Hi July!
To override a default decoder you shouldn't update the original file, since any changes in the /var/ossec/ruleset/decoders folder will be lost in the update process. The override procedure is:
1. Copy the decoder file from the default folder to the user folder /var/ossec/etc/decoders in order to keep the changes.
2. Exclude the original decoder file from the OSSEC loading list. To do this, use the tag <decoder_exclude> in the ossec.conf file. Thus, the specified decoder will not be loaded from the default decoder folder, and the decoder file saved in the user folder will be loaded instead.
3. Perform the changes in the file you copied in /var/ossec/etc/decoders.
Bear in mind that, if updates to the public Wazuh Ruleset include changes to the decoder you overrode, they will not apply to you since you are no longer loading that decoder file from the standard location that gets updates. Here's the documentation section about overriding a decoder:
I hope this response was helpful! If you have any follow-up questions, please do not hesitate to ask.
Kind regards,
Asun Gómez
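
The three steps from the reply above as a shell function, added here as an example; it is not part of the original reply or of Wazuh's own tooling. The function name `override_decoder` and the decoder file name in the usage comment are hypothetical, and the exclude path is assumed to be written relative to the install root.

```shell
#!/bin/sh
# Added example: override a stock decoder so local edits survive upgrades.
# Usage (placeholder file name): override_decoder /var/ossec 0000-example_decoders.xml
override_decoder() {
    root=$1; name=$2
    src="$root/ruleset/decoders/$name"
    dst="$root/etc/decoders/$name"
    conf="$root/etc/ossec.conf"
    # Assumption: the exclude path is relative to the install root.
    exclude="<decoder_exclude>ruleset/decoders/$name</decoder_exclude>"

    [ -f "$src" ] || { echo "no such stock decoder: $src" >&2; return 1; }
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    grep -q '</ruleset>' "$conf" || { echo "no ruleset block in $conf" >&2; return 1; }

    # Step 1: copy to the user folder; never clobber an already customised copy.
    mkdir -p "$root/etc/decoders"
    [ -f "$dst" ] || cp -p "$src" "$dst"

    # Step 2: exclude the stock file, once, just before the first </ruleset>.
    # The config is rewritten in place so its owner and mode are kept.
    if ! grep -qF "$exclude" "$conf"; then
        cp -p "$conf" "$conf.bak"
        awk -v line="    $exclude" '
            !seen && /<\/ruleset>/ { print line; seen = 1 }
            { print }
        ' "$conf.bak" > "$conf"
    fi
    # Step 3 is manual: edit "$dst", then restart the manager
    # (e.g. systemctl restart wazuh-manager) so the override is loaded.
}
```

Running it twice is safe: the second run leaves both the customised copy and the single exclude line untouched.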