Aruba 6200 decoder not working and cannot see the logs in Dashboard


MS Mum

Nov 10, 2025, 1:39:56 AM (2 days ago) Nov 10
to Wazuh | Mailing List
Hello!

I am new to Wazuh and I have Aruba 6200 and Aruba 2540 switches.

I followed an old thread on this mailing list but it didn't work for me.

I am forwarding my logs to rsyslog server and configured wazuh agent.

I can see that my logs are reaching the Wazuh manager by enabling the logs in Ossec config.

This is the log from cat /var/ossec/logs/archives/archives.json:


{"timestamp":"2025-11-09T17:57:08.392+0000","agent":{"id":"001","name":"syslog","ip":"10.x.x.x"},"manager":{"name":"wazuh-server"},"id":"1762711028.8490","full_log":"2025-11-09T19:00:11.875628+01:00 sw6200 log-proxyd[799] Event|5209|LOG_INFO|CDTR|1|User XXX logged in from 10.x.x.x through SSH session.","predecoder":{"program_name":"log-proxyd","timestamp":"2025-11-09T19:00:11.875628+01:00"},"decoder":{},"location":"/var/log/aruba.log"}

This is my decoder, but when I try to test it via sudo /var/ossec/bin/wazuh-logtest, the decoder does match my switch output.

2025-11-09T19:00:11.875628+01:00 sw6200 log-proxyd[799]: Event|5209|LOG_INFO|CDTR|1|User XXX  logged in from 10.x.x.x through SSH session.

<decoder name="Switch_Events">
  <prematch>^\d \d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\d\d\d\d+\d\d:\d\d</prematch>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex>User (\.+) (\.+) of (\.+) session from (\.+)</regex>
  <order>user,event_message,console,ip</order>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex offset="after_parent">User (\.+) (\.+) from (\.+) through (\.+) session</regex>
  <order>user,event_message,ip,console</order>
</decoder>

I used the same example as below, but that didn't work for me either.

Thanks for your help in this.

Bony V John

Nov 10, 2025, 2:12:06 AM (2 days ago) Nov 10
to Wazuh | Mailing List
Hi,

Based on the log you shared, I have updated your decoder, and it’s now working correctly. Please try using the following updated decoder:

<decoder name="Switch_Events">
  <program_name>log-proxyd</program_name>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex>(\w*)\|(\d*)\|(\S*)\|(\S*)\|(\d*)\|</regex>
  <order>category,event_id,severity,module,session_id</order>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex offset="after_parent">User (\.+) (\.+) from (\.+) through (\.+) session</regex>
  <order>user,event_message,ip,console</order>
</decoder>

The decoder you previously shared will not work correctly with your log format. Based on your logs, Wazuh automatically identifies the log and pre-decodes the program_name field, so you must use the <program_name> tag to match the decoder properly.

I also updated the first child decoder’s regex pattern to correctly decode the event type and other event details.

You can refer to the Wazuh regex documentation and Wazuh decoder syntax documentation for more details on creating and customizing decoders.

I have attached a screenshot of my test results for your reference.

Screenshot 2025-11-10 124130.png
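As an added illustration (this is not code from the thread and not Wazuh's own matching engine), the following Python script emulates what the working decoder above does: a pre-decode step that strips the syslog timestamp, hostname and program_name[pid] header, a parent match on program_name, and then the two child regexes translated from OS_Regex into Python `re`. It also shows why the original timestamp-anchored prematch could never fire: by the time user decoders run, the header it was anchored on has already been consumed by the pre-decoder. The regex translations, the sample line (with a constructed IP 10.0.0.5), and the tightening of the login regex's `(\.+)` groups to `\S+` for the single-token fields are my assumptions, not anything the thread states.

```python
import re

# Constructed sample line in the shape of the one posted in the thread
# (user name, IP and PID are illustrative, not real device data).
SAMPLE_LOG = (
    "2025-11-09T19:00:11.875628+01:00 sw6200 log-proxyd[799]: "
    "Event|5209|LOG_INFO|CDTR|1|User XXX logged in from 10.0.0.5 through SSH session."
)

# Emulation of the Wazuh pre-decoder for a syslog-style line:
# "<timestamp> <hostname> <program>[<pid>]: <message>".  The colon after
# the PID is optional because the archived JSON line in the thread lacks it.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:?\s*(?P<log>.*)$"
)

# Approximate Python translation of the user's original prematch.  It is
# anchored on the timestamp, which the pre-decoder has already removed.
ORIGINAL_PREMATCH = re.compile(r"^\d \d{4}-\d\d-\d\dT\d\d:\d\d:\d\d")

# Python translations of the OS_Regex child patterns from the working decoder.
# OS_Regex "\w" also matches "-", while Python's is [A-Za-z0-9_]; this log
# contains no hyphen in the category field, so the difference does not matter.
EVENT_HEADER = re.compile(r"(\w*)\|(\d*)\|(\S*)\|(\S*)\|(\d*)\|")
EVENT_HEADER_FIELDS = ("category", "event_id", "severity", "module", "session_id")

# The thread's login regex uses "(\.+)" (any character, one or more) for every
# group.  Assumption of this example: user, ip and console are single tokens,
# so "\S+" is used there to keep the captures unambiguous.
LOGIN_EVENT = re.compile(r"User (\S+) (.+) from (\S+) through (\S+) session")
LOGIN_FIELDS = ("user", "event_message", "ip", "console")


def predecode(line):
    """Split a syslog line into header fields plus the remaining message body."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def original_prematch_fires(line):
    """True if the timestamp-anchored prematch matches the pre-decoded body."""
    pre = predecode(line)
    return bool(pre and ORIGINAL_PREMATCH.match(pre["log"]))


def decode(line, expected_program="log-proxyd"):
    """Emulate parent <program_name> match followed by the two child regexes.

    Returns a dict of extracted fields, or None when the parent does not match
    (which is what an empty "decoder":{} in archives.json corresponds to).
    """
    pre = predecode(line)
    if pre is None or pre["program_name"] != expected_program:
        return None
    fields = {"program_name": pre["program_name"]}
    body = pre["log"]
    m = EVENT_HEADER.search(body)
    if m:
        fields.update(zip(EVENT_HEADER_FIELDS, m.groups()))
    m = LOGIN_EVENT.search(body)
    if m:
        fields.update(zip(LOGIN_FIELDS, m.groups()))
    return fields


if __name__ == "__main__":
    print("original prematch fires:", original_prematch_fires(SAMPLE_LOG))
    for key, value in (decode(SAMPLE_LOG) or {}).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the field names the <order> tags would produce; to check the real decoder, paste the same line into wazuh-logtest as the thread describes.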
