Vcenter decoders
29 views
Skip to first unread message
Bayu Sangkaya (bayusky.labs)
Sep 7, 2025, 3:19:01 AM (yesterday) Sep 7
to Wazuh | Mailing List
Dear team,
I've tried to create vcenter decoder like this:
<decoder name="vcenter-base">
<prematch>vcenter</prematch>
<regex offset="after_prematch">(vcenter\S*) (\S+) </regex>
<order>vcenter_hostname,vcenter_program_name</order>
</decoder>
<!-- Envoy Access Logs -->
<decoder name="vcenter-envoy-access">
<parent>vcenter-base</parent>
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\S+) - (\d+) (\d+) (\w+) (\d+) (\d+) (\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) - (\S+) - (\.*)</regex>
I've tried to create vcenter decoder like this:
<decoder name="vcenter-base">
<prematch>vcenter</prematch>
<regex offset="after_prematch">(vcenter\S*) (\S+) </regex>
<order>vcenter_hostname,vcenter_program_name</order>
</decoder>
<!-- Envoy Access Logs -->
<decoder name="vcenter-envoy-access">
<parent>vcenter-base</parent>
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\S+) - (\d+) (\d+) (\w+) (\d+) (\d+) (\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) - (\S+) - (\.*)</regex>
<order>internal_timestamp,log_level,process_id,subsystem,request_timestamp,method,endpoint,status_code,upstream_status,request_size,response_size,encoding,duration1,duration2,duration3,client_address,protocol1,tls_version,server_address,upstream_address,protocol2,backend_address,api_method</order>
</decoder>
<!-- vPXD Main Logs -->
<decoder name="vcenter-vpxd-main">
<parent>vcenter-base</parent>
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
This log match and decoded:
**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.595532+00:00 vcentersvt2 envoy-access - - - 2025-09-06T23:52:00.595Z info envoy[13501] [Originator@6876 sub=Default] 2025-09-06T23:51:54.612Z POST /sdk 200 via_upstream - 548 8059 - 1625 1623 0 10.100.8.20:44946 HTTP/1.1 TLSv1.2 10.100.4.58:443 127.0.0.1:41188 HTTP/2 - 127.0.0.1:8085 - ""WaitForUpdatesEx""'
**Phase 2: Completed decoding.
name: 'vcenter-base'
api_method: '""WaitForUpdatesEx""'
backend_address: '127.0.0.1:8085'
client_address: '10.100.8.20:44946'
duration1: '1625'
duration2: '1623'
duration3: '0'
encoding: '-'
endpoint: '/sdk'
internal_timestamp: '2025-09-06T23:52:00.595Z'
log_level: 'info'
method: 'POST'
process_id: '13501'
protocol1: 'HTTP/1.1'
protocol2: 'HTTP/2'
request_size: '548'
request_timestamp: '2025-09-06T23:51:54.612Z'
response_size: '8059'
server_address: '10.100.4.58:443'
status_code: '200'
subsystem: 'Default'
tls_version: 'TLSv1.2'
upstream_address: '127.0.0.1:41188'
upstream_status: 'via_upstream'
</decoder>
<!-- vPXD Main Logs -->
<decoder name="vcenter-vpxd-main">
<parent>vcenter-base</parent>
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
This log match and decoded:
**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.595532+00:00 vcentersvt2 envoy-access - - - 2025-09-06T23:52:00.595Z info envoy[13501] [Originator@6876 sub=Default] 2025-09-06T23:51:54.612Z POST /sdk 200 via_upstream - 548 8059 - 1625 1623 0 10.100.8.20:44946 HTTP/1.1 TLSv1.2 10.100.4.58:443 127.0.0.1:41188 HTTP/2 - 127.0.0.1:8085 - ""WaitForUpdatesEx""'
**Phase 2: Completed decoding.
name: 'vcenter-base'
api_method: '""WaitForUpdatesEx""'
backend_address: '127.0.0.1:8085'
client_address: '10.100.8.20:44946'
duration1: '1625'
duration2: '1623'
duration3: '0'
encoding: '-'
endpoint: '/sdk'
internal_timestamp: '2025-09-06T23:52:00.595Z'
log_level: 'info'
method: 'POST'
process_id: '13501'
protocol1: 'HTTP/1.1'
protocol2: 'HTTP/2'
request_size: '548'
request_timestamp: '2025-09-06T23:51:54.612Z'
response_size: '8059'
server_address: '10.100.4.58:443'
status_code: '200'
subsystem: 'Default'
tls_version: 'TLSv1.2'
upstream_address: '127.0.0.1:41188'
upstream_status: 'via_upstream'
