Re: Logs only match with parent decoder, not child decoders


Juan Edmundo Paul

Oct 20, 2023, 10:18:07 AM
to Wazuh | Mailing List
Hi Joaquim Antonio,

Thanks for reaching out.

There seems to be an issue in the regex since you did not put "\" before ".+". Note that for regex, this format is necessary. I went ahead and modified the decoder and I believe I was able to find a solution. Please try the following decoder to see if it works on your side.

You can also check out the following documentation for a better understanding.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html


<decoder name="mikro-clientsname">
  <prematch>^clientsname</prematch>
</decoder>

<decoder name="clientsname-loggedin">
  <parent>mikro-clientsname</parent>
  <regex offset="after_parent">^\s\((\.+)\): logged in</regex>
  <order>ipaddress</order>
</decoder>

Result:

Starting wazuh-logtest v4.5.2
Type one log per line

Oct 19 11:21:44 MTK clientsname (10.10.20.103): logged in

**Phase 1: Completed pre-decoding.
        full event: 'Oct 19 11:21:44 MTK clientsname (10.10.20.103): logged in'
        timestamp: 'Oct 19 11:21:44'
        hostname: 'MTK'

**Phase 2: Completed decoding.
        name: 'mikro-clientsname'
        ipaddress: '10.10.20.103'

Let me know if that did help!

Thanks,
Juan Paul


On Thursday, October 19, 2023 at 11:39:57 AM UTC-3 Joaquim António wrote:
Hello Wazuh team,

I'm trying to parse this log:

Oct 19 11:21:44 MTK clientsname (10.10.20.103): logged in

using these decoders:

<decoder name="mikro-clientsname">
  <prematch>^clientsname</prematch>
</decoder>

<decoder name="clientsname-loggedin">
  <parent>mikro-clientsname</parent>
  <regex offset="after_parent">^\s\((.+)\): logged in</regex>
  <order>ipaddress</order>
</decoder>

I used the wazuh-logtest tool to see if the log was being correctly parsed, but it just matches with the parent rule: mikro-clientsname and not clientsname-loggedin as intended. The only way I could parse the child rule was by removing the parent's rule and writing the decoder like this:

<decoder name="clientsname-loggedin">
  <prematch>^clientsname</prematch>
  <regex>^clientsname\s\((.+)\): logged in</regex>
  <order>ipaddress</order>
</decoder>

However this doesn't scale very well in the future and is less organized and readable. Can someone help me understand why the parent-child decoders approach didn't work?

Thank you for your help,

Best regards,

Joaquim Antonio


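Added example (not code from the thread or from Wazuh): the point Juan makes is that Wazuh's regex dialect inverts the usual meaning of the dot, a bare "." is a literal dot and "\." means any character. The Python script below emulates just enough of wazuh-logtest to reproduce the symptom offline: it translates the subset of Wazuh regex syntax used in these decoders into Python "re" syntax (an approximation; Wazuh's "\w" class, for instance, also covers "-", "@" and "_"), strips the syslog header the way pre-decoding did for this sample, then applies the parent prematch and the child regex with offset="after_parent". The function names, the simplified header parser and the sample log line are all constructed for this example.

```python
import re
from typing import Optional

# Sample log from the thread (constructed input for this example).
SAMPLE_LOG = "Oct 19 11:21:44 MTK clientsname (10.10.20.103): logged in"

# The decoders from the thread, reduced to their matching parts.
PARENT_PREMATCH = r"^clientsname"
CHILD_REGEX_ORIGINAL = r"^\s\((.+)\): logged in"   # bare '.' = literal dot in Wazuh
CHILD_REGEX_FIXED = r"^\s\((\.+)\): logged in"     # '\.' = any character in Wazuh
CHILD_ORDER = ["ipaddress"]


def wazuh_to_python_regex(pattern: str) -> str:
    r"""Translate the subset of Wazuh regex syntax used here into Python syntax.

    Wazuh: '\.' matches any character, a bare '.' is a literal dot.
    Python: '.' matches any character, '\.' is a literal dot.
    Other escapes are passed through approximately (assumption: good enough
    for this example, not a full port of Wazuh's OS_Regex).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in pattern")
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")            # Wazuh '\.' -> any character
            elif nxt in "swdSWD":
                out.append("\\" + nxt)     # character classes, approximate
            elif nxt in "()\\*+?^$|":
                out.append("\\" + nxt)     # escaped literal metacharacter
            else:
                raise ValueError(f"unsupported escape \\{nxt}")
            i += 2
        elif ch == ".":
            out.append(r"\.")              # Wazuh bare '.' -> literal dot
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Simplified stand-in for wazuh-logtest's pre-decoding of a syslog header
# (assumption: "Mon DD HH:MM:SS host message", as in the sample).
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})"
    r"\s(?P<hostname>\S+)\s(?P<message>.*)$"
)


def predecode(full_log: str) -> dict:
    """Return timestamp/hostname/message, or the whole line as message."""
    m = SYSLOG_HEADER.match(full_log)
    return m.groupdict() if m else {"message": full_log}


def decode(full_log: str, parent_prematch: str, child_regex: str,
           order: list) -> Optional[dict]:
    """Emulate a parent <prematch> plus a child <regex offset="after_parent">.

    Returns None when the parent does not match, {"decoder": "parent"} when
    only the parent matches (the symptom reported in the thread), and the
    extracted fields when the child matches as well.
    """
    msg = predecode(full_log)["message"]
    pm = re.search(wazuh_to_python_regex(parent_prematch), msg)
    if not pm:
        return None
    fields = {"decoder": "parent"}
    remainder = msg[pm.end():]            # after_parent: start where the prematch ended
    cm = re.match(wazuh_to_python_regex(child_regex), remainder)
    if not cm:
        return fields
    fields["decoder"] = "child"
    fields.update(zip(order, cm.groups()))
    return fields


if __name__ == "__main__":
    for label, rx in (("original", CHILD_REGEX_ORIGINAL), ("fixed", CHILD_REGEX_FIXED)):
        print(label, "->", wazuh_to_python_regex(rx), "->",
              decode(SAMPLE_LOG, PARENT_PREMATCH, rx, CHILD_ORDER))
```

Running the script shows the original child regex turning into "^\s\((\.+)\): logged in" in Python terms, which demands one or more literal dots right after the opening parenthesis and so never matches "10.10.20.103", while the fixed one becomes "^\s\((.+)\): logged in" and extracts the address. The same inversion applies to any Wazuh decoder or rule regex, so a decoder that only ever reaches its parent is a good prompt to re-read the pattern against the Wazuh regex syntax page linked above.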

Joaquim António

Oct 20, 2023, 10:35:23 AM
to Wazuh | Mailing List
Hello Juan Paul,

Thank you for your help, the decoder now works.

Best Regards,

Joaquim Antonio