Default Decoder not extracting srcip/usrname, Need to write custom decoder(s).


hvn4k.

Apr 22, 2026, 5:06:21 AM (5 days ago) Apr 22
to Wazuh | Mailing List
Good Day Team,

I am getting multiple types of logs regarding FTP login and dovecot, but the default decoders are not able to extract the source IP and username from those logs.

I have tried writing multiple custom decoders, but somehow they are not working and the logs keep getting decoded by the default ones when I try them with /var/ossec/bin/wazuh-logtest.

I am attaching log examples:
1. Apr 22 05:06:22 *********** proftpd[2928337]: session[2928337] 0.0.0.0 (47.77.182.54[47.77.182.54]): USER root (Login failed): Incorrect password
2. Apr 22 05:07:44 ********** proftpd[2928419]: session[2928419] 0.0.0.0 (47.77.182.54[47.77.182.54]): USER steam: no such user found from 47.77.182.54 [47.77.182.54] to ********
3. Apr 22 05:11:54 ******* dovecot[2566210]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=66.132.186.183, lip=*********, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=**********>

Md. Nazmur Sakib

Apr 22, 2026, 5:24:50 AM (5 days ago) Apr 22
to Wazuh | Mailing List

Hello!

To achieve this, you need to modify the existing default decoders with the custom decoders.

To do this, SSH to your Wazuh Manager's server.

Copy the default decoder file to the custom decoder folder. I am using 0375-web-accesslog_decoders.xml as an example.

cp /var/ossec/ruleset/decoders/0375-web-accesslog_decoders.xml /var/ossec/etc/decoders/local_web-accesslog_decoders.xml

Change file permission.

chmod 660 /var/ossec/etc/decoders/local_web-accesslog_decoders.xml
chown wazuh:wazuh /var/ossec/etc/decoders/local_web-accesslog_decoders.xml

Go to the manager's ossec.conf:

/var/ossec/etc/ossec.conf

Under the <ruleset> section, add this line:

<decoder_exclude>ruleset/decoders/0375-web-accesslog_decoders.xml</decoder_exclude>

Now restart the Wazuh manager.

systemctl restart wazuh-manager

Open the file with the text editor:

/var/ossec/etc/decoders/local_web-accesslog_decoders.xml

Now modify the decoders so that they can handle your new logs and the other logs as well.

Tips: <prematch> </prematch> can be very useful.

Test your modified decoders with the Wazuh logtest tool and once done, restart the manager to apply the changes.

systemctl restart wazuh-manager

Check this document to learn more about modifying default decoders.

Check these documents to learn more about decoder syntax and regex:

Decoders Syntax
Regular Expression Syntax

Let me know if you need any further assistance.
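As an added illustration of the "modify the decoders" step above (this is not from the reply or from the Wazuh ruleset), here is what a local decoder file written against the three log lines in the question could look like. It assumes the default decoder files that currently claim these logs have been copied to /var/ossec/etc/decoders/ and excluded with <decoder_exclude> as the reply describes, so that the parents below (assumed names proftpd and dovecot) are the only ones matching those program names; the file name and the child decoder names are made up for the example.

```xml
<!-- Added example file, e.g. /var/ossec/etc/decoders/local_ftp-mail_decoders.xml
     (hypothetical name). Assumption: the default proftpd and dovecot decoder files
     are excluded via <decoder_exclude>, otherwise they match first and these
     decoders are never reached. -->

<!-- Parent: matched on the syslog program name only, extracts no fields. -->
<decoder name="proftpd">
  <program_name>^proftpd</program_name>
</decoder>

<!-- Log 1 from the question:
     session[2928337] 0.0.0.0 (47.77.182.54[47.77.182.54]): USER root (Login failed): Incorrect password
     In Wazuh regex, \S+ stops where the next literal in the pattern matches, so the
     first capture ends at '[' and the user name ends at the following space.
     Parentheses in the log text are escaped as \( and \); square brackets are literal. -->
<decoder name="proftpd-login-failed">
  <parent>proftpd</parent>
  <prematch offset="after_parent">\(Login failed\)</prematch>
  <regex offset="after_parent">^session[\d+] \S+ \((\S+)[\S+]\): USER (\S+) \(Login failed\)</regex>
  <order>srcip, user</order>
</decoder>

<!-- Log 2 from the question:
     session[2928419] 0.0.0.0 (47.77.182.54[47.77.182.54]): USER steam: no such user found from ... -->
<decoder name="proftpd-no-such-user">
  <parent>proftpd</parent>
  <prematch offset="after_parent">: no such user found from </prematch>
  <regex offset="after_parent">^session[\d+] \S+ \((\S+)[\S+]\): USER (\S+): no such user found</regex>
  <order>srcip, user</order>
</decoder>

<!-- Parent for the dovecot lines. -->
<decoder name="dovecot">
  <program_name>^dovecot</program_name>
</decoder>

<!-- Log 3 from the question:
     imap-login: Disconnected: ... user=<>, rip=66.132.186.183, lip=*********, TLS handshaking: ...
     The error text in front of rip= varies, so the prematch looks for "rip=" anywhere
     in the message and the regex starts right after it. rip is the remote (source) IP,
     lip the local (destination) IP. This fires on any dovecot line carrying rip=/lip=,
     which is intended: it gives every such event a srcip. -->
<decoder name="dovecot-rip-lip">
  <parent>dovecot</parent>
  <prematch offset="after_parent">rip=</prematch>
  <regex offset="after_prematch">^(\S+), lip=(\S+),</regex>
  <order>srcip, dstip</order>
</decoder>
```

To check it, run /var/ossec/bin/wazuh-logtest on the manager and paste the first log line: the output should show the decoder name proftpd-login-failed with srcip 47.77.182.54 and user root; if it still shows the parent alone, a default decoder is still matching first and the <decoder_exclude> entry or the parent name needs checking. Getting srcip populated is what matters for the rule side: frequency-based rules that use <same_source_ip> and any active response keyed on the source address only work once the decoder extracts it.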
