Custom Decoders Configuration


Anand Kumar

Sep 7, 2025, 9:14:08 AM (yesterday)
to Wazuh | Mailing List

Dear Team,

I want to achieve a specific log format that makes it easier to run queries. Since we have many different log sources connected, they produce logs in varying JSON formats. For example, one source may record the source IP address under win.eventdata.ipAddress, while another may use srcIp.

To test this, I created a custom decoder as shown below:

<decoder name="express-custom">
  <parent>json</parent>
  <regex>"ipAddress":"(\d+.\d+.\d+.\d+)"</regex>
  <order>central_key.sourceIp</order>
</decoder>

I added this to a separate file for custom decoders.

When I parse the following log:


{"agent":{"name":"agentName","id":"003"},"manager":{"name":"monitoring"},"data":{"win":{"eventdata":{"ipAddress":"192.168.10.2","originalFileName":"Cmd.Exe","image":"C:\\\\Windows\\\\SysWOW64\\\\cmd.exe","product":"Microsoft® Windows® Operating System","parentProcessGuid":"{d9e9da40-0d98-68af-b300-000000000f00}","description":"Windows Command Processor","logonGuid":"{d9e9da40-99f8-68af-e703-000000000000}","parentCommandLine":"\\\"active-response/bin/restart-wazuh.exe\\\"","processGuid":"{d9e9da40-0d98-68af-b800-000000000f00}","logonId":"0x3e7","parentProcessId":"4772","processId":"3972","currentDirectory":"C:\\\\Program Files (x86)\\\\ossec-agent\\\\","utcTime":"2025-08-27 13:52:24.248","hashes":"SHA256=B94D1C553C7EF81DF040D6BE59120EB0A8F67AEC1A787A2B6B537309CBAF8CC4","parentImage":"C:\\\\Program Files (x86)\\\\ossec-agent\\\\active-response\\\\bin\\\\restart-wazuh.exe","company":"Microsoft Corporation","commandLine":"C:\\\\Windows\\\\system32\\\\cmd.exe /c %%WINDIR%%\\\\system32\\\\net.exe start Wazuh","integrityLevel":"System","fileVersion":"10.0.17763.1697 (WinBuild.160101.0800)","user":"NT AUTHORITY\\\\SYSTEM","terminalSessionId":"0","parentUser":"NT AUTHORITY\\\\SYSTEM"},"system":{"eventID":"1","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2025-08-27 13:52:24.248\r\nProcessGuid: {d9e9da40-0d98-68af-b800-000000000f00}\r\nProcessId: 3972\r\nImage: C:\\Windows\\SysWOW64\\cmd.exe\r\nFileVersion: 10.0.17763.1697 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: Cmd.Exe\r\nCommandLine: C:\\Windows\\system32\\cmd.exe /c %%WINDIR%%\\system32\\net.exe start Wazuh\r\nCurrentDirectory: C:\\Program Files (x86)\\ossec-agent\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {d9e9da40-99f8-68af-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=B94D1C553C7EF81DF040D6BE59120EB0A8F67AEC1A787A2B6B537309CBAF8CC4\r\nParentProcessGuid: {d9e9da40-0d98-68af-b300-000000000f00}\r\nParentProcessId: 4772\r\nParentImage: C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\restart-wazuh.exe\r\nParentCommandLine: \"active-response/bin/restart-wazuh.exe\"\r\nParentUser: NT AUTHORITY\\SYSTEM\"","version":"5","systemTime":"2025-08-27T13:52:24.251884400Z","eventRecordID":"162","threadID":"5080","computer":"pc","task":"1","processID":"2416","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}},"rule":{"firedtimes":2,"mail":false,"level":4,"description":"Windows command prompt started by an abnormal process","groups":["sysmon","sysmon_eid1_detections","windows"],"mitre":{"technique":["Windows Command Shell"],"id":["T1059.003"],"tactic":["Execution"]},"id":"92052"},"decoder":{"name":"windows_eventchannel"},"input":{"type":"log"},"@timestamp":"2025-08-27T13:52:25.191Z","location":"EventChannel","id":"1756302745.26883","timestamp":"2025-08-27T13:52:25.191+0000"}


It does parse the log and extracts the source IP into the central_key field. However, the issue is that the rest of the JSON log is not shown, as seen in the attached screenshot.

What I would like is to keep the complete log, but normalize the source IP so that regardless of whether the value appears in win.eventdata.ipAddress, srcIp, or another field, it is always mapped to central_key.sourceIp.

Can this be achieved with decoders, or am I approaching this incorrectly?

Screenshot 2025-09-07 153252.png

hasitha.u...@wazuh.com

1:10 AM (15 hours ago)
to Wazuh | Mailing List

Hi Anand,

It seems you're testing a log that has already been processed, most likely taken from alerts.json.

When analyzing, you can safely ignore the section:

{"agent":{"name":"agentName","id":"003"},"manager":{"name":"monitoring"},"data":

This portion is simply an additional header.

Similarly, you should also exclude the following part:

,"rule":{"firedtimes":2,"mail":false,"level":4,"description":"Windows command prompt started by an abnormal process","groups":["sysmon","sysmon_eid1_detections","windows"],"mitre":{"technique":["Windows Command Shell"],"id":["T1059.003"],"tactic":["Execution"]},"id":"92052"},"decoder":{"name":"windows_eventchannel"},"input":{"type":"log"},"@timestamp":"2025-08-27T13:52:25.191Z","location":"EventChannel","id":"1756302745.26883","timestamp":"2025-08-27T13:52:25.191+0000"}

It contains metadata added by Wazuh during alert generation.

From what I see, this log corresponds to the Windows Command Prompt being launched by an abnormal process (rule ID 92052).

That means Wazuh matches the rule without any issues.
For Windows logs, the source IP is decoded as win.eventdata.ipAddress.
Please refer to this guide for more details: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/dynamic-fields.html
If you want to test Windows logs, here's what you can do:
When working with logs in JSON escape format, make sure to unescape them first.

This is the content of your actual log that the rule engine is processing, so you need to use this for testing:

{"win":{"eventdata":{"ipAddress":"192.168.10.2","originalFileName":"Cmd.Exe","image":"C:\\Windows\\SysWOW64\\cmd.exe","product":"Microsoft® Windows® Operating System","parentProcessGuid":"{d9e9da40-0d98-68af-b300-000000000f00}","description":"Windows Command Processor","logonGuid":"{d9e9da40-99f8-68af-e703-000000000000}","parentCommandLine":"\"active-response/bin/restart-wazuh.exe\"","processGuid":"{d9e9da40-0d98-68af-b800-000000000f00}","logonId":"0x3e7","parentProcessId":"4772","processId":"3972","currentDirectory":"C:\\Program Files (x86)\\ossec-agent\\","utcTime":"2025-08-27 13:52:24.248","hashes":"SHA256=B94D1C553C7EF81DF040D6BE59120EB0A8F67AEC1A787A2B6B537309CBAF8CC4","parentImage":"C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\restart-wazuh.exe","company":"Microsoft Corporation","commandLine":"C:\\Windows\\system32\\cmd.exe /c %%WINDIR%%\\system32\\net.exe start Wazuh","integrityLevel":"System","fileVersion":"10.0.17763.1697 (WinBuild.160101.0800)","user":"NT AUTHORITY\\SYSTEM","terminalSessionId":"0","parentUser":"NT AUTHORITY\\SYSTEM"},"system":{"eventID":"1","keywords":"0x8000000000000000","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","level":"4","channel":"Microsoft-Windows-Sysmon/Operational","opcode":"0","message":"Process Create:\nRuleName: -\nUtcTime: 2025-08-27 13:52:24.248\nProcessGuid: {d9e9da40-0d98-68af-b800-000000000f00}\nProcessId: 3972\nImage: C:\\Windows\\SysWOW64\\cmd.exe\nFileVersion: 10.0.17763.1697 (WinBuild.160101.0800)\nDescription: Windows Command Processor\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: Cmd.Exe\nCommandLine: C:\\Windows\\system32\\cmd.exe /c %%WINDIR%%\\system32\\net.exe start Wazuh\nCurrentDirectory: C:\\Program Files (x86)\\ossec-agent\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {d9e9da40-99f8-68af-e703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: SHA256=B94D1C553C7EF81DF040D6BE59120EB0A8F67AEC1A787A2B6B537309CBAF8CC4\nParentProcessGuid: {d9e9da40-0d98-68af-b300-000000000f00}\nParentProcessId: 4772\nParentImage: C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\restart-wazuh.exe\nParentCommandLine: \"active-response/bin/restart-wazuh.exe\"\nParentUser: NT AUTHORITY\\SYSTEM","version":"5","systemTime":"2025-08-27T13:52:24.251884400Z","eventRecordID":"162","threadID":"5080","computer":"pc","task":"1","processID":"2416","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Sysmon"}}}

By default, the logtest is not able to test the logs that come via eventchannel.
However, there is a workaround: Back up the file /var/ossec/ruleset/rules/0575-win-base_rules.xml
Modify the rule 60000 inside that file, removing the category and changing the decoded_as to json.

<rule id="60000" level="0">
  <decoded_as>json</decoded_as>
  <field name="win.system.providerName">\.+</field>
  <options>no_full_log</options>
  <description>Group of windows rules.</description>
</rule>

Now you can test your log with the logtest tool and confirm whether the rule is working. It is not necessary to restart the manager after modifying this or any other rules file in order to use the logtest tool on the CLI.
Use this command on the CLI to run the wazuh-logtest tool:
/var/ossec/bin/wazuh-logtest
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager, all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.

If the logs do not match the decoder and rules, they will not be written into the alerts.json file. In that case, you need to write custom decoders and rules.

Let me know the update on this.
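Added example (not code from this thread or from Wazuh itself): a short Python helper that does in script form what the reply above describes by hand. It strips an alerts.json record down to the original event under data, which is the single line to paste into wazuh-logtest, and it reports which of the candidate fields from the question (win.eventdata.ipAddress or srcIp) carries the source IP. The sample alert is constructed and abbreviated, and the function names are my own.

```python
import json

# Constructed, abbreviated alerts.json record in the shape discussed above: the
# original event sits under "data", wrapped by the agent/manager header and the
# rule/decoder/timestamp metadata that Wazuh adds when it writes the alert.
SAMPLE_ALERT = json.dumps({
    "agent": {"name": "agentName", "id": "003"},
    "manager": {"name": "monitoring"},
    "data": {"win": {"eventdata": {"ipAddress": "192.168.10.2",
                                   "image": "C:\\Windows\\SysWOW64\\cmd.exe"},
                     "system": {"eventID": "1",
                                "providerName": "Microsoft-Windows-Sysmon"}}},
    "rule": {"level": 4, "id": "92052"},
    "decoder": {"name": "windows_eventchannel"},
    "timestamp": "2025-08-27T13:52:25.191+0000",
})

def raw_event_from_alert(alert_line: str) -> str:
    """Return the event the rule engine actually saw, as one line for wazuh-logtest.
    json.loads undoes the escaping applied when the event was embedded in the
    alert; keeping only "data" drops the header and the alert metadata."""
    alert = json.loads(alert_line)
    if "data" not in alert:
        raise ValueError("not an alerts.json record: no 'data' object")
    return json.dumps(alert["data"], separators=(",", ":"))

def lookup(event: dict, dotted_path: str):
    """Resolve a dotted field name such as win.eventdata.ipAddress; None if absent."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def find_source_ip(event_line: str,
                   candidates=("win.eventdata.ipAddress", "srcIp")):
    """Return (path, value) for the first candidate field present, else (None, None)."""
    event = json.loads(event_line)
    for path in candidates:
        value = lookup(event, path)
        if value is not None:
            return path, value
    return None, None

if __name__ == "__main__":
    raw = raw_event_from_alert(SAMPLE_ALERT)
    print(raw)                  # paste this single line into wazuh-logtest
    print(find_source_ip(raw))  # ('win.eventdata.ipAddress', '192.168.10.2')
```

Feed a real line from alerts.json in place of SAMPLE_ALERT; the candidates tuple is the list of field paths a central_key.sourceIp mapping would have to cover for each log source.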