Need Help with a Decoder

Hey all. I am still fairly new to Wazuh and I am having some issues creating a decoder to match a log.

I am sending my Unifi Dream Router logs to my syslog server and collecting them using an agent. However, I cannot get the decoder to match the log.

Example log:

Jun 15 15:46:50 UDR [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br3 OUT= MAC=d8:b3:70:93:8a:29:c4:9d:ed:11:3b:9e:08:00 SRC=192.168.4.222 DST=192.168.1.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=24374 DF PROTO=TCP SPT=58869 DPT=443 SEQ=1993123410 ACK=3304338753 WINDOW=513 ACK URGP=0 UID=125 GID=132 MARK=1a0000

Here is what I am trying for the prematch:

<!-- General decoder -->
<!-- PCRE2 is a regex syntax, not a glob: a pattern that begins with "*" does not
     compile ("quantifier does not follow a repeatable item"), so the decoder is
     never loaded. An unanchored literal already matches anywhere in the line. -->
<decoder name="udr">
  <type>syslog</type>
  <prematch type="pcre2">UDR</prematch>
</decoder>

Can someone help?
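An added example (not code from the post, and not part of Wazuh's shipped decoder set) of a parent/child decoder pair for the firewall log shown above, written for local_decoder.xml on Wazuh 4.3 or later, where `type="pcre2"` is accepted on both prematch and regex. The parent keys on the literal `DESCR="` rather than on `UDR`, because Wazuh's syslog pre-decoding may consume the hostname (and possibly the bracketed rule tag) before the prematch is evaluated, and the child regexes start at `IN=` so they work whether the regex is applied to the whole line or only to the text after the parent's prematch. The field names `description`, `in_iface` and `out_iface` are assumed dynamic-field names chosen for this example; `srcip`, `dstip`, `protocol`, `srcport` and `dstport` are standard Wazuh fields.

```xml
<!-- Added example: decoders for Unifi Dream Router firewall entries.
     Not from the original post and not part of Wazuh's own decoders. -->

<!-- Parent decoder: classifies the event only. "DESCR=" is a plain PCRE2
     literal present in every rule-log line, so the match does not depend on
     how much of the syslog header pre-decoding has already removed. -->
<decoder name="udr-firewall">
  <prematch type="pcre2">DESCR="</prematch>
</decoder>

<!-- Child 1: TCP/UDP entries, which carry SPT/DPT.
     OUT= is legitimately empty for locally delivered traffic (OUT= MAC=...),
     hence \S* rather than \S+ for the interface captures. -->
<decoder name="udr-firewall-tcpudp">
  <parent>udr-firewall</parent>
  <regex type="pcre2">IN=(\S*) OUT=(\S*) .*SRC=(\S+) DST=(\S+) .*PROTO=(\S+) SPT=(\d+) DPT=(\d+)</regex>
  <order>in_iface, out_iface, srcip, dstip, protocol, srcport, dstport</order>
</decoder>

<!-- Child 2: protocols without ports (ICMP, IGMP, ...). Siblings are tried in
     order, so this only fires when the TCP/UDP regex above does not match;
     without it those lines would carry nothing beyond the parent's name. -->
<decoder name="udr-firewall-noport">
  <parent>udr-firewall</parent>
  <regex type="pcre2">IN=(\S*) OUT=(\S*) .*SRC=(\S+) DST=(\S+) .*PROTO=(\S+)</regex>
  <order>in_iface, out_iface, srcip, dstip, protocol</order>
</decoder>
```

To check the result without restarting the manager, paste the sample line from the post into `/var/ossec/bin/wazuh-logtest`; the output should show `udr-firewall-tcpudp` as the decoder with `srcip=192.168.4.222`, `dstip=192.168.1.1`, `protocol=TCP`, `srcport=58869` and `dstport=443`. A line for an ICMP flow should decode via `udr-firewall-noport` instead of failing entirely.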


Posted: 6 months ago