Help with Ubiquiti decoders


Vando Nascimento
May 15, 2025, 2:26:00 PM
to Wazuh | Mailing List

Hello,

I'm trying to create decoders for a Ubiquiti UDM, but I'm not able to do it on my own. It's my first time creating decoders.

The equipment is sending information via syslog to the Wazuh server. I can verify that with the logall option. This is the type of entry I see on archives.json:


{"timestamp":"2025-05-15T15:21:32.316+0000","agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1747322492.110446319","full_log":"May 15 12:21:32 UDM-DATACENTER [LAN_LOCAL-A-2147483647] DESCR=\"[LAN_LOCAL]Allow All Traffic\" IN=br101 OUT= MAC=ff:ff:ff:ff:ff:ff:9c:6b:00:87:d6:64:08:00 SRC=172.16.101.242 DST=172.16.101.255 LEN=68 TOS=00 PREC=0x00 TTL=128 ID=188 PROTO=UDP SPT=58983 DPT=1947 LEN=48 MARK=1c0000 ","predecoder":{"timestamp":"May 15 12:21:32","hostname":"UDM-DATACENTER"},"decoder":{"name":"allow_all_traffic"},"location":"172.16.103.10"}

This is what I see on logtest so far:

root@wazuh:/var/ossec/etc/decoders# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.11.2
Type one log per line

May 14 11:55:12 UDM-DATACENTER [LOCAL_LAN-A-2147483647] DESCR=\"[LOCAL_LAN]Allow All Traffic\" IN= OUT=br102 MAC= SRC=172.16.102.10 DST=172.16.102.198 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=28634 DF PROTO=TCP SPT=7550 DPT=54452 SEQ=1325727731 ACK=2021585811 WINDOW=32746 ACK URGP=0 UID=982 GID=981 MARK=1c0000

**Phase 1: Completed pre-decoding.
        full event: 'May 14 11:55:12 UDM-DATACENTER [LOCAL_LAN-A-2147483647] DESCR=\"[LOCAL_LAN]Allow All Traffic\" IN= OUT=br102 MAC= SRC=172.16.102.10 DST=172.16.102.198 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=28634 DF PROTO=TCP SPT=7550 DPT=54452 SEQ=1325727731 ACK=2021585811 WINDOW=32746 ACK URGP=0 UID=982 GID=981 MARK=1c0000'
        timestamp: 'May 14 11:55:12'
        hostname: 'UDM-DATACENTER'

**Phase 2: Completed decoding.
        name: 'allow_all_traffic'


The only change on local_decoder.xml is this entry:

<decoder name="allow_all_traffic">
  <prematch>Allow\sAll\sTraffic</prematch>
</decoder>

Any other entry I try to create causes logtest not to complete phase 2.

These are two other types of logs that I see in archives.json:


{"timestamp":"2025-05-15T17:32:06.838+0000","agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1747330326.127624015","full_log":"May 15 14:32:06 UDM-DATACENTER [WAN_LAN-D-10004] DESCR=\"Bloqueia tudo \" IN=eth9 OUT=br103 MAC=28:70:4e:45:89:42:b0:be:76:ab:69:5d:08:00 SRC=192.168.10.87 DST=172.16.103.159 LEN=52 TOS=00 PREC=0x00 TTL=126 ID=61229 DF PROTO=TCP SPT=54375 DPT=7680 SEQ=3551523209 ACK=0 WINDOW=64240 SYN URGP=0 MARK=1c0000 ","predecoder":{"timestamp":"May 15 14:32:06","hostname":"UDM-DATACENTER"},"decoder":{},"location":"172.16.103.10"}

{"timestamp":"2025-05-15T17:54:39.411+0000","agent":{"id":"000","name":"wazuh"},"manager":{"name":"wazuh"},"id":"1747331679.130729773","full_log":"May 15 14:54:39 UDM-DATACENTER CEF:0|Ubiquiti|UniFi Network|9.1.120|Firewall|Blocked by Firewall|4|msg=192.168.30.198 was blocked from accessing 172.16.101.92 by Bloqueia tudo .","predecoder":{"program_name":"CEF","timestamp":"May 15 14:54:39","hostname":"UDM-DATACENTER"},"decoder":{},"location":"172.16.103.10"}

Any help will be appreciated.

Thanks.

Olamilekan Abdullateef Ajani
May 15, 2025, 4:18:04 PM
to Wazuh | Mailing List

Hello,

I have created a decoder and a matching rule for your perusal; please see the reference attached too.

LOG: 
May 15 12:21:32 UDM-DATACENTER [LAN_LOCAL-A-2147483647] DESCR=\"[LAN_LOCAL]Allow All Traffic\" IN=br101 OUT= MAC=ff:ff:ff:ff:ff:ff:9c:6b:00:87:d6:64:08:00 SRC=172.16.101.242 DST=172.16.101.255 LEN=68 TOS=00 PREC=0x00 TTL=128 ID=188 PROTO=UDP SPT=58983 DPT=1947 LEN=48 MARK=1c0000

DECODER - /var/ossec/etc/decoders/local_decoder.xml
<decoder name="ubiquiti_decoder">
  <prematch>LAN_LOCAL</prematch>
</decoder>
<decoder name="ubiquiti_decoder_child">
  <parent>ubiquiti_decoder</parent>
  <regex>DESCR=\\"(\.+)"\s</regex>
  <order>Description</order>
</decoder>
<decoder name="ubiquiti_decoder_child">
  <parent>ubiquiti_decoder</parent>
  <regex>MAC=(\.+)\s</regex>
  <order>Mac-Address</order>
</decoder>
<decoder name="ubiquiti_decoder_child">
  <parent>ubiquiti_decoder</parent>
  <regex>SRC=(\d+\p\d+\p\d+\p\d+)</regex>
  <order>Source-Address</order>
</decoder>
<decoder name="ubiquiti_decoder_child">
  <parent>ubiquiti_decoder</parent>
  <regex>DST=(\d+\p\d+\p\d+\p\d+)</regex>
  <order>Destination-Address</order>
</decoder>
<decoder name="ubiquiti_decoder_child">
  <parent>ubiquiti_decoder</parent>
  <regex>PROTO=(\w+)</regex>
  <order>Protocol</order>
</decoder>

RULE: /var/ossec/etc/rules/local_rules.xml
<group name="ubiquiti,">
  <rule id="122214" level="12">
    <decoded_as>ubiquiti_decoder</decoded_as>
    <description>ubiquiti events capture from host $(Source-Address)</description>
  </rule>
</group>

Please note that the decoders above are highly customizable, and you can use this as a reference point to create the other decoders you need. If you require further assistance, please feel free to reach out.

For reference documentation on writing decoders and rules, please see links below:
ubiquiti.png
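Here is an added example, not the decoder and rule from the reply above and not part of any Wazuh or Ubiquiti ruleset, that covers both log shapes from the first post (the iptables-style `[ZONE-A-...] DESCR=...` line and the CEF `Blocked by Firewall` line) with one regex per format, and maps the captures onto Wazuh's standard field names (`srcip`, `dstip`, `srcport`, `dstport`, `protocol`, `action`, `id`) so rules can filter on `<srcip>`, `<dstport>` or `<action>` without a `<field>` clause. The decoder and rule names, the rule ids, the field name `rule_name`, and the reading of the letter after the zone name as A = accept / D = drop are my assumptions; the last one is inferred only from the two samples in this thread.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (added example, names and ids are assumptions) -->

<!-- 1. iptables-style lines:
     [LAN_LOCAL-A-2147483647] DESCR="[LAN_LOCAL]Allow All Traffic" IN=br101 OUT= MAC=... SRC=... DST=... LEN=... PROTO=UDP SPT=58983 DPT=1947 ...
     The predecoder has already removed the timestamp and hostname, so the decoders see the text from "[" onwards. -->
<decoder name="unifi-firewall">
  <prematch>] DESCR="</prematch>
</decoder>

<decoder name="unifi-firewall">
  <parent>unifi-firewall</parent>
  <!-- OS_Regex syntax: "\." is any character, "." is a literal dot, so \d+.\d+.\d+.\d+ is an IPv4 address.
       The un-captured \.+ runs skip IN/OUT/MAC and LEN/TOS/PREC/TTL/ID, which vary between lines.
       ASSUMPTION (two samples only): the letter between the zone name and the number is the action, A = accept, D = drop. -->
  <regex>[\S+-(\w)-(\d+)] DESCR="(\.+)" \.+ SRC=(\d+.\d+.\d+.\d+) DST=(\d+.\d+.\d+.\d+) \.+ PROTO=(\w+) SPT=(\d+) DPT=(\d+)</regex>
  <!-- eight fields; decoder_order_size in ossec.conf caps how many one decoder may extract -->
  <order>action, id, rule_name, srcip, dstip, protocol, srcport, dstport</order>
</decoder>

<!-- 2. CEF lines. The predecoder already reports program_name "CEF" for them (see the archives.json sample):
     CEF:0|Ubiquiti|UniFi Network|9.1.120|Firewall|Blocked by Firewall|4|msg=192.168.30.198 was blocked from accessing 172.16.101.92 by Bloqueia tudo . -->
<decoder name="unifi-cef">
  <program_name>^CEF</program_name>
</decoder>

<decoder name="unifi-cef">
  <parent>unifi-cef</parent>
  <!-- Only the msg= part is parsed; "|" is the OR operator in OS_Regex, so the CEF header is not matched field by field. -->
  <regex>msg=(\d+.\d+.\d+.\d+) was blocked from accessing (\d+.\d+.\d+.\d+) by (\.+)</regex>
  <order>srcip, dstip, rule_name</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (rule ids 100200-100202 are placeholders; custom ids must be 100000 or above) -->
<group name="unifi,firewall,">
  <!-- Accepted traffic: level 2 stays below the default log_alert_level of 3, so it is decoded and indexed but does not alert. -->
  <rule id="100200" level="2">
    <decoded_as>unifi-firewall</decoded_as>
    <action>^A$</action>
    <description>UniFi firewall allowed $(protocol) $(srcip):$(srcport) -> $(dstip):$(dstport) by rule "$(rule_name)"</description>
  </rule>

  <rule id="100201" level="5">
    <decoded_as>unifi-firewall</decoded_as>
    <action>^D$</action>
    <description>UniFi firewall dropped $(protocol) $(srcip):$(srcport) -> $(dstip):$(dstport) by rule "$(rule_name)"</description>
  </rule>

  <rule id="100202" level="5">
    <decoded_as>unifi-cef</decoded_as>
    <description>UniFi firewall blocked $(srcip) -> $(dstip) by rule "$(rule_name)"</description>
  </rule>
</group>
```

To test it, paste each `full_log` value into `/var/ossec/bin/wazuh-logtest` after removing the backslashes before the quotes: they are JSON escaping in archives.json and are not present in the syslog message the decoder sees. Phase 2 should then list the named fields and phase 3 the matching rule. A UDM line without SPT/DPT (an ICMP packet, for instance) would not match the first regex and needs a sibling decoder with its own regex.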

Vando Nascimento
May 16, 2025, 1:40:13 PM
to Wazuh | Mailing List

Hi,

Thank you so much for your reply. It worked on my system. Now I'll start trying some variations.

Is there any online tool you recommend for checking the Wazuh regex syntax in real time? I tried your expressions on regex101 and regexr, and some of them weren't recognized. As I'm still learning, these tools are quite handy.

Thanks.

Olamilekan Abdullateef Ajani
May 19, 2025, 11:49:04 AM
to Wazuh | Mailing List

Hello,

Regex101 is good, but the best possible way to learn the syntax is from the Wazuh documentation itself or from OpenSearch, as Wazuh is also based on this. You can check out the reference links below for the ruleset and also the regex syntax.

Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html