Custom Decoder Not Extracting Field


abhishek gahane

Feb 11, 2026, 10:21:53 AM
to Wazuh | Mailing List
I have a custom decoder that should extract a number from a log, but the field is not being captured in Phase 2 decoding. 
I have a similar working decoder for Linux that uses the exact same structure, which makes this even more confusing.

Environment:
Wazuh Version: 4.14.2

Log Source (localfile configuration in ossec.conf):
<localfile>
  <log_format>eventchannel</log_format>
  <command>powershell -NoP -C "[int]((Date)-(Get-HotFix|sort InstalledOn)[-1].InstalledOn).TotalDays"</command>
  <frequency>10</frequency>
  <alias>days_since_last_patch</alias>
</localfile>

The Log
ossec: output: 'days_since_last_patch': 227

Decoder (NOT working)
<decoder name="windows_update_days">
  <parent>ossec</parent>
  <regex>'days_since_last_patch': (\d+)</regex>
  <order>last_update</order>
</decoder>

Rule
<rule id="880004" level="3">
    <if_sid>530</if_sid>
    <match>'days_since_last_patch':</match>
    <description>Last Windows Update (HotFix): $(last_update) days ago</description>
    <group>last_upgrade_check,windows,</group>
</rule>

wazuh-logtest output
In Phase 2: Completed decoding.

Only name: 'ossec' appears; the last_update field is missing.

Phase 3: Completed filtering (rules) and matched

---------

Working Comparison: Linux Decoder (for reference)

I have an almost identical decoder for Linux that WORKS PERFECTLY:

Log Source (localfile configuration in ossec.conf):

Log:
ossec: output: 'echo $(( ( $(date +%s) - $(stat -c %Y /var/lib/apt/extended_states) ) / 86400 ))': 0

Decoder:
<decoder name="apt_extended_states">
  <parent>ossec</parent>
  <regex>/var/lib/apt/extended_states\) \) / \d+ \)\)':\s(\d+)</regex>
  <order>extended_states_timestamp</order>
</decoder>

Rule:
<rule id="770012" level="3">
    <if_sid>530</if_sid>
    <match>86400 ))':</match>
    <description>Last APT extended_states file modification: $(extended_states_timestamp) days ago</description>
    <group>last_upgrade_check,</group>
</rule>

wazuh-logtest output:
Output (works correctly):
In Phase 2: extended_states_timestamp field is extracted!

Both decoders are in the same file, same structure, but only the Linux one works.

I've tried multiple regex patterns, with and without pcre2 in the regex field.

Why would one decoder work but not the other when they follow the same structure?

The rule (880004) successfully matches the log, which proves the decoder file is being loaded. However, the regex capture group isn't extracting the value.
Any help would be greatly appreciated!

Victor Carlos Erenu

Feb 11, 2026, 11:33:36 AM
to Wazuh | Mailing List
Hi abhishek

From what I can see, the decoder is failing to detect the regex you added in the log.

Could you try changing the regex? It might be that the whitespace character isn't being detected correctly.
<decoder name="windows_update_days">
  <parent>ossec</parent>
  <regex>'days_since_last_patch':\s+(\d+)</regex>
  <order>last_update</order>
</decoder>

In the decoder that works for you, you have the blank space declared like this:
<decoder name="apt_extended_states">
  <parent>ossec</parent>
  <regex>/var/lib/apt/extended_states\) \) / \d+ \)\)':\s(\d+)</regex>
  <order>extended_states_timestamp</order>
</decoder>
