NAC Decoders and Rules


perps grace

May 11, 2026, 6:58:29 AM (6 days ago) May 11
to Wazuh | Mailing List
Hello,
I have been working on generating decoders and rules for a NAC solution, but I haven't succeeded. Kindly help me create the decoders and rules. Here is a log sample:

{"timestamp":"2026-04-22T08:50:54.326+0000","agent":{"id":"107","name":"PICS0017","ip":"192.168.1.17","labels":{"org":"PI"}},"manager":{"name":"WazuhServer"},"id":"1776847854.7698569177","full_log":"2026-04-22T11:50:53+03:00 pics0026 {\"userip\": \"192.168.106.86\",\"userid\":\"anjogu\",\"type\":\"application\",\"timestamp\":\"Apr 22 2026 11:50:53\",\"source\":\"web-grm\",\"name\":\"stop-networkaccess\",\"msg\":\"Device was disabled network access\",\"hostname\":\"pics0026\",\"hostid\":\"192.168.106.127\",\"data\":{\"username\":\"anjogu\",\"destinationMac\":\"E6:E9:0F:36:BB:33\",\"browserInfo\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\"}}","predecoder":{"timestamp":"2026-04-22T11:50:53+03:00"},"decoder":{"name":"json"},"data":{"userip":"192.168.106.86","userid":"anjogu","type":"application","timestamp":"Apr 22 2026 11:50:53","source":"web-grm","name":"stop-networkaccess","msg":"Device was disabled network access","hostname":"pics0026","hostid":"192.168.106.127","data":{"username":"anjogu","destinationMac":"E6:E9:0F:36:BB:33","browserInfo":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"}},"location":"/var/log/syslog"}


{"timestamp":"2026-04-22T07:35:23.878+0000","agent":{"id":"107","name":"PICS0017","ip":"192.168.1.17","labels":{"org":"PI"}},"manager":{"name":"WazuhServer"},"id":"1776843323.5571422352","full_log":"2026-04-22T10:35:22+03:00 pics0026 {\"type\": \"application\",\"timestamp\":\"Apr 22 2026 10:35:22\",\"time\":\"2026-04-22T07:35:22.728Z\",\"source\":\"core-npe\",\"name\":\"change-access\",\"msg\":\"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC\",\"hostname\":\"pics0026\",\"hostid\":\"192.168.0.235\",\"data\":{\"ruledescription\":\"Initialize role\",\"rolereason\":\"Untrusted device\",\"role\":\"untrusted\",\"destinationMac\":\"9A:AF:0E:81:9D:DC\",\"destinationAddress\":\"192.168.8.81\",\"accessgroup\":\"restricted\"}}","predecoder":{"timestamp":"2026-04-22T10:35:22+03:00"},"decoder":{"name":"json"},"data":{"type":"application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}},"location":"/var/log/syslog"}

Henadence Anyam

May 11, 2026, 7:47:22 AM (6 days ago) May 11
to Wazuh | Mailing List
Hi Perps,

The events you shared can be decoded by the Wazuh built-in JSON decoder as you can see in the logtest results below:

[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.5
Type one log per line


2026-04-22T11:50:53+03:00 pics0026 {"userip": "192.168.106.86","userid":"anjogu","type":"application","timestamp":"Apr 22 2026 11:50:53","source":"web-grm","name":"stop-networkaccess","msg":"Device was disabled network access","hostname":"pics0026","hostid":"192.168.106.127","data":{"username":"anjogu","destinationMac":"E6:E9:0F:36:BB:33","browserInfo":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"}}

**Phase 1: Completed pre-decoding.
        full event: '2026-04-22T11:50:53+03:00 pics0026 {"userip": "192.168.106.86","userid":"anjogu","type":"application","timestamp":"Apr 22 2026 11:50:53","source":"web-grm","name":"stop-networkaccess","msg":"Device was disabled network access","hostname":"pics0026","hostid":"192.168.106.127","data":{"username":"anjogu","destinationMac":"E6:E9:0F:36:BB:33","browserInfo":"Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"}}'
        timestamp: '2026-04-22T11:50:53+03:00'

**Phase 2: Completed decoding.
        name: 'json'
        data.browserInfo: 'Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148'
        data.destinationMac: 'E6:E9:0F:36:BB:33'
        data.username: 'anjogu'
        hostid: '192.168.106.127'
        hostname: 'pics0026'
        msg: 'Device was disabled network access'
        name: 'stop-networkaccess'
        source: 'web-grm'
        timestamp: 'Apr 22 2026 11:50:53'
        type: 'application'
        userid: 'anjogu'
        userip: '192.168.106.86'


2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}

**Phase 1: Completed pre-decoding.
        full event: '2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}'
        timestamp: '2026-04-22T10:35:22+03:00'

**Phase 2: Completed decoding.
        name: 'json'
        data.accessgroup: 'restricted'
        data.destinationAddress: '192.168.8.81'
        data.destinationMac: '9A:AF:0E:81:9D:DC'
        data.role: 'untrusted'
        data.rolereason: 'Untrusted device'
        data.ruledescription: 'Initialize role'
        hostid: '192.168.0.235'
        hostname: 'pics0026'
        msg: 'New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC'
        name: 'change-access'
        source: 'core-npe'
        time: '2026-04-22T07:35:22.728Z'
        timestamp: 'Apr 22 2026 10:35:22'
        type: 'application'


For granular decoding, we can create custom decoders.

With the information above, we can now create custom rules based on this decoder. Custom rules are designed to address specific use cases.
For example, the custom rule below triggers for all NAC events that arrive at the Wazuh server:

<group name="syslog,nac,">
  <rule id="111001" level="3">
    <decoded_as>json</decoded_as>
    <field name="type">\.+</field>
    <field name="source">\.+</field>
    <description>NAC: Grouped events.</description>
  </rule>
</group>

The logtest result is shown below, and the rule is triggered as highlighted in Phase 3:

[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.5
Type one log per line


2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}

**Phase 1: Completed pre-decoding.
        full event: '2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}'
        timestamp: '2026-04-22T10:35:22+03:00'

**Phase 2: Completed decoding.
        name: 'json'
        data.accessgroup: 'restricted'
        data.destinationAddress: '192.168.8.81'
        data.destinationMac: '9A:AF:0E:81:9D:DC'
        data.role: 'untrusted'
        data.rolereason: 'Untrusted device'
        data.ruledescription: 'Initialize role'
        hostid: '192.168.0.235'
        hostname: 'pics0026'
        msg: 'New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC'
        name: 'change-access'
        source: 'core-npe'
        time: '2026-04-22T07:35:22.728Z'
        timestamp: 'Apr 22 2026 10:35:22'
        type: 'application'

**Phase 3: Completed filtering (rules).
        id: '111001'
        level: '3'
        description: 'NAC: Grouped events.'
        groups: '['syslog', 'nac']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

We can also create an additional rule to address policy violations, as is the case with the second event log sample.
Add the rule below within the </group> tag:

<rule id="111002" level="3">
  <if_sid>111001</if_sid>
  <field name="data.accessgroup">^restricted$</field>
  <description>NAC: $(msg)</description>
</rule>


Logtest result:

[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.5
Type one log per line


2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}

**Phase 1: Completed pre-decoding.
        full event: '2026-04-22T10:35:22+03:00 pics0026 {"type": "application","timestamp":"Apr 22 2026 10:35:22","time":"2026-04-22T07:35:22.728Z","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","hostname":"pics0026","hostid":"192.168.0.235","data":{"ruledescription":"Initialize role","rolereason":"Untrusted device","role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","destinationAddress":"192.168.8.81","accessgroup":"restricted"}}'
        timestamp: '2026-04-22T10:35:22+03:00'

**Phase 2: Completed decoding.
        name: 'json'
        data.accessgroup: 'restricted'
        data.destinationAddress: '192.168.8.81'
        data.destinationMac: '9A:AF:0E:81:9D:DC'
        data.role: 'untrusted'
        data.rolereason: 'Untrusted device'
        data.ruledescription: 'Initialize role'
        hostid: '192.168.0.235'
        hostname: 'pics0026'
        msg: 'New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC'
        name: 'change-access'
        source: 'core-npe'
        time: '2026-04-22T07:35:22.728Z'
        timestamp: 'Apr 22 2026 10:35:22'
        type: 'application'

**Phase 3: Completed filtering (rules).
        id: '111002'
        level: '3'
        description: 'NAC: New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC'
        groups: '['syslog', 'nac']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


You can get more information in the blog post Creating decoders and rules from scratch.
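As an added example (not the reply's own code or Wazuh's implementation), the snippet below emulates the path the reply walks through: it pre-decodes the syslog header, flattens the JSON payload into the dotted field names shown in Phase 2, and then evaluates Python equivalents of rules 111001 and 111002, including the $(msg) substitution in the description. The regex patterns are Python equivalents of the Wazuh OS_Regex syntax (`\.+` becomes `.+`), and the sample lines are trimmed copies of the two events in the thread.

```python
import json
import re

# Constructed samples: trimmed copies of the two NAC events from the thread.
SAMPLE_LOGS = [
    '2026-04-22T11:50:53+03:00 pics0026 {"userip": "192.168.106.86","userid":"anjogu","type":"application","source":"web-grm","name":"stop-networkaccess","msg":"Device was disabled network access","data":{"username":"anjogu","destinationMac":"E6:E9:0F:36:BB:33"}}',
    '2026-04-22T10:35:22+03:00 pics0026 {"type": "application","source":"core-npe","name":"change-access","msg":"New access restricted assigned to device 192.168.8.81/9A:AF:0E:81:9D:DC","data":{"role":"untrusted","destinationMac":"9A:AF:0E:81:9D:DC","accessgroup":"restricted"}}',
]

# Emulation of the two rules from the reply: a parent that groups every NAC event
# and a child (if_sid 111001) that fires when data.accessgroup is "restricted".
RULES = [
    {"id": 111001, "level": 3, "if_sid": None,
     "fields": {"type": r".+", "source": r".+"}, "description": "NAC: Grouped events."},
    {"id": 111002, "level": 3, "if_sid": 111001,
     "fields": {"data.accessgroup": r"^restricted$"}, "description": "NAC: $(msg)"},
]

SYSLOG_PREFIX = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>\{.*\})$")

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys (data.accessgroup), as the json decoder shows in Phase 2."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)
    return out

def decode(line):
    """Phase 1/2: strip the syslog timestamp and hostname, then JSON-decode the payload."""
    match = SYSLOG_PREFIX.match(line)
    return flatten(json.loads(match.group("body"))) if match else None

def evaluate(fields):
    """Phase 3: return (id, level, rendered description) of the most specific matching rule."""
    matched = None
    for rule in RULES:
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue  # child rule only applies once its parent has matched
        # A <field> never matches when the field is absent: fields.get(...) yields "" then.
        if all(re.search(pat, fields.get(name, "")) for name, pat in rule["fields"].items()):
            matched = rule
    if matched is None:
        return None
    desc = re.sub(r"\$\(([\w.]+)\)", lambda m: fields.get(m.group(1), ""), matched["description"])
    return matched["id"], matched["level"], desc

def analyze(line):
    fields = decode(line)
    return evaluate(fields) if fields is not None else None
```

Running `analyze` over SAMPLE_LOGS gives rule 111001 for the stop-networkaccess event and 111002 with the expanded message for the change-access event, mirroring the two logtest outputs in the reply.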