Wazuh - Custom Rule


Brenno Garcia

Dec 14, 2025, 5:17:22 PM (3 days ago)
to Wazuh | Mailing List
Hello

I want to generate alerts for IPsec tunnel activation/deactivation logs on SonicWall.

Here is an example log and the result of the logtest; it works perfectly, but I want to extract only the part that says the IPsec tunnel name and use it as the rule description. However, the note field contains much more information than that.

bash-5.2# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.12.0
Type one log per line

Dec 12 12:03:37 172.16.255.1    id=BRSBO01TIFW sn=18C24192D44A time="2025-12-12 12:03:37" fw=1.1.1.1 pri=6 c=65536 gcat=7 m=427 msg="IPsec Tunnel status changed" note="Tunnel Up. policy 7(VPN TUNNEL - NAME), Dst 192.168.0.0 - 192.168.0.255, Src 172.16.255.0 - 172.16.255.7, GW 1.1.1.1, inSpi 0x7a20049c, Reason: Commit New IPSec (Existed dstNode)" n=156368 fw_action="NA"

**Phase 1: Completed pre-decoding.
        full event: 'Dec 12 12:03:37 172.16.255.1    id=BRSBO01TIFW sn=18C24192D44A time="2025-12-12 12:03:37" fw=1.1.1.1 pri=6 c=65536 gcat=7 m=427 msg="IPsec Tunnel status changed" note="Tunnel Up. policy 7(VPN TUNNEL -  NAME), Dst 192.168.0.0 - 192.168.0.0, Src 172.16.255.0 - 172.16.255.7, GW 1.1.1.1, inSpi 0x7a20049c, Reason: Commit New IPSec (Existed dstNode)" n=156368 fw_action="NA"'
        timestamp: 'Dec 12 12:03:37'
        hostname: '172.16.255.1'

**Phase 2: Completed decoding.
        name: 'sonicwall-custom'
        action: 'IPsec Tunnel status changed'
        categoria: '7'
        host: 'BRSBO01TIFW'
        note: 'Tunnel Up. policy 7(VPN TUNNEL -  NAME), Dst 192.168.0.0 - 192.168.0.0, Src 172.16.255.0 - 172.16.255.7, GW 1.1.1.1, inSpi 0x7a20049c, Reason: Commit New IPSec (Existed dstNode)'
        status: '6'

Is there any way to extract only this information (VPN TUNNEL - NAME) from the rule without a new decoder?


Or would I need to create a decoder just for this information?

If that's the case, will this decoder affect the functionality of the note field that is extracted and used in other rules?

Bony V John

Dec 14, 2025, 10:38:07 PM (3 days ago)
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Dec 15, 2025, 1:01:39 AM (3 days ago)
to Wazuh | Mailing List
Hi,

It seems that you are already using a custom decoder for this SonicWall log. If you need to decode the VPN tunnel name as well, you will need to modify the decoder to extract the tunnel name.

To show the VPN tunnel name in the rule description, you must decode the tunnel name using a custom decoder. Using rules alone, we cannot extract a value directly from the raw log.

By default, Wazuh provides a default decoder for SonicWall events. If you have already modified the decoder, you can consider adding an additional regex pattern to decode the fields inside the note field as well. In my case, I modified the default decoder by following the Wazuh documentation, and then I added the below decoder to decode the values inside the note field separately:


<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex offset="after_regex">\s*note="(\.*)\SVPN TUNNEL \S (\S*)\S, Dst (\.*), Src (\.*), GW (\S*), inSpi (\S*), Reason: (\.*)" n=(\d*) fw_action="(\S*)"</regex>
  <order>note,tunnel_name,DST,SRC,GW,inSpi,reason,n,fw_action</order>
</decoder>

Yes, if you create a custom decoder to decode the VPN tunnel name from the note field, it can affect other rules that rely on the note field.

For example, if you use the above decoder, the note field may only contain a partial value (such as Tunnel Up. policy 7). If other rules depend on the note field and expect different values, those rules may stop working. In that case, you can modify those rules to use the newly decoded fields (decoded separately) instead of relying only on the note field.


Brenno Garcia

Dec 15, 2025, 2:03:09 PM (2 days ago)
to Wazuh | Mailing List
Hello,
The problem is that the notes field changes for each SonicWall log.
Normally, this field only contains a message about the log, which I use for some access control rules. But in this specific log, there are several other pieces of information in this field, which would make the regex very complicated.
Is there any way to continue extracting the notes field in the normal way I already do, but when it's about IPsec, it will extract it in the custom way you suggested?

Bony V John

Dec 16, 2025, 6:10:59 AM (yesterday)
to Wazuh | Mailing List
Hi,

I understand your requirement. To proceed, could you please share your custom SonicWall decoder and a few sample SonicWall events that are not related to the IPsec event you shared above?

The decoder I shared earlier will only work when the log contains a format like this:

note="(\.*)\SVPN TUNNEL \S (\S*)\S

If this pattern, especially the VPN TUNNEL <name> part appears only in IPsec events, then that decoder will match only IPsec-related logs, and other SonicWall events will be ignored by that decoder.

Please share:

  • Your current custom SonicWall decoder

  • 2–3 sample SonicWall logs that are not IPsec-related

Once I have those, I can test it on my end and guide you on how to update the decoder without impacting other events.

Brenno Garcia

Dec 16, 2025, 12:23:25 PM (yesterday)
to Wazuh | Mailing List
Hi,

<decoder name="sonicwall-custom">
  <plugin_decoder>SonicWall_Decoder</plugin_decoder>
  <prematch>^\<\d+>\s*id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ |^\s*id=\w+\s+sn=\w+\s+time="\.+"\s+fw=\S+ </prematch>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_parent">msg="(\.+)"</regex>
  <order>action</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex type="pcre2">.*id=(\S+)</regex>
  <order>host</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_parent">pri=(\S+)</regex>
  <order>status</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">gcat=(\d+)</regex>
  <order>categoria</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">src=(\S+):</regex>
  <order>srcip</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">src=\S+:(\S+):</regex>
  <order>srcport</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">dst=(\d+.\d+.\d+.\d+):(\d+):\S*</regex>
  <order>dstip, dstport</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">usr="(\S+)"</regex>
  <order>user</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">sess="(\.+)"</regex>
  <order>sessao</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">note="(\.+)"</regex>
  <order>note</order>
</decoder>

<decoder name="sonicwall-fields">
  <parent>sonicwall-custom</parent>
  <regex offset="after_regex">dst=(\d+.\d+.\d+.\d+)::|dst=(\d+.\d+.\d+.\d+)\s</regex>
  <order>dstip</order>
</decoder>

Dec 10 10:24:54 172.16.255.1    id=BRSBO01TIFW sn=18C24192D44A time="2025-12-10 10:24:54" fw=1.1.1.1 pri=6 c=16 gcat=4 m=237 msg="VPN zone remote user login allowed" src=2.2.2.2::X2 dst=1.1.1.1::X2 usr="domain.user" sess="vpnc" dur=0 note="User: domain.user" n=2010 fw_action="NA"

Dec 10 10:20:02 172.16.255.1    id=BRSBO01TIFW sn=18C24192D44A time="2025-12-10 10:20:02" fw=1.1.1.1 pri=6 c=16 gcat=4 m=243 msg="User login denied - RADIUS authentication failure" src=2.2.2.2::X2 dst=1.1.1.1:4443:X0 usr="domain\domain.user" proto=tcp/4443 sess="Web" dur=0 note="User: domain\domain.user" n=1564 fw_action="NA"

Dec 12 10:49:01 172.16.255.1    id=BRSBO01TIFW sn=18C24192D44A time="2025-12-12 10:49:01" fw=1.1.1.1 pri=6 c=16 gcat=4 m=997 msg="Non-config mode GUI administration session started" src=2.2.2.2::X3 dst=1.1.1.1:4443:X0 usr="otheruser" proto=tcp/4443 sess="Web" dur=0 note="User: otheruser" n=184 fw_action="NA"

Bony V John

6:11 AM (9 hours ago)
to Wazuh | Mailing List
Hi,

Based on the three sample logs you shared above, the custom decoder I provided will not affect those event types. As mentioned earlier, it will only decode the IPsec event type, and the rest of the events will not be decoded by that custom decoder.

This is because the regex pattern used in the decoder:

note="(\.*)\SVPN TUNNEL \S (\S*)\S

is only present in the IPsec events, and the other events do not contain this pattern. Therefore, it will not match or impact the other event types.

You can refer to the Wazuh documentation for more details.
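
To check the claim above, that the IPsec regex touches only the IPsec event while the plain note="(\.+)" decoder keeps working for the other SonicWall events, here is an added Python example (not part of this thread, and not Wazuh code) that approximates Wazuh's OS_Regex syntax with Python's re module and runs both regexes over the logs quoted in this thread. The helpers osregex_to_python, decode and ipsec_decoder_hits are my own, and the translation of OS_Regex repetitions into lazy quantifiers is an assumption about how OS_Regex stops a match, not a statement about its implementation.

```python
import re

# Constructed sample events, shaped after the logs quoted in this thread (tails only).
IPSEC_EVENT = (
    'msg="IPsec Tunnel status changed" note="Tunnel Up. policy 7(VPN TUNNEL - NAME), '
    'Dst 192.168.0.0 - 192.168.0.255, Src 172.16.255.0 - 172.16.255.7, GW 1.1.1.1, '
    'inSpi 0x7a20049c, Reason: Commit New IPSec (Existed dstNode)" n=156368 fw_action="NA"'
)
OTHER_EVENTS = [
    'msg="VPN zone remote user login allowed" src=2.2.2.2::X2 dst=1.1.1.1::X2 '
    'usr="domain.user" sess="vpnc" dur=0 note="User: domain.user" n=2010 fw_action="NA"',
    'msg="User login denied - RADIUS authentication failure" usr="domain\\domain.user" '
    'sess="Web" dur=0 note="User: domain\\domain.user" n=1564 fw_action="NA"',
    'msg="Non-config mode GUI administration session started" usr="otheruser" '
    'sess="Web" dur=0 note="User: otheruser" n=184 fw_action="NA"',
]

# The two decoder regexes discussed in the thread, verbatim in Wazuh OS_Regex syntax.
IPSEC_REGEX = (r'\s*note="(\.*)\SVPN TUNNEL \S (\S*)\S, Dst (\.*), Src (\.*), '
               r'GW (\S*), inSpi (\S*), Reason: (\.*)" n=(\d*) fw_action="(\S*)"')
IPSEC_ORDER = ["note", "tunnel_name", "DST", "SRC", "GW", "inSpi", "reason", "n", "fw_action"]
NOTE_REGEX = r'note="(\.+)"'   # the generic note decoder from the custom ruleset above
NOTE_ORDER = ["note"]


def osregex_to_python(pattern):
    """Translate the OS_Regex subset used above into Python re syntax.
    Assumptions, not Wazuh's implementation: '\\.' means any character, a bare
    '.' is a literal dot, and a repetition stops at the first position where the
    rest of the pattern matches, which is modelled here with lazy quantifiers."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
            continue
        out.append({".": r"\.", "*": "*?", "+": "+?"}.get(ch, ch))
        i += 1
    return "".join(out)


def decode(event, regex, order):
    """Return the captured groups keyed by <order>, as Wazuh would, or None if no match."""
    match = re.search(osregex_to_python(regex), event)
    return dict(zip(order, match.groups())) if match else None


def ipsec_decoder_hits(events):
    """Which of the given events the IPsec-specific decoder would actually touch."""
    return [e for e in events if decode(e, IPSEC_REGEX, IPSEC_ORDER) is not None]
```

On the IPsec event the note field shrinks to `Tunnel Up. policy 7` while the name lands in tunnel_name; note that `(\S*)` captures a single token, so a tunnel name containing spaces would only be partially captured.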

Brenno Garcia

3:02 PM (11 minutes ago)
to Wazuh | Mailing List
Hi, 

It worked.
Thank you.
