Untangle Logs Display Issue


perps grace

Aug 1, 2025, 7:52:10 AM
to Wazuh | Mailing List
I have a problem viewing Untangle logs on the Wazuh dashboard. Here is what I have done so far:
1. Configured syslog on Untangle successfully
2. Created a folder for the logs; the Untangle log file is receiving logs, and I have set its permissions to 750

sudo tail -f /var/log/untangle/firewall.log
Aug  1 14:38:11 INFO  uvm[0]: {"timeStamp":"2025-08-01 14:38:11.829","s2pBytes":6720,"p2sBytes":694,"endTime":1754048291829,"sessionId":114930323767693,"class":"class com.untangle.uvm.app.SessionStatsEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"192.168.224.177","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.224.177","SServerAddr":"150.171.27.10","remoteAddr":"165.171.27.10","serverIntf":3,"CClientAddr":"192.168.224.177","serverCountry":"US","sessionId":114930323767693,"SClientAddr":"698.24.117.179","clientCountry":"XL","policyRuleId":0,"CClientPort":53855,"timeStamp":"2025-08-01 14:38:11.58","serverLongitude":-97.822,"clientIntf":1,"policyId":1,"SClientPort":41165,"bypassed":false,"SServerPort":443,"CServerAddr":"18.171.27.10","tagsString":""},"c2pBytes":251,"p2cBytes":1653}

3. Added the logfile to the ossec.conf file

  <localfile>
   <log_format>syslog</log_format>
   <location>/var/log/untangle/firewall.log</location>
  </localfile>

4. Created a decoder in the local_decoders.xml file and the rules in local_rules.xml
Decoder
<decoder name="uvm">
    <prematch>INFO  uvm[\d]:  </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

Rule
<group name="uvm,">
  <!-- SessionNatEvent -->
  <rule id="100120" level="5">
    <decoded_as>json</decoded_as>
    <field name="class">class com.untangle.uvm.app.SessionNatEvent</field>
    <description>UVM Session NAT Event detected</description>
  </rule>

  <!-- ThreatPreventionHttpEvent -->
  <rule id="100121" level="5">
    <decoded_as>json</decoded_as>
    <field name="class">class com.untangle.app.threat_prevention.ThreatPreventionHttpEvent</field>
    <description>UVM HTTP Threat Prevention Event detected</description>
  </rule>

  <!-- ApplicationControlLogEvent -->
  <rule id="100122" level="5">
    <decoded_as>json</decoded_as>
    <field name="class">class com.untangle.app.application_control.ApplicationControlLogEvent</field>
    <description>UVM Application Control Event detected</description>
  </rule>
</group>

5. Tested the Untangle decoder and the rules; they are working perfectly (see attachments)

My problem is I cannot see these logs in the Wazuh UI.

Attachments: ruletest.png, decoder.png

Benjamin Nworah

Aug 1, 2025, 11:01:15 AM
to Wazuh | Mailing List
Hello perps,

I tested your decoder and rules, and the sample log was not matching your decoder. I have made changes to the decoder and rules (highlighted in yellow).

Kindly update these with what you have, and restart the wazuh-manager service:

systemctl restart wazuh-manager

decoder:

<decoder name="uvm">
  <prematch type="pcre2">uvm\[\d+\]:\s*</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>


rules:

<group name="uvm,">
  <!-- SessionStatsEvent (the class present in the sample log) -->
  <rule id="100120" level="5">
    <decoded_as>uvm</decoded_as>
    <field name="class">class com.untangle.uvm.app.SessionStatsEvent</field>
    <description>UVM Session Stats Event detected</description>
  </rule>

  <!-- ThreatPreventionHttpEvent -->
  <rule id="100121" level="5">
    <decoded_as>uvm</decoded_as>
    <field name="class">class com.untangle.app.threat_prevention.ThreatPreventionHttpEvent</field>
    <description>UVM HTTP Threat Prevention Event detected</description>
  </rule>

  <!-- ApplicationControlLogEvent -->
  <rule id="100122" level="5">
    <decoded_as>uvm</decoded_as>
    <field name="class">class com.untangle.app.application_control.ApplicationControlLogEvent</field>
    <description>UVM Application Control Event detected</description>
  </rule>
</group>



The attached screenshot shows the event in the Wazuh UI.

Attachment: wazuh_ui_event.png
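The two decoder/rule sets above differ in two places that decide whether an alert is ever generated: the prematch (the original one ends in two spaces, the uvm log has one space after the colon) and the `class` value the first rule keys on (`SessionNatEvent` in the original, `SessionStatsEvent` in the sample log). The script below is an added example, not code from the thread or from Wazuh: it emulates in Python what `<prematch>` + `JSON_Decoder offset="after_prematch"` + a `<field name="class">` rule do, and runs both versions over constructed log lines in the shape of the posted uvm output (addresses, hostnames and session ids are made up). Python's `re` is used in place of Wazuh's regex engines, and the patterns are applied to the whole line as posted; the authoritative check is still `/var/ossec/bin/wazuh-logtest` on the manager, since Wazuh applies the prematch after its own syslog pre-decoding.

```python
import json
import re

# Constructed sample lines (not real captures) in the shape of the uvm
# syslog output shown in the thread. Line 3 is a class no fixed rule
# covers; line 4 is not JSON, to show the decoder failing gracefully.
SAMPLE_LOGS = [
    'Aug  1 14:38:11 INFO  uvm[0]: {"timeStamp":"2025-08-01 14:38:11.829",'
    '"class":"class com.untangle.uvm.app.SessionStatsEvent",'
    '"sessionEvent":{"protocolName":"TCP","CClientAddr":"192.168.224.177",'
    '"SServerAddr":"203.0.113.10","SServerPort":443}}',
    'Aug  1 14:39:02 INFO  uvm[0]: {"timeStamp":"2025-08-01 14:39:02.100",'
    '"class":"class com.untangle.app.threat_prevention.ThreatPreventionHttpEvent",'
    '"host":"example.invalid","blocked":true}',
    'Aug  1 14:40:15 INFO  uvm[0]: {"timeStamp":"2025-08-01 14:40:15.010",'
    '"class":"class com.untangle.uvm.app.SessionNatEvent","natFrom":"192.168.224.177"}',
    'Aug  1 14:41:00 INFO  uvm[0]: this line is not JSON at all',
]

# The original prematch (OS_Regex flavour, brackets literal, "\d" one digit)
# written as an equivalent Python pattern: note the TWO trailing spaces.
PREMATCH_ORIGINAL = r"INFO  uvm\[\d\]:  "
# The fix from the reply, a pcre2 pattern that Python's re accepts as-is.
PREMATCH_FIXED = r"uvm\[\d+\]:\s*"

# Rule sets as {required "class" value: rule id}. Only the first rule differs.
RULES_ORIGINAL = {
    "class com.untangle.uvm.app.SessionNatEvent": 100120,
    "class com.untangle.app.threat_prevention.ThreatPreventionHttpEvent": 100121,
    "class com.untangle.app.application_control.ApplicationControlLogEvent": 100122,
}
RULES_FIXED = dict(RULES_ORIGINAL)
del RULES_FIXED["class com.untangle.uvm.app.SessionNatEvent"]
RULES_FIXED["class com.untangle.uvm.app.SessionStatsEvent"] = 100120


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys (sessionEvent.protocolName),
    which is how nested objects surface as data.* fields in Wazuh alerts."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def decode(line, prematch):
    """Emulate <prematch> followed by JSON_Decoder offset="after_prematch".
    Returns flattened fields, or None when the prematch misses or the
    remainder is not JSON (the decoder would then not apply to the line)."""
    match = re.search(prematch, line)
    if not match:
        return None
    try:
        return flatten(json.loads(line[match.end():]))
    except json.JSONDecodeError:
        return None


def match_rule(fields, rules):
    """Return the rule id whose <field name="class"> equals the decoded
    class, or None when the line was not decoded or no rule matches."""
    if fields is None:
        return None
    return rules.get(fields.get("class"))


def run(lines, prematch, rules):
    """Decode every line and evaluate the rules; one rule id (or None) per line."""
    return [match_rule(decode(line, prematch), rules) for line in lines]


if __name__ == "__main__":
    print("original decoder + rules:", run(SAMPLE_LOGS, PREMATCH_ORIGINAL, RULES_ORIGINAL))
    print("fixed decoder, original rules:", run(SAMPLE_LOGS, PREMATCH_FIXED, RULES_ORIGINAL))
    print("fixed decoder + rules:", run(SAMPLE_LOGS, PREMATCH_FIXED, RULES_FIXED))
```

Running it shows the two failure modes separately: with the original prematch nothing is decoded at all (every line returns None), and with the fixed prematch but the original rules the SessionStatsEvent line decodes but fires no rule because no rule names that class. Only the fixed pair yields 100120 and 100121 for the first two lines, which is what has to happen before a level-5 alert can reach the dashboard.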