Failed decoder parsing

bastian Caro

Apr 24, 2026, 1:24:35 PM (3 days ago) Apr 24
to Wazuh | Mailing List
I have a decoder called "Sap-hanna", which is SQL-based, and the fields the payload (log) carries are just variables separated by ;

This is the sample log:
2026-04-24 14:55:12;indexserver;hostdemo;DB1;00;30003;192.168.1.100;CLIENT01;123456;78901;Data Query Manipulation;ALERT;SELECT;APP_CONN;DEMO_DB;CUSTOMERS;;;;;SUCCESSFUL;;;;;;SELECT T0."CustomerID", T0."Name", T0."Balance" FROM "DEMO_DB"."CUSTOMERS" T0 WHERE T0."Balance" > 1000 ORDER BY T0."CustomerID";987654;demo_user;;;;;APP_CONN;Demo Application;APP_CONN;;;;;;;;;;;;;;

This is the XML to capture the fields. I need your help to fix the errors so that it gives me the fields I need to create alerts.
<decoder name="sap-hanna">
  <prematch>;indexserver;</prematch>
</decoder>

<decoder name="sap-hanna-fields">
  <parent>sap-hanna</parent>
  <regex type="pcre2">^([^;]*);[^;]*;([^;]*);([^;]*);[^;]*;([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*)</regex>
  <order>timestamp,hostname,tenant,port,srcip,extra_data,id,protocol,extra_data2,log_level,action</order>
</decoder>

<decoder name="sap-hanna-dbfields">
  <parent>sap-hanna</parent>
  <!-- In the sample line four empty fields sit between the table name and the status, so five ';' precede the status, not six -->
  <regex type="pcre2">;([^;]*);([^;]*);([^;]*);;;;;(SUCCESSFUL|FAILURE|FAILED)</regex>
  <order>extra_data3,extra_data4,extra_data5,status</order>
</decoder>

<decoder name="sap-hanna-sql">
  <parent>sap-hanna</parent>
  <regex type="pcre2">(?:SUCCESSFUL|FAILURE|FAILED);;;;;;([\s\S]*?);(\d+);([^;]+);;;;;</regex>
  <order>extra_data6,extra_data7,srcuser</order>
</decoder>

<decoder name="sap-hanna-app">
  <parent>sap-hanna</parent>
  <regex type="pcre2">;([^;]+);([^;]+);;;;;;;;;;;;;;$</regex>
  <order>extra_data8,extra_data9</order>
</decoder>

What happens is that when I save this XML, events with decoder.name = sap-hanna stop showing up; only new, unparsed events arrive, and the rest are lost.

I am asking for your help to use the decoder XML correctly with the fields that the full_log carries.
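As an added example (not from the original post or from the Wazuh project), here is a small Python harness that replays the posted pcre2 patterns against the sample line before reaching for wazuh-logtest, and reports the ';' runs so separator counts in a regex can be checked against the line. Python's re supports every construct these patterns use; the only assumption is that the sample line ends in a run of 14 separators.

```python
import re

# Audit line from the post (fields separated by ';'); the trailing run of
# empty fields is assumed to be 14 separators long.
SAMPLE_LOG = (
    '2026-04-24 14:55:12;indexserver;hostdemo;DB1;00;30003;192.168.1.100;CLIENT01;'
    '123456;78901;Data Query Manipulation;ALERT;SELECT;APP_CONN;DEMO_DB;CUSTOMERS;'
    ';;;;SUCCESSFUL;;;;;;SELECT T0."CustomerID", T0."Name", T0."Balance" '
    'FROM "DEMO_DB"."CUSTOMERS" T0 WHERE T0."Balance" > 1000 ORDER BY T0."CustomerID";'
    '987654;demo_user;;;;;APP_CONN;Demo Application;APP_CONN' + ';' * 14
)

# Child decoders exactly as posted: name -> (pcre2 regex, <order> fields).
POSTED_DECODERS = {
    "sap-hanna-fields": (
        r'^([^;]*);[^;]*;([^;]*);([^;]*);[^;]*;([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*)',
        ["timestamp", "hostname", "tenant", "port", "srcip", "extra_data", "id",
         "protocol", "extra_data2", "log_level", "action"]),
    "sap-hanna-dbfields": (
        r';([^;]*);([^;]*);([^;]*);;;;;;(SUCCESSFUL|FAILURE|FAILED)',
        ["extra_data3", "extra_data4", "extra_data5", "status"]),
    "sap-hanna-sql": (
        r'(?:SUCCESSFUL|FAILURE|FAILED);;;;;;([\s\S]*?);(\d+);([^;]+);;;;;',
        ["extra_data6", "extra_data7", "srcuser"]),
    "sap-hanna-app": (
        r';([^;]+);([^;]+);;;;;;;;;;;;;;$', ["extra_data8", "extra_data9"]),
}
# Same dbfields pattern with five separators before the status, as in the sample line.
FIXED_DBFIELDS = (r';([^;]*);([^;]*);([^;]*);;;;;(SUCCESSFUL|FAILURE|FAILED)',
                  POSTED_DECODERS["sap-hanna-dbfields"][1])


def apply_decoder(regex, order, log):
    """Return {field: value} when the regex matches the line, else None."""
    m = re.search(regex, log)
    return dict(zip(order, m.groups())) if m else None


def run_chain(decoders, log):
    """Apply every child decoder to the line and collect what each one extracts."""
    return {name: apply_decoder(rx, order, log) for name, (rx, order) in decoders.items()}


def separator_runs(text):
    """Lengths of consecutive ';' runs in a line (each run = empty fields + 1)."""
    return [len(run) for run in re.findall(r';+', text)]


if __name__ == "__main__":
    for name, fields in run_chain(POSTED_DECODERS, SAMPLE_LOG).items():
        print(name, "->", fields if fields is not None else "NO MATCH")
    print("separator runs in the sample line:", separator_runs(SAMPLE_LOG))
```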

Victor Carlos Erenu

Apr 24, 2026, 2:20:54 PM (3 days ago) Apr 24
to Wazuh | Mailing List
Hi bastian Caro

Regarding your environment, can you tell me which version of Wazuh you're using?

Regarding your decoders, have you been able to run wazuh-logtest to see how the decoder is behaving? I recommend that you manually take some logs and run them with the wazuh-logtest binary to verify the response this decoder is giving you in your environment. We'd need to see if you have any problems within the decoder chain itself or possibly with other decoders you might have.
When you run the test, please send me the results you get with wazuh-logtest on several sample logs from your system.

Regarding the problem of losing logs, keep in mind that decoders in Wazuh work as pipelines. Therefore, if one decoder has a log match, it won't leave any log available for the other decoders. You should simplify things a bit.