Apache decoder with User-Agent?


Xavier Mertens

Jun 11, 2025, 7:02:35 AM
to Wazuh | Mailing List
Hello Wazuh'ers,

I'm facing an issue with standard Apache logs. Did you succeed in extracting more fields like the user-agent and referrer?

I see that there exists a default "web-accesslog-glpi" decoder but all my events match on the stock "web-accesslog"?!

/x

hasitha.u...@wazuh.com

Jun 11, 2025, 7:12:17 AM
to Wazuh | Mailing List
Hi Xavier,

Could you please share the sample logs, so that I can modify the existing decoders if they match?

To do that, you can enable archives.json logs to capture the logs.

To enable the archives.json log, set <logall_json> to yes in the /var/ossec/etc/ossec.conf file of the Wazuh manager.
Documentation: Wazuh Documentation | logall
<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.json file. You will then be able to observe the incoming logs generated by your endpoints. After setting this option, restart the manager and check the archives.json file.
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Check whether there are any relevant logs inside the archive log, using grep with a keyword related to the log:
cat /var/ossec/logs/archives/archives.json | grep Keyword

Please share the sample logs from archives.json, so that I can create custom decoders and rules.

Let me know the update on this.

Xavier Mertens

Jun 11, 2025, 7:21:12 AM
to Wazuh | Mailing List
Here are a few examples:

x.x.x.x - - [11/Jun/2025:11:59:59 +0200] "GET /index.php HTTP/1.1" 200 7382 "-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"
xxx:xxx:xxx:xxx:xxx:xxx:: - - [10/Jun/2025:19:58:19 +0200] "GET /index.php HTTP/1.1" 200 7382 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36"  
x.x.x.x - - [11/Jun/2025:11:59:11 +0200] "GET /index.php/Main_Page HTTP/1.1" 200 7293 "http://site.org/index.php/Main_Page" "DuckDuckBot/1.1; (+http://duckduckgo.com/duckduckbot.html)"

They should match web-accesslog-glpi IMHO?
Tx!

hasitha.u...@wazuh.com

Jun 14, 2025, 1:56:56 AM
to Wazuh | Mailing List
Hi Xavier,

I have modified the existing web access decoder to have the referer and the UserAgent according to the provided logs.
You can follow these steps to modify the default decoder.

First, you need to copy the default decoder file into the custom decoder creation folder and rename it like this.
cp /var/ossec/ruleset/decoders/0375-web-accesslog_decoders.xml /var/ossec/etc/decoders/local_web-accesslog_decoders.xml

Next, modify the decoder file as shown below.
You need to add the regex \s\d+\s"(\.+)"\s"(\.+)" after the existing regex, and add the field names for the groups it extracts to the order section.

Open the custom decoder file.
nano /var/ossec/etc/decoders/local_web-accesslog_decoders.xml

Default decoder section:

<decoder name="web-accesslog-domain">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+.\D+</prematch>
    <regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
    <order>srcip, protocol, url, id</order>
</decoder>

Modified decoder section:

<decoder name="web-accesslog-domain">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <prematch>^\S+.\D+</prematch>
    <regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+)\s\d+\s"(\.+)"\s"(\.+)"</regex>
    <order>srcip, protocol, url, id, Referer, UserAgent</order>
</decoder>

Replace your default decoder section with the modified version.

Then set the file permissions on the custom decoder file.
chmod 660 /var/ossec/etc/decoders/local_web-accesslog_decoders.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local_web-accesslog_decoders.xml

After that, you need to exclude the default decoder from being loaded in the Wazuh Manager's ossec.conf file. Otherwise, it may conflict with your custom decoder.
Open the manager ossec.conf file and modify accordingly.

nano /var/ossec/etc/ossec.conf

Then add this <decoder_exclude>ruleset/decoders/0375-web-accesslog_decoders.xml</decoder_exclude> to the <ruleset> block.
For example:
<ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
    <decoder_exclude>ruleset/decoders/0375-web-accesslog_decoders.xml</decoder_exclude>
</ruleset>

After that, you can restart the Wazuh manager to apply changes.
systemctl restart wazuh-manager

Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha
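Added example (not code from the thread or from Wazuh): a Python equivalent of the modified decoder's field extraction, run over the sample lines from the thread plus one constructed line, so you can check what the Referer and UserAgent fields will contain before shipping the decoder. In Wazuh's OS_Regex syntax, "\.+" means one or more of any character, which is ".+" in Python; the field names follow the decoder's <order>.

```python
import re
from typing import Optional

# Python equivalent of the thread's modified Wazuh regex. In OS_Regex "\.+"
# is "one or more of any character", i.e. ".+" here. The bytes field also
# accepts "-", which Apache writes for a zero-byte %b, and a quoted field may
# contain \" because Apache escapes embedded quotes in client-supplied values.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<protocol>\w+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<id>\d+) (?P<bytes>\d+|-) '
    rf'"(?P<referer>{QUOTED})" "(?P<useragent>{QUOTED})"\s*$'
)

def decode_access_line(line: str) -> Optional[dict]:
    """Return the fields named in the decoder's <order> (srcip, protocol,
    url, id, Referer, UserAgent), or None if the line does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    return {
        "srcip": m["srcip"],
        "protocol": m["protocol"],   # the decoder's name for the HTTP method
        "url": m["url"],
        "id": m["id"],               # the decoder's name for the status code
        "Referer": m["referer"],     # client-controlled input; treat as untrusted
        "UserAgent": m["useragent"], # client-controlled input; treat as untrusted
    }

def decode_all(lines):
    """Decode every line; unmatched lines come back as None so a coverage
    gap is visible instead of silently dropped."""
    return [decode_access_line(line) for line in lines]

# Sample lines copied from the thread (addresses masked by the poster) plus
# one constructed line with a "-" byte count and an escaped quote in the UA.
SAMPLE_LINES = [
    'x.x.x.x - - [11/Jun/2025:11:59:59 +0200] "GET /index.php HTTP/1.1" 200 7382 '
    '"-" "meta-externalagent/1.1 (+https://developers.facebook.com/docs/sharing/webmasters/crawler)"',
    'xxx:xxx:xxx:xxx:xxx:xxx:: - - [10/Jun/2025:19:58:19 +0200] "GET /index.php HTTP/1.1" 200 7382 '
    '"-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; '
    '+https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36"  ',
    'x.x.x.x - - [11/Jun/2025:11:59:11 +0200] "GET /index.php/Main_Page HTTP/1.1" 200 7293 '
    '"http://site.org/index.php/Main_Page" "DuckDuckBot/1.1; (+http://duckduckgo.com/duckduckbot.html)"',
    '198.51.100.7 - - [11/Jun/2025:12:00:00 +0200] "HEAD /robots.txt HTTP/1.1" 304 - '
    '"-" "scanner/1.0 \\"beta\\""',
]

if __name__ == "__main__":
    for fields in decode_all(SAMPLE_LINES):
        print(fields)
```

Note that the decoder regex in the thread uses \d+ for the byte count, so a line where Apache logs "-" for %b (like the constructed fourth sample) would not get Referer and UserAgent populated; the Python pattern accepts both forms so the difference is visible when you test.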

hasitha.u...@wazuh.com

Jun 18, 2025, 12:13:17 AM
to Wazuh | Mailing List
Hi Xavier,

Let me know the update on the above to assist further.

Xavier Mertens

Jun 18, 2025, 8:30:23 AM
to Wazuh | Mailing List
Hi Hasitha,
I didn't have free time to test and implement this before, but I just did it and it works! Tx!

/x

Hasitha Upekshitha

Jun 19, 2025, 12:18:11 AM
to Xavier Mertens, Wazuh | Mailing List
Hi Xavier,

I am glad that your issue has been resolved.
