Decoder successful on testing but decoded fields doesnt appear in archives logs detail
26 views
Skip to first unread message
wazuh user
Mar 24, 2026, 5:41:20 AM (3 days ago) Mar 24
to Wazuh | Mailing List
Hi Wazuh Community,
I have a situation where i successfully run my custom decoder by performing testing on it, however when i want to look at the wazuh-archives logs it doesnt display the decoded field, only the decoder name as below :
**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'
appreciate any advice on this. thankyou
I have a situation where i successfully run my custom decoder by performing testing on it, however when i want to look at the wazuh-archives logs it doesnt display the decoded field, only the decoder name as below :
**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'**Phase 1: Completed pre-decoding. full event: '2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' **Phase 2: Completed decoding. name: 'manage-engine-access-api' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.31' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-18' protocol: 'GET' response_time: '0.012' srcip: '10.0.0.136' srcport: '46816' url: '/api/json/device/test' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '1' mail: 'false' **Phase 1: Completed pre-decoding. full event: '2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}' **Phase 2: Completed decoding. name: 'manage-engine-access-internal' parent: 'windows-date-format' charset: 'UTF-8' dstip: '10.0.0.235' id: '200' process: 'https-test-test2-0.0.0.0-443-exec-2' protocol: 'GET' response_time: '0.008' srcip: '10.0.0.135' url: '/client/api/json/device/test' username: 'username' **Phase 3: Completed filtering (rules). id: '31108' level: '0' description: 'Ignored URLs (simple queries).' groups: '["web","accesslog"]' firedtimes: '2' mail: 'false'
appreciate any advice on this. thankyou
Stuti Gupta
Mar 24, 2026, 6:37:41 AM (2 days ago) Mar 24
to Wazuh | Mailing List
Hi,
I tested the log (full_log), and it matches the default Windows date format decoder. However, it does not match any rule.
I also created a custom decoder like the following:
<decoder name="manage-engine-access-api"><parent>windows-date-format</parent>
<prematch>https-test-test</prematch>
<regex>apiKey : (\.+), interfaceName : (\.+), isFluidic : (\.+),</regex>
<order>apiKey, interfaceName, isFluidic</order>
</decoder>
This decoder works correctly in my test environment, as shown in the attached image.
To identify the cause of the issue in your setup, please share the following information:
The decoder configuration you created.
The related log from archives.json.
You can extract the log using the following command:
cat /var/ossec/logs/archives/archives.json| grep <part_of_the_log>Please make sure to hide any sensitive information before sharing the logs.
Also, to learn more about decoders, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/index.html
wazuh user
Mar 24, 2026, 11:53:40 PM (2 days ago) Mar 24
to Stuti Gupta, Wazuh | Mailing List
Hi,
This is my custom decoder:
<decoder name="manage-engine-access-internal">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\S+ "\S+" \d+\.\d+ \S+</prematch>
<regex offset="after_parent">^(\S+) "(\S+)" (\d+\.\d+) (\S+) "(\S+)" (\d+) (\S+) (\S+) (\S+)</regex>
<order>process,username,response_time,protocol,charset,id,url,dstip,srcip</order>
</decoder>
This is my custom decoder:
<decoder name="manage-engine-access-internal">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\S+ "\S+" \d+\.\d+ \S+</prematch>
<regex offset="after_parent">^(\S+) "(\S+)" (\d+\.\d+) (\S+) "(\S+)" (\d+) (\S+) (\S+) (\S+)</regex>
<order>process,username,response_time,protocol,charset,id,url,dstip,srcip</order>
</decoder>
<decoder name="manage-engine-access-api">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\S+ - \d+\.\d+ \S+ "\S+"</prematch>
<regex offset="after_parent">^(\S+) - (\d+\.\d+) (\S+) "(\S+)" (\d+) (\S+) (\S+) (\S+) (\d+) <!--{(\S+)}--></regex>
<order>process,response_time,protocol,charset,id,url,dstip,srcip,srcport,request_body</order>
</decoder>
for the logs, you may test with the previously shared logs since it is the logs that i have masked sensitive information and replace with random info but remain the logs structure. the samples are :
2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' 2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}'
Thankyou, appreciate your help on this.
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\S+ - \d+\.\d+ \S+ "\S+"</prematch>
<regex offset="after_parent">^(\S+) - (\d+\.\d+) (\S+) "(\S+)" (\d+) (\S+) (\S+) (\S+) (\d+) <!--{(\S+)}--></regex>
<order>process,response_time,protocol,charset,id,url,dstip,srcip,srcport,request_body</order>
</decoder>
for the logs, you may test with the previously shared logs since it is the logs that i have masked sensitive information and replace with random info but remain the logs structure. the samples are :
2026-03-01 23:57:58 https-test-test2-0.0.0.0-443-exec-18 - 0.012 GET "UTF-8" 200 /api/json/device/test 10.0.0.31 10.0.0.136 46816 {apiKey : ***, interfaceName : IF-test-70000008314, isFluidic : false, graphName : traffic, period : custom, startDate : 26%2F02%2F2026+23%3A56, endDate : 01%2F03%2F2026+23%3A57}' 2026-03-05 10:03:07 https-test-test2-0.0.0.0-443-exec-2 "username" 0.008 GET "UTF-8" 200 /client/api/json/device/test 10.0.0.235 10.0.0.135 508 {_ : 1772676115630}'
Thankyou, appreciate your help on this.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/vGYThjMhL7c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/c857a780-f498-4023-9a85-ffa53c15dfe1n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages