Wazuh Decoder not running


I'm trying to get my feet wet in writing custom decoders and rules. I have been fighting with this problem for about a week now and am hoping someone can help. When I run a log through the Wazuh logtest, I get the expected results. However, when a log gets fed to Wazuh via a Windows agent, the alert doesn't get triggered. I've checked the archives.log and the log entry does contain "account" and '"computer":"' in it. Any suggestions would be very much appreciated!

I have the following decoder

<decoder name="uchtest">
        <prematch>\.*account\.*</prematch>
</decoder>
<decoder name="uchtest_login_child1">
        <parent>uchtest</parent>
        <regex>"computer":"(\.)"\.*Accoun</regex>
        <order>servername</order>
</decoder>

And the following rule.

<group name="uchtest_login">
        <rule id="100002" level="13">
                <decoded_as>uchtest</decoded_as>
                <description>just logged into $(servername)</description>
        </rule>
</group>

I've tried many things; for some reason, it isn't matching with log feeds.


In order to help you more accurately, you should provide the following information:

  1. Rule configuration, omitting sensitive information

  2. Example event to be able to replicate your case.

  3. Configuration of the decoders, omitting sensitive information.

To better guide you, you can follow the official documentation for building custom decoders: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

You can also review the official documentation for creating custom rules: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
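One thing worth checking before re-reading the docs is what the posted child decoder can actually capture. In Wazuh's OS_Regex syntax `\.` matches exactly one character, so `"computer":"(\.)"` only matches a computer name that is a single character long; a name like `DC01` makes the child regex fail, and `$(servername)` stays empty. A second thing worth checking is decoder order: parent decoders are tried in load order and the first one whose prematch matches claims the event, so a decoder loaded earlier that also matches the line stops `uchtest` from ever being evaluated. The Python harness below is an added example, not Wazuh's own code: it translates OS_Regex classes to Python `re` (an approximation of the real engine, so it avoids ambiguous `\.+` captures), runs the posted and a corrected decoder over constructed sample lines, and shows the load-order effect with a hypothetical `earlier_decoder` whose name and prematch are invented for the demonstration.

```python
import re

# Wazuh OS_Regex classes mapped onto Python re, following the Wazuh syntax
# docs: \. is any single character, \w is letters, digits, '-', '@' and '_',
# \d a digit, \s a space, \p punctuation; uppercase forms are negations.
# Assumption: the real engine's handling of greedy \.+ is not reproduced,
# so the decoders below only use captures whose end is unambiguous.
OS_REGEX_CLASSES = {
    ".": r".",
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
}


def os_regex_to_python(pattern):
    """Translate an OS_Regex pattern to a Python re pattern.

    In OS_Regex a bare '.' is a literal dot; only backslash classes,
    parentheses, *, +, ^, $ and | are special, so everything else is
    escaped for Python."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OS_REGEX_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif ch in "()*+^$|":
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def run_decoders(decoders, log):
    """Simplified model of how analysisd picks a decoder for one line.

    Parents are tried in load order; the first whose <prematch> hits claims
    the event. Its children are then tried in order and the first child
    whose <regex> hits fills the <order> fields. Returns the decoded fields
    (always including the parent name), or {} if no parent prematched."""
    for parent in (d for d in decoders if "parent" not in d):
        if not re.search(os_regex_to_python(parent["prematch"]), log):
            continue
        fields = {"decoder": parent["name"]}
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            match = re.search(os_regex_to_python(child["regex"]), log)
            if match:
                fields.update(zip(child["order"], match.groups()))
                break
        return fields
    return {}


# Decoders exactly as posted in the question: (\.) captures one character.
POSTED = [
    {"name": "uchtest", "prematch": r"\.*account\.*"},
    {"name": "uchtest_login_child1", "parent": "uchtest",
     "regex": r'"computer":"(\.)"\.*Accoun', "order": ["servername"]},
]

# Corrected child: \w+ captures the whole host name up to the closing quote.
# Host names containing dots would need a wider class than \w; that is a
# local choice, not something the question's log shows.
FIXED = [
    {"name": "uchtest", "prematch": r"\.*account\.*"},
    {"name": "uchtest_login_child1", "parent": "uchtest",
     "regex": r'"computer":"(\w+)"\.*Accoun', "order": ["servername"]},
]

# Hypothetical parent loaded before uchtest that also matches the line:
# it claims the event and uchtest is never reached. Name and prematch are
# invented for the demonstration.
SHADOWED = [{"name": "earlier_decoder", "prematch": r"^{"}] + FIXED

# Constructed sample lines, not taken from the original post; each carries
# the two fragments the question says are present in archives.log.
SAMPLE = '{"computer":"DC01","account":"alice","message":"Account logon"}'
SAMPLE_ONE_CHAR = '{"computer":"A","account":"alice","message":"Account logon"}'


def demo():
    """Run the four scenarios and return their decoded fields."""
    return {
        "posted": run_decoders(POSTED, SAMPLE),               # no servername
        "posted_1char": run_decoders(POSTED, SAMPLE_ONE_CHAR),  # servername "A"
        "fixed": run_decoders(FIXED, SAMPLE),                 # servername "DC01"
        "shadowed": run_decoders(SHADOWED, SAMPLE),           # earlier_decoder wins
    }


if __name__ == "__main__":
    for case, fields in demo().items():
        print(f"{case:13s} {fields}")
```

The harness is only a model; the authoritative check is to paste the complete line from archives.log, not a trimmed fragment, into `/var/ossec/bin/wazuh-logtest` on the manager and compare which decoder it reports against what this model predicts. If logtest names a different decoder than `uchtest`, the problem is load order rather than the regex.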