Custom decoders
You can customize the Wazuh decoders on the Wazuh server to suit your requirements and improve your detection capabilities. Wazuh allows you to:
Add custom decoders
Note
Add your new decoders in the /var/ossec/etc/decoders/local_decoder.xml
file. We recommend creating new decoder files in the /var/ossec/etc/decoders/
directory for changes on a larger scale.
Check out this example on how to create new decoders and rules. The following log corresponds to a program called example
:
Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'
Add a new decoder to
/var/ossec/etc/decoders/local_decoder.xml
to decode the log information:<decoder name="example"> <program_name>^example</program_name> </decoder> <decoder name="example"> <parent>example</parent> <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex> <order>user, srcip</order> </decoder>
Run
/var/ossec/bin/wazuh-logtest
utility on the Wazuh server and enter the example log above to test the decoder and rule:Type one log per line Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100' **Phase 1: Completed pre-decoding. full event: 'Dec 25 20:45:02 MyHost example[12345]: User 'admin' logged from '192.168.1.100'' timestamp: 'Dec 25 20:45:02' hostname: 'MyHost' program_name: 'example' **Phase 2: Completed decoding. name: 'example' dstuser: 'admin' srcip: '192.168.1.100'
To test your rules and decoders using the
/var/ossec/bin/wazuh-logtest
utility, simply save the changes made to the decoder and rule files. However, you need to restart the Wazuh manager to generate alerts based on these modifications.Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Modify default decoders
To modify a default decoder, you can rewrite its file in the /var/ossec/etc/decoders/
directory on the Wazuh server, make the changes, and exclude the original decoder file from the loading list.
For example, if you want to customize decoders in the /var/ossec/ruleset/decoders/0310-ssh_decoders.xml
file, follow these steps:
Copy the decoder file
/var/ossec/ruleset/decoders/0310-ssh_decoders.xml
to the user directory/var/ossec/etc/decoders/
. This ensures that your changes are saved when upgrading to a newer version.Edit the Wazuh server
/var/ossec/etc/ossec.conf
configuration file. Set the<decoder_exclude>
tag to exclude the original/var/ossec/ruleset/decoders/0310-ssh_decoders.xml
decoder file from the loading list. With this configuration, Wazuh loads the decoder file located in the/var/ossec/etc/decoders/
user directory instead of the file in the default directory.<ruleset> <!-- Default ruleset --> <decoder_dir>ruleset/decoders</decoder_dir> <rule_dir>ruleset/rules</rule_dir> <rule_exclude>0215-policy_rules.xml</rule_exclude> <list>etc/lists/audit-keys</list> <!-- User-defined ruleset --> <decoder_dir>etc/decoders</decoder_dir> <rule_dir>etc/rules</rule_dir> <decoder_exclude>ruleset/decoders/0310-ssh_decoders.xml</decoder_exclude> </ruleset>
Make the changes into the
/var/ossec/etc/decoders/0310-ssh_decoders.xml
file.Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
# service wazuh-manager restart
Warning
By excluding the original decoder file, you won't receive the updates it may receive. Your custom file will remain unchanged during upgrades. So, consider applying relevant changes manually.