Error: decoder ar_log_json after upgrading Wazuh manager to 4.2
riiky devils

Aug 26, 2021, 12:45:23 AM8/26/21
to Wazuh mailing list
Hello team,

Glad to see Wazuh finally updated to version 4.2. But I am currently facing an issue after upgrading the Wazuh manager to 4.2: the "ar_log_json" decoder has become invalid.
[attachment: invalid dcoder ar_log_json.PNG]

Is this a bug, or something that needs to be reset after upgrading to 4.2?
I just upgraded the Wazuh manager from yum.

Please help me.

Thank You,

Manuel Camona Perez

Aug 26, 2021, 2:53:53 AM8/26/21
to Wazuh mailing list
Hi,

It seems that the new decoder added to /var/ossec/ruleset/decoders/0010-active-response_decoders.xml in 4.2.0 was not found.

First of all, check that the new decoder

<decoder name="ar_log_json">
    <prematch>^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d active-response/bin/\S+: </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

is in /var/ossec/ruleset/decoders/0010-active-response_decoders.xml. If not, add it to the file and your issue may be solved.

If the decoder is in the file mentioned, this error could be happening if the decoder file was excluded. You can check if you are excluding this file in the decoder_exclude tags of the ruleset section of your manager ossec.conf file.

When do we exclude decoders? We do this when we modify standard decoders. When modifying decoders, we move the decoder file to etc/decoders with the new changes, and we exclude the original one: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder
If this doesn't help you, please add the following line to /var/ossec/etc/local_internal_options.conf to see the analysisd daemon in debug mode. After adding the line, restart the manager again to see possible extra information.

analysisd.debug=2
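
The two checks described in this reply (is the decoder defined in the ruleset file, and is that file listed under decoder_exclude) can be scripted, and the decoder itself can be simulated to show what the prematch plus JSON_Decoder actually do to an active-response log line. The following is an added example, not code from the thread or from the Wazuh project; the ossec.conf ruleset section and the active-response log line are constructed samples, the decoder block is the one quoted above, and it assumes that the regex tokens in this particular prematch mean the same in Wazuh's OS_Regex syntax as in Python's re module.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the decoder block quoted in the reply above, as it would
# appear in /var/ossec/ruleset/decoders/0010-active-response_decoders.xml.
DECODER_FILE = r"""<decoder name="ar_log_json">
    <prematch>^\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d active-response/bin/\S+: </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
"""

DECODER_PATH = "ruleset/decoders/0010-active-response_decoders.xml"

# Constructed sample of a manager ossec.conf <ruleset> section that still
# excludes the 4.2 decoder file (the situation reported in this thread).
OSSEC_CONF_EXCLUDING = """<ossec_config>
  <ruleset>
    <decoder_dir>ruleset/decoders</decoder_dir>
    <decoder_dir>etc/decoders</decoder_dir>
    <decoder_exclude>ruleset/decoders/0010-active-response_decoders.xml</decoder_exclude>
  </ruleset>
</ossec_config>
"""

# The same section with the stale exclusion removed.
OSSEC_CONF_FIXED = OSSEC_CONF_EXCLUDING.replace(
    "    <decoder_exclude>ruleset/decoders/0010-active-response_decoders.xml</decoder_exclude>\n",
    "",
)

# Constructed active-response log line in the shape the prematch expects.
SAMPLE_AR_LINE = (
    '2021/08/26 00:45:23 active-response/bin/firewall-drop: '
    '{"version": 1, "origin": {"name": "firewall-drop", "module": "active-response"}, '
    '"command": "add", "parameters": {"alert": {"rule": {"id": "5712"}}}}'
)


def decoder_names(decoder_xml):
    """Return the decoder names defined in a Wazuh decoder file.

    Decoder files hold several top-level <decoder> elements, so the text is
    wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<root>" + decoder_xml + "</root>")
    return {d.get("name") for d in root.findall("decoder")}


def excluded_decoder_files(ossec_conf):
    """Return every <decoder_exclude> path found under <ruleset>."""
    root = ET.fromstring(ossec_conf)
    return [e.text.strip() for e in root.findall(".//ruleset/decoder_exclude") if e.text]


def diagnose(ossec_conf, decoder_xml, name, decoder_path=DECODER_PATH):
    """Apply the two checks from the reply: is the decoder defined, and is its
    file excluded? Returns "missing", "excluded" or "ok"."""
    if name not in decoder_names(decoder_xml):
        return "missing"
    # Exclusions may be written with or without the /var/ossec prefix, so
    # compare by path suffix.
    if any(p.endswith(decoder_path) for p in excluded_decoder_files(ossec_conf)):
        return "excluded"
    return "ok"


def decoder_prematch(decoder_xml, name):
    """Extract the <prematch> expression of the named decoder."""
    root = ET.fromstring("<root>" + decoder_xml + "</root>")
    return root.find(f"decoder[@name='{name}']/prematch").text


# Assumption: the tokens used in this prematch (^, \d, \S, +) have the same
# meaning in OS_Regex and in Python's re, so it can be compiled as-is. Other
# OS_Regex constructs would need a translation step.
PREMATCH = re.compile(decoder_prematch(DECODER_FILE, "ar_log_json"))


def decode_ar_line(line):
    """Mimic ar_log_json: apply the prematch, then parse the rest of the line
    (offset="after_prematch") as JSON. Returns None when the line does not
    belong to this decoder or the payload is not valid JSON."""
    m = PREMATCH.match(line)
    if m is None:
        return None
    try:
        return json.loads(line[m.end():])
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    print("with exclusion:", diagnose(OSSEC_CONF_EXCLUDING, DECODER_FILE, "ar_log_json"))
    print("after fix:     ", diagnose(OSSEC_CONF_FIXED, DECODER_FILE, "ar_log_json"))
    print("decoded:", decode_ar_line(SAMPLE_AR_LINE))
```

Running it against a real manager would mean reading the actual files instead of the inline samples; the point of the suffix comparison in diagnose is that a decoder_exclude entry written as an absolute path, as in the original question, still matches the file that 4.2 ships.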

riiky devils

Aug 26, 2021, 3:55:12 AM8/26/21
to Wazuh mailing list
Hi Manuel,

Thank you so much. I forgot that /var/ossec/ruleset/decoders/0010-active-response_decoders.xml existed in decoder_exclude, and removing that solved my issue.

Best Regards,