reliably extracts user=... for all four log types? (e.g., user=(?:<([^>]+)>|(\S+)) or using \[<\] style?)
- Any Wazuh-specific quirks when regex is stored as XML entities vs raw that I should be aware of?
Environment: Wazuh version: [add version], OS: [add OS].
Thanks in advance — any short examples or a quick corrected decoder I can paste in would be great.
Awwal Ishiaku
Oct 22, 2025, 10:28:51 AM10/22/25
to Wazuh | Mailing List
Hi, the following pair of decoders work for your use case.
<decoder name="dovecot_2">
<prematch type="pcre2">^\w+ \d+ \d+:\d+:\d+ \w+ dovecot\[\d+\]</prematch>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">user=\x3c(\S+)\x3e</regex>
<order>user</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">rip=(\S+),</regex>
<order>srcip</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">lip=(\S+),</regex>
<order>dstip</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">mpid=\d+, (\S+),</regex>
<order>protocol</order>
</decoder>
<prematch type="pcre2">^\w+ \d+ \d+:\d+:\d+ \w+ dovecot\[\d+\]</prematch>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">user=\x3c(\S+)\x3e</regex>
<order>user</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">rip=(\S+),</regex>
<order>srcip</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">lip=(\S+),</regex>
<order>dstip</order>
</decoder>
<decoder name="dovecot_2_child">
<parent>dovecot_2</parent>
<regex type="pcre2">mpid=\d+, (\S+),</regex>
<order>protocol</order>
</decoder>
The solution is to use the unicode values of < (\x3c) and > (\x3e) in the regex so the dashboard can process them without problems.
An alternative is to add the decoders directly on the Wazuh manager via the /var/ossec/etc/decoders/local_decoder.xml file.
Reply all
Reply to author
Forward
0 new messages