AWS RDS-PGSQL Integration with wazuh for monitoring DAM


Suvadip Ghosh

Jan 30, 2026, 9:06:21 AM (3 days ago) Jan 30
to Wazuh | Mailing List
Dear Team,

I have AWS RDS with pgsql configured, and I want to integrate it with Wazuh. Before that, I want to create the decoder to match the raw logs.

Raw logs: 2026-01-30 03:00:29 UTC:172.30.4.44(54293):hello@prod:[12961]:LOG:  AUDIT: SESSION,25,1,DDL,CREATE EXTENSION,,,"CREATE EXTENSION IF NOT EXISTS ""uuid-ossp""",<not logged>

I want a decoder for these raw logs.

Please guide me.

diego....@wazuh.com

Jan 30, 2026, 9:48:53 AM (3 days ago) Jan 30
to Wazuh | Mailing List
Hello Suvadip,

I have created the decoder for you:

<decoder name="postgres_audit">
    <parent>windows-date-format</parent>
    <regex>(\S+ \S+ \w+):(\d+.\d+.\d+.\d+)\((\d+)\):(\w+):\p(\d+)\p:LOG: (\.+)AUDIT: (\w+),(\d+,\d+),(\.+),(\.+),"(\.+""\.+"""),(\.+)</regex>
    <order>timestamp, srcip, srcport, user, pid, log_level, audit_type, session_info, action, command, sql, extra</order>
</decoder>

If you need more information on creating decoders:

Suvadip Ghosh

Jan 30, 2026, 12:02:07 PM (3 days ago) Jan 30
to Wazuh | Mailing List
Hey Diego,

I have used your decoder, but while testing I am not getting the expected output. It's matching with this decoder:
windows-date-format

diego....@wazuh.com

Jan 31, 2026, 3:52:57 AM (3 days ago) Jan 31
to Wazuh | Mailing List
Hello Suvadip,

Please make sure to save the decoder file and restart the manager before testing.
It's also important to click on the clear session button in the decoder test.

Suvadip Ghosh

Feb 1, 2026, 12:09:10 PM (yesterday) Feb 1
to diego....@wazuh.com, Wazuh | Mailing List
Hello Diego,

Yes, this decoder is now working for me.

But while creating the same type of decoder for my login success events, I am getting an error.

Raw logs: 2026-01-30 13:13:03 UTC:172.30.4.44(26465):reward_service@lxme_prod:[540]:LOG: connection authorized: user=reward_service database=lxme_prod

Can you please create the decoder for that?


diego....@wazuh.com

2:31 AM (16 hours ago) 2:31 AM
to Wazuh | Mailing List
Hello Suvadip,

Here is the new decoder plus some modifications I made to the decoder we had before:

<decoder name="postgres_audit">
    <parent>windows-date-format</parent>
    <prematch>AUDIT</prematch>

    <regex>(\S+ \S+ \w+):(\d+.\d+.\d+.\d+)\((\d+)\):(\w+):\p(\d+)\p:LOG: (\.+)AUDIT: (\w+),(\d+,\d+),(\.+),(\.+),"(\.+""\.+"""),(\.+)</regex>
    <order>timestamp, srcip, srcport, user, pid, log_level, audit_type, session_info, action, command, sql, extra</order>
</decoder>
<decoder name="postgres_database">
    <parent>windows-date-format</parent>
    <prematch>database</prematch>
    <regex>(\S+ \S+ \w+):(\d+.\d+.\d+.\d+)\((\d+)\):(\w+):\p(\d+)\p:LOG:(\.+)connection authorized: user=(\.+) database=(\.+)</regex>
    <order>timestamp, srcip, srcport, user, pid, log_level, user, database</order>
</decoder>


Please make sure to save the decoder file, restart your Wazuh manager and click on the clear session button when log testing.
Let me know if you need anything else.
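To cross-check what these decoders should extract outside the Wazuh log test tool, here is an added Python reference parser for the two RDS PostgreSQL log shapes in this thread (example code, not from the thread or from Wazuh). It assumes the RDS default log_line_prefix '%t:%r:%u@%d:[%p]:' and the documented pgaudit SESSION column order; the sample lines are the two quoted above.

```python
import csv
import re

# RDS default log_line_prefix '%t:%r:%u@%d:[%p]:' followed by the level and message.
PREFIX_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+):"
    r"(?P<srcip>[^()]+)\((?P<srcport>\d+)\):"
    r"(?P<user>[^@:]*)@(?P<database>[^:]*):"
    r"\[(?P<pid>\d+)\]:(?P<log_level>\w+):\s*(?P<message>.*)$"
)
# pgaudit SESSION entries are CSV in this documented column order.
AUDIT_FIELDS = ("audit_type", "statement_id", "substatement_id", "class", "command",
                "object_type", "object_name", "statement", "parameter")
CONN_RE = re.compile(r"^connection authorized: user=(?P<auth_user>\S+) database=(?P<auth_database>\S+)$")


def parse_rds_pg_line(line):
    """Return a dict of extracted fields, or None if the log prefix does not match."""
    m = PREFIX_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    message = event.pop("message")
    if message.startswith("AUDIT: "):
        # The statement column is CSV-quoted, so "" inside it is one literal quote;
        # the csv module unescapes that, which a single flat regex cannot do reliably.
        row = next(csv.reader([message[len("AUDIT: "):]]))
        if len(row) == len(AUDIT_FIELDS):
            event.update(zip(AUDIT_FIELDS, row))
            event["event_type"] = "pgaudit"
            return event
    conn = CONN_RE.match(message)
    if conn:
        event.update(conn.groupdict())
        event["event_type"] = "connection_authorized"
        return event
    event["event_type"] = "other"   # unparsed or malformed payload: keep it verbatim
    event["message"] = message
    return event


# The two raw lines quoted in the thread, used as sample input.
AUDIT_LINE = ("2026-01-30 03:00:29 UTC:172.30.4.44(54293):hello@prod:[12961]:LOG:  AUDIT: "
              'SESSION,25,1,DDL,CREATE EXTENSION,,,"CREATE EXTENSION IF NOT EXISTS ""uuid-ossp""",<not logged>')
CONN_LINE = ("2026-01-30 13:13:03 UTC:172.30.4.44(26465):reward_service@lxme_prod:[540]:LOG: "
             "connection authorized: user=reward_service database=lxme_prod")

if __name__ == "__main__":
    for line in (AUDIT_LINE, CONN_LINE):
        print(parse_rds_pg_line(line))
```

Comparing this output field by field with the decoder tester shows which capture groups in the Wazuh regex are drifting, in particular around the doubled quotes in the statement column.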