
I am trying to parse the log shown below with a child decoder in Wazuh 4.x; for some reason it's not parsing the needed field.

Log entry

ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local

Child Decoder

<decoder name="ossec-domain">
  <parent>ossec</parent>
  <type>ossec</type>
  <prematch>^ossec: output:</prematch>
  <regex type="pcre2">^'domainjoin-cli[ \t]query|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)</regex>
  <order>domain</order>
</decoder>

Output

ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local

**Phase 1: Completed pre-decoding.
        full event: 'ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local'

**Phase 2: Completed decoding.
        name: 'ossec'
        parent: 'ossec'

**Phase 3: Completed filtering (rules).
        id: '100008'
        level: '3'
        description: 'Server is in  domain '
        groups: '['ossec']'
        firedtimes: '1'
        hipaa: '['164.312.b']'
        mail: 'False'
        pci_dss: '['10.6.1']'
**Alert to be generated.
Atul

1 Answer


Taking into account the parent decoder:

<decoder name="ossec">
  <prematch>^ossec: </prematch>
  <type>ossec</type>
</decoder>

First of all, you should delete the prematch tag, since the parent already has a prematch regex. In case you want to leave the prematch, you can also use the offset field to indicate that the string output comes after ossec:.

<decoder name="ossec-domain">
  <parent>ossec</parent>
  <type>ossec</type>
  <prematch offset="after_parent">^output:</prematch>
  <regex type="pcre2">^'domainjoin-cli[ \t]query|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)</regex>
  <order>domain</order>
</decoder>

After that, note that the regex is wrong, as you are using ^. ^ indicates the beginning of the log and, in this case, the string after that character is not the beginning of the log. You have to remove that character from the regex.

Also, you have to take into account that | indicates an OR operator, which means that one regex (left) or the other (right) should match the log. In your use case, this should be the literal character, so you will need to escape it so that it is not used as an OR operator.

Taking into account these indications, the following decoder is the one you should use:

<decoder name="ossec-domain">
  <parent>ossec</parent>
  <type>ossec</type>
  <prematch offset="after_parent">^output:</prematch>
  <regex type="pcre2">'domainjoin-cli[ \t]query\|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)</regex>
  <order>domain</order>
</decoder>

Logtest output:

ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local

**Phase 1: Completed pre-decoding.
    full event: 'ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local'

**Phase 2: Completed decoding.
    name: 'ossec'
    parent: 'ossec'
    domain: 'mydomain.local'

I hope this helps. If you have more problems, please tell me the Wazuh version you are using and I will be glad to help.
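The two regex points made in the answer (the ^ anchor and the unescaped |) can be checked outside Wazuh. The script below is an added example, not part of the original question or answer and not Wazuh code; it assumes that Python's re module behaves like PCRE2 for the constructs used here (^, |, \|, [ \t], \S and one capture group), and the event strings are constructed samples shaped like the log in the question. The alternatives() splitter is a toy written only for these two patterns.

```python
import re

# Constructed sample event, same shape as the log line in the question.
EVENT = "ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local"
# Constructed event that contains only the right-hand half of the command.
FRAGMENT = "ossec: output: 'grep -i Domain': Domain = other.local"

# Child regex as posted in the question: anchored with ^ and with an unescaped |.
ORIGINAL = r"^'domainjoin-cli[ \t]query|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)"
# Child regex from the answer: no ^ anchor, and | escaped so it is a literal pipe.
FIXED = r"'domainjoin-cli[ \t]query\|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)"


def alternatives(pattern):
    """Split a pattern on unescaped | to show what PCRE2 treats as alternatives.

    Toy splitter for this page's patterns only: it understands backslash
    escapes but not | inside groups or character classes.
    """
    parts, buf, i = [], "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            buf += pattern[i:i + 2]   # keep escaped pair such as \| or \t
            i += 2
            continue
        if c == "|":
            parts.append(buf)         # unescaped | starts a new alternative
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf)
    return parts


def anchored_matches(pattern, event):
    """True only if the pattern matches at the very first character of the
    event, which is what a leading ^ requires when the regex is applied to
    the whole log."""
    return re.match(pattern, event) is not None


def search_offset(pattern, event):
    """Index where an unanchored search first matches, or -1 if it never does."""
    m = re.search(pattern, event)
    return m.start() if m else -1


def extract_domain(pattern, event):
    """Apply a decoder-style regex to the whole event and return the captured
    domain field, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


if __name__ == "__main__":
    left = alternatives(ORIGINAL)[0]
    print("alternatives in ORIGINAL:", alternatives(ORIGINAL))
    print("alternatives in FIXED:   ", alternatives(FIXED))
    print("^-anchored left half matches at log start:", anchored_matches(left, EVENT))
    print("same text without ^ is found at offset:", search_offset(left.lstrip("^"), EVENT))
    print("FIXED on EVENT    ->", extract_domain(FIXED, EVENT))
    print("FIXED on FRAGMENT ->", extract_domain(FIXED, FRAGMENT))
    print("ORIGINAL on FRAGMENT ->", extract_domain(ORIGINAL, FRAGMENT))
```

Running it shows that the original pattern is really two patterns joined by OR: its left half, anchored with ^, never matches because the event starts with "ossec: ", and its right half matches a line that does not contain "domainjoin-cli" at all. The escaped pattern from the answer is a single alternative, matches only the full command string, and yields the domain field.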