HAProxy decoder and rules Help-Advise


Ricardo Mendonça

Jun 21, 2024, 6:16:46 AM
to Wazuh | Mailing List
Hi,

I've been trying to set up a decoder and rule for the HAProxy log, without any success.

The base log looks like this:

04/Jun/2024:00:07:17.188 {somesite.somedomain.net} 14.64.16.169 FE_Prod_http_to_https 10.1.2.12 hostname-host-8381 10.1.2.13 10.1.2.25 8181 POST https://somesite.somedomain.net/v2/testv2/file-temp HTTP/2.0 201 193 56

I need some help decoding this log and parsing it granularly into its different fields, and with a rule as well.

Just one further question: is it better to use the local rules/decoder XML files, or to build a custom one for HAProxy?

Thank you all

Gerardo David Caceres Fleitas

Jun 25, 2024, 6:26:04 AM
to Wazuh | Mailing List
Hello Ricardo Mendonça,

Here is the decoder that I used to test this sample log. You can continue to use it and adapt it according to your needs.

<!--
Sample log line used for testing:
04/Jun/2024:00:07:17.188 {somesite.somedomain.net} 14.64.16.169 FE_Prod_http_to_https 10.1.2.12 hostname-host-8381 10.1.2.13 10.1.2.25 8181 POST https://somesite.somedomain.net/v2/testv2/file-temp HTTP/2.0 201 193 56
-->

<!-- Parent decoder: matches the leading HAProxy timestamp (dd/Mon/yyyy:hh:mm:ss.ms) -->
<decoder name="ha-proxy-parent">
  <prematch>^\d\d\.\w+\.\d\d\d\d:\d\d:\d\d:\d\d.\d+ </prematch>
</decoder>

<!-- Child decoder: extracts the {host} field and the client IP that follows it -->
<decoder name="ha-proxy-parent-child">
  <parent>ha-proxy-parent</parent>
  <regex> \p(\w+.\w+.\w+)\p (\d+.\d+.\d+.\d+) </regex>
  <order>test.domain, test.ip</order>
</decoder>



Please find below relevant information regarding the decoders and rules:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html#os-regex-syntax
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

I hope this is helpful to you.

Best regards.
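As an added example (not Gerardo's decoder and not part of the original thread), here is a fuller decoder for the same sample line that captures every column, plus a small rule pair that uses the extracted fields. The names given to the unlabeled columns (frontend IP, server name, backend IPs, byte counts) are assumptions; rename them to match your HAProxy log-format directive. Rule ids 100100 and 100101 are placeholders in the custom range; everything goes in local_decoder.xml and local_rules.xml.

```xml
<!-- Added example for the thread's sample line; column names marked "assumed"
     are guesses about the HAProxy log-format and should be adjusted. -->

<!-- Parent: match on the timestamp and the opening brace of the {host} field -->
<decoder name="haproxy-custom">
  <prematch>^\d\d/\w+/\d\d\d\d:\d\d:\d\d:\d\d.\d+ {</prematch>
</decoder>

<!-- Child: one capture group per space-separated column of the sample line -->
<decoder name="haproxy-custom-fields">
  <parent>haproxy-custom</parent>
  <regex>^(\d\d/\w+/\d\d\d\d:\d\d:\d\d:\d\d.\d+) {(\S+)} (\d+.\d+.\d+.\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d+) (\d+) (\d+)</regex>
  <!-- timestamp, host header, client ip, frontend name,
       frontend ip (assumed), server name (assumed), backend ips (assumed),
       backend port, method, url, protocol, status, byte counts (assumed) -->
  <order>timestamp, haproxy.host, srcip, haproxy.frontend, haproxy.frontend_ip, haproxy.server_name, haproxy.backend_ip, dstip, dstport, haproxy.method, url, protocol, haproxy.status, haproxy.bytes_in, haproxy.bytes_out</order>
</decoder>

<!-- Rules: a low-level base event, and a child rule that fires on 5xx responses -->
<group name="haproxy,">
  <rule id="100100" level="3">
    <decoded_as>haproxy-custom</decoded_as>
    <description>HAProxy: $(haproxy.method) $(url) returned $(haproxy.status) from $(srcip)</description>
  </rule>

  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="haproxy.status">^5\d\d$</field>
    <description>HAProxy: server-side error $(haproxy.status) for $(url) (frontend $(haproxy.frontend))</description>
    <group>web,</group>
  </rule>
</group>
```

Paste the sample line into /var/ossec/bin/wazuh-logtest after restarting the manager to confirm every field in the order list is populated before building further rules on them.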