ERROR: Too many fields for JSON decoder on Wazuh


Henry Valero

Jun 2, 2026, 6:38:05 PM
to Wazuh | Mailing List
Hi,

I have a distributed Wazuh (4.12.0) and I'm ingesting logs from Zeek and Suricata among my other agents, and in the manager I get this error:

tail -f /var/ossec/logs/ossec.log
2026/06/02 17:32:14 wazuh-analysisd: ERROR: Too many fields for JSON decoder.
2026/06/02 17:32:14 wazuh-analysisd: ERROR: Too many fields for JSON decoder.

I have added to the end of this file /var/ossec/etc/internal_options.conf:
analysisd.json_max_fields=4096
And yet the error persists. How can I fix this?

Regards,
Henry

Stuti Gupta

Jun 2, 2026, 11:08:50 PM
to Wazuh | Mailing List
Hi Henry,

To fix the issue, you need to change the value of the field analysisd.decoder_order_size, not analysisd.json_max_fields, in the /var/ossec/etc/internal_options.conf file.
Please modify this entry:

# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256

Change the value to 1024.

Then restart the wazuh-manager:
systemctl restart wazuh-manager

Let me know if this resolves your issue.
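
A way to find which Zeek or Suricata JSON events are wide enough to hit the limit discussed above, as an added example that is not part of the thread or of Wazuh's own code: it counts leaf fields per log line and compares them with the 256 entry and the 1024 maximum quoted in the reply. The counting model (one field per scalar in nested objects, one per array of scalars) and the names count_fields, audit, make_event and SAMPLE are assumptions.

```python
import json

# Values quoted in the reply: the existing entry (256) and the top of the range (1024).
CURRENT_ORDER_SIZE = 256
MAX_ORDER_SIZE = 1024


def count_fields(value):
    """Count leaf fields (assumed model: one per scalar, one per array of scalars)."""
    if isinstance(value, dict):
        return sum(count_fields(v) for v in value.values())
    if isinstance(value, list) and any(isinstance(v, (dict, list)) for v in value):
        return sum(count_fields(v) for v in value)
    return 1


def audit(lines, limit=CURRENT_ORDER_SIZE):
    """Return (line_number, field_count, verdict) for every line worth a look."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            fields = count_fields(json.loads(line))
        except json.JSONDecodeError:
            findings.append((number, 0, "not valid JSON"))
            continue
        if fields > MAX_ORDER_SIZE:
            findings.append((number, fields, "over the 1024 ceiling, trim at the source"))
        elif fields > limit:
            findings.append((number, fields, "needs a higher decoder_order_size"))
    return findings


def make_event(n):
    """Constructed test event with exactly n leaf fields."""
    stats = {f"counter_{i}": i for i in range(n - 1)}
    return json.dumps({"event_type": "stats", "stats": stats})


# Constructed sample lines, not taken from the thread.
SAMPLE = [
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10",
                "flow": {"pkts_toserver": 3, "pkts_toclient": 2}, "tags": ["a", "b"]}),
    make_event(300),
    make_event(1100),
    '{"truncated": ',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Events that stay above 1024 fields after the change cannot be covered by raising the setting, so they need to be reduced at the log source.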

Henry Valero

Jun 3, 2026, 3:07:54 PM
to Wazuh | Mailing List
Thanks,
Yes, the error has been corrected.

Regards,
Henry