| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546 |
- <!--
- SOC custom decoders (production-focused baseline)
- - Decodes real correlation payloads produced by SOC Integrator
- - Decodes real DNS IOC payloads
- - Decodes modern ESXi 7/8 syslog format (groups: vmware)
- -->
- <!--
- Modern VMware ESXi / vCenter syslog decoder
- Matches ESXi 7.x and 8.x syslog output (built-in vmware decoder only handles old ESX 4.x format).
- How if_group=vmware works: rule 19100 (decoded_as vmware) fires first and places the event in
- the vmware group. Our B1 rules then match via if_group=vmware.
- To hook into this chain, our decoder must also be NAMED "vmware" (Wazuh allows multiple
- decoders with the same name — they are evaluated in order).
- ESXi 7.x format: <ISO-TS> <HOSTNAME> <PROCESS>: <SEV> <proc[pid]> [<meta>] <msg>
- ESXi 8.x format: <ISO-TS> <HOSTNAME> <process[pid]>: [<sev>] <msg>
- Known process names seen from FPVM70-H1/H2 (ESXi 7) and ESXi 8.0:
- Hostd, Vpxa, Rhttpproxy, vmkernel, vmkwarning, healthd, healthdPlugins,
- hostd-probe, net-cdp, vdtc, envoy-access, fdm, kmxa, sandboxd, crond
- -->
- <decoder name="vmware">
- <program_name type="pcre2">(?i)^(Hostd|Vpxa|Rhttpproxy|vmkernel|vmkwarning|vmkdump|healthd|healthdPlugins|hostd-probe|net-cdp|vdtc|envoy-access|fdm|kmxa|sandboxd|vpxd|dcui|crond|ImageConfigManager|sysboot|sfcb|vsanmgmtd)$</program_name>
- </decoder>
- <decoder name="vmware-esxi-severity">
- <parent>vmware</parent>
- <prematch type="pcre2">^(?:verbose|info|warning|error|critical|debug) </prematch>
- <regex type="pcre2">^(verbose|info|warning|error|critical|debug)</regex>
- <order>status</order>
- </decoder>
- <decoder name="soc-prod-dns">
- <prematch>soc_event=dns_ioc</prematch>
- <regex type="pcre2">event_type=(\S+)(?:.*?src_ip=([\d.]+))?</regex>
- <order>status, srcip</order>
- </decoder>
- <decoder name="soc-prod-integrator">
- <prematch>soc_event=correlation</prematch>
- <regex type="pcre2">event_type=(\S+)(?:.*?user="([^"]+)")?(?:.*?src_ip=([\d.]+))?</regex>
- <order>status, srcuser, srcip</order>
- </decoder>
|
