Can I set priority on decoder files in wazuh.
268 views
Skip to first unread message
Bony John
Mar 27, 2023, 1:38:15 AM3/27/23
to Wazuh mailing list
Hi,
In wazuh decoder, when a new log hit to my decoder and don't have a decoder for that certain log I need a common decoder for match that(it will prematch all logs). for that I need to set a least priority level for that common decoder file.
is it possible?
if it is possible how can I do it?
elw...@wazuh.com
Mar 27, 2023, 2:51:19 AM3/27/23
to Wazuh mailing list
Hello Bony,
The best approach to catch all the logs, whether it has a decoder or not, is by enabling the archives (logall_json https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/global.html?highlight=logall#logall-json) and all logs will be in the archives.json file which you can forward to the archives index. however, the decoder reading priority relies on the digit that is before the decoder file name as you can see below from the ruleset :
Wazuh analysisD starts with 0005, 0006, ... etc. you can create a custom decoder file name as 0004-testt.xml, but be careful as it might break the parsing for certain logs.
I hope it helps.
Regards,
Wali
The best approach to catch all the logs, whether it has a decoder or not, is by enabling the archives (logall_json https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/global.html?highlight=logall#logall-json) and all logs will be in the archives.json file which you can forward to the archives index. however, the decoder reading priority relies on the digit that is before the decoder file name as you can see below from the ruleset :
Wazuh analysisD starts with 0005, 0006, ... etc. you can create a custom decoder file name as 0004-testt.xml, but be careful as it might break the parsing for certain logs.
I hope it helps.
Regards,
Wali
Reply all
Reply to author
Forward
0 new messages