Can't find the wazuh default decoder "windows_eventchannel"


XYZ Company

Jan 10, 2022, 1:48:16 PM
to Wazuh mailing list
Hello team,

I have been sending my Windows security event logs to Wazuh. These logs are decoded with the default Wazuh decoder, such that "data.win.system.channel" : "Security".

1. Looking at the decoder name in kibana, I can see "decoder.name" : "windows_eventchannel" (shown in the screenshot ss-1)

2. But, while searching for the "windows_eventchannel" decoder in the default decoder files, I can't find it anywhere. If this decoder doesn't exist, then how are the logs being decoded by it, as shown in the screenshot ss-1?

3. Also, while doing a logtest (var/ossec/bin/wazuh-logtest) with the same event log, I see the decoder name as json (shown in the screenshot ss-2). How?

Waiting for the answers to my queries. Thank you.

Mariano Koremblum

Jan 10, 2022, 3:59:16 PM
to Wazuh mailing list

Hi!

There is no Windows’ Eventchannel XML decoder, as it is embedded inside Wazuh’s code. That is why you can’t find it along with the Wazuh installation files. If you know about the C language, you may want to take a look at this file where Eventchannel events are processed.

Unfortunately, at this moment, it is not possible to directly evaluate a Windows Eventchannel log using the logtest tool, but our team has on its roadmap the improvement of this tool, in order to be able to evaluate such logs, as you can see on the following Github’s Issue: Make ossec-logtest support for implicit decoders #2765.

Despite this, there is a workaround to test Windows Events with the logtest tool, which is very well explained on the following Github Issue: Windows Wazuh Agent not collecting some logs - EventChannel - Windows Server 2016 #7651.

If you still have doubts, please let us know and we will help you.

Best Regards,

Mariano Koremblum

XYZ Company

Jan 11, 2022, 12:36:57 AM
to Wazuh mailing list
Thank you for the quick response. I have a further query now:

1. I want to further decode the message field "data.win.system.message" decoded by the windows_eventchannel decoder (screenshot ss-3). From this single field, I want to decode individual fields like "Subject", "Logon Information" and others. I think it's possible to do it by writing a sibling decoder of the windows_eventchannel decoder, but since this decoder is embedded inside Wazuh's code, how can I achieve my goal?
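As an added example (not Wazuh's code and not from anyone in this thread), this hypothetical preprocessing script shows how the free-text message field asked about above could be split into its "Subject" and "Logon Information" groups outside Wazuh; the sample message is constructed in the layout of a Windows Security logon event, and flat "key:value" lines such as the SQL audit text later in the thread are handled as top-level fields.

```python
"""Parse the free-text win.system.message of a Windows event into nested fields.

Added example, not part of Wazuh: the embedded windows_eventchannel decoder
leaves the message as one string, so a script like this (hypothetical) would
recover the structure before any field-level matching. Sample is constructed.
"""
import json
import re

# Constructed sample in the layout Windows uses for Security event 4624 text.
SAMPLE_MESSAGE = (
    "An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tWIN-HOST$\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "Logon Information:\r\n"
    "\tLogon Type:\t\t5\r\n"
    "\tElevated Token:\t\tYes\r\n"
)


def parse_event_message(message: str) -> dict:
    """Turn 'Section:\\n\\tKey:\\t\\tValue' text into {section: {key: value}}.

    An unindented 'Key:' line with no value opens a section; indented lines
    become key/value pairs under the current section; unindented 'key:value'
    lines are top-level fields; lines without a colon are the description.
    """
    fields: dict = {"_description": []}
    section = None
    for raw in re.split(r"\r?\n", message):
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()  # keep colons inside values
        if not sep:
            fields["_description"].append(key)
        elif not indented and not value:
            section = key
            fields.setdefault(section, {})
        elif indented and section is not None:
            fields[section][key] = value
        else:
            section = None
            fields[key] = value
    fields["_description"] = " ".join(fields["_description"])
    return fields


if __name__ == "__main__":
    print(json.dumps(parse_event_message(SAMPLE_MESSAGE), indent=2))
```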

XYZ Company

Jan 12, 2022, 12:01:01 AM
to Wazuh mailing list
Please help me with this.


Mariano Koremblum

Jan 12, 2022, 11:36:31 AM
to Wazuh mailing list

Hi again,

Unfortunately, because of how the windows_eventchannel decoder has been designed, it is not currently possible to create sibling decoders for it.

I strongly suggest you open an issue on Wazuh’s Github repository, exposing your concerns regarding this, so the corresponding Wazuh team takes action on the matter.

If you need further assistance, please let us know,

Best Regards,

Mariano Koremblum

XYZ Company

Jan 13, 2022, 4:49:00 AM
to Wazuh mailing list
Thank you so much. I will definitely open an issue on Wazuh's Github repository, exposing these concerns.

Mariano Koremblum

Jan 13, 2022, 12:15:36 PM
to Wazuh mailing list
Great! We are always glad to help our community.

Do not hesitate to reach out again whenever you need us.

Best Regards,

Mariano Koremblum

Павел Покровский

Aug 14, 2023, 10:55:04 AM
to Wazuh mailing list
Hi.

I'm also interested in this functionality: the ability to further decode the event log message (if I understood correctly what this topic is about).
Could you point me to the relevant issue if there is any? I could not find it in the Wazuh Github repo.

Thursday, January 13, 2022 at 20:15:36 UTC+3, Mariano Koremblum:

Dmitry Mikheev

Aug 6, 2024, 4:18:14 AM
to Wazuh | Mailing List
Same problem.
I don't understand which decoder should be the parent in order to split the win.system.message field.

<decoder name="dSQL01">
  <parent>windows_eventchannel</parent>
  <regex type="pcre2">"providerName":"([^"]+).*Audit event: audit_schema_version:1\\nevent_time:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\..*\\nsession_server_principal_name:([\w]+)\\.*\\nserver_instance_name:([\w]+)\\ndatabase_name:([\w]+).*\\nobject_name:([\w]+)\\nstatement:([^\\]+).*\\napplication_name:([\w\s\-]+).*\\nhost_name:([\w]+)</regex>
  <order>audit.providerName,audit.dataTime,audit.sessionName,audit.serverInstance,audit.database,audit.objectName,audit.statement,audit.appname,audit.host</order>
</decoder>

wazuh-analysisd: ERROR: (2101): Parent decoder name invalid: 'windows_eventchannel'.
wazuh-analysisd: ERROR: (2106): Error adding decoder plugin.
wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/local_decoder.xml'.
logserv env[268452]: wazuh-analysisd: Configuration error. Exiting

Md. Nazmur Sakib

Jan 28, 2026, 7:41:45 AM
to Wazuh | Mailing List
Hello Everyone,

You can check this workaround:
https://groups.google.com/g/wazuh/c/aVzDvRVQgdI