Advancing Wazuh Parsing: The Automatic Wazuh Decoder Builder is Live!


The Wazuh community now has a powerful tool that automates the creation of Wazuh decoders, eliminating the need for manual regex writing. This tool simplifies log parsing, making it easier for detection engineers and SOC teams to integrate logs into Wazuh efficiently.

Key Features:

✅ Smart Log Pattern Detection – Automatically identifies spacing, structure, and field boundaries.
✅ Multi-Decoder Layering – Supports <prematch>, <parent>, and nested structures.
✅ Regex-Free Experience – No manual regex writing required.
✅ Real-Time XML Generation – Export-ready, validated decoder outputs.
✅ Auto-Mapping for Common Fields – Timestamps, IPs, protocols, and actions.
✅ User-Friendly Web UI & Docker Support – Accessible via browser, easy deployment.

🔗 Sigma to Wazuh Rule Converter Tool: https://shorturl.at/mYUKh

You Should Know:

#### **1. How to Deploy the Wazuh Decoder Builder via Docker**

```bash
docker pull wazuh/decoder-builder
docker run -d -p 8080:80 wazuh/decoder-builder
```

Access the tool at `http://localhost:8080`. The `-p 8080:80` mapping publishes the container's port 80 on every host interface; on a shared host, bind it to loopback instead (`-p 127.0.0.1:8080:80`) so the UI is not reachable from the network.

#### **2. Sample Log Parsing with Wazuh**

If you have a log like:

2024-03-29 10:15:22 [WARNING] src_ip=192.168.1.100 action=blocked user=admin 

The tool generates a decoder equivalent to the following. Quantifiers such as `\d{4}` and escaped brackets are PCRE2 syntax, so the `type="pcre2"` attribute (Wazuh 4.3+) is required; the default Wazuh regex syntax has no `{n}` quantifier and would need `\d\d\d\d` instead. Two details matter for correctness: capture groups inside `<prematch>` never become fields, and the number of groups in `<regex>` must equal the number of names in `<order>`, which are mapped positionally:

```xml
<decoder name="custom-log">
  <!-- prematch only decides whether this decoder applies; its groups are discarded -->
  <prematch type="pcre2">^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[WARNING\]</prematch>
  <!-- four capture groups here map, in order, onto the four names in <order> -->
  <regex type="pcre2">^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[WARNING\] src_ip=(\S+) action=(\S+) user=(\S+)</regex>
  <!-- srcip (not src_ip) is the field name that <srcip> in rules and active response look for -->
  <order>timestamp, srcip, action, user</order>
</decoder>
```
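The two checks above (no fields from `<prematch>`, groups equal names in `<order>`) are easy to get wrong by hand and are exactly what a builder has to guarantee. The following Python is an added example, not the decoder builder's own code: it infers a `type="pcre2"` decoder from one sample line in the `timestamp [LEVEL] key=value ...` shape shown above, then dry-runs the result against further lines the way Wazuh would apply it. The sample log lines and the `FIELD_MAP` key renaming are constructed assumptions for the example, and Python's `re` stands in for PCRE2 (adequate for these patterns, not for every PCRE2 feature).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines for this example; not taken from any real system.
SAMPLE_LOGS = [
    "2024-03-29 10:15:22 [WARNING] src_ip=192.168.1.100 action=blocked user=admin",
    "2024-03-29 10:16:05 [WARNING] src_ip=10.0.0.7 action=allowed user=bob",
    # Different level: the prematch must reject this line so another decoder can try it.
    "2024-03-29 10:17:00 [INFO] src_ip=10.0.0.8 action=allowed user=carol",
]

TS_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

# Assumed renaming of common keys to the field names Wazuh rules and active response expect.
FIELD_MAP = {"src_ip": "srcip", "dst_ip": "dstip", "src_port": "srcport", "dst_port": "dstport"}


def build_decoder(sample: str, name: str = "custom-log") -> str:
    """Infer a pcre2 decoder from one sample line.

    The timestamp and bracketed level become the <prematch>; every key=value
    token becomes one capture group in <regex> and one name in <order>.
    """
    head = re.match(rf"^({TS_RE}) \[(\w+)\] ", sample)
    if not head:
        raise ValueError("sample must start with '<timestamp> [LEVEL] '")
    level = head.group(2)
    keys = re.findall(r"(\w+)=\S+", sample[head.end():])
    if not keys:
        raise ValueError("no key=value pairs found after the header")
    kv_regex = " ".join(rf"{k}=(\S+)" for k in keys)
    fields = ["timestamp"] + [FIELD_MAP.get(k, k) for k in keys]
    return (
        f'<decoder name="{name}">\n'
        f'  <prematch type="pcre2">^{TS_RE} \\[{level}\\]</prematch>\n'
        f'  <regex type="pcre2">^({TS_RE}) \\[{level}\\] {kv_regex}</regex>\n'
        f'  <order>{", ".join(fields)}</order>\n'
        "</decoder>"
    )


def group_counts(decoder_xml: str):
    """Return (capture groups in <regex>, names in <order>).

    Wazuh maps them positionally, so a decoder is only sound when they are equal.
    """
    root = ET.fromstring(decoder_xml)
    regex = re.compile(root.findtext("regex"))
    order = [f.strip() for f in root.findtext("order").split(",")]
    return regex.groups, len(order)


def dry_run(decoder_xml: str, logs):
    """Apply a pcre2 decoder to lines the way Wazuh would.

    <prematch> gates the line (None = decoder does not apply); <regex> groups are
    zipped onto <order>. Raises if the group/name counts disagree.
    """
    groups, names = group_counts(decoder_xml)
    if groups != names:
        raise ValueError(f"<regex> captures {groups} groups but <order> lists {names} fields")
    root = ET.fromstring(decoder_xml)
    prematch = re.compile(root.findtext("prematch"))
    regex = re.compile(root.findtext("regex"))
    order = [f.strip() for f in root.findtext("order").split(",")]
    results = []
    for line in logs:
        if not prematch.search(line):
            results.append(None)
            continue
        m = regex.search(line)
        results.append(dict(zip(order, m.groups())) if m else {})
    return results


# Constructed hand-written decoder with the classic defect: the timestamp is captured
# in <prematch>, whose groups never become fields, so <order> has four names for three groups.
MISMATCHED_DECODER = r"""<decoder name="custom-log">
<prematch>^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[WARNING\]</prematch>
<regex>src_ip=(\S+) action=(\S+) user=(\S+)</regex>
<order>timestamp, src_ip, action, user</order>
</decoder>"""

if __name__ == "__main__":
    decoder = build_decoder(SAMPLE_LOGS[0])
    print(decoder)
    for line, fields in zip(SAMPLE_LOGS, dry_run(decoder, SAMPLE_LOGS)):
        print(f"{line} -> {fields}")
    print("mismatched decoder (groups, names):", group_counts(MISMATCHED_DECODER))
```

The dry run is a pre-flight check only; the generated XML still has to go through `wazuh-logtest` on a manager, because the real engine also applies pre-decoding (syslog header stripping) and decoder ordering that this script does not model.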

#### **3. Linux Commands for Log Testing**

The agent only reads files listed as `<localfile>` entries (with `<location>/var/log/test.log</location>`) in its `/var/ossec/etc/ossec.conf`, so add that entry and restart the agent before testing. Then append a sample line and check both ends of the pipeline:

```bash
# Simulate log entries for testing
echo "2024-03-29 10:15:22 [WARNING] src_ip=192.168.1.100 action=blocked user=admin" >> /var/log/test.log

# Agent side: the log collector reports every file it monitors in ossec.log
grep "Analyzing file.*test.log" /var/ossec/logs/ossec.log

# Manager side: alerts.json carries the decoder name (alerts.log does not)
tail -f /var/ossec/logs/alerts/alerts.json | grep '"name":"custom-log"'
```

An alert is only written once a rule matches, so a decoder with no rule referencing it (`<decoded_as>custom-log</decoded_as>`) produces nothing in either alert file; use `wazuh-logtest` (section 5) to see the decoding phase on its own.

#### **4. Windows Event Log Integration**

Windows events need no custom decoder: the agent forwards the Security channel when `ossec.conf` lists it as a `<localfile>` with `<log_format>eventchannel</log_format>`, and Wazuh ships decoders and rules for it. Use `wevtutil` to confirm that the events you expect (here successful logons, EventID 4624) are actually being written on the host, newest first and limited to five:

```powershell
wevtutil qe Security /rd:true /f:text /c:5 /q:"*[System[(EventID=4624)]]"
```

#### **5. Wazuh CLI for Decoder and Rule Validation**

`wazuh-logtest` has no `-f` option; it reads log lines from standard input and prints each phase (pre-decoding, decoding, rule matching). Put the decoder in `/var/ossec/etc/decoders/local_decoder.xml` on the manager, then feed it the sample line:

```bash
echo "2024-03-29 10:15:22 [WARNING] src_ip=192.168.1.100 action=blocked user=admin" | /var/ossec/bin/wazuh-logtest
```

The decoding phase should report the decoder name `custom-log` and the extracted fields. The rule phase stays empty until a rule references the decoder, and live events only use the new decoder and rule after the manager is restarted (`systemctl restart wazuh-manager`).

### **What Undercode Say:**

Automating Wazuh decoders significantly reduces the manual effort of log parsing. For SOC teams, this means faster onboarding of new log sources and fewer misconfigurations. Key takeaways:
– Use Docker for quick deployment.
– Test generated decoders with wazuh-logtest before deploying them to the manager.
– Combine with Sigma rules for enhanced detection.

**Expected Output:**

<decoder name="custom-log"> 
<prematch>timestamp and log level</prematch> 
<regex>key=value pairs</regex> 
<order>fields</order> 
</decoder> 

For more details, visit: https://shorturl.at/mYUKh

References:

Reported By: Mariskarthickm Cybersecurity – Hackers Feeds