Disable IIS decoders


George Paun

Jan 8, 2026, 2:20:33 AM
to Wazuh | Mailing List
Hi guys,

I need to start from scratch with decoders for IIS.
How can I disable the default decoders?

I made other decoders and I want to test these ones. Could you check whether these are OK? I can't give you logs because of policy.

Thanks,
George

IIS decoders.txt

Bony V John

Jan 8, 2026, 2:37:33 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Jan 8, 2026, 4:52:17 AM
to Wazuh | Mailing List
Hi,

You can exclude default decoders by adding a decoder exclude configuration in the Wazuh Manager ossec.conf file, as shown below:
<decoder_exclude>ruleset/decoders/<decoder-file-name>.xml</decoder_exclude>

This configuration must be added inside the <ruleset> tag, and you need to specify the exact default decoder file name in <decoder-file-name>.xml.

However, in your case, you are talking about disabling a default decoder file, and it seems you are referring to 0380-windows_decoders.xml. This file contains multiple decoders, not just a single one.

In this situation, I recommend the following approach instead of disabling the entire decoder file directly:

1. Copy the default decoder file to the local decoders directory

cp /var/ossec/ruleset/decoders/0380-windows_decoders.xml /var/ossec/etc/decoders/local-windows_decoders.xml

2. Edit the copied decoder file (modify only the required decoders and don't change the parent decoder names)
vi /var/ossec/etc/decoders/local-windows_decoders.xml
Modify only the required decoders or add your custom decoders in this file.
Note: I do not recommend removing all decoders from this file. The 0380-windows_decoders.xml file contains multiple decoders that are mapped to default Wazuh rules. Removing them entirely can break rule dependencies and may cause the Wazuh Manager to behave unexpectedly.

These documents can be helpful for writing the decoders.

3. Next, change the file permissions and ownership of the custom decoder file.
chmod 660 /var/ossec/etc/decoders/local-windows_decoders.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local-windows_decoders.xml

4. After that, go to the manager's ossec.conf
vi /var/ossec/etc/ossec.conf

5. Under the <ruleset> tag, add this line to exclude the default decoder file.
<decoder_exclude>ruleset/decoders/0380-windows_decoders.xml</decoder_exclude>

6. Now restart the Wazuh manager.
systemctl restart wazuh-manager

Check this document to learn more about modifying the existing decoder:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html#modify-default-decoders

Regarding the shared custom decoder, there was an issue related to a newline character. I have updated that and attached the decoder file here. The decoder looks fine syntactically, but I cannot fully confirm its correctness because the regex patterns depend on the exact log format being processed.
IIS decoders.txt
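The six steps in the reply above, collected into one rehearsable shell script. This is an added example, not code from the thread or from the Wazuh project: the function names and the sandbox helper are my own, the paths follow the standard Wazuh manager layout under OSSEC_DIR (default /var/ossec), and the ossec.conf and decoder file the sandbox writes are constructed stand-ins, not the real files. The point it adds over the manual steps is that every operation is idempotent (re-running it never duplicates the <decoder_exclude> line or clobbers a local edit) and can be checked before the manager is restarted.

```shell
#!/bin/sh
# Added example (not Wazuh's own tooling): the reply's manual steps as
# idempotent functions, plus a throwaway sandbox to rehearse them in.
set -eu

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"   # real manager: /var/ossec

# Steps 1 and 3: copy a stock decoder file into etc/decoders (where the
# manager loads local files) and set the permissions/ownership the reply uses.
localize_decoder() {
    src="$OSSEC_DIR/ruleset/decoders/$1"
    dst="$OSSEC_DIR/etc/decoders/$2"
    [ -f "$src" ] || { echo "missing stock decoder: $src" >&2; return 1; }
    [ -e "$dst" ] || cp "$src" "$dst"      # never overwrite an existing local edit
    chmod 660 "$dst"
    # chown only succeeds as root on a real manager; skipped silently in a sandbox.
    id wazuh >/dev/null 2>&1 && chown wazuh:wazuh "$dst" 2>/dev/null || true
}

# Steps 4 and 5: insert <decoder_exclude> directly after the first <ruleset>
# opening tag in ossec.conf, exactly once; a second call is a no-op.
exclude_decoder() {
    conf="$OSSEC_DIR/etc/ossec.conf"
    line="<decoder_exclude>ruleset/decoders/$1</decoder_exclude>"
    grep -qF "$line" "$conf" && return 0
    grep -q '<ruleset>' "$conf" || { echo "no <ruleset> block in $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    awk -v ins="    $line" '
        { print }
        !done && /<ruleset>/ { print ins; done = 1 }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"   # rewrite in place, keeping mode/owner
}

# How many times the exclude line for a given file appears (should be 0 or 1).
exclude_count() {
    grep -cF "<decoder_exclude>ruleset/decoders/$1</decoder_exclude>" \
        "$OSSEC_DIR/etc/ossec.conf" || true
}

# Steps 1-5 for the file discussed in the thread. Step 6 (restart) is left to
# the operator: systemctl restart wazuh-manager
apply_windows_decoder_override() {
    localize_decoder 0380-windows_decoders.xml local-windows_decoders.xml
    exclude_decoder 0380-windows_decoders.xml
}

# Rehearsal sandbox: constructed ossec.conf and a constructed stand-in for
# 0380-windows_decoders.xml, so the functions can be exercised without
# touching a real manager. Prints the sandbox path for use as OSSEC_DIR.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/ruleset/decoders" "$sb/etc/decoders"
    cat > "$sb/etc/ossec.conf" <<'EOF'
<ossec_config>
  <ruleset>
    <decoder_dir>ruleset/decoders</decoder_dir>
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
  </ruleset>
</ossec_config>
EOF
    cat > "$sb/ruleset/decoders/0380-windows_decoders.xml" <<'EOF'
<!-- constructed stand-in for the stock file, not the real Wazuh decoders -->
<decoder name="windows">
  <prematch>WinEvtLog: </prematch>
</decoder>
EOF
    echo "$sb"
}
```

To rehearse, run `OSSEC_DIR=$(make_sandbox); apply_windows_decoder_override` and inspect `$OSSEC_DIR/etc/ossec.conf`; on the manager, run the same function as root with the default OSSEC_DIR, then restart wazuh-manager and feed a sample IIS line to /var/ossec/bin/wazuh-logtest to confirm the local decoder, not the stock one, is what fires.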

George Paun

Jan 8, 2026, 5:14:19 AM
to Wazuh | Mailing List
Thanks, Bony, for the steps to disable the default decoders. Can you look at the decoders I made?
Do you have any other suggestions? I need to extract all the information I can from IIS, including which link is accessed.

Thanks,
George

Bony V John

Jan 8, 2026, 10:56:56 PM
to Wazuh | Mailing List
Hi,

I have already gone through the decoder file you shared, and I provided the updated decoder file in my previous response. In the decoder file you shared, there were newline characters inside the <order> tag, which caused the issue. I have corrected that in the updated decoder and shared it with you.

Additionally, I would like to suggest not replacing the entire default decoder file 0380-windows_decoders.xml with the custom decoder you shared. Replacing the full default decoder file can affect default rule dependencies and may cause the Wazuh manager to fail when those default decoders are excluded.

Instead, I recommend following the steps I shared earlier:

  • Copy the default 0380-windows_decoders.xml file to a custom decoder file.

  • Modify the required decoder or add your new custom decoder in the copied file.

  • If needed, adjust the existing decoder regex in that copied file based on your requirements.

This approach ensures that default rule dependencies remain intact and avoids stability issues on the Wazuh manager.

You can refer to the Wazuh decoder syntax documentation for creating or modifying decoders.

Please let me know if you have any further questions.
