I am trying to parse a log as shown below with a child decoder in Wazuh 4.x; for some reason it's not parsing the needed field.
Log entry
ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local
Child Decoder
<decoder name="ossec-domain">
  <parent>ossec</parent>
  <type>ossec</type>
  <prematch>^ossec: output:</prematch>
  <regex type="pcre2">^'domainjoin-cli[ \t]query|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)</regex>
  <order>domain</order>
</decoder>
Output
ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local
**Phase 1: Completed pre-decoding.
full event: 'ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local'
**Phase 2: Completed decoding.
name: 'ossec'
parent: 'ossec'
**Phase 3: Completed filtering (rules).
id: '100008'
level: '3'
description: 'Server is in domain '
groups: '['ossec']'
firedtimes: '1'
hipaa: '['164.312.b']'
mail: 'False'
pci_dss: '['10.6.1']'
**Alert to be generated.
Taking into account the parent decoder:
First of all, you should delete the prematch tag since the parent already has a prematch regex. In case you want to leave the prematch, you can also use the offset field to indicate that the string output comes after ossec:.

After that, note that the regex is wrong as you are using ^. ^ indicates the beginning of the log and in this case, the string after that character is not the beginning of the log. You have to remove that character from the regex.

Also, you have to take into account that | indicates an OR operator, which means that one regex (left) or the other (right) should match the log. In your use case, this should indicate the character, so you will need to escape it so that it is not used as an OR operator.

Taking into account these indications, the following decoder is the one you should use:
Logtest output:
I hope this helps, if you have more problems please tell me the Wazuh version you are using and I will be glad to help.
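As an added illustration (not code from the thread or from Wazuh), the snippet below applies the poster's PCRE2 pattern and a version rewritten along the answer's advice to the posted log line using Python's re module, whose handling of ^, | and character classes is the same as PCRE2's for these constructs. The parent prefix "ossec: output: " and the way after_parent strips it are assumptions standing in for the parent decoder's offset behaviour.

```python
import re

# Constructed sample: the exact log line from the question.
LOG = "ossec: output: 'domainjoin-cli query|grep -i Domain': Domain = mydomain.local"
# Assumed text consumed by the parent 'ossec' decoder (what an offset would skip).
PARENT_PREFIX = "ossec: output: "

# Poster's pattern: leading '^' anchors to the start of the input and the bare '|'
# splits the pattern into two alternatives.
ORIGINAL = r"^'domainjoin-cli[ \t]query|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)"
# Rewritten per the answer: no leading '^', the pipe escaped so it is a literal.
FIXED = r"'domainjoin-cli[ \t]query\|grep[ \t]-i[ \t]Domain':[ \t]Domain[ \t]=[ \t](\S+)"


def extract_domain(pattern: str, text: str):
    """Return the captured domain, '' when the pattern matched but the capture
    group did not take part in the match, or None when nothing matched."""
    m = re.search(pattern, text)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else ""


def after_parent(log: str) -> str:
    """Assumed equivalent of an offset after the parent: drop the parent's prefix."""
    return log[len(PARENT_PREFIX):] if log.startswith(PARENT_PREFIX) else log


def demo() -> dict:
    body = after_parent(LOG)
    unrelated = "'domainjoin-cli query' failed"   # constructed line with no Domain=
    return {
        # rewritten pattern captures the domain, with or without the parent prefix
        "fixed_after_parent": extract_domain(FIXED, body),
        "fixed_full_log": extract_domain(FIXED, LOG),
        # '^' only works once the anchored text really is the start of the input
        "anchored_full_log": extract_domain("^" + FIXED, LOG),
        "anchored_after_parent": extract_domain("^" + FIXED, body),
        # bare '|': the left alternative matches a line that carries no domain at all
        "original_on_unrelated": extract_domain(ORIGINAL, unrelated),
        "fixed_on_unrelated": extract_domain(FIXED, unrelated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```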