A custom decoder has been created from the Wazuh web administration panel. However, during the decoding tests, it is indicated that the decoding is being done by another decoder file instead of the custom one being developed. Here is part of the information from the test results:
**Messages:
    WARNING: (7003): 'a1cc1c98' token expires
    INFO: (7202): Session initialized with token 'da8cd1a6'

**Phase 1: Completed pre-decoding.
    full event: 'Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=70:4c:a5:46:cd:61:f8:75:a4:10:dd:9a:08:00 SRC=192.168.1.131 DST=34.120.195.249 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7632 DF PROTO=TCP SPT=49541 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'
    timestamp: 'Aug 21 13:50:36'
    hostname: 'TSS'
    program_name: 'kernel'

**Phase 2: Completed decoding.
    name: 'kernel'
    parent: 'kernel'
    action: '[TS-bridge-inbound-17-D]'
    dstip: '34.120.195.249'
    dstport: '443'
    protocol: 'TCP'
    srcip: '192.168.1.131'
    srcport: '49541'

**Phase 3: Completed filtering (rules).
    id: '4100'
    level: '0'
    description: 'Firewall rules grouped.'
    groups: '["firewall"]'
    firedtimes: '1'
    mail: 'false'
Upon seeing this result, it seems that the logs could potentially be decoded by this decoder. However, why is there no data visible within the dashboards that corresponds to the device sending these logs? Is there any other method to ensure my decoder works and displays the information in the dashboards?
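An added check, not from the post above or from the Wazuh project: a small Python script that parses wazuh-logtest output of the shape quoted above (re-typed here as a constructed sample, one field per line as the tool prints it) and reports why the event would not reach the dashboards, namely that a different decoder (here the stock `kernel` decoder) claimed the event, or that the matched rule's level is below the alert threshold (Wazuh's default log_alert_level is 3, so a level 0 match like rule 4100 never becomes an alert). The decoder name `my_firewall_decoder` is a placeholder for the custom decoder under development.

```python
import re

# Constructed sample: the Phase 1-3 output quoted in the post, re-typed one field per line
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
    full event: 'Aug 21 13:50:36 TSS kernel: [6031296.121710] [TS-bridge-inbound-17-D] IN=br0 OUT=br0 SRC=192.168.1.131 DST=34.120.195.249 PROTO=TCP SPT=49541 DPT=443'
    timestamp: 'Aug 21 13:50:36'
    hostname: 'TSS'
    program_name: 'kernel'
**Phase 2: Completed decoding.
    name: 'kernel'
    parent: 'kernel'
    action: '[TS-bridge-inbound-17-D]'
    dstip: '34.120.195.249'
    srcip: '192.168.1.131'
**Phase 3: Completed filtering (rules).
    id: '4100'
    level: '0'
    description: 'Firewall rules grouped.'
    groups: '["firewall"]'
"""

DEFAULT_ALERT_LEVEL = 3  # Wazuh's default <log_alert_level>; matches below it are not alerted

PHASE_RE = re.compile(r"^\*\*Phase (\d+):")
FIELD_RE = re.compile(r"^\s+([\w ]+):\s+'(.*)'$")


def parse_logtest(text):
    """Map each phase number to its {field: value} pairs from wazuh-logtest output."""
    phases, current = {}, None
    for line in text.splitlines():
        if m := PHASE_RE.match(line):
            current = int(m.group(1))
            phases[current] = {}
        elif (m := FIELD_RE.match(line)) and current is not None:
            phases[current][m.group(1)] = m.group(2)
    return phases


def check_decoder(text, expected_decoder, alert_level=DEFAULT_ALERT_LEVEL):
    """Return the reasons this event would not appear as an alert for expected_decoder."""
    phases = parse_logtest(text)
    decoded, rule, problems = phases.get(2, {}), phases.get(3, {}), []
    if expected_decoder not in (decoded.get("name"), decoded.get("parent")):
        problems.append(f"decoded by '{decoded.get('name')}' (parent '{decoded.get('parent')}'), not '{expected_decoder}'")
    if not rule:
        problems.append("no rule matched, so no alert is generated")
    elif int(rule.get("level", "0")) < alert_level:
        problems.append(f"rule {rule['id']} is level {rule['level']}, below alert threshold {alert_level}")
    return problems
```

Feed it the full wazuh-logtest output of your event with your decoder's name; an empty list means the decoder claimed the event and the rule level is high enough to be indexed and shown in the dashboards.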