GitLab logs JSON


Kevin Truder

Mar 17, 2026, 5:30:33 AM
to Wazuh | Mailing List
Hi,

My organization wants to ingest logs from its GitLab into its Wazuh instance. While the deprecated application.log is perfectly decoded and matched, the JSON format that replaces it, which shouldn't need a decoder if I understand correctly, doesn't match at all. Did I miss something? I have no permission to log in to the GitLab hosting machine, so debugging this is tricky.
Sample logs can be found in the linked GitLab doc. With wazuh-logtest, the JSON format is decoded and left unmatched, while the old format generates alerts.

Thanks in advance,

Kev

Matias Ezequiel Latorre

Mar 17, 2026, 7:57:27 AM
to Wazuh | Mailing List

Hi Kevin,

You are correct that JSON logs do not require a custom decoder, and your observation is accurate: the events are being decoded properly but remain unmatched.

This behavior is expected.

Wazuh processes logs in two stages:

  1. Decoding (which is working correctly in your case)

  2. Rule matching (which is where your events are not matching)

The built-in GitLab rules do support JSON logs, but they are quite specific about the field combinations they expect.

For example, I tested your sample and it only matched a built-in rule when using "severity":"ERROR". With "severity":"INFO", the event is correctly decoded but does not match any rule.

This confirms that:

  • JSON decoding is working correctly

  • GitLab rules are present and functional

  • But not all JSON events from application_json.log match the existing rules

So the difference you are seeing between application.log and application_json.log is due to rule coverage, not decoding.

If your logs have different field values or structures than those expected by the built-in rules, they will be decoded but remain unmatched. In those cases, creating custom local rules based on the actual JSON fields received is the recommended approach.

Official documentation for creating rules:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

Testing rules with wazuh-logtest:
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

Below is a simple example of a custom rule for INFO-level events. This is just a generic starting point and should be refined based on the exact structure of the JSON events you receive:

<group name="gitlab,gitlab_json,">
  <rule id="100500" level="3">
    <decoded_as>json</decoded_as>
    <field name="correlation_id">\w+</field>
    <field name="severity">^INFO$</field>
    <field name="message">.+</field>
    <description>(GitLab) INFO: $(message)</description>
    <options>no_full_log</options>
  </rule>
</group>

This example includes correlation_id to better scope the rule to GitLab-style events and avoid matching unrelated JSON logs.

You can start from this and progressively refine rules for specific actions (user creation, project changes, etc.) depending on your needs.

Best regards.
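As an added illustration (not Wazuh's own code and not part of this thread), here is a small Python model of the two stages described in the reply above. It parses the custom rule exactly as written there, translates each <field> condition into a Python regex, and runs it over constructed JSON lines in the shape of application_json.log. Assumptions: in Wazuh's OS_Regex, \w covers letters, digits, "@" and "_", and "^", "$", "." and "+" behave as in Python for these three patterns; nested JSON keys are addressed as parent.child; the sample lines and their correlation IDs are made up for the example. The point is to see why an INFO event matches rule 100500 while an ERROR event, an event lacking correlation_id, unrelated JSON and a non-JSON line are decoded (or not decoded) but remain unmatched.

```python
"""Toy model of Wazuh's decode-then-match pipeline for JSON log lines.

Added example only: this is NOT the Wazuh analysis engine and it does not
reproduce OS_Regex. It is just enough to show why the rule below fires on
one constructed GitLab-style event and not on the others.
"""
import json
import re
import xml.etree.ElementTree as ET

# The custom rule from the reply, verbatim.
RULE_XML = r"""<group name="gitlab,gitlab_json,">
  <rule id="100500" level="3">
    <decoded_as>json</decoded_as>
    <field name="correlation_id">\w+</field>
    <field name="severity">^INFO$</field>
    <field name="message">.+</field>
    <description>(GitLab) INFO: $(message)</description>
    <options>no_full_log</options>
  </rule>
</group>"""

# Constructed sample input (not taken from GitLab or Wazuh documentation):
# an INFO event, an ERROR event, an INFO event without correlation_id,
# JSON from an unrelated application, and a plain non-JSON line.
SAMPLE_LINES = [
    '{"severity":"INFO","time":"2026-03-17T05:30:00.000Z","correlation_id":"abc123",'
    '"message":"User alice (alice@example.com) was created"}',
    '{"severity":"ERROR","time":"2026-03-17T05:31:00.000Z","correlation_id":"def456",'
    '"message":"Failed to remove project"}',
    '{"severity":"INFO","time":"2026-03-17T05:32:00.000Z","message":"no correlation id"}',
    '{"level":"info","msg":"unrelated JSON from another application"}',
    'Mar 17 05:33:00 gitlab-host sshd[1234]: plain syslog line, not JSON',
]


def os_regex_to_python(pattern):
    """Approximate translation of the OS_Regex subset used by the rule above.

    Assumption: \\w means letters, digits, '@' and '_'; '^', '$', '.' and '+'
    are left as-is because they mean the same thing in Python for these patterns.
    """
    return pattern.replace(r"\w", "[A-Za-z0-9@_]")


def load_rules(xml_text):
    """Parse every <rule> into a dict with compiled <field> checks."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level", "0")),
            "decoded_as": (rule.findtext("decoded_as") or "").strip(),
            "fields": [(f.get("name"), re.compile(os_regex_to_python(f.text or "")))
                       for f in rule.findall("field")],
            "description": rule.findtext("description") or "",
        })
    return rules


def lookup(event, name):
    """Resolve a field name against the decoded JSON; 'a.b' addresses a nested key."""
    cur = event
    for part in name.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match(rule, event):
    """Return the rendered description if every <field> check passes, else None."""
    for name, regex in rule["fields"]:
        value = lookup(event, name)
        if value is None or not regex.search(str(value)):
            return None
    # $(field) in <description> expands to the event's value for that field.
    return re.sub(r"\$\((\w+(?:\.\w+)*)\)",
                  lambda m: str(lookup(event, m.group(1)) or ""),
                  rule["description"])


def process(line, rules):
    """Stage 1: decode (JSON or nothing). Stage 2: first rule whose fields match."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # the json decoder does not fire, so a decoded_as=json rule cannot match
    if not isinstance(event, dict):
        return None
    for rule in rules:
        if rule["decoded_as"] not in ("", "json"):
            continue
        desc = match(rule, event)
        if desc is not None:
            return (rule["id"], rule["level"], desc)
    return None  # decoded, but unmatched: exactly what wazuh-logtest reports for these


def run_samples():
    rules = load_rules(RULE_XML)
    return [process(line, rules) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, run_samples()):
        print(result or "unmatched", "<-", line[:70])
```

Only the first line produces an alert; the ERROR line fails the ^INFO$ check, the third and fourth lack correlation_id, and the syslog line never reaches rule matching because nothing decodes it as JSON. When a real event stays unmatched in wazuh-logtest, compare the field names it prints in the decoding stage against the <field> names in the rule before anything else.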
