Hello Bony,
The best approach to catch all the logs, whether they have a decoder or not, is to enable the archives (logall_json,
https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/global.html?highlight=logall#logall-json). All logs will then be in the archives.json file, which you can forward to the archives index. However, the decoder reading priority relies on the digits before the decoder file name, as you can see below from the ruleset:
ls -ll /var/ossec/ruleset/decoders/
total 856
-rw-r-----. 1 root wazuh 1636 Nov 11 15:32 0005-wazuh_decoders.xml
-rw-r-----. 1 root wazuh 386 Nov 11 15:32 0006-json_decoders.xml
-rw-r-----. 1 root wazuh 2787 Nov 11 15:32 0007-wazuh-api_decoders.xml
-rw-r-----. 1 root wazuh 2744 Nov 11 15:32 0010-active-response_decoders.xml
-rw-r-----. 1 root wazuh 846 Nov 11 15:32 0015-aix-ipsec_decoders.xml
-rw-r-----. 1 root wazuh 3562 Nov 11 15:32 0025-apache_decoders.xml

Wazuh analysisd starts with 0005, 0006, ... etc. You can create a custom decoder file with a name such as 0004-testt.xml, but be careful, as it might break the parsing for certain logs.
I hope it helps.
Regards,
Wali
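As an added example (not part of Wali's reply and not Wazuh project code), the script below shows the two points of the reply in runnable form: it orders decoder file names by the numeric prefix the way the ruleset listing is organised, so you can see where a custom file like 0004-testt.xml would land relative to the stock 0005-/0006-/... files, and it scans archives.json-style lines to pick out events that reached the archive without any decoder matching them. The file names and the archive lines are constructed samples; the assumption that an undecoded event carries no "decoder.name" field in its archives.json record is mine, not something stated in the reply.

```python
"""
Added example (not from the original post or the Wazuh project).

  order_decoder_files(): sort decoder file names by the numeric prefix
      before the name, mirroring the load order the reply describes.
  undecoded_events(): scan archives.json lines (produced when
      <logall_json>yes</logall_json> is enabled) and return events that
      carry no decoder name.

Assumption: an event that no decoder matched either lacks the "decoder"
key or has an empty "decoder" object, so "decoder.name" is absent.
"""
import json
import re

# Constructed sample, modelled on the ls output in the reply plus the
# hypothetical custom file 0004-testt.xml.
DECODER_FILES = [
    "0025-apache_decoders.xml",
    "0005-wazuh_decoders.xml",
    "0004-testt.xml",                    # hypothetical custom decoder file
    "0010-active-response_decoders.xml",
    "0006-json_decoders.xml",
    "0007-wazuh-api_decoders.xml",
    "0015-aix-ipsec_decoders.xml",
]

_PREFIX = re.compile(r"^(\d+)-")


def decoder_sort_key(name):
    """Numeric prefix first (so 0004 < 0005 < 0010), then the name itself.
    Files without a numeric prefix sort last."""
    m = _PREFIX.match(name)
    return (int(m.group(1)) if m else float("inf"), name)


def order_decoder_files(names):
    """Return the decoder file names in prefix order."""
    return sorted(names, key=decoder_sort_key)


# Constructed archives.json-style records, one JSON object per line.
# Record 1 was decoded; record 2 has no "decoder" key; record 3 has an
# empty "decoder" object. Only the first one has a decoder name.
ARCHIVE_LINES = r'''
{"timestamp":"2021-01-05T10:00:00.000+0000","agent":{"id":"001","name":"web01"},"location":"/var/log/apache2/error.log","decoder":{"name":"apache-errorlog"},"full_log":"[Tue Jan 05 10:00:00 2021] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico"}
{"timestamp":"2021-01-05T10:00:01.000+0000","agent":{"id":"002","name":"app01"},"location":"/var/log/myapp/custom.log","full_log":"MYAPP level=WARN user=bony action=login result=denied"}
{"timestamp":"2021-01-05T10:00:02.000+0000","agent":{"id":"002","name":"app01"},"location":"/var/log/myapp/custom.log","decoder":{},"full_log":"MYAPP level=INFO user=bony action=logout"}
'''.strip().splitlines()


def undecoded_events(lines):
    """Return (location, full_log) pairs for events with no decoder name."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Skip a truncated line, e.g. the one currently being written.
            continue
        name = (ev.get("decoder") or {}).get("name")
        if not name:
            out.append((ev.get("location", "?"), ev.get("full_log", "")))
    return out


if __name__ == "__main__":
    print("decoder load order:")
    for f in order_decoder_files(DECODER_FILES):
        print("  " + f)
    print("events with no decoder:")
    for loc, log in undecoded_events(ARCHIVE_LINES):
        print(f"  {loc}: {log}")
```

Pointing undecoded_events() at the real /var/ossec/logs/archives/archives.json on a manager is a quick way to find which log sources need a custom decoder before deciding on a prefix for that decoder file.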