Custom decoder with weird json structure


Elias Morais Pereira

Oct 7, 2025, 9:10:50 AM
to Wazuh | Mailing List

Hello,

I need to decode this "weird structure" message:

{"log":"{\"ClientAddr\":\"10.10.10.10:35910\",\"ClientHost\":\"10.10.10.10\",\"request_X-Real-Ip\":\"10.10.10.10\"}\n","stream":"stdout"}

With this decoder:

<decoder name="docker_nested_log">
    <parent>json</parent>
    <use_own_name>true</use_own_name>
    <prematch>ClientAddr</prematch>
    <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

At first, it returns the following in phase 2:

**Phase 1: Completed pre-decoding. full event: '{"log":"{\"ClientAddr\":\"10.10.10.10:35910\",\"ClientHost\":\"10.10.10.10\",\"request_X-Real-Ip\":\"10.10.10.10\"}\n","stream":"stdout"}' **Phase 2: Completed decoding. name: 'docker_nested_log' parent: 'json' log: '{"ClientAddr":"10.10.10.10:35910","ClientHost":"10.10.10.10","request_X-Real-Ip":"10.10.10.10"} ' stream: 'stdout'

I've tried creating other sibling decoders, parent decoders, and nothing works.

Any ideas on how I can move on to the third phase or even do the decoding in the second phase?

Regards!

pdnb

Oct 7, 2025, 9:19:02 AM
to Wazuh | Mailing List
Try using <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>; then you should be into the second { }.

Elias Morais Pereira

Oct 7, 2025, 11:14:33 AM
to pdnb, Wazuh | Mailing List
Hello pdnb,

Now phase 2 came out like this.

**Phase 2: Completed decoding. name: 'docker_nested_log' parent: 'json'

Is that correct?


Regards,
Elias Pereira
Information Technology Technician
CTI - Campus Sertão



Elias Morais Pereira

Oct 8, 2025, 12:50:06 PM
to Wazuh | Mailing List
Hello,

The only decoder that "worked" for this type of log is the one below:

<decoder name="traefik_json_flat">
  <parent>json</parent>
  <use_own_name>true</use_own_name>
  <prematch>"log":"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

I don't know how to do the rest anymore. I've tried everything and nothing can decode it.

Environment

  • Wazuh Manager/Agent: 4.13.1

  • Source: Docker host (json-file driver)

  • File: /var/lib/docker/containers/<CID>/<CID>-json.log

  • Events arrive in archives.json.

Sample event (one line from container log)

{"log":"{\"ClientHost\":\"10.10.10.10\",\"RequestMethod\":\"HEAD\",\"RequestPath\":\"/\",\"ServiceName\":\"zabbixdocker\",\"request_X-Real-Ip\":\"10.10.10.10\",\"time\":\"2025-10-06T17:18:27Z\"}\n","stream":"stdout","time":"2025-10-06T17:18:27.080968548Z"}

Goal
Extract from the inner JSON (inside "log":"{...}"):

  • srcip ← request_X-Real-Ip (fallback ClientHost)

  • method ← RequestMethod

  • url ← RequestPath

  • service ← ServiceName

What we tried (very short)

  • Base <decoder name="traefik_json_flat"><parent>json</parent>...<plugin_decoder>JSON_Decoder</plugin_decoder></decoder> + siblings → base matches, siblings null.

  • Targeting log with prematch field="log" (OK), but <regex field="..."> not supported; with offset="after_prematch" still null.

  • Move cursor then plugin; still null.

  • PCRE2 scanning escaped inner JSON (e.g., "(?:\\.|[^"])*?RequestMethod":"([A-Z]+)") compiles, but null.

  • Disabled web-accesslog-docker to avoid false matches.

Questions

  1. Supported way in 4.13.1 to decode nested JSON as string (field log) so siblings can extract keys?

  2. Can plugin_decoder start right after a prematch (e.g., after "log":") to parse the inner {...}?

  3. If regex over the escaped string is recommended, can you share a minimal working snippet that extracts RequestMethod, RequestPath, request_X-Real-Ip, etc., from log?
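As an added example (not from this thread and not Wazuh's own code), the extraction the post above asks for, done in Python: parse the Docker json-file record, then the escaped JSON inside its log field, and map the inner keys to srcip (with the ClientHost fallback), method, url and service. The sample line is constructed from the post; treating a log value that is not JSON as "no inner fields" is an assumption about what such a pre-processing step should do.

```python
import json

# Constructed sample: one line as written by Docker's json-file driver (outer JSON),
# whose "log" field carries the Traefik access-log JSON as an escaped string.
SAMPLE_LINE = (
    '{"log":"{\\"ClientHost\\":\\"10.10.10.10\\",\\"RequestMethod\\":\\"HEAD\\",'
    '\\"RequestPath\\":\\"/\\",\\"ServiceName\\":\\"zabbixdocker\\",'
    '\\"request_X-Real-Ip\\":\\"10.10.10.10\\",\\"time\\":\\"2025-10-06T17:18:27Z\\"}\\n",'
    '"stream":"stdout","time":"2025-10-06T17:18:27.080968548Z"}'
)

# Target field <- inner key(s); the first key present wins (fallback order from the post).
FIELD_MAP = {
    "srcip": ("request_X-Real-Ip", "ClientHost"),
    "method": ("RequestMethod",),
    "url": ("RequestPath",),
    "service": ("ServiceName",),
}


def decode_nested_docker_line(line):
    """Parse the outer json-file record, then the JSON string inside its "log" field.
    Returns (outer, inner); inner is None when "log" is not itself a JSON object."""
    outer = json.loads(line)
    raw = outer.get("log", "")
    if not isinstance(raw, str):
        return outer, None
    raw = raw.rstrip("\n")  # json-file keeps the container's trailing newline
    if not raw.startswith("{"):
        return outer, None  # plain-text container output, not nested JSON (assumption)
    try:
        inner = json.loads(raw)
    except json.JSONDecodeError:
        return outer, None
    return outer, (inner if isinstance(inner, dict) else None)


def extract_fields(line, field_map=FIELD_MAP):
    """Map the inner JSON onto the target fields, honouring the fallback order.
    Returns an empty dict when the line carries no decodable inner JSON."""
    outer, inner = decode_nested_docker_line(line)
    if inner is None:
        return {}
    out = {"stream": outer.get("stream")}
    for target, candidates in field_map.items():
        for key in candidates:
            if key in inner:
                out[target] = inner[key]
                break
    return out
```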


