How to replicate existing decoders?


Vilaysack Vorachack

Jul 4, 2023, 12:58:06 AM7/4/23
to Wazuh mailing list
Dear Wazuh Team,
I was trying to develop my own decoder where the log source is nginx, and I configured nginx to log the request body. However, I found that there is no decoder that collects the information in this case, so I decided to do it myself.

The problem I found is that when I use `wazuh-logtest` to try my decoder, which I wrote in local_decoders.xml, the decoder detected is the one that comes with Wazuh instead. How can I solve this?
```
192.168.176.1 - - [04/Jul/2023:04:16:15 +0000] "POST /login HTTP/1.1" 200 41 "http://192.168.176.129/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "{"user":"admin","password":"admin"}"
```
The log above is my testing log and the decoder below is what I wrote.
[screenshot: Screenshot 2023-07-04 115518.png]
And the picture below is my testing on logtest.
[screenshot: Screenshot 2023-07-04 115518.png]

Best regards,

Himanshu Sharma

Jul 4, 2023, 5:38:27 AM7/4/23
to Wazuh mailing list
Hi Vilay,

Thanks for using Wazuh!
Thanks for the details. I will test this in my local lab and update you as soon as possible.

Regards,

Himanshu Sharma

Jul 13, 2023, 8:02:20 AM7/13/23
to Wazuh mailing list
Hi Vilaysack,

Thanks for waiting and sorry for the delay. I have created a custom decoder from the existing one according to your requirement; you can update it according to your requirement.
You can follow the below steps:
1. Copy the decoder file /var/ossec/ruleset/decoders/0375-web-accesslog_decoders.xml to the user folder /var/ossec/etc/decoders. This keeps the changes you make when updating to a newer version.
2. Edit the /var/ossec/etc/ossec.conf configuration file. Set the <decoder_exclude> tag to exclude the original ruleset/decoders/0375-web-accesslog_decoders.xml decoder file from the loading list.
3. Make changes to /var/ossec/etc/decoders/0375-web-accesslog_decoders.xml and add the below decoder to the file.
4. Restart the Wazuh manager so the changes take effect.
systemctl restart wazuh-manager

Custom decoder:
```
<decoder name="web-accesslog-ip">
    <type>web-log</type>
    <parent>web-accesslog</parent>
    <regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) \d+ "(\.+)" "(\.+)" "{(\.+)}"</regex>
    <order>srcip,protocol,type,response,url,browser,credentialds</order>
</decoder>
```
Output:
```
**Phase 1: Completed pre-decoding.
        full event: '192.168.176.1 - - [04/Jul/2023:04:16:15 +0000] "POST /login HTTP/1.1" 200 41 "http://192.168.176.129/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "{"user":"admin","password":"admin"}"'

**Phase 2: Completed decoding.
        name: 'web-accesslog'
        browser: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36'
        credentialds: '"user":"admin","password":"admin"'
        id: '200'
        protocol: 'POST'
        response: '200'
        srcip: '192.168.176.1'
        type: '/login'
        url: 'http://192.168.176.129/login'
```

Reference:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-decoder
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this information helps you. Please feel free to reach out to us for any information/issues.

Regards,
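
The following is an added example, not code from Wazuh or from either poster: a small Python harness that translates the OSSEC regex dialect used in a decoder's `<regex>` (where `\.` means "any character", `\S` is "not space", `\w` is letters, digits, `-`, `@`, `_`, and `[`, `]`, `{`, `}` are literals) into a Python regular expression, then applies the `<regex>`/`<order>` pair from the custom decoder above to the sample nginx line. It lets you check a decoder's capture groups against a log line before copying the file into /var/ossec/etc/decoders and restarting the manager. The translation is an approximation of Wazuh's own (non-PCRE) matcher and covers the common escapes only; the function and constant names are this example's own.

```python
"""Offline check of a Wazuh/OSSEC decoder <regex> against a sample log line.

Added example (not Wazuh code). It approximates the OSSEC regex dialect with a
Python regex so a decoder can be tried without wazuh-logtest.
"""
import re
from typing import Dict, Optional

# OSSEC escape -> Python equivalent, per the OSSEC regex syntax documentation.
OSSEC_ESCAPES = {
    "d": "[0-9]",                    # digit
    "D": "[^0-9]",                   # not digit
    "w": r"[A-Za-z0-9@_\-]",         # letter, digit, '-', '@', '_'
    "W": "[^A-Za-z]",                # not letter
    "s": " ",                        # space
    "S": "[^ ]",                     # not space
    "t": "\t",                       # tab
    "p": r"[()*+,\-.:;<=>?\[\]]",    # punctuation set
    ".": ".",                        # \. is "any character" in OSSEC syntax
}
# Metacharacters that keep their meaning; every other bare character is literal
# (so '[', ']', '{', '}' and '.' match themselves, unlike in PCRE).
PASSTHROUGH = set("+*^$|()")


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style <regex> into a Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Known class escape, or an escaped metacharacter taken literally.
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in PASSTHROUGH else re.escape(ch))
        i += 1
    return "".join(out)


def decode(regex: str, order: str, line: str) -> Optional[Dict[str, str]]:
    """Apply a decoder's <regex>/<order> pair to one log line.

    Returns field -> captured value, or None when the regex does not match
    (the same situation as wazuh-logtest reporting no decoder for the line).
    Raises ValueError when <order> and the capture groups disagree in count,
    a common reason a decoder silently fills the wrong fields.
    """
    fields = [f.strip() for f in order.split(",")]
    compiled = re.compile(ossec_to_python(regex))
    if compiled.groups != len(fields):
        raise ValueError(
            f"<order> lists {len(fields)} fields but <regex> captures "
            f"{compiled.groups} groups"
        )
    m = compiled.search(line)
    if m is None:
        return None
    return dict(zip(fields, m.groups()))


# The <regex> and <order> of the custom decoder posted in this thread.
DECODER_REGEX = (
    r'^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) \d+ '
    r'"(\.+)" "(\.+)" "{(\.+)}"'
)
DECODER_ORDER = "srcip,protocol,type,response,url,browser,credentialds"

# The sample access-log line from the thread (request body logged verbatim).
SAMPLE_LINE = (
    '192.168.176.1 - - [04/Jul/2023:04:16:15 +0000] "POST /login HTTP/1.1" '
    '200 41 "http://192.168.176.129/login" "Mozilla/5.0 (Windows NT 10.0; '
    'Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 '
    'Safari/537.36" "{"user":"admin","password":"admin"}"'
)

if __name__ == "__main__":
    result = decode(DECODER_REGEX, DECODER_ORDER, SAMPLE_LINE) or {}
    for field, value in result.items():
        print(f"{field}: {value!r}")
```

Running it prints the same seven fields that the Phase 2 output above shows (`srcip`, `protocol`, `type`, `response`, `url`, `browser`, `credentialds`). The sample also makes concrete what logging the request body means: the decoded `credentialds` field carries the submitted password in clear, and once the decoder is loaded that value travels into alerts and whatever stores them, so decide deliberately which body fields a decoder should extract.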
