The decoders extract the information from the received events. When an event is received, the decoders separate the information in blocks to prepare them for their subsequent analysis.
There are many options to configure the decoders:
- decoder
- parent
- accumulate
- program_name
- prematch
- regex
- order
- fts
- ftscomment
- plugin_decoder
- use_own_name
- json_null_field
- var
The attributes listed below define a decoder.
| Attribute | Description |
|---|---|
| name | The name of the decoder |
| type | The type of the decoder |
Example:
Set name and type of decoder to ossec:
<decoder name="ossec" type ="ossec">
...
</decoder>It is used to link a subordinate codeblock to his parent.
| Default Value | n/a |
| Allowed values | Any decoder name |
Example:
Assign the decoder which father it belongs:
<decoder name="decoder_junior">
<parent>decoder_father</parent>
...
</decoder>Allow Wazuh to track events over multiple log messages based on a decoded id.
Note
Requires a regex populating the id field.
| Example of use | <accumulate /> |
It defines the name of the program with which the decoder is associated.
| Default Value | n/a |
| Allowed values | Any sregex expression |
Example:
Define that the decoder is related with the syslogd process:
<decoder name="syslogd_decoder">
<program_name>syslogd</program_name>
...
</decoder>It attempts to find a match within the log for the string defined.
| Default Value | n/a |
| Allowed values | Any sregex expression |
The attribute below is optional, it allows to discard some of the content of the entry.
| Attribute | Value |
|---|---|
| offset | after_regex |
Regular expressions or regex are sequences of characters that define a pattern.
Decoders use them to find words or other patterns into the rules.
An example is this regex that matches any numeral:
<regex> [+-]?(\d+(\.\d+)?|\.\d+)([eE][+-]?\d+)? </regex>| Default Value | n/a |
| Allowed values | Any regex expression |
The attribute below is optional, it allows to discard some of the content of the entry.
| Attribute | Value |
|---|---|
| offset | after_regex after_parent after_prematch |
Example:
Show when an user executed the sudo command for the first time:
<decoder name="sudo-fields">
<parent>sudo</parent>
<prematch>\s</prematch>
<regex>^\s*(\S+)\s*:</regex>
<order>srcuser</order>
<fts>name,srcuser,location</fts>
<ftscomment>First time user executed the sudo command</ftscomment>
</decoder>It defines what the parenthesis groups contain and the order in which they were received.
| Default Value | n/a | |
| Static fields | srcuser | Extracts the source username |
| dstuser | Extracts the destination (target) username | |
| user | An alias to dstuser (only one of the two can be used) | |
| srcip | Source ip | |
| dstip | Destination ip | |
| srcport | Source port | |
| dstport | Destination port | |
| protocol | Protocol | |
| id | Event id | |
| url | Url of the event | |
| action | Event action (deny, drop, accept, etc) | |
| status | Event status (success, failure, etc) | |
| extra_data | Any extra data | |
| Dynamic fields | Any string not included in the previous list | |
It is used to designate a decoder as one in which the first time it matches the administrator would like to be alerted.
| Default Value | n/a | |
| Allowed values | location | Where the log came from |
| srcuser | Extracts the source username | |
| dstuser | Extracts the destination (target) username | |
| user | An alias to dstuser (only one of the two can be used) | |
| srcip | Source ip | |
| dstip | Destination ip | |
| srcport | Source port | |
| dstport | Destination port | |
| protocol | Protocol | |
| id | Event id | |
| url | Url of the event | |
| action | Event action (deny, drop, accept, etc) | |
| status | Event status (success, failure, etc) | |
| extra_data | Any extra data | |
Example:
The following decoder will extract the user who generated the alert and the location from where it comes:
</decoder>
<fts>srcuser, location</fts>
...
</decoder>The decoder will consider this option if the decoded event triggers a rule that uses if_fts.
It adds a comment to a decoder when <fts> tag is used.
| Default Value | n/a |
| Allowed values | Any string |
Use a specific plugin decoder to decode the incoming fields. It is useful for particular cases where it would be tricky to extract the fields by using regexes.
| Default Value | n/a |
| Allowed values | PF_Decoder |
| SymantecWS_Decoder | |
| SonicWall_Decoder | |
| OSSECAlert_Decoder | |
| JSON_Decoder |
The attribute below is optional, it allows to start the decode process after a particular point of the log.
| Attribute | Value |
|---|---|
| offset | after_parent after_prematch |
An example of its use is described at the :doc:`JSON decoder <../json-decoder>` section.
Allows to set the name of the child decoder from the name attribute instead of using the name of the parent decoder.
| Default Value | n/a |
| Allowed values | true |
Specify how to treat the NULL fields coming from the JSON events. Only for the JSON decoder.
| Default Value | string |
| Allowed values | string (It shows the NULL value as string) |
| discard (It discard NULL fields and doesn't store them into the alert) | |
| empty (It shows the NULL field as an empty field) |
Defines a variable that may be used in any place of the same file.
| Attribute | Value |
|---|---|
| name | Name for the variable. |
Example:
<var name="header">myprog</var>
<var name="offset">after_parent</var>
<var name="type">syscall</var>
<decoder name="syscall">
<prematch>^$header</prematch>
</decoder>
<decoder name="syscall-child">
<parent>syscall</parent>
<prematch offset="$offset">^: $type </prematch>
<regex offset="after_prematch">(\S+)</regex>
<order>syscall</order>
</decoder>