help with decoder


brandon echenique garcia

May 23, 2023, 7:20:48 PM
to Wazuh mailing list
I have the following log:
May 16 18:43:43 mail amavis[23420]: (23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms

And I've created this decoder:
<decoder name="postfix_amavis">
  <program_name>^amavis</program_name>
</decoder>
<decoder name="postfix_amavis1">
  <parent>postfix_amavis</parent>
  <regex>^Passed (\w+) (\S+,\S+), \S+ \w+ [(\S+)]:(\d+) (\S+) \p\p (\S+),(\S+), Queue-ID: (\S+), Message-ID: (\S+), mail_id: (\S+), Hits: -(\S+), size: (\d+), queued_as: (\S+), \d+ \w\w</regex>
  <order>aone, atwo, athree, afour, afive, asix, aseven, queue, messa, maild, hits, size, queas</order>
</decoder>

But it does not work.


It should be noted that before creating my decoder I did the following:
1.- exclude the decoder 0220-postfix......
<ruleset>
  ...
  <decoder_exclude>ruleset/decoders/0220-postfix_decoders.xml</decoder_exclude>
  ...
</ruleset>
2.- Copy the existing decoder to /var/ossec/etc/decoders/
3.- I added the block of code below into the newly copied .xml file.
What's my mistake?




Antonio Kim

May 24, 2023, 4:38:43 AM
to Wazuh mailing list
Hi Brandon!

Let me check your decoder and I will elaborate an answer for you.

First, let me ask, did you use decoder_exclude for any specific purpose?

Antonio

Antonio Kim

May 24, 2023, 4:59:27 AM
to Wazuh mailing list
Checking your decoder, I have these findings:

1. Checking if there was another decoder that could conflict:

------------------------------------------------------
May 16 18:43:43 mail amavis[23420]: (23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms

**Phase 1: Completed pre-decoding.
full event: 'May 16 18:43:43 mail amavis[23420]: (23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms'
timestamp: 'May 16 18:43:43'
hostname: 'mail'
program_name: 'amavis'

**Phase 2: Completed decoding.
No decoder matched.
------------------------------------------------------
I could not find a Wazuh decoder that would conflict with your new decoder.

2. Checking your decoder:

-----------------------------------------------------
May 16 18:43:43 mail amavis[23420]: (23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms

**Phase 1: Completed pre-decoding.
full event: 'May 16 18:43:43 mail amavis[23420]: (23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms'
timestamp: 'May 16 18:43:43'
hostname: 'mail'
program_name: 'amavis'

**Phase 2: Completed decoding.
name: 'postfix_amavis'
-----------------------------------------------------
I could not find the fields that you are trying to get from the log.

In order to make it simple:

1. I recommend that you follow this structure:

<decoder name="name_of_decoder">
    <prematch>{the fixed structure of the log you want to decode, written as a regex}</prematch>
    <regex>{the complete regex for capturing the fields that you want to get from the log}</regex>
    <order>{names of the fields, one per capture group}</order>
</decoder>

2. Use /var/ossec/bin/wazuh-logtest to check if the decoder is working (you have to restart it whenever you are trying an update of your decoder).
3. After you have checked that the decoder is working, create the rule.

Here you have a clear example of a use case.
(attachment: decoders.png)

Please do not hesitate to contact me if you need further information.

Here I am attaching some official documentation in case you want to recheck.

Antonio

brandon echenique garcia

May 24, 2023, 1:54:17 PM
to Wazuh mailing list
Thanks for all the support,

I've been able to create my own decoder; I realized the error that I had in my structure.
I am publishing the correct decoder in case it is of help to someone in the community.

<decoder name="postfix_amavis">
  <program_name>^amavis</program_name>
</decoder>

<decoder name="postfix_amavis1">
  <parent>postfix_amavis</parent>
  <regex>Passed (\w+) {(\S+,\S+)}, \S+ \w+ [(\S+)]:(\d+) (\S+) \p\p (\S+),(\S+), Queue-ID: (\w+), Message-ID: (\S+), mail_id: (\w+), Hits: -(\d+.\d+), size: (\d+), queued_as: (\S+), \d+ \w\w</regex>
  <order>amavis.uno, amavis.dos, amavis.tres, amavis.cuatro, amavis.cinco, amavis.seis, amavis.siete, queue, messa, maild, hits, size, queas</order>
</decoder>


Regards!
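
To check a decoder regex offline before loading it into the manager, here is an added Python script (not from this thread and not Wazuh code) that translates the OS_Regex subset used in these decoders into a Python regex and runs both regexes posted above against the log body, mapping the capture groups to the <order> names as the structure Antonio describes requires. It assumes the child decoder's regex is applied to the text left after the syslog header that logtest strips in phase 1, and that OS_Regex backtracks on + the way Python's re does; /var/ossec/bin/wazuh-logtest remains the authority for doubtful cases.

```python
import re
# Log body as wazuh-logtest shows it after phase 1 (syslog header stripped). Assumption for
# this example: the child decoder's regex runs on this remainder, so "^Passed" cannot match.
LOG_BODY = ("(23420-01) Passed CLEAN {RelayedInternal,RelayedOutbound}, ORIGINATING_POST/MYNETS "
            "LOCAL [127.0.0.1]:46806 <a..@.p> -> <r9@h.m>,<a..@.p>, Queue-ID: B2BD91F27FAF, "
            "Message-ID: <466631821.596.1684280598263.JavaMail.zimbra@.p>, mail_id: zicVENCrvOAP, "
            "Hits: -101.804, size: 2229, queued_as: 8BBD61F27E56/AFA351F2806F, 24903 ms")
# The two <regex> bodies from the thread (anchored first attempt, then the fix) and the <order>.
FIRST_REGEX = (r"^Passed (\w+) (\S+,\S+), \S+ \w+ [(\S+)]:(\d+) (\S+) \p\p (\S+),(\S+), "
               r"Queue-ID: (\S+), Message-ID: (\S+), mail_id: (\S+), Hits: -(\S+), "
               r"size: (\d+), queued_as: (\S+), \d+ \w\w")
FIXED_REGEX = (r"Passed (\w+) {(\S+,\S+)}, \S+ \w+ [(\S+)]:(\d+) (\S+) \p\p (\S+),(\S+), "
               r"Queue-ID: (\w+), Message-ID: (\S+), mail_id: (\w+), Hits: -(\d+.\d+), "
               r"size: (\d+), queued_as: (\S+), \d+ \w\w")
FIXED_ORDER = ("amavis.uno, amavis.dos, amavis.tres, amavis.cuatro, amavis.cinco, "
               "amavis.seis, amavis.siete, queue, messa, maild, hits, size, queas")

# OS_Regex backslash classes (Wazuh regex syntax reference) expressed as Python classes.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]", "d": r"[0-9]", "D": r"[^0-9]",
    "s": r" ", "S": r"[^ ]", "t": r"\t",
    "p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
    ".": r".",  # "\." is any character; a bare "." is a literal dot in OS_Regex
}
def os_regex_to_python(pattern):
    """Translate the OS_Regex subset decoders use: only \\classes, + * ^ $ | and ( ) are
    special; [ ] { } . are literals. Backtracking of + is assumed to match Python's."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "()+*^$|" else re.escape(c))
            i += 1
    return "".join(out)

def decode(os_pattern, order, body):
    """Apply a decoder <regex> to a log body; None means no match (logtest shows only the parent)."""
    m = re.search(os_regex_to_python(os_pattern), body)
    if m is None:
        return None
    names = [n.strip() for n in order.split(",")]
    # Capture groups and <order> names must line up one to one; fail loudly instead of mislabelling.
    assert len(names) == m.re.groups, f"{m.re.groups} groups vs {len(names)} order names"
    return dict(zip(names, m.groups()))

print(decode(FIRST_REGEX, FIXED_ORDER, LOG_BODY))  # None
print(decode(FIXED_REGEX, FIXED_ORDER, LOG_BODY))  # {'amavis.uno': 'CLEAN', ..., 'queas': ...}
```

The first regex fails only because of the leading ^, which in this position has to match at "(23420-01)"; the printed dictionary for the fixed one is the field set a rule can then reference.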

