Extra space in log affecting the decoder
47 views
Skip to first unread message
Mani Bharathi
Mar 6, 2025, 2:16:55 AM3/6/25
to Wazuh | Mailing List
Hi Team,
There is an extra space in the log near month. but, previous month i didn't faced this issue. it's affecting me to decode the hostname from log. can you please help me to resolve this issue.
Decoder
Aruba-logs: Mar 6 12:28:01 SW2005 hpe-restd[1052] Event|4655|LOG_INFO|AMM|-|User mani logged in from 192.168.0.110 through REST session
Thanks!
Mani Bharathi K
There is an extra space in the log near month. but, previous month i didn't faced this issue. it's affecting me to decode the hostname from log. can you please help me to resolve this issue.
Decoder
<decoder name="Switch_Events1">
<parent>Aruba_Switch_Events</parent>
<regex>Aruba-logs: \S+ \d+ \d+:\d+:\d+\s(\S+)\s</regex>
<order>Hostname</order>
</decoder>
<parent>Aruba_Switch_Events</parent>
<regex>Aruba-logs: \S+ \d+ \d+:\d+:\d+\s(\S+)\s</regex>
<order>Hostname</order>
</decoder>
Logs
Aruba-logs: Feb 20 14:43:39 SW2005 hpe-restd[1091] Event|4655|LOG_INFO|AMM|-|User mani logged in from 192.168.0.110 through REST session
Aruba-logs: Mar 6 12:28:01 SW2005 hpe-restd[1052] Event|4655|LOG_INFO|AMM|-|User mani logged in from 192.168.0.110 through REST session
Thanks!
Mani Bharathi K
Bony V John
Mar 6, 2025, 4:02:41 AM3/6/25
to Wazuh | Mailing List
Hi,
<decoder name="Switch_Events1">
<parent>Aruba_Switch_Events</parent>
Based on both of your log structures, I have updated your custom decoder, and now it properly decodes the hostname without any issues. You can test the decoder below from your end and check if it works fine for you.
<decoder name="Aruba_Switch_Events">
<prematch>^Aruba-logs:</prematch>
</decoder>
<prematch>^Aruba-logs:</prematch>
</decoder>
<decoder name="Switch_Events1">
<parent>Aruba_Switch_Events</parent>
<regex>Aruba-logs:\s*\S+\s*\d+ \d+:\d+:\d+\s(\S+)\s</regex>
<order>Hostname</order>
</decoder>
<order>Hostname</order>
</decoder>
Changes from your custom decoder:
- I have added a parent decoder. I assume you already have a parent decoder for this.
- I have used \s* in the regex to match spaces. In your custom decoder, you directly used spaces to match them in the log, but this may not work in certain scenarios. Using \s* ensures that it matches one or more spaces, or even if there are no spaces in the log.
I have tested both logs that you shared, and this decoder is working fine for me for both log. I have attached a screenshot for your reference.
Additionally, you can refer to the Wazuh regex documentation to learn more about regex, which can help you in similar cases. You can also check the Wazuh decoder syntax documentation for writing custom decoders.
Mani Bharathi
Mar 14, 2025, 1:10:29 AM3/14/25
to Wazuh | Mailing List
Hi Bony,
Thanks a lot for your support. it's worked.
Thanks!
Mani Bharathi K
Thanks a lot for your support. it's worked.
Thanks!
Mani Bharathi K
Reply all
Reply to author
Forward
0 new messages