Wazuh decoder doesn't work


Mesud Nagizade

Sep 29, 2025, 4:23:47 AM
to Wazuh | Mailing List
Hello, I have a problem with my Wazuh decoder. The issue is that it parses the log with the JSON decoder, but it doesn't parse all the fields inside the log. I am writing a custom decoder, but it still goes to the default JSON decoder and doesn't capture all the fields. On normal regex websites, the regex I write parses the log correctly, but in Wazuh it doesn't work. Could you please help me?

Log example:

{"SEQUENCE_NO": 84676438, "ACTION_SEQUENCE_NO": 194645625, "ACTION": "EXECUTEQUERY", "REQ_XML": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><test_REQ_ENV><FCUBS_HEADER><SOURCE>CUBE</SOURCE><UBSCOMP>test</UBSCOMP><USERID>TEST</USERID><BRANCH>5000</BRANCH><SERVICE/><OPERATION/><MULTITRIPID/><FUNCTIONID>STDCUSUM</FUNCTIONID><ACTION>EXECUTEQUERY</ACTION><MSGSTAT/><MODULEID>ST</MODULEID><MSGID/><DEBUG_MODE>N</DEBUG_MODE><ENTITY>ENTITY_ID1</ENTITY><SNAPSHOTID/><PKVALS>VÖEN111~C</PKVALS><PKFIELDS>BLK_MASTER__VALUE~BLK_MASTER__SEARCH_BY</PKFIELDS><SQNO>84676438</SQNO><MFAAUTHENTICATED>N</MFAAUTHENTICATED></test_HEADER><v_BODY><REC TYPE=\"BLK_MASTER\" RECID=\"1\"><FV><![CDATA[C~VÖEN111~~~]]></FV></REC><MISC><REMARKS/></MISC></test_BODY></test_REQ_ENV>", "RESP_XML": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><test_RES_ENV><test_HEADER> \n<SOURCE>CUBE</SOURCE> \n<UBSCOMP>test</UBSCOMP> \n<MSGID>6125272082403140</MSGID> \n<CORRELID>*</CORRELID> \n<USERID>TEST</USERID> \n<ENTITY>ENTITY_ID1</ENTITY> \n<BRANCH>5000</BRANCH> \n<MODULEID>ST</MODULEID> \n<DESTINATION>CUBE</DESTINATION> \n<FUNCTIONID>STDCUSUM</FUNCTIONID> \n<ACTION>EXECUTEQUERY</ACTION> \n<MSGSTAT>FAILURE</MSGSTAT> \n<DEBUG_MODE>N</DEBUG_MODE> \n<MAKERREMARKS><![CDATA[]]></MAKERREMARKS> \n<CHECKERREMARKS></CHECKERREMARKS> \n</test_HEADER> \n\n <Test_BODY> \n<REC TYPE=\"BLK_MASTER\" RECID=\"1\"><FV><![CDATA[C~VÖEN111~~~]]></FV></REC><MISC><REMARKS/></MISC><test_ERROR_RESP><ERROR><ECODE>ST-CULN-001</ECODE><EDESC><![CDATA[No Matching Records were found for the Customer Number VÖEN111]]></EDESC></ERROR></test_ERROR_RESP></test_BODY></test_RES_ENV>", "REQ_TIME": "2025-09-29 10:17:26", "USER_ID": "TEST", "LOGIN_SEQUENCE_NO": 84669898, "timestamp": "2025-09-29T06:17:33.669770+00:00", "type": "smtb_sms_action_log"}

I want to parse: user_id, action, sequence_no, login_sequence_no, Branch, CDATA

Bony V John

Sep 29, 2025, 4:35:08 AM
to Wazuh | Mailing List
Hi,

Please allow me some time. I’m working on this and will get back to you with an update as soon as possible.  

Bony V John

Sep 29, 2025, 5:53:31 AM
to Wazuh | Mailing List
Hi,

Based on the shared sample log, I have created a custom decoder that extracts the required fields you mentioned. You can use the custom decoder below, which I tested successfully in my environment:  

<!-- Child of the built-in json decoder, applied only to lines that contain REQ_XML;
     the JSON plugin keeps the top-level keys (USER_ID, ACTION, SEQUENCE_NO, ...) decoded -->
<decoder name="test1">
        <parent>json</parent>
        <prematch>REQ_XML</prematch>
        <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

<!-- BRANCH sits inside the REQ_XML string value, out of reach of the JSON decoder;
     the \S before /BRANCH> stands in for the '<' of the closing tag -->
<decoder name="test1">
        <parent>json</parent>
        <regex>BRANCH>(\S*)\S/BRANCH></regex>
        <order>BRANCH</order>
</decoder>

<!-- Captures the first CDATA payload in the line (C~VÖEN111~~~ in the sample log) -->
<decoder name="test1">
        <parent>json</parent>
        <regex>CDATA[(\S*)]</regex>
        <order>CDATA</order>
</decoder>

By default, the built-in JSON decoder was already parsing most fields such as user_id, action, sequence_no, and login_sequence_no. To additionally decode the BRANCH and CDATA fields, I created two custom decoders as child decoders of the JSON decoder.

With this setup, both BRANCH and CDATA fields will now be extracted properly from the log.

You can refer to the Wazuh decoder syntax documentation for more details.

I’ve also attached a screenshot of my test results for your reference.

Screenshot 2025-09-29 152241.png
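To see why the built-in JSON decoder stops short and what the two child decoders add, here is a small Python emulation of the decoder chain from the reply above. It is an added example, not code from the thread or from Wazuh: Python's `re` module stands in for Wazuh's OS_Regex engine, the two patterns are translated with non-greedy `*?` so the capture stops at the first closing tag or bracket, and the sample log is a constructed, abbreviated copy of the one posted in the question (built with `json.dumps` so the quoting matches a real single-line event).

```python
import json
import re

# Constructed sample: the shape of the thread's log, abbreviated.
# ensure_ascii=False keeps "Ö" as-is, the way the real event line carries it,
# and json.dumps escapes the inner quotes to \" exactly like the posted log.
SAMPLE_LOG = json.dumps({
    "SEQUENCE_NO": 84676438,
    "ACTION_SEQUENCE_NO": 194645625,
    "ACTION": "EXECUTEQUERY",
    "REQ_XML": ('<?xml version="1.0" encoding="UTF-8"?><test_REQ_ENV><FCUBS_HEADER>'
                '<USERID>TEST</USERID><BRANCH>5000</BRANCH><ACTION>EXECUTEQUERY</ACTION>'
                '</FCUBS_HEADER><test_BODY><REC TYPE="BLK_MASTER" RECID="1">'
                '<FV><![CDATA[C~VÖEN111~~~]]></FV></REC></test_BODY></test_REQ_ENV>'),
    "RESP_XML": ('<test_RES_ENV><test_HEADER><BRANCH>5000</BRANCH><MSGSTAT>FAILURE</MSGSTAT>'
                 '</test_HEADER><test_BODY><test_ERROR_RESP><ERROR><ECODE>ST-CULN-001</ECODE>'
                 '<EDESC><![CDATA[No Matching Records were found]]></EDESC></ERROR>'
                 '</test_ERROR_RESP></test_BODY></test_RES_ENV>'),
    "USER_ID": "TEST",
    "LOGIN_SEQUENCE_NO": 84669898,
    "timestamp": "2025-09-29T06:17:33.669770+00:00",
    "type": "smtb_sms_action_log",
}, ensure_ascii=False)

# Python translations (assumption) of the two child-decoder patterns from the reply.
# OS_Regex \S and Python \S both mean "any non-whitespace character"; the lone \S
# before /BRANCH> matches the '<' of the closing tag. *? keeps the capture short.
CHILD_REGEXES = {
    "Branch": re.compile(r"BRANCH>(\S*?)\S/BRANCH>"),
    "CDATA": re.compile(r"CDATA\[(\S*?)\]"),
}

WANTED = ("USER_ID", "ACTION", "SEQUENCE_NO", "LOGIN_SEQUENCE_NO", "BRANCH", "CDATA")


def json_decoder(raw: str) -> dict:
    """Stage 1: what the built-in json decoder does, each top-level key becomes a field."""
    return json.loads(raw)


def missing_after_json(raw: str, wanted=WANTED) -> set:
    """Names the JSON stage cannot supply: they live inside XML string values, not as keys."""
    return {name for name in wanted if name not in json_decoder(raw)}


def decode(raw: str) -> dict:
    """Stage 1 + stage 2: JSON fields, then the child regexes run over the whole event line."""
    fields = json_decoder(raw)
    out = {
        "user_id": fields.get("USER_ID"),
        "action": fields.get("ACTION"),
        "sequence_no": fields.get("SEQUENCE_NO"),
        "login_sequence_no": fields.get("LOGIN_SEQUENCE_NO"),
    }
    # Child decoders search the raw line, so the first BRANCH/CDATA occurrence wins
    # (the REQ_XML ones here); a second match later in the line is not captured.
    for name, pattern in CHILD_REGEXES.items():
        match = pattern.search(raw)
        out[name] = match.group(1) if match else None
    return out


if __name__ == "__main__":
    print("not reachable by the json decoder alone:", sorted(missing_after_json(SAMPLE_LOG)))
    for key, value in decode(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it shows BRANCH and CDATA as the only two requested names absent from the JSON stage, and the combined decode returning `5000` and `C~VÖEN111~~~` for them. The regex search is deliberately run against the raw line rather than the already-parsed REQ_XML value, because that is the input a child decoder sees. On a real manager the equivalent check is to paste the event into `/var/ossec/bin/wazuh-logtest` and confirm both fields appear in the decoded output.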
