wazuh-regex
The wazuh-regex program is used to validate a regex expression. The pattern should be enclosed in single quotes to help prevent any unintended interactions with the shell.
The syntax for wazuh-regex is as follows: /var/ossec/bin/wazuh-regex '<PATTERN>'
It then reads strings from stdin and outputs matches to stdout. +OSRegex_Execute
and +OS_Regex
are displayed if a match is successful.
Note
The wazuh-regex tool works with OSRegex. It does not support PCRE2.
Example
Validate a regex expression:
# /var/ossec/bin/wazuh-regex '^(\d\d\d\d-\d\d-\d\d)'
2025-08-04T08:31:43.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='abc'
+OSRegex_Execute: 2025-08-04T08:31:43.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='abc'
-Substring: 2025-08-04
+OS_Regex : 2025-08-04T08:31:43.115608Z 21 Query SELECT * FROM users where username='' or 123=123 -- ' and password='abc'