But this is is not decoded
**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
**Phase 2: Completed decoding.
name: 'vcenter-base'
**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
**Phase 2: Completed decoding.
name: 'vcenter-base'
if i used regex test, it's correct
/var/ossec/bin/wazuh-regex '[VpxLRO] -- (\w+) (\S+) -- (\.*)'
/var/ossec/bin/wazuh-regex '[VpxLRO] -- (\w+) (\S+) -- (\.*)'
1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
+OSRegex_Execute: 1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
-Substring: BEGIN
-Substring: lro-178317441
-Substring: session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
-Substring: BEGIN
-Substring: lro-178317441
-Substring: session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
+OS_Regex : 1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
Where did I go wrong?
Regards,
Where did I go wrong?
Regards,
Bayu Sangkaya
Henadence Anyam
Sep 7, 2025, 9:37:40 AM (yesterday) Sep 7
to Wazuh | Mailing List
Hi Bayu Sangkaya,
<parent>vcenter-base</parent>
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\>
</decoder>
<!-- vPXD Main Logs -->
<parent>vcenter-base</parent>
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.12.0
Type one log per line
lro_details: 'session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
lro_id: 'lro-178317441'
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\>
<order>internal_timestamp,log_level,process_id,subsystem,request_timestamp,method,endpoint,status_code,upstream_status,request_size,response_size,encoding,du>
</decoder>
<!-- vPXD Main Logs -->
<decoder name="vcenter-vpxd-main">
<prematch>vcentersvt2 vpxd-main</prematch>
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
Your children decoders should use the same name.
For example, I have changed the names to
vcenter-child as shown below:
<decoder name="vcenter-base">
<prematch>vcenter</prematch>
<regex offset="after_prematch">(vcenter\S*) (\S+) </regex>
<order>vcenter_hostname,vcenter_program_name</order>
</decoder>
<!-- Envoy Access Logs -->
<prematch>vcenter</prematch>
<regex offset="after_prematch">(vcenter\S*) (\S+) </regex>
<order>vcenter_hostname,vcenter_program_name</order>
</decoder>
<!-- Envoy Access Logs -->
<decoder name="vcenter-child">
<parent>vcenter-base</parent>
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\>
<order>internal_timestamp,log_level,process_id,subsystem,request_timestamp,method,endpoint,status_code,upstream_status,request_size,response_size,encoding,du>
</decoder>
<!-- vPXD Main Logs -->
<decoder name="vcenter-child">
<parent>vcenter-base</parent>
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
Testing the logs with the wazuh-logtest tool, we get the following result:
Starting wazuh-logtest v4.12.0
Type one log per line
1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)
**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
**Phase 2: Completed decoding.
name: 'vcenter-base'
lro_action: 'BEGIN'**Phase 1: Completed pre-decoding.
full event: '1 2025-09-06T23:52:00.788749+00:00 vcentersvt2 vpxd-main - - - 2025-09-06T23:52:00.788Z info vpxd[855888] [Originator@6876 sub=vpxLro opID=ebb1fe1] [VpxLRO] -- BEGIN lro-178317441 -- session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
**Phase 2: Completed decoding.
name: 'vcenter-base'
lro_details: 'session[52676508-9035-d137-02eb-ca65efbccc9c]5234c294-7f43-ca6f-7c61-1a38e753b218 -- vim.HistoryCollector.remove -- 52676508-9035-d137-02eb-ca65efbccc9c(52c118f2-76ba-1546-85d1-591bb4b5a28b)'
lro_id: 'lro-178317441'
You could equally use separate names and make each decoder independent, as shown below:
<!-- Envoy Access Logs -->
<decoder name="vcenter-envoy-access">
<prematch>vcentersvt2 envoy-access</prematch><decoder name="vcenter-envoy-access">
<regex>envoy-access - - - (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) envoy[(\d+)] [Originator@6876 sub=(\w+)] (\d+-\d+-\d+T\d+:\d+:\d+.\d+Z) (\w+) (\S+) (\d+) (\>
</decoder>
<!-- vPXD Main Logs -->
<decoder name="vcenter-vpxd-main">
<regex>[VpxLRO] -- (\w+) (\S+) -- (\.*)</regex>
<order>lro_action,lro_id,lro_details</order>
</decoder>
Kindly go through these guides for better understanding:
- Decoders Syntax - Ruleset XML syntax
- Sibling Decoders
- Sibling decoders: flexible extraction of information
Reply all
Reply to author
Forward
0 new messages