1. Understanding Decoders
Decoders are used to parse incoming log data, extract relevant fields, and map the data into a normalized structure that rules can process. Without proper decoders, Argus rules may not be able to accurately interpret the logs, leading to missed alerts or incorrect analysis.
- Location of decoders: Argus decoders are configured in XML files, located under the /var/ossec/decoders/ directory.
- Default decoders: Argus comes with a large number of preconfigured decoders for common log formats like syslog, Apache, Nginx, AWS, and more.
2. Basic Decoder Structure
A decoder is defined using an XML structure similar to rules. Here’s an example of a basic decoder for SSH logs:
<decoder name="sshd">
  <program_name>sshd</program_name>
  <type>ssh</type>
</decoder>
Key components:
- name: Name of the decoder.
- program_name: Specifies the log source or application name to decode (e.g., sshd for SSH logs).
- type: A general category or grouping for the logs being decoded (e.g., ssh).
3. Creating and Configuring Custom Decoders
You can create custom decoders for new log formats not covered by the default Argus decoders. This is especially useful if your environment generates logs in a proprietary format.
To create a custom decoder:
- Create a new XML file under /var/ossec/decoders/, for example:
sudo nano /var/ossec/decoders/custom_decoders.xml
- Define your custom decoder, like this:
<decoder name="custom-app">
  <program_name>custom-app</program_name>
  <regex>^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(.*)\] "(\w+) (.*)"</regex>
  <order>program_name</order>
</decoder>
In this example:
- name: Name of the decoder (custom-app).
- program_name: Defines the application or log source this decoder applies to.
- regex: Regular expression used to extract fields from the log message.
- order: Specifies the order in which decoders should be applied (useful if multiple decoders might match the same logs).
4. Regex for Parsing Logs
Decoders often rely on regular expressions (regex) to parse and extract log fields. Argus decoders support powerful regex matching to handle a wide variety of log formats. In the decoder example above, the regex extracts fields like the IP address, timestamp, HTTP method, and requested URL from a custom log.
5. Decoder Hierarchy and Inheritance
Argus supports a hierarchical structure for decoders:
- Parent decoders: You can define a general decoder and create more specific child decoders that inherit the parent’s properties but refine them further.
- parent attribute: In a child decoder, use the parent attribute to refer to the parent decoder.
Example:
<decoder name="syslog-sshd" parent="syslog">
  <program_name>sshd</program_name>
  <type>ssh</type>
</decoder>
This inherits general syslog decoding rules but refines them for sshd logs.
6. Testing Decoders
Once you configure a new decoder, it’s essential to test it to ensure it works properly.
- Test logs: You can use real log data to see how Argus decodes the log entries. Argus’s logs (in /var/ossec/logs/ossec.log) can help you identify whether the decoder is working correctly.
- Testing utility: You can use ossec-logtest to quickly test how Argus decodes and processes logs. Run:
/var/ossec/bin/ossec-logtest
Paste a log sample into the test window, and it will show how Argus decodes and processes it.
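The custom decoder from section 3, the parent/child chain from section 5 and the testing step above, exercised offline as an added example (this is not Argus's own code or a file it ships): a small Python emulation of how a syslog line is pre-decoded into a program name, matched against root decoders and then their children through the parent attribute, and how regex capture groups are stored under the names listed in order. It assumes that order names the target field of each capture group in sequence (the OSSEC convention that the /var/ossec layout suggests; the page's own example lists program_name there), that the standard syslog header is pre-decoded before decoders run, and that the decoder regexes are valid for Python's re module; the decoder XML, the field names and the log lines are constructed for the example. Its lint check catches the most common decoder mistake, a capture-group count that does not match the order list, before you paste samples into ossec-logtest.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoder set for this example; not a file shipped with Argus.
# A generic syslog parent, an sshd child, and the page's custom-app regex
# (ASCII quotes and hyphens). Assumed semantics: <order> names the field each
# regex capture group is stored under, in sequence. Regexes are written for
# Python's re module; a real decoder must use the syntax Argus itself accepts.
DECODERS_XML = r"""
<decoders>
  <decoder name="syslog">
    <type>syslog</type>
  </decoder>
  <decoder name="syslog-sshd" parent="syslog">
    <program_name>sshd</program_name>
    <regex>Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)</regex>
    <order>srcuser, srcip, srcport</order>
  </decoder>
  <decoder name="custom-app" parent="syslog">
    <program_name>custom-app</program_name>
    <regex>^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(.*)\] "(\w+) (.*)"</regex>
    <order>srcip, timestamp, action, url</order>
  </decoder>
</decoders>
"""

# Stand-in for the syslog header pre-decoding (timestamp, host, program name)
# that happens before any decoder is consulted.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d+:\d+:\d+) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<message>.*)$"
)


@dataclass
class Decoder:
    name: str
    parent: Optional[str]
    program_name: Optional[str]
    regex: Optional[re.Pattern]
    order: List[str]


def load_decoders(xml_text: str) -> List[Decoder]:
    """Parse every <decoder> element into a Decoder object."""
    decoders = []
    for el in ET.fromstring(xml_text.strip()).findall("decoder"):
        def text(tag):
            node = el.find(tag)
            return node.text.strip() if node is not None and node.text else None
        regex, order = text("regex"), text("order")
        decoders.append(Decoder(
            name=el.get("name"),
            parent=el.get("parent"),
            program_name=text("program_name"),
            regex=re.compile(regex) if regex else None,
            order=[f.strip() for f in order.split(",")] if order else [],
        ))
    return decoders


def lint_decoders(decoders: List[Decoder]) -> List[str]:
    """Report capture-group/order mismatches and dangling parent references."""
    problems, names = [], {d.name for d in decoders}
    for d in decoders:
        if d.regex is not None and d.regex.groups != len(d.order):
            problems.append(f"{d.name}: regex has {d.regex.groups} groups, order lists {len(d.order)}")
        if d.parent is not None and d.parent not in names:
            problems.append(f"{d.name}: unknown parent {d.parent}")
    return problems


def decode(line: str, decoders: List[Decoder]) -> Dict:
    """Try root decoders, then the matched decoder's children; first match wins."""
    header = SYSLOG_HEADER.match(line)
    if header is None:
        return {"decoder": None, "chain": [], "program_name": None, "fields": {}}
    message, program = header.group("message"), header.group("program_name")
    chain, fields = [], {}
    candidates = [d for d in decoders if d.parent is None]
    while candidates:
        matched = next((d for d in candidates
                        if d.program_name is None or d.program_name == program), None)
        if matched is None:
            break
        chain.append(matched.name)
        if matched.regex is not None:
            m = matched.regex.search(message)
            if m:
                fields.update(zip(matched.order, m.groups()))
        candidates = [d for d in decoders if d.parent == matched.name]
    return {"decoder": chain[-1] if chain else None, "chain": chain,
            "program_name": program, "fields": fields}


# Constructed sample log lines (not real logs).
SAMPLE_LOGS = [
    "Oct  5 10:12:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    'Oct  5 10:12:03 web01 custom-app[918]: 198.51.100.7 - - [05/Oct/2024:10:12:03 +0000] "GET /login?user=x"',
    "Oct  5 10:12:04 web01 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
    "not a syslog line at all",
]


def decode_samples() -> List[Dict]:
    decoders = load_decoders(DECODERS_XML)
    problems = lint_decoders(decoders)
    if problems:
        raise ValueError("; ".join(problems))
    return [decode(line, decoders) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for result in decode_samples():
        print(result["chain"], result["fields"])
```

The cron line shows the fallback behaviour worth knowing about: it is claimed by the generic syslog parent but no child matches, so it decodes with an empty field set, and a rule that expects srcip from it will never fire. That is the symptom to look for in ossec-logtest output when a custom decoder is silently not applying.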
7. Reloading Decoders
After modifying or adding a decoder, you need to reload the Argus manager to apply the changes.
sudo systemctl restart argus-manager