Custom decoders

Changing existing decoders

Changes in any decoder file in the /var/ossec/ruleset/decoders folder are lost in the update process. Use the following procedure to preserve your changes.

To change a default decoder, copy its file into the /var/ossec/etc/decoders directory, make your changes there, and exclude the original decoder file from the loading list so the two copies are not loaded together.

For example, if you want to customize decoders in the 0310-ssh_decoders.xml file, follow these steps:

  1. Copy the decoder file /var/ossec/ruleset/decoders/0310-ssh_decoders.xml to the user folder /var/ossec/etc/decoders. This keeps the changes you make when updating to a newer version.

  2. Edit the /var/ossec/etc/ossec.conf configuration file. Set the <decoder_exclude> tag to exclude the original ruleset/decoders/0310-ssh_decoders.xml decoder file from the loading list. With this configuration, Wazuh loads the decoder file located in the user folder and not the file in the default folder.

      <ruleset>
        <!-- Default ruleset -->
        <decoder_dir>ruleset/decoders</decoder_dir>
        <rule_dir>ruleset/rules</rule_dir>
        <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude>

        <!-- User-defined ruleset -->
        <decoder_dir>etc/decoders</decoder_dir>
        <rule_dir>etc/rules</rule_dir>
      </ruleset>

  3. Make changes to /var/ossec/etc/decoders/0310-ssh_decoders.xml.

  4. Restart the Wazuh manager so the changes take effect:

    # systemctl restart wazuh-manager

    Since you're excluding the original decoder file, you don't benefit from any updates it might get. Your custom file remains unchanged during upgrades, so consider applying relevant changes manually.