Hi,
Based on your input, I tried to replicate the same scenario on my end and confirmed that the character can be matched in a Wazuh decoder using regex. For testing, I used the following sample log format:
firewall-FW1 {"timestamp":"2026-01-05T08:35:20.101Z","level":"INFO","service":"myapp","requestId":"r-123","message":"test"}
To match the character, I used .* in the prematch. Below is the custom decoder I created:
<decoder name="customjson-application">
  <prematch type="pcre2">firewall-FW1 .* </prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
The decoder matches the firewall-FW1 portion in the prematch, and then the JSON plugin decoder parses the JSON content.
You can refer to the Wazuh JSON decoder documentation and the Wazuh regex documentation for more details.
If you can share the exact sample log you are using, I can test it on my end and help you adjust the decoder accordingly. I have attached a screenshot of my testing for your reference.
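
An added example, not part of the reply above and not Wazuh's own code: a Python emulation of the prematch followed by JSON decoding from the `after_prematch` offset, showing where the JSON decoder starts reading for the reply's pattern and what the greedy `.*` does when a JSON value contains a space. Assumptions: `#` stands in for the character that the page does not show, Python's `re` is used in place of PCRE2 (the two agree for these patterns), and `PREMATCH_ANCHORED` is a hypothetical tighter pattern that is not from the reply.

```python
import json
import re

# Constructed sample: "#" stands in for the unspecified character between the
# tag and the JSON body (the page does not show the real one).
LOG_OK = ('firewall-FW1 # {"timestamp":"2026-01-05T08:35:20.101Z","level":"INFO",'
          '"service":"myapp","requestId":"r-123","message":"test"}')
# Constructed variant: the message value contains spaces.
LOG_SPACES = ('firewall-FW1 # {"level":"INFO","service":"myapp",'
              '"message":"login failed for admin"}')

PREMATCH_REPLY = r"firewall-FW1 .* "       # pattern from the reply's decoder
PREMATCH_ANCHORED = r"firewall-FW1 [^{]*"  # hypothetical: stop before the first "{"


def decode(log, prematch):
    """Emulate prematch + JSON decoding starting at the after_prematch offset.

    Returns the parsed dict, or None when the prematch does not match or the
    text after the match is not a valid JSON object (assumed to mean that no
    fields are extracted).
    """
    m = re.search(prematch, log)
    if m is None:
        return None
    remainder = log[m.end():]  # what the JSON decoder would be handed
    try:
        parsed = json.loads(remainder)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


if __name__ == "__main__":
    for name, log in (("LOG_OK", LOG_OK), ("LOG_SPACES", LOG_SPACES)):
        for label, pat in (("reply", PREMATCH_REPLY), ("anchored", PREMATCH_ANCHORED)):
            print(name, label, decode(log, pat))
```

With the reply's pattern, the greedy `.*` backtracks to the last space in the line, so a space inside a JSON value moves the offset into the middle of the JSON; a pattern that cannot cross the opening `{` keeps the offset at the start of the object.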
