Custom decoders
Changing existing decoders
Warning
Changes in any decoder file in the /var/ossec/ruleset/decoders
folder are lost in the update process. Use the following procedure to preserve your changes.
To change a default decoder, you can rewrite its file in the /var/ossec/etc/decoders
directory, make the changes, and exclude the original decoder file from the loading list.
For example, if you want to customize decoders in the 0310-ssh_decoders.xml
file, follow these steps:
Copy the decoder file
/var/ossec/ruleset/decoders/0310-ssh_decoders.xml
to the user folder/var/ossec/etc/decoders
. This keeps the changes you make when updating to a newer version.Edit the
/var/ossec/etc/ossec.conf
configuration file. Set the<decoder_exclude>
tag to exclude the originalruleset/decoders/0310-ssh_decoders.xml
decoder file from the loading list. With this configuration, Wazuh loads the decoder file located in the user folder and not the file in the default folder.<ruleset> <!-- Default ruleset --> <decoder_dir>ruleset/decoders</decoder_dir> <rule_dir>ruleset/rules</rule_dir> <rule_exclude>0215-policy_rules.xml</rule_exclude> <list>etc/lists/audit-keys</list> <!-- User-defined ruleset --> <decoder_dir>etc/decoders</decoder_dir> <rule_dir>etc/rules</rule_dir> <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude> </ruleset>
Make changes to
/var/ossec/etc/decoders/0310-ssh_decoders.xml
.Restart the Wazuh manager so the changes take effect:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Warning
Since you're excluding the original decoder file, you don't benefit from any updates it might get. Your custom file remains unchanged during upgrades so consider applying relevant changes manually.