Good afternoon, please tell me what am I doing wrong? My goal is to write a decoder for accepting logs in Wazuh. I get these logs in the format:
Feb 17 10:08:43 2.2.2.2 %AAA-I-DISCONNECT: http connection for user admin, source 1.1.1.1 destination 2.2.2.2 TERMINATED
Feb 17 10:08:47 2.2.2.2 %AAA-I-CONNECT: New http connection for user admin, source 1.1.1.1 destination 2.2.2.2, local user table ACCEPTED.
I wrote a regular expression and checked it on the site regex101, and I saw my values there. "^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): New http connection for user (\S+), source (\S+) destination (\S+), (.*)$" Next I'm writing a decoder for Wazuh:
"""
<decoder name="switch_log">
<prematch>^\w{3} \d{1,2} \d{2}:\d{2}:\d{2}</prematch>
<regex>^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): New http connection for user (\S+), source (\S+) destination (\S+), (.*)$</regex>
<order>timestamp, hostname, action, user, source_ip, destination_ip, message</order>
</decoder>
""" and then I insert the data and it doesn't work, plus it still doesn't pass the decoder verification test. And when I try to save it, it says there is a syntax error. Help me fix the problem; I don't understand where to dig.
Here is the regex to match both the DISCONNECT-TERMINATED and CONNECT-ACCEPTED log instances' information, see: new_pattern:
REGEX PATTERNS:
old_pattern = /^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): New http connection for user (\S+), source (\S+) destination (\S+), (.*)$/gm
new_pattern = /^(\w\w\w \d\d? \d\d:\d\d:\d\d) (\S+) %AAA-I-(CONNECT|DISCONNECT): (New )?http connection for user (\S+), source (\S+) destination (\S+),? (.*)$/gm
CHANGES TO old_pattern:
(New )? : I placed New in parentheses and made it optional with ?.
,? : I made the comma , before the message optional with ?.
DEMO old_pattern: https://regex101/r/NaJhrN/3
DEMO new_pattern: https://regex101/r/NaJhrN/4
wazuh example (2025.02.18 edit):
I found this: The regex flavor can be enabled with type in the <regex> tag. I.e. PCRE can be enabled in rules and decoders using the type="pcre2" attribute. https://documentation.wazuh/current/user-manual/ruleset/ruleset-xml-syntax/pcre2.html#configuring-pcre
Below is a simple example of data extraction with PCRE. Here is a log message of a program called switch_log:
CODE (wazuh):
<decoder name="switch_log">
<program_name>^switch_log$</program_name>
</decoder>
<decoder name="switch_log">
<parent>switch_log</parent>
<regex type="pcre2">^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): New http connection for user (\S+), source (\S+) destination (\S+), (.*)$</regex>
<order>timestamp, hostname, action, user, source_ip, destination_ip, message</order>
</decoder>
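As an added check that is not part of the question or the answer, the script below runs the question's original pattern and a relaxed pattern in the spirit of the answer's new_pattern over the two log lines quoted in the question and maps the capture groups onto the seven `<order>` field names. It differs from new_pattern in two details a practitioner would want before pasting it into a pcre2 decoder: `(New )?` is written as a non-capturing group `(?:New )?` so the group count stays at seven and keeps lining up with `<order>`, and the destination field uses `[^\s,]+` instead of `\S+`, because once the comma after it is optional a greedy `\S+` swallows the comma into the IP address. The sample lines and the field names are taken from the page; everything else is assumed for this example.

```python
import re

# Sample log lines, constructed from the two formats quoted in the question.
SAMPLE_LOGS = [
    "Feb 17 10:08:43 2.2.2.2 %AAA-I-DISCONNECT: http connection for user admin, "
    "source 1.1.1.1 destination 2.2.2.2 TERMINATED",
    "Feb 17 10:08:47 2.2.2.2 %AAA-I-CONNECT: New http connection for user admin, "
    "source 1.1.1.1 destination 2.2.2.2, local user table ACCEPTED.",
]

# Field names in the same sequence as the decoder's <order> tag.
ORDER = ["timestamp", "hostname", "action", "user", "source_ip", "destination_ip", "message"]

# The question's original pattern: "New " and the comma before the message are
# mandatory, so only the CONNECT line can match.
OLD_PATTERN = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): "
    r"New http connection for user (\S+), source (\S+) destination (\S+), (.*)$"
)

# Relaxed pattern (assumed here, modelled on the answer's new_pattern):
# - (?:New )? is NON-capturing, so the seven groups still line up with ORDER;
# - destination uses [^\s,]+ so the now-optional comma is not captured as part
#   of the IP address (a greedy \S+ would return "2.2.2.2," on the CONNECT line).
NEW_PATTERN = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) %AAA-I-(CONNECT|DISCONNECT): "
    r"(?:New )?http connection for user (\S+), source (\S+) destination ([^\s,]+),? (.*)$"
)


def decode(line, pattern=NEW_PATTERN):
    """Return {field: value} for ORDER, or None when the pattern does not match."""
    match = pattern.match(line)
    if match is None:
        return None
    groups = match.groups()
    if len(groups) != len(ORDER):
        # This is the misalignment a capturing (New )? group would cause in <order>.
        raise ValueError("capture-group count does not match <order> field count")
    return dict(zip(ORDER, groups))


def decode_all(lines, pattern=NEW_PATTERN):
    """Decode every line; unmatched lines are kept as None so gaps are visible."""
    return [decode(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pat in (("old_pattern", OLD_PATTERN), ("new_pattern", NEW_PATTERN)):
        print(name)
        for line, fields in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS, pat)):
            print("  ", fields if fields else "NO MATCH: " + line)
```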