Server Management - Decoders Configuration

1. Understanding Decoders

Decoders are used to parse incoming log data, extract relevant fields, and map the data into a normalized structure that rules can process. Without proper decoders, Argus rules may not be able to accurately interpret the logs, leading to missed alerts or incorrect analysis.

  • Location of decoders: Argus decoders are configured in XML files, located under the /var/ossec/decoders/ directory.
  • Default decoders: Argus comes with a large number of preconfigured decoders for common log formats like syslog, Apache, Nginx, AWS, and more.

2. Basic Decoder Structure

A decoder is defined using an XML structure similar to rules. Here’s an example of a basic decoder for SSH logs:

<decoder name="sshd">
  <program_name>sshd</program_name>
  <type>ssh</type>
</decoder>

Key components:

  • name: Name of the decoder.
  • program_name: Specifies the log source or application name to decode (e.g., sshd for SSH logs).
  • type: A general category or grouping for the logs being decoded (e.g., ssh).

3. Creating and Configuring Custom Decoders

You can create custom decoders for new log formats not covered by the default Argus decoders. This is especially useful if your environment generates logs in a proprietary format.

To create a custom decoder:

  • Create a new XML file under /var/ossec/decoders/, for example:

sudo nano /var/ossec/decoders/custom_decoders.xml

  • Define your custom decoder, like this:

<decoder name="custom-app">
  <program_name>custom-app</program_name>
  <regex>^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(.*)\] "(\w+) (.*)"</regex>
  <order>program_name</order>
</decoder>

In this example:

  • name: Name of the decoder (custom-app).
  • program_name: Defines the application or log source this decoder applies to.
  • regex: Regular expression used to extract fields from the log message.
  • order: Specifies the order in which decoders should be applied (useful if multiple decoders might match the same logs).

4. Regex for Parsing Logs

Decoders often rely on regular expressions (regex) to parse and extract log fields. Argus decoders support powerful regex matching to handle a wide variety of log formats. In the decoder example above, the regex extracts fields like the IP address, timestamp, HTTP method, and requested URL from a custom log.

5. Decoder Hierarchy and Inheritance

Argus supports a hierarchical structure for decoders:

  • Parent decoders: You can define a general decoder and create more specific child decoders that inherit the parent’s properties but refine them further.
  • parent tag: In a child decoder, you can use the parent attribute to refer to the parent decoder.

Example:

<decoder name="syslog-sshd" parent="syslog">
  <program_name>sshd</program_name>
  <type>ssh</type>
</decoder>

This inherits general syslog decoding rules but refines them for sshd logs.
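To make the flow of sections 3 to 5 concrete, here is an added Python simulation (not Argus's own engine or code) of how a parent syslog decoder isolates program_name and the custom-app child decoder's regex from section 3 then extracts fields from the message. The sample log lines and the field names assigned to the four capture groups (srcip, timestamp, method, url) are constructed assumptions for this example.

```python
import re
from typing import Optional

# Constructed sample syslog lines, not taken from the original page.
SAMPLE_LOGS = [
    'Mar  3 10:15:22 web01 custom-app[2231]: 203.0.113.7 - - [03/Mar/2024:10:15:22 +0000] "GET /index.html"',
    'Mar  3 10:15:23 web01 sshd[1999]: Accepted publickey for alice from 198.51.100.9 port 50112 ssh2',
    'Mar  3 10:15:24 web01 custom-app[2231]: malformed line with no request',
]

# Parent stage: a generic syslog header "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_HEADER = re.compile(
    r'^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$'
)

# Child stage: the custom-app regex from the page, applied to the message part only.
CUSTOM_APP_REGEX = re.compile(
    r'^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(.*)\] "(\w+) (.*)"'
)
# Assumed names for the four capture groups (IP, timestamp, HTTP method, URL).
CUSTOM_APP_FIELDS = ("srcip", "timestamp", "method", "url")


def decode(line: str) -> Optional[dict]:
    """Select the child decoder by program_name, then extract fields with its regex."""
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None  # not even a syslog line: nothing for any decoder to do
    hostname, program_name, message = header.groups()
    result = {"hostname": hostname, "program_name": program_name}
    if program_name != "custom-app":
        return result  # no matching child decoder: only the parent's fields remain
    fields = CUSTOM_APP_REGEX.match(message)
    if not fields:
        result["decoded"] = False  # program matched but the regex did not: no fields
        return result
    result.update(zip(CUSTOM_APP_FIELDS, fields.groups()))
    result["decoded"] = True
    return result


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(decode(log))
```

The third sample line shows the failure mode worth testing with ossec-logtest: the program name is right, so the decoder is selected, but a regex mismatch leaves the fields empty and any rule keyed on them silent.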

6. Testing Decoders

Once you configure a new decoder, it’s essential to test it to ensure it works properly.

  • Test logs: You can use real log data to see how Argus decodes the log entries. Argus’s logs (in /var/ossec/logs/ossec.log) can help you identify whether the decoder is working correctly.
  • Testing utility: You can use ossec-logtest to quickly test how Argus decodes and processes logs. Run:

/var/ossec/bin/ossec-logtest

Paste a log sample into the test window, and it will show how Argus decodes and processes it.

7. Reloading Decoders

After modifying or adding a decoder, you need to reload the Argus manager to apply the changes.

sudo systemctl restart argus-manager
