wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

pre-decoder does not take the hostname #22192

Open jorgetomasguerra opened 8 months ago

jorgetomasguerra commented 8 months ago

| Wazuh version | Component | Action type |
| --- | --- | --- |
| 4.7.2 | Decoder | --- |

Description

If the log has the year, the hostname information is not taken from the log.

Examples:

--> `2024 Apr 14 19:28:21 gorilla named`

```
**Phase 1: Completed pre-decoding.
    full event: '2024 Apr 14 19:28:21 gorilla named: '
    timestamp: '2024 Apr 14 19:28:21'
    program_name: 'named'

**Phase 2: Completed decoding.
    name: 'named'

**Phase 3: Completed filtering (rules).
    id: '12100'
    level: '0'
    description: 'Grouping of the named rules'
    groups: '["syslog","named"]'
    firedtimes: '1'
    mail: 'false'
```

--> `Apr 14 19:28:21 gorilla named:`

```
**Phase 1: Completed pre-decoding.
    full event: 'Apr 14 19:28:21 gorilla named: '
    timestamp: 'Apr 14 19:28:21'
    hostname: 'gorilla'
    program_name: 'named'

**Phase 2: Completed decoding.
    name: 'named'

**Phase 3: Completed filtering (rules).
    id: '12100'
    level: '0'
    description: 'Grouping of the named rules'
    groups: '["syslog","named"]'
    firedtimes: '2'
    mail: 'false'
```

juliancnn commented 8 months ago

Hello @jorgetomasguerra

From the examples you've provided, it appears that the hostname is not being captured when the year is present in the log's timestamp. Wazuh should normally parse syslog formats with or without the year. Here's an example of a successful parsing:

```
2024 Apr 14 19:28:21 hostnameTest processName[123]: Message Test
```

```
**Phase 1: Completed pre-decoding.
    full event: '2024 Apr 14 19:28:21 hostnameTest processName[123]: Message Test'
    timestamp: '2024 Apr 14 19:28:21'
    hostname: 'hostnameTest'
    program_name: 'processName'
```

To assist you further, could you please provide the exact logs that are not being decoded as expected? This will help us replicate the issue and provide a more accurate solution.

regards,

jorgetomasguerra commented 8 months ago

Hi,

Using your example, we can see that the hostname is not parsed:

But if I remove the year, yes:

Greetings.

Jorge


juliancnn commented 8 months ago

Hi Jorge,

It seems that the output you intended to share didn't come through; this might be due to trying to attach images or text directly via email, which GitHub does not support in comments. To share the output effectively, it would be best to post directly on the GitHub issue. If you're trying to include screenshots, you can drag and drop the images into the comment box on the GitHub issue page or use the Markdown syntax:

```markdown
![Description of image](image-url-here)
```

Once you've uploaded the images or shared the output text, I'll be able to assist you further with the issue at hand.

OSSAASSO commented 8 months ago

Experiencing the same problem. All our syslog data has the year so we're never getting the hostname parsed on this new Wazuh 4.7.2 instance. If the year is absent from the log data, the hostname is successfully parsed.

With the year, hostname is not parsed:

```
$ sudo /var/ossec/bin/wazuh-logtest <<< '2024 Apr 14 19:28:21 hostnameTest processName[123]: Message Test'

**Phase 1: Completed pre-decoding.
        full event: '2024 Apr 14 19:28:21 hostnameTest processName[123]: Message Test'
        timestamp: '2024 Apr 14 19:28:21'
        program_name: 'processName'
```

Without the year, hostname is parsed:

```
$ sudo /var/ossec/bin/wazuh-logtest <<< 'Apr 14 19:28:21 hostnameTest processName[123]: Message Test'

**Phase 1: Completed pre-decoding.
        full event: 'Apr 14 19:28:21 hostnameTest processName[123]: Message Test'
        timestamp: 'Apr 14 19:28:21'
        hostname: 'hostnameTest'
        program_name: 'processName'
```

Should I open a new issue?

juliancnn commented 8 months ago

Thanks for reporting this. I was checking and indeed, many times when the year is present in the different formats we support, the hostname is not extracted correctly. I have marked this issue as a bug and you can follow the progress here.

It is not possible to extract the hostname in the following logs when it should:

```
2015 Dec 29 10:00:01 hostnameTest processName[123]: Message Test
2007-06-14T15:48:55-04:00 hostnameTest processName[123]: Message Test
2022-12-19T15:02:53.288+00:00 hostnameTest processName[123]: Message Test
2009-05-22T09:36:46.214994-07:00 hostnameTest processName[123]: Message Test
2015-04-16 21:51:02,805 hostnameTest processName[123]: Message Test
2021-04-21 10:16:09.404756-0700 hostnameTest processName[123]: Message Test
```

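
An added example, not code from Wazuh or from anyone in this thread: a small Python pre-decoder that consumes each of the six timestamp shapes listed above (plus the year-less BSD form) before it looks for the hostname, so the affected formats can be checked offline. The regexes and the field names (`timestamp`, `hostname`, `program_name`, `pid`) are my own assumptions modelled on the wazuh-logtest output shown in this issue, not the engine's implementation.

```python
import re

# Timestamp shapes seen in this thread: "YYYY Mon DD", year-less BSD syslog, ISO 8601 with
# fraction/offset, and "YYYY-MM-DD HH:MM:SS[,.]frac[±zone]". Patterns are my own (assumption),
# written for this example; they are not the Wazuh decoder's implementation.
_MON = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
_TIMESTAMP = "|".join([
    rf"\d{{4}} {_MON} [ \d]\d \d\d:\d\d:\d\d",                        # 2015 Dec 29 10:00:01
    rf"{_MON} [ \d]\d \d\d:\d\d:\d\d",                                # Dec 29 10:00:01
    r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:?\d\d)?",  # 2007-06-14T15:48:55-04:00
    r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:[.,]\d+)?(?:[+-]\d{4})?",       # 2015-04-16 21:51:02,805
])
# The timestamp must be fully consumed first; only then is the next token taken as hostname.
_HEADER = re.compile(
    rf"^(?P<timestamp>{_TIMESTAMP})\s+"
    r"(?P<hostname>[^\s:\[]+)\s+"
    r"(?P<program_name>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<message>.*)$"
)

def predecode(line):
    """Return the header fields of one syslog line, or None if no header matched."""
    m = _HEADER.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

def lines_missing_hostname(lines):
    """Return the lines whose header parsed without a hostname (the symptom this issue reports)."""
    return [l for l in lines if (predecode(l) or {}).get("hostname") is None]

# Constructed sample set: the six formats from the comment above plus the year-less form.
SAMPLES = [
    "2015 Dec 29 10:00:01 hostnameTest processName[123]: Message Test",
    "2007-06-14T15:48:55-04:00 hostnameTest processName[123]: Message Test",
    "2022-12-19T15:02:53.288+00:00 hostnameTest processName[123]: Message Test",
    "2009-05-22T09:36:46.214994-07:00 hostnameTest processName[123]: Message Test",
    "2015-04-16 21:51:02,805 hostnameTest processName[123]: Message Test",
    "2021-04-21 10:16:09.404756-0700 hostnameTest processName[123]: Message Test",
    "Apr 14 19:28:21 hostnameTest processName[123]: Message Test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(predecode(s))
    print("missing hostname:", lines_missing_hostname(SAMPLES))
```

Feeding the same SAMPLES lines through `wazuh-logtest` as shown earlier in the thread gives a direct comparison of which header shapes the running version drops the hostname for.
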
lnxipsum commented 2 months ago

Hi! Any update on this issue? I have plenty of syslog events without a hostname and it is very difficult to filter and search.