Sonicwall Decoder? issue??


Cris Mead (FedaykinWolf)

Jul 31, 2025, 9:31:39 PM
to Wazuh | Mailing List
Hello, I just added a second SonicWall to Wazuh, and I'm trying to differentiate the 2 in the logs. I thought this id=xxxxxx would be parsed into a field in Wazuh but it is not... Bug or expected?
  • using default 0295-sonicwall_decoders.xml
  • on Wazuh 4.12

**Phase 1: Completed pre-decoding. full event: 'id=Perimeter_Firewall_1 sn=xxxxxxxx time="2025-07-31 17:08:52" fw=64.146.144.66 pri=1 c=32 m=608 msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3 n=187952 src=10.11.12.3:11:X0 dst=130.199.211.138:8:X1 fw_action="NA"'
**Phase 1: Completed pre-decoding. full event: 'id=Perimeter_Firewall_2 sn=xxxxxxxx time="2025-07-31 21:09:18" fw=64.146.144.58 pri=1 c=0 m=1200 msg="Suspected Botnet initiator blocked: Initiator IP:23.94.58.5" n=45626 src=23.94.58.5:43780:X1:23-94-58-5-host.colocrossing.com dst=64.16.14.60:80:X4:mx1.someplace.net srcMac=f0:2f:8f:4f:8f:fb dstMac=ef:eb:ff:9b:ff:dd proto=tcp/http fw_action="drop"'

Notice in Phase 1 the id= values are not coloured, and there is no "Perimeter_Firewall_#" below (here's one to save space; the other is the same)

**Phase 2: Completed decoding.
name: 'sonicwall'
action: 'IPS Detection Alert: ICMP PING'
dstip: '130.199.211.138'
dstport: '8'
srcip: '10.11.12.3'
srcport: '11'
status: '1'

**Phase 3: Completed filtering (rules).
id: '4801'
level: '8'
description: 'SonicWall critical message.'
groups: '["syslog","sonicwall"]'
firedtimes: '1'
gdpr: '["IV_35.7.d"]'
gpg13: '["3.2"]'
mail: 'false'

**Alert to be generated.
What would I have to do to get the id= part into a field so I can more easily search between my 2 Sonicwalls?

Any help would be much appreciated

Thank you,

Stuti Gupta

Jul 31, 2025, 11:52:53 PM
to Wazuh | Mailing List
Hi Cris,

To achieve this, you need to change the default decoder. For that, please follow these steps:

Start by copying the default decoder file into the custom decoder directory using:

cp /var/ossec/ruleset/decoders/0295-sonicwall_decoders.xml  /var/ossec/etc/decoders/0295-sonicwall_decoders.xml

Next, edit the Wazuh configuration file (/var/ossec/etc/ossec.conf) to exclude the default decoder so the custom one takes precedence. Add the following inside the <ruleset> block:

<ruleset>
  <decoder_exclude>ruleset/decoders/0295-sonicwall_decoders.xml</decoder_exclude>
</ruleset>

Now open the copied decoder file:

vi /var/ossec/etc/decoders/0295-sonicwall_decoders.xml

Add the following decoder block to decode the ID:

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <!-- Wazuh regex syntax: \. matches any character, so the capture runs from id= up to the next space -->
  <regex>id=(\.+) </regex>
  <!-- the first capture group is stored as the field "id" (data.id in the alert JSON) -->
  <order>id</order>
</decoder>

Restart the Wazuh manager: systemctl restart wazuh-manager
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

Let me know if you want any further assistance 
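The copy / exclude / append / restart steps from the reply above, collected into one re-runnable script. This is an added example, not code from the thread or from the Wazuh project. It assumes a standard Wazuh 4.x layout under /var/ossec (the OSSEC_ROOT variable, the WAZUH_APPLY and WAZUH_VERIFY gates and the function names are mine), and it uses the Wazuh regex class \S+ (non-whitespace) instead of the reply's \.+ so the capture cannot run past the first space. The sample log line in the verification step is constructed, with documentation IP addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Wazuh). Applies the SonicWall
# id= decoder change idempotently: safe to run twice.
# Assumptions: Wazuh 4.x layout under OSSEC_ROOT (default /var/ossec); point
# OSSEC_ROOT at a scratch copy to dry-run without touching the real manager.
set -eu

OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"
DECODER_FILE="0295-sonicwall_decoders.xml"
EXCLUDE_LINE="<decoder_exclude>ruleset/decoders/$DECODER_FILE</decoder_exclude>"

install_custom_decoder() {
    local default_dec="$OSSEC_ROOT/ruleset/decoders/$DECODER_FILE"
    local custom_dec="$OSSEC_ROOT/etc/decoders/$DECODER_FILE"
    local conf="$OSSEC_ROOT/etc/ossec.conf"

    # 1. Copy the stock decoder file once; never clobber an existing copy that
    #    may carry other local edits. Caveat: etc/decoders survives upgrades,
    #    so this copy stops tracking upstream fixes to the SonicWall decoders
    #    until you re-copy the file and re-apply this change.
    if [ ! -f "$custom_dec" ]; then
        cp "$default_dec" "$custom_dec"
    fi

    # 2. Append the child decoder once. \S+ is Wazuh regex for one or more
    #    non-whitespace characters, so the capture stops at the first space
    #    after "id=Perimeter_Firewall_1" (the reply's \.+ also worked for the OP).
    if ! grep -q 'name="sonicwall-fields"' "$custom_dec"; then
        cat >> "$custom_dec" <<'EOF'

<decoder name="sonicwall-fields">
  <parent>sonicwall</parent>
  <regex>id=(\S+) </regex>
  <order>id</order>
</decoder>
EOF
    fi

    # 3. Exclude the stock file once, directly after the first <ruleset> tag.
    #    Writing back through cat keeps ossec.conf's owner and mode intact,
    #    which a mv of a temp file would not.
    if ! grep -qF "$EXCLUDE_LINE" "$conf"; then
        awk -v line="$EXCLUDE_LINE" \
            '{ print } /<ruleset>/ && !done { print "    " line; done = 1 }' \
            "$conf" > "$conf.tmp"
        cat "$conf.tmp" > "$conf"
        rm -f "$conf.tmp"
    fi
}

verify_with_logtest() {
    # Constructed sample line (documentation IPs, sn anonymised). wazuh-logtest
    # talks to the running analysisd, so run this after the manager is back up;
    # the Phase 2 output should now include id: 'Perimeter_Firewall_2'.
    local sample='id=Perimeter_Firewall_2 sn=xxxxxxxx time="2025-07-31 21:09:18" fw=192.0.2.1 pri=1 c=0 m=1200 msg="Suspected Botnet initiator blocked: Initiator IP:198.51.100.5" n=45626 src=198.51.100.5:43780:X1 dst=192.0.2.2:80:X4 proto=tcp/http fw_action="drop"'
    printf '%s\n' "$sample" | "$OSSEC_ROOT/bin/wazuh-logtest"
}

# Gated so that sourcing this file (e.g. for tests) changes nothing:
#   sudo WAZUH_APPLY=1 ./sonicwall_id_decoder.sh    # apply + restart
#   sudo WAZUH_VERIFY=1 ./sonicwall_id_decoder.sh   # once the manager is up
if [ "${WAZUH_APPLY:-0}" = "1" ]; then
    install_custom_decoder
    systemctl restart wazuh-manager
fi
if [ "${WAZUH_VERIFY:-0}" = "1" ]; then
    verify_with_logtest
fi
```

Once the new field shows up in the logtest output you can filter the two firewalls in the dashboard on data.id, which is the whole point of the change; keep in mind that a future Wazuh upgrade updates ruleset/decoders but not your excluded copy, so diff the two files after upgrading.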

Cris Mead (FedaykinWolf)

Aug 1, 2025, 12:16:33 AM
to Wazuh | Mailing List
Worked perfectly thank you!!