Sibling decoder does not record value


Bayu Sangkaya (bayusky.labs)

Oct 9, 2025, 4:50:22 AM
to Wazuh | Mailing List
Hi Team,

I've created this decoder

<decoder name="vcenter-base">
  <prematch>vcenter</prematch>
</decoder>

<decoder name="vcenter-log">
  <parent>vcenter-base</parent>
  <regex>(vcenter\S*) (\S+) </regex>
  <order>vcenter_hostname,vcenter_program_name</order>
</decoder>

<!-- SSO Identity Performance -->
<decoder name="vcenter-log">
  <parent>vcenter-base</parent>
  <regex>PerfBucketKey [measurementPt=(\S+), providerInfo=(\S+)], ms=(\d+)</regex>
  <order>measurement_point,provider_info,duration_ms</order>
</decoder>

Then this is the log:
2025-10-09T07:52:10.497524+00:00 vcentersvt2 sso-identity-perf 2025-10-09T07:52:10.497Z INFO sts-perf[50:tomcat-http--13] [CorId=8eeed9d2-77c8-4e3f-a46f-d3ac6f043e05] [com.vmware.identity.performanceSupport.PerfDataSink] PerfBucketKey [measurementPt=LdapBindConnection, providerInfo=LDAP://VCENTERSVT0.BAYUSKY.CO.ID:389], ms=2

But when I ran the decoder test, it doesn't record vcenter_hostname and vcenter_program_name.

**Phase 1: Completed pre-decoding.
full event: '2025-10-09T07:52:10.497524+00:00 vcentersvt2 sso-identity-perf 2025-10-09T07:52:10.497Z INFO sts-perf[50:tomcat-http--13] [CorId=8eeed9d2-77c8-4e3f-a46f-d3ac6f043e05] [com.vmware.identity.performanceSupport.PerfDataSink] PerfBucketKey [measurementPt=LdapBindConnection, providerInfo=LDAP://VCENTERSVT0.BAYUSKY.CO.ID:389], ms=2'
timestamp: '2025-10-09T07:52:10.497524+00:00'

**Phase 2: Completed decoding.
name: 'vcenter-base'
duration_ms: '2'
measurement_point: 'LdapBindConnection'
provider_info: 'LDAP://VCENTERSVT0.BAYUSKY.CO.ID:389'

**Phase 3: Completed filtering (rules).
id: '100500'
level: '3'
description: 'vCenter logs'
groups: '["vcenter"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.

Bony V John

Oct 9, 2025, 5:07:05 AM
to Wazuh | Mailing List
Hi,

Please allow me some time. I’m working on this and will get back to you with an update as soon as possible.

Bony V John

Oct 9, 2025, 5:46:26 AM
to Wazuh | Mailing List
Hi,

I have tested your custom decoder using the sample log you shared, and it seems that the hostname cannot be decoded due to the syslog format of the log.
For some syslog-formatted logs, the log headers cannot be decoded; in this case, the hostname is treated as part of the syslog header.

However, you can still decode the program name from the log. To achieve this, I have removed the regex used for decoding the hostname and excluded the corresponding field from the <order> tag.

Updated decoder:

<decoder name="vcenter-base">
  <prematch>vcenter</prematch>
</decoder>

<decoder name="vcenter-log">
  <parent>vcenter-base</parent>
  <regex>^(\S*)</regex>
  <order>vcenter_program_name</order>
</decoder>

<!-- SSO Identity Performance -->
<decoder name="vcenter-log">
  <parent>vcenter-base</parent>
  <regex>PerfBucketKey [measurementPt=(\S+), providerInfo=(\S+)], ms=(\d+)</regex>
  <order>measurement_point,provider_info,duration_ms</order>
</decoder>


I have attached a screenshot of my testing for your reference:
Screenshot 2025-10-09 150837.png

From the sample log you shared:
2025-10-09T07:52:10.497524+00:00 vcentersvt2 sso-identity-perf 2025-10-09T07:52:10.497Z INFO sts-perf[50:tomcat-http--13] [CorId=8eeed9d2-77c8-4e3f-a46f-d3ac6f043e05] [com.vmware.identity.performanceSupport.PerfDataSink] PerfBucketKey [measurementPt=LdapBindConnection, providerInfo=LDAP://VCENTERSVT0.BAYUSKY.CO.ID:389], ms=2

The highlighted yellow section (up to vcentersvt2) is considered the syslog header by Wazuh Manager and cannot be decoded using custom decoders.
The remaining green-highlighted section of the log can be successfully decoded using the custom decoders provided above.

You can refer to the Wazuh decoder syntax documentation for additional details.
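The following is an added example, not code from the thread or from Wazuh itself. It models in Python the child-decoder walk that produced the Phase 2 output above: children of a parent are tried in file order, a child whose regex fails is skipped, and after a match Wazuh continues only if the next child carries the same name (a sibling). It assumes, following the reply, that the syslog pre-decoder has already consumed the header through the hostname "vcentersvt2", so the body handed to the custom decoders starts at "sso-identity-perf"; it also assumes OS_Regex's default case-insensitive matching, and translates the OS_Regex patterns to Python `re` (OS_Regex has no character classes, so its literal `[` and `]` must be escaped). The log body is constructed from the sample line in the thread.

```python
import re

# Constructed sample: the body of the posted event after the syslog header
# (timestamp and hostname "vcentersvt2") has been stripped by pre-decoding.
# Assumption taken from the reply in this thread; the program name stays in
# the body because no ':' follows it.
LOG_BODY = (
    "sso-identity-perf 2025-10-09T07:52:10.497Z INFO sts-perf[50:tomcat-http--13] "
    "[CorId=8eeed9d2-77c8-4e3f-a46f-d3ac6f043e05] "
    "[com.vmware.identity.performanceSupport.PerfDataSink] "
    "PerfBucketKey [measurementPt=LdapBindConnection, "
    "providerInfo=LDAP://VCENTERSVT0.BAYUSKY.CO.ID:389], ms=2"
)

# (name, regex, order) for the two <decoder name="vcenter-log"> children
# exactly as posted in the original question.
ORIGINAL_CHILDREN = [
    ("vcenter-log", r"(vcenter\S*) (\S+) ",
     ["vcenter_hostname", "vcenter_program_name"]),
    ("vcenter-log", r"PerfBucketKey [measurementPt=(\S+), providerInfo=(\S+)], ms=(\d+)",
     ["measurement_point", "provider_info", "duration_ms"]),
]

# The same two children as rewritten in the reply.
CORRECTED_CHILDREN = [
    ("vcenter-log", r"^(\S*)", ["vcenter_program_name"]),
    ("vcenter-log", r"PerfBucketKey [measurementPt=(\S+), providerInfo=(\S+)], ms=(\d+)",
     ["measurement_point", "provider_info", "duration_ms"]),
]


def os_regex_to_python(pattern: str) -> "re.Pattern[str]":
    """Translate the OS_Regex subset used here into a Python regex.

    OS_Regex has no character classes, so '[' and ']' are literal text and
    must be escaped for Python. \\S, \\d, ( ), ^, + and * mean the same in
    both. Case-insensitive matching is assumed (OS_Regex default).
    """
    escaped = pattern.replace("[", r"\[").replace("]", r"\]")
    return re.compile(escaped, re.IGNORECASE)


def decode_children(children, body: str) -> dict:
    """Model of Wazuh's walk over the children of one parent decoder.

    A non-matching child is skipped. A matching child stores its captures
    under its <order> names; evaluation then stops unless the next child has
    the same name, in which case that sibling is tried as well.
    """
    fields = {}
    for i, (name, pattern, order) in enumerate(children):
        match = os_regex_to_python(pattern).search(body)
        if not match:
            continue
        for key, value in zip(order, match.groups()):
            fields[key] = value
        next_is_sibling = i + 1 < len(children) and children[i + 1][0] == name
        if not next_is_sibling:
            break
    return fields


if __name__ == "__main__":
    # Original decoders: the hostname child never matches (the hostname is no
    # longer in the body and the pattern also needs a trailing space), so only
    # the PerfBucketKey sibling contributes fields, as in the Phase 2 output.
    print(decode_children(ORIGINAL_CHILDREN, LOG_BODY))
    # Corrected decoders: ^(\S*) takes "sso-identity-perf", then the sibling
    # with the same name still runs and adds the performance fields.
    print(decode_children(CORRECTED_CHILDREN, LOG_BODY))
```

To confirm the model against a real manager, feed the same event to wazuh-logtest with both decoder sets loaded; the field list in Phase 2 should match what the two calls above return.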
