wazuh-analysisd ERROR Too many fields for JSON decoder

[trd sec tech team]

|Wazuh version|Component|Install type|Install method|Platform|
|4.8.0|wazuh-analysisd|manager|packages|centos7|
Hi there, i found a issue of wazuh-analysisd,when i access to google cloud to get log from storage,i found no logs can be shown on dashboard, then i check the log of manager,i found there has lots of errors:wazuh-analysisd ERROR Too many fields for JSON decoder

and wazuh-remoted WARNING Too big message size from socket.

then i try to change the size of decoder to 1024,but it can't solove this issue,what can I do now ?

[Facundo Dalmau]

Hi. Do you have an example of the logs being fetched from GCP? The error 'wazuh-analysisd: ERROR: Too many fields for JSON decoder' typically occurs when there are too many fields in the JSON message being processed by the Wazuh manager. To fix this issue, you can try increasing the analysisd.decoder_order_size parameter in the Wazuh manager configuration file (/var/ossec/etc/local_internal_options.conf). This parameter determines the maximum number of fields in a decoder. Keep in mind that increasing this value may also increase the CPU and memory usage of the manager. Once you have made the necessary changes, restart the Wazuh manager and check if the error persists.

I hope this helps,

[trd sec tech team]

Hi Facundo Dalmau:

Here is a simple of gcp logs:

{"insertId":"ssssss","logName":"projects/sssss/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"ss...@gmail.com"},"authorizationInfo":[{"granted":true,"permission":"storage.buckets.create","resource":"projects/_/buckets/asdfsdfsdsdfsdf","resourceAttributes":{}}],"metadata":{"rpo":"DEFAULT"},"methodName":"storage.buckets.create","request":{"defaultObjectAcl":{"@type":"type.googleapis.com/google.iam.v1.Policy","bindings":[{"members":["projectViewer:ssssss"],"role":"roles/storage.legacyObjectReader"},{"members":["projectOwner:sssss","projectEditor:sssss"],"role":"roles/storage.legacyObjectOwner"}]}},"requestMetadata":{"callerIp":"10.10.10.10","callerSuppliedUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2024-07-30T01:38:27.75913671Z"}},"resourceLocation":{"currentLocations":["us"]},"resourceName":"projects/_/buckets/asdfsdfsdsdfsdf","serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"projectEditor:sssss","role":"roles/storage.legacyBucketOwner"},{"action":"ADD","member":"projectOwner:sssss","role":"roles/storage.legacyBucketOwner"},{"action":"ADD","member":"projectViewer:sssss","role":"roles/storage.legacyBucketReader"},{"action":"ADD","member":"sssss","role":"roles/storage.legacyObjectOwner"},{"action":"ADD","member":"projectOwner:sssss","role":"roles/storage.legacyObjectOwner"},{"action":"ADD","member":"projectViewer:sssss","role":"roles/storage.legacyObjectReader"}]}},"serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2024-07-30T01:38:29.538821014Z","resource":{"labels":{"bucket_name":"asdfsdfsdsdfsdf","location":"sssss","project_id":"sssss"},"type":"gcs_bucket"},"severity":"NOTICE","timestamp":"2024-07-30T01:38:27.748961251Z"}

actually it's not too long, and i already increased the analysisd.decoder_order_size to maximan(1024), however it's unluck

Facundo Dalmau 在 2024年7月26日 星期五晚上8:17:10 [UTC+8] 的信中寫道：