Locating decoder syscheck_registry_key_added


David Adonis

Oct 7, 2025, 1:37:07 PM (12 days ago) Oct 7
to Wazuh | Mailing List
Hi everyone, I have some issues with Wazuh's rules and need some help.

Context:
I'm monitoring the Windows Registry with FIM, and there are built-in rules (594, 597, 598) for this action.

Issue:
[attachment: Screenshot 2025-10-07 232714.png]
- Issue 1: Inside the rule file which defines rules 594, 597 and 598, I saw the decoder for these rules. However, I couldn't find where the "syscheck_registry_key_added" decoder is located; the same goes for "syscheck_registry_key_deleted" and "syscheck_registry_key_modified".

- Issue 2: When I read the full alert for rule ID 598 on the Dashboard, it was obvious that the alert had a field called "full_log." However, when I edited the rule to access that field via $(full_log), the result was as in the picture below. I also tried with another field, "syscheck.path," but got the same result.
[attachment: Screenshot 2025-10-07 233135.png]
Can anyone help me understand this issue? Thanks.

Olamilekan Abdullateef Ajani

Oct 7, 2025, 2:06:30 PM (12 days ago) Oct 7
to Wazuh | Mailing List
Hello Adonis,

This is not an error; it is in fact by design. FIM events are not handled by regular decoders, which is why you could not locate one; they are generated natively and handled by the syscheck module, which is why you do not see any entry.

What you can tune, though, are the rules, which as you have rightly stated are located in 0015-ossec_rules.xml; you can find the configurable options attached.

That being said, what is your use case regarding full_log? I am not quite clear on your intentions.

I await feedback from you.

[attachment: syscheck.png]

David Adonis

Oct 12, 2025, 3:51:38 PM (7 days ago) Oct 12
to Wazuh | Mailing List

Olamilekan Abdullateef Ajani

Oct 13, 2025, 4:59:52 PM (6 days ago) Oct 13
to Wazuh | Mailing List
Hello Adonis,

Could you please elaborate on your last request? Awaiting feedback from you.

David Adonis

Oct 15, 2025, 8:11:24 AM (4 days ago) Oct 15
to Wazuh | Mailing List
I apologize, I might have missed your response. I will explain my intention.
I'm trying to write a rule to match a value in the $syscheck.path$ field for events from the syscheck_registry_key_added decoder, but it wasn't working. To troubleshoot, I tried displaying the log in the rule description using $(full_log), which is also produced by the same decoder. I noticed on the dashboard that the $syscheck.path$ field was empty (the same with $full_log$), which I think is why my rule was failing. Could you please explain why this field is empty for this type of event? Thanks.
On Tuesday, 14 October 2025 at 03:59:52 UTC+7, Olamilekan Abdullateef Ajani wrote:

Olamilekan Abdullateef Ajani

Oct 17, 2025, 11:36:06 AM (2 days ago) Oct 17
to Wazuh | Mailing List
Hello Adonis,

Apologies for the delayed response; I think I have a fair idea of your intentions. If you want to match the syscheck events, you do not need to reference the decoder. It works just like every other rule override. You can check the screenshot attached; if you want to match the event path in that log, you can make use of a rule similar to the one below:

<group name="syscheck,custom,">
  <rule id="155401" level="0">
    <if_sid>594,597,598</if_sid>
    <field name="file" type="pcre2">^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\.*$</field>
    <description>capture fim events.</description>
  </rule>
</group>

You can find more configurable options in the documentation below regarding rules:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
[attachment: syscheck-log.png]
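The rule above, exercised as an added example that is not part of the thread and not Wazuh's own rule engine: a small Python emulation that parses the posted rule, applies its if_sid chaining and the pcre2 "file" field match to constructed registry-key events, and reports which child rule would fire. Python's re module stands in for PCRE2 here (an assumption that holds for this pattern), and the event field names are assumed to mirror the rule's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rule posted in the thread (not the Wazuh ruleset itself).
RULE_XML = r"""
<group name="syscheck,custom,">
  <rule id="155401" level="0">
    <if_sid>594,597,598</if_sid>
    <field name="file" type="pcre2">^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\.*$</field>
    <description>capture fim events.</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Parse <rule> elements into dicts: id, level, parent ids, and compiled field regexes."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if_sid = rule.findtext("if_sid", "")
        parents = {int(s) for s in if_sid.split(",") if s.strip()}
        fields = []
        for f in rule.findall("field"):
            # Python's re stands in for PCRE2; the doubled backslashes match one literal backslash.
            fields.append((f.get("name"), re.compile(f.text)))
        rules.append({"id": int(rule.get("id")), "level": int(rule.get("level")),
                      "parents": parents, "fields": fields})
    return rules

def match_child_rule(rules, parent_id, event):
    """Return the id of the first rule whose if_sid contains parent_id and whose
    field regexes all match the event's decoded fields, or None if nothing fires."""
    for r in rules:
        if parent_id not in r["parents"]:
            continue
        if all(name in event and rx.search(event[name]) for name, rx in r["fields"]):
            return r["id"]
    return None

# Constructed sample events: (parent rule that fired, decoded fields). The field
# name "file" is the one the posted rule matches on; the paths are made up.
EVENTS = [
    (598, {"file": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{1234}"}),
    (598, {"file": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"}),
    (550, {"file": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{1234}"}),
]

def evaluate(events=EVENTS):
    rules = load_rules(RULE_XML)
    return [match_child_rule(rules, sid, ev) for sid, ev in events]
```

Only the first event fires the custom rule: the second has a path outside the Interfaces key, and the third comes from a parent rule not listed in if_sid.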

David Adonis

Oct 18, 2025, 9:30:14 AM (yesterday) Oct 18
to Olamilekan Abdullateef Ajani, Wazuh | Mailing List
Why can't I use "field name="syscheck.path"" to match and extract the value in "syscheck.path"?

On Fri, 17 Oct 2025 at 22:36, 'Olamilekan Abdullateef Ajani' via Wazuh | Mailing List <wa...@googlegroups.com> wrote: