Error on custom decoder
137 views
Skip to first unread message
Jaime
Feb 20, 2025, 3:34:23 AM2/20/25
to Wazuh | Mailing List
Hi, I'm doing a custom decoder for cassandra but the logs of the manager are giving me some errors and manager won't start. Here is my logs:
2025/02/20 08:24:32 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Element 'details' not closed. (line 3).
2025/02/20 08:24:32 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:28:16 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 7).
2025/02/20 08:28:16 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:29:53 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 14).
2025/02/20 08:29:53 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:31:33 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 8).
2025/02/20 08:31:33 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
And here is my custom decoder:
<!-- Cassandra Audit Decoder -->
<decoder name="cassandra_audit">
<program_name>cassandra-audit</program_name>
<regex><![CDATA[^(?P<timestamp>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d+)\s+(?P<user>\w+)\s+(?P<action>INSERT|UPDATE|DELETE|SELECT|DROP|ALTER|TRUNCATE|GRANT|REVOKE)\s+(?P<table>\w+)\s+(?P<details>.*)$]]></regex>
<order>timestamp,user,action,table,details</order>
</decoder>
2025/02/20 08:24:32 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Element 'details' not closed. (line 3).
2025/02/20 08:24:32 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:28:16 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 7).
2025/02/20 08:28:16 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:29:53 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 14).
2025/02/20 08:29:53 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
2025/02/20 08:31:33 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/decoders/cassandra_audit_decoders.xml': XMLERR: Comment not closed. (line 8).
2025/02/20 08:31:33 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/decoders/cassandra_audit_decoders.xml'.
And here is my custom decoder:
<!-- Cassandra Audit Decoder -->
<decoder name="cassandra_audit">
<program_name>cassandra-audit</program_name>
<regex><![CDATA[^(?P<timestamp>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d+)\s+(?P<user>\w+)\s+(?P<action>INSERT|UPDATE|DELETE|SELECT|DROP|ALTER|TRUNCATE|GRANT|REVOKE)\s+(?P<table>\w+)\s+(?P<details>.*)$]]></regex>
<order>timestamp,user,action,table,details</order>
</decoder>
Message has been deleted
hasitha.u...@wazuh.com
Feb 20, 2025, 4:58:23 AM2/20/25
to Wazuh | Mailing List
Hi Jaime,
Your cassandra_audit_decoders.xml file has errors related to unclosed XML elements and comments.
However, It looks like you have multiple syntax errors in the regex in your custom decoder file.
Could you please share a sample full log then I can replicate this issue on my end?
If you have already forwarded logs to the Wazuh manager then enable the archives.json log and share me the full log.
To that you can enable archive JSON format log from your manager's ossec.conf
<ossec_config>
<global>
___________________
<logall_json>yes</logall_json>
_______________
After making the changes make sure to restart the manager.
systemctl restart wazuh-manager
Then try to find the relevant log by following this command by replacing part of your log with the log content.
cat /var/ossec/logs/archives/archives.json | grep "part of your log"
If you find relevant logs, please share the full_log field from the archives.json file.
For example, if you receive a log like this:
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log ":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Please share the full_log part:
Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'
Note: Don't forget to disable the logall parameter once you have finished troubleshooting.
Leaving it enabled could lead to high disk space consumption.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json
Regards,
Hasitha Upekshitha
Your cassandra_audit_decoders.xml file has errors related to unclosed XML elements and comments.
However, It looks like you have multiple syntax errors in the regex in your custom decoder file.
Could you please share a sample full log then I can replicate this issue on my end?
If you have already forwarded logs to the Wazuh manager then enable the archives.json log and share me the full log.
To that you can enable archive JSON format log from your manager's ossec.conf
<ossec_config>
<global>
___________________
<logall_json>yes</logall_json>
_______________
After making the changes make sure to restart the manager.
systemctl restart wazuh-manager
Then try to find the relevant log by following this command by replacing part of your log with the log content.
cat /var/ossec/logs/archives/archives.json | grep "part of your log"
If you find relevant logs, please share the full_log field from the archives.json file.
For example, if you receive a log like this:
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log ":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Please share the full_log part:
Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'
Note: Don't forget to disable the logall parameter once you have finished troubleshooting.
Leaving it enabled could lead to high disk space consumption.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json
Regards,
Hasitha Upekshitha
Reply all
Reply to author
Forward
0 new messages