-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Child Decoders for WinEvtLog are Broken #14832
Comments
This appears to be a result of Wazuh having written a dedicated EventChannel decoder into
|
Thanks for checking in on this @juliancnn. Any thoughts within the team about my proposed approach? You guys put in some hefty effort to write that decoder (kudos) right in C, but enterprise use-cases effectively require the ability to parse-out fields from event channel streams as enterprise applications running on windows log there and require context-specific decoders for field extraction. That said, same enterprise workloads generate a metric tonne of EPS, most of which is OS-native stuff that can be handled by your optimized implementation. So i figure that if we handle the majority with the optimized code and the domain-specific stuff in classic pipeline, it should permit the EPS to stay quite high but avoid turning people away because they just can't use Wazuh to extract the critical data they need for their context. |
Hi @sempervictus, Thank you for your contributions to the Wazuh community. The new engine tries to handle json, when it receives any type of log, it adds it to a json field. This event enters in the chain of operations that will be defined by the 'Assets' (they would be like filters, decoders and rules). These assets will be defined by the user in YMl documents and will perform the task of enriching and normalizing the event. I encourage you to take a look at the epic and share your thoughts with us! |
Description
Decoders added to
local_decoders.xml
are ignored when they specify the<parent>windows</parent>
flow.Asked about this in slack and received confirmation that this workflow is known to be broken:
it's not possible to write child decoders for WinEvtLog logs as they are decoded internally
.I'm a bit at a loss as to what "internally" means. The processing which occurs in the log reader stage of the pipeline is specific to dealing with the charming flavors of character encoding used by MS platforms and streaming data out of an API vs a file source (i modeled the journald reader after it) but actual decoding should be happening higher up in the stack as with all other data streams - logcollectors aren't privy to the logic and contents of decoders...
Service/Product/Module
WinEvtLog decoding is broken
Errors/Improvements
Current results
Field extractors from
are ignored
Expected results
All field extractors work, not just the ones used by the Wazuh team.
Resources
Log source / integration
WinEvtLog
Log reference
should produce field extractions for relevant terms
The text was updated successfully, but these errors were encountered: