Feature Request: A new output format raw

[zbalkan]

Wazuh version	Component	Install type	Install method	Platform
N/A	Wazuh component	N/A	N/A	N/A

Problem

Since the default log format is syslog, the predecoder kicks in logs that do not comply with syslog or any other supported log format. Accidental decoder matches may occur, preventing the user to write proper decoders

Workaround

Using out_format to prepend a unique keyword to prevent predecoders and default decoders catch the log.

Proposed solution

Using a new log_format called raw, which will skip predecoder matching, would prevent workarounds, and allow configuration to be cleaner. The actual load would be on decoders as it should be.

[juliancnn]

Hello @zbalkan,

Your proposal for a new log_format called raw is interesting. We are aware of the limitations with the current predecoder, which is why we are developing a new rules engine that addresses these and other challenges.

Here are some key improvements planned:

• Parsers: These will replace regular expressions in decoders, offering more precision and easier configuration.
• Configuration Simplification: The new engine will eliminate the pre-decoding stage, streamlining how logs are processed through configurations described in YAML, enhancing clarity and reducing errors. A chain of operations described in YAML.

For more details on the upcoming changes and to follow the progress, please see the epic on our development here.

If you have a specific use case with example logs for this new format, would you like to share it? Your detailed input could be very helpful for our development.

Best regards,