Hello,
First of all, I would like to say hello to the entire community of Wazuh users and administrators.
In a test environment for educational purposes, I have implemented Wazuh on a virtual machine (Ubuntu). I plan to implement network device log monitoring. According to the documentation, I configured syslog listening on port 514 UDP in the ossec.conf file. Logs are not decoded by default, so I enabled the logall function in the ossec.conf file to find out what logs are coming into Wazuh. Everything is working as it should.
Since wazuh-archives collects all logs and fills up disk space very quickly, I would like to disable the logall function. From what I understand, I should create a custom decoder for devices that send syslog to wazuh, and then create rules that generate appropriate alerts.
And this is where the difficulties begin.
Below is an example log from the wazuh-archives.log file
```
2025 Dec 02 13:17:46 zof-wazuh->192.168.1.9 2025-12-02 13:17:48 T1700G-28TQ 53449 Gi1/0/4 changed state to up.
```
From the information I read on GitHub (https://github.com/wazuh/wazuh/issues/14271), the beginning of the log (2025 Dec 02 13:17:50 zof-wazuh->192.168.1.9) is a header generated by the Wazuh Manager, and the next part of the message is the actual log (raw log) - (2025-12-02 13:17:48 T1700G-28TQ 53449 Gi1/0/4 changed state to up.), on the basis of which a decoding rule should be created, and this log should be tested using wazuh-logtest.
If I understand correctly, when I enter the log into wazuh-logtest:
2025-12-02 13:17:48 T1700G-28TQ 53449 Gi1/0/4 changed state to up.
The pre-decoder should recognise:
timestamp - 2025-12-02 13:17:48
hostname - T1700G-28TQ
program_name - 53449
I should decode the rest of the log manually.
However, if I run wazuh-logtest, even without a manually created custom decoding rule, I only get `full event` (Phase 1) and `name: 'windows-date-format'` (Phase 2):
```
/home/krzychu# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.1
Type one log per line
2025-12-02 13:31:08 T1700G-28TQ 60502 Enable port Gi1/0/6 by admin on web (192.168.1.23).
**Phase 1: Completed pre-decoding.
full event: '2025-12-02 13:31:08 T1700G-28TQ 60502 Enable port Gi1/0/6 by admin on web (192.168.1.23).'
**Phase 2: Completed decoding.
name: 'windows-date-format'
```
And here are my questions. Did I make a mistake somewhere or misunderstand something? Why does the pre-decoder not read the timestamp, hostname, and program_name? Please give me some tips on how to make a decoder for such a log.
Thank you in advance for your time.
Best regards, Krzysztof
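Added example (not part of the original post, and not taken from Wazuh's own ruleset): a custom decoder and two rules for the switch line quoted above. The pre-decoder only fills `timestamp`, `hostname` and `program_name` for lines that carry a classic syslog header ("Dec  2 13:17:48 host prog[pid]: msg"); a line that starts with an ISO date is instead claimed by the built-in `windows-date-format` decoder, which is exactly what the logtest output shows. Because the first decoder whose prematch hits wins and only its children are consulted afterwards, the custom decoder below is declared as a child of `windows-date-format`; its own prematch and regex are anchored on the full log, so nothing depends on the parent's exact prematch. The decoder name, rule IDs, field names and the "changed state to down" pattern are assumptions chosen for illustration.

```xml
<!-- Added example: goes in /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Child of the built-in windows-date-format decoder, which already matches
     lines beginning "YYYY-MM-DD HH:MM:SS". Without <parent>, this decoder
     would never be tried for such lines. -->
<decoder name="tplink-switch">
  <parent>windows-date-format</parent>
  <!-- Gate on the shape: ISO timestamp, device name, numeric event id, text -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \S+ \d+ </prematch>
  <!-- In Wazuh regex syntax \. matches any character and \S+ a non-space run -->
  <regex>^(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\d+) (\.+)$</regex>
  <!-- Field names are assumed; they appear under data.* in the alert -->
  <order>device_time, device, event_id, event_text</order>
</decoder>

<!-- Added example: goes in /var/ossec/etc/rules/local_rules.xml -->
<group name="tplink,switch,">
  <!-- Base rule: every decoded switch line becomes a low-level alert -->
  <rule id="100100" level="3">
    <decoded_as>tplink-switch</decoded_as>
    <description>TP-Link switch $(device) event $(event_id): $(event_text)</description>
  </rule>

  <!-- Escalate link-down events; the pattern is constructed for the example,
       adjust it to the wording the switch actually emits -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="event_text">changed state to down</field>
    <description>TP-Link switch $(device): port went down: $(event_text)</description>
  </rule>
</group>
```

After saving both files, restart the manager (`systemctl restart wazuh-manager`) and feed the same raw line to `/var/ossec/bin/wazuh-logtest` again: Phase 2 should now report `name: 'tplink-switch'` together with the four extracted fields, and Phase 3 should show rule 100100 (or 100101 for a "changed state to down" line). Once the decoder matches, `logall` can stay off: with the base rule in place every switch line still surfaces as an alert, and its level can be lowered or the rule removed once the noisy event ids are known.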