I need help because Wazuh Decoder and Ruleset are running well, but there are no alerts on the dashboard.


Nhân Nguyễn

Apr 22, 2026, 1:02:40 AM (5 days ago) Apr 22
to Wazuh | Mailing List
I'm integrating syslog from a Trendmicro Deep Security system into a Wazuh 4.14 SIEM system. I've also successfully built and tested a decoder and ruleset for Trendmicro logs. When I check the logs using `tail -f /var/ossec/logs/archives/archives.log | grep -E "Deep Security|CEF"`, the system still has logs, but I can't find Trendmicro logs using `tail -f /var/ossec/logs/alerts/alerts.log | grep -E "100505|Trendmicro"`. Additionally, I don't see any Trendmicro alerts on the dashboard. Please help me understand the reason and how to fix this.

Md. Nazmur Sakib

Apr 22, 2026, 1:21:27 AM (5 days ago) Apr 22
to Wazuh | Mailing List

Hi Nhân Nguyễn,


If you are getting the logs in the archive log file with this command


tail -f /var/ossec/logs/archives/archives.log | grep -E "Deep Security|CEF"

That means the logs are coming to your Wazuh server.

As you do not see any logs in the alerts.log, that means they are not matching any rule.

You can test your logs to see if they match any rules by using the ruleset test tool.

Go to Tools > Ruleset test in the Wazuh dashboard and paste the log you found in the archive.log

Ref: Testing decoders and rules - Data analysis


Make sure to exclude the log header added by Wazuh before testing the log

Ex:

If you get this log in the archive.log

2024 Aug 29 11:42:45 DPW-SW1->/var/log/syslog Aug 29 11:42:44 DPW-SW1 74acb943ac7a,US-24-G1-7.0.50+15613: user: test

You need to use this part for the testing

 
Aug 29 11:42:44 DPW-SW1 74acb943ac7a,US-24-G1-7.0.50+15613: user: test


If they do not match any rules, you need to write some custom rules to trigger an alert. For that you can check these documents.

Custom rules

Rules Syntax

Regular Expression Syntax


If you need any further help on this, please share some sample relevant logs from the archives.log file.


cat /var/ossec/logs/archives/archives.log | grep -E "Deep Security|CEF"

Nhân Nguyễn

Apr 23, 2026, 12:43:58 AM (4 days ago) Apr 23
to Wazuh | Mailing List
Hi Md. Nazmur Sakib,

I used the Ruleset test feature with the following sample log

2026 Apr 21 16:31:01 DeepSecurityABCD->192.168.1.1 2026-04-21T09:07:28+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|276|Update: Summary Information|3|src=192.168.1.1 suser=System target=192.168.1.2 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

And receive the result

**Phase 1: Completed pre-decoding.
full event: '2026 Apr 21 16:31:01 DeepSecurityABCD->192.168.1.1 2026-04-21T09:07:28+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|276|Update: Summary Information|3|src=192.168.1.1 suser=System target=192.168.1.2 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0'
timestamp: '2026 Apr 21 16:31:01'

**Phase 2: Completed decoding.
name: 'trendmicro-cef'
id: '0'
name: 'Update: Summary Information'
product: 'Deep Security Manager'
severity: '3'
signature: '276'
vendor: 'Trend Micro'
version: '20.0.1112'

**Phase 3: Completed filtering (rules).
id: '299999'
level: '15'
description: 'DEBUG: Any Trend Micro CEF'
groups: '["trendmicro","debug"]'
firedtimes: '1'
mail: 'true'
**Alert to be generated.

And Trend Micro's system still sends logs regularly but no alerts are triggered on the Dashboard.

Md. Nazmur Sakib

Apr 23, 2026, 1:38:48 AM (4 days ago) Apr 23
to Wazuh | Mailing List

I believe this is the log your endpoint is forwarding.



2026-04-21T09:07:28+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|276|Update: Summary Information|3|src=192.168.1.1 suser=System target=192.168.1.2 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0


And this is the syslog header added by the Wazuh Manager.



2026 Apr 21 16:31:01 DeepSecurityABCD->192.168.1.1  

So you need to write the decoders and rules, and test them based on the actual logs that are forwarded by your endpoint, which seems to me


2026-04-21T09:07:28+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|276|Update: Summary Information|3|src=192.168.1.1 suser=System target=192.168.1.2 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

I have written some sample decoders based on that.

Decoders:

<decoder name="trendmicro-cef">
  <program_name>CEF</program_name>
  <prematch>Trend Micro\|Deep Security</prematch>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>(\d+)</regex>
  <order>id</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|\.+\|\.+\|\.+\|\.+\|(\S+\p\s\S+\s\S+)\|</regex>
  <order>name</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|\.+\|(\w+\s\w+\s\w+)</regex>
  <order>product</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|\.+\|\.+\|\.+\|\.+\|\.+\|(\d+)</regex>
  <order>severity</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|\.+\|\.+\|\.+\|(\d+)</regex>
  <order>signature</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|(\w+\s\w+)</regex>
  <order>vendor</order>
</decoder>

<decoder name="trendmicro-cef-child">
  <parent>trendmicro-cef</parent>
  <regex>\d+\|\.+\|\.+\|(\d+\p\d+\p\d+)</regex>
  <order>version</order>
</decoder>




Rules:

<group name="trendmicro,debug">
  <rule id="100111" level="15">
    <decoded_as>trendmicro-cef</decoded_as>
    <description>DEBUG: Any Trend Micro CEF</description>
  </rule>
</group>



Use ID numbers between 100000 and 120000 for custom rules to avoid conflicts.
Ref: Adding custom rules


 
Make sure to restart the Wazuh manager or reload the analysisd to apply the changes.
Let me know if this works for you.
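The two points made in this thread, that the manager-added archive header must be stripped before a log is pasted into Ruleset test, and which header fields the sample decoders pull out of the CEF line, can be checked offline with the small parser below. It is an added example, not code from Md. Nazmur Sakib, Trend Micro or the Wazuh project; it assumes the archive header has the shape shown in this thread (`YYYY Mon DD HH:MM:SS host->location`) and uses the field names the Ruleset test output printed (`id`, `vendor`, `product`, `version`, `signature`, `name`, `severity`). It goes beyond the thread's decoders in one way: it also parses the CEF extension (`key=value` pairs such as `src`, `suser`, `msg`), which is the same for every Deep Security event regardless of which message text follows the header.

```python
import re
from typing import Dict, List, Tuple

# Header that wazuh-manager prepends to every archives.log line, in the shape
# seen in this thread (assumption): "<YYYY Mon DD HH:MM:SS> <host>-><location> <event>".
ARCHIVE_HEADER = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \S+->\S+\s+")

# The seven CEF header fields in the order the format defines them; the names
# follow the Ruleset test output quoted in the thread ("id" is the CEF version).
CEF_HEADER_FIELDS = ("id", "vendor", "product", "version", "signature", "name", "severity")

# An extension key starts the string or follows whitespace and ends at '='.
EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Constructed sample: the archives.log line quoted earlier in this thread.
ARCHIVE_LINE = ("2026 Apr 21 16:31:01 DeepSecurityABCD->192.168.1.1 "
                "2026-04-21T09:07:28+07:00 DeepSecurityABCD CEF:0|Trend Micro|"
                "Deep Security Manager|20.0.1112|276|Update: Summary Information|3|"
                "src=192.168.1.1 suser=System target=192.168.1.2 msg=Description Omitted "
                "TrendMicroDsTenant=Primary TrendMicroDsTenantId=0")


def strip_archive_header(line: str) -> str:
    """Return the event as the endpoint sent it: the text to paste into Ruleset test."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def matches_prematch(event: str) -> bool:
    """Same condition as the thread's <prematch>Trend Micro\\|Deep Security</prematch>."""
    return "Trend Micro|Deep Security" in event


def split_cef_header(body: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited header fields; '\\|' and '\\\\' are CEF escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])        # escaped pipe or backslash inside a field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))    # field boundary
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, body[i:]                # whatever follows the 7th pipe is the extension


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value'; values may contain spaces and escaped '\\='."""
    out: Dict[str, str] = {}
    keys = list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].rstrip().replace("\\=", "=")
    return out


def decode(line: str) -> Dict[str, str]:
    """Archive line or raw syslog event -> flat dict of CEF header + extension fields."""
    event = strip_archive_header(line)
    if not matches_prematch(event):
        raise ValueError("prematch failed: not a Deep Security CEF event")
    start = event.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in event")
    header, ext = split_cef_header(event[start + 4:])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    decoded = dict(zip(CEF_HEADER_FIELDS, header))
    decoded.update(parse_extension(ext))
    return decoded


if __name__ == "__main__":
    # The same fields come out whether the line carries the archive header or not.
    for key, value in decode(ARCHIVE_LINE).items():
        print(f"{key}: {value!r}")
```

Running it on the quoted archive line prints the same seven header values the Ruleset test showed in Phase 2, followed by the extension fields; feeding `strip_archive_header(ARCHIVE_LINE)` (the endpoint's own event) gives an identical result, which is the property the thread relies on when it says decoders should be written and tested against the forwarded log rather than the archive line.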

Nhân Nguyễn

Apr 23, 2026, 7:34:42 AM (4 days ago) Apr 23
to Wazuh | Mailing List
Dear Md. Nazmur Sakib,

I have a question: since Trend Micro sends many logs in different formats as shown below,

2026 Apr 22 23:59:58 DeepSecurityABCD->192.168.1.1 2026-04-23T00:01:24+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|2601|Software Update: Integrity Monitoring Module Installation Successful|3|src=192.168.1.1 suser=System target=192.168.1.1 msg=Installation of Feature-IM-RedHat_EL9-90.0.3.rpm 'IM' succeeded TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

2026 Apr 22 23:59:58 DeepSecurityABCD->192.168.1.1 2026-04-23T00:01:24+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|2909|Agent Self-Protection disabled|3|src=192.168.1.1 suser=System target=192.168.1.1 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

2026 Apr 22 23:59:58 DeepSecurityABCD->192.168.1.1 2026-04-23T00:01:24+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|2401|Software Update: Firewall Module Installation Successful|3|src=192.168.1.1 suser=System target=192.168.1.1 msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0  

2026 Apr 22 23:59:58 DeepSecurityABCD->192.168.1.1 2026-04-23T00:01:24+07:00 DeepSecurityABCD CEF:0|Trend Micro|Deep Security Manager|20.0.1112|706|Software Update: Agent Software Upgraded|3|src=192.168.1.1 suser=System target=192.168.1.1 msg=Agent software upgraded to version 100.0.1.0.\n\nInstall log:\n\nwarning: /opt/ds_agent/Agent-PGPCore-RedHat_EL9-90.0.3.rpm: Header V4 RSA/SHA512 Signature, key ID e1051cbd: NOKEY\nBegin Agent weak cert validation ...\nStopping old versions...\n/var/opt/ds_agent /\n/\nThis installer is PGP signed, signature is RSA/SHA512 RSA/SHA512\nenable ds_agent service with systemd\nCreated symlink from /etc/systemd/system/multi-user.target.wants/ds_agent.service to /usr/lib/systemd/system/ds_agent.service.\n2026-04-23 00:01:11.000000 [+0700]: [Info/5]  SQLITE_INFO[283]: recovered 74 frames from WAL file /var/opt/ds_agent/dsa_core/ds_agent.db-wal  dsa/core/db/SqliteDb.cpp:629:dsa_sqlite3_logerror  2FBB:7F166C0BB700:CScriptThread\n2026-04-23 00:01:11.968918 [+0700]: [Info/5]  Format version: 2  ...space/build_dsa-core_master/dsa/core/scripts/dsa_9up.lua:199:get_format_version  2FBB:7F166C0BB700:CScriptThread\n2026-04-23 00:01:11.970919 [+0700]: [Info/5]  no migration needed for db /var/opt/ds_agent/dsa_core/ds_agent.db  ...space/build_dsa-core_master/dsa/core/scripts/dsa_9up.lua:219:(null)  2FBB:7F166C0BB700:CScriptThread\nReset BLP\nDSA service started. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 


is there a way to write a decoder to extract data for each log format?

Nhân Nguyễn

Apr 23, 2026, 7:34:42 AM (4 days ago) Apr 23
to Wazuh | Mailing List
Dear Md. Nazmur Sakib,

I tried the decoder and ruleset you sent me, and when I applied them, an alert appeared. Thank you very much.