To report a found bug,
please select the text with the bug and click Report a Bug
or CTRL+ENTER.
Help
system 10.9 of 26/11/2025,
©
FORESIGHT
To install and set up Wazuh, and to connect data import from file via rsyslog/Logstash, see the manufacturer documentation.
To parse an event from CEF file, create a decoder. Each event requires an individual decoder.
The example of decoder for parsing the FAP_EV_LOGONS event that is system logon:
Wazuh
<!--
08/08/2025
Log Sample:
CEF:0|Foresight|Foresight Analytics Platform|10.9.0|FSAP_EV_LOGONS_IN|AuditLog|Unknown|act= cs1Label=MetabaseId cs1=WAREHOUSE rt=Aug 05 2025 12:00:10+05:00 outcome=Success shost=IVANOV suser=ivan.ivanov cs2Label=PlatformUser cs2=ADMIN cs3Label=IPAddresses cs3=10.10.10.1 msg=Platform version: 10.9.15.0 x64 Desktop application
-->
<decoder name= "fap-cef-logon">
<prematch>CEF:0\|Foresight\|Foresight Analytics Platform\|\d+.\d+.\d+\|FSAP_EV_LOGONS_IN\|AuditLog\|Unknown\|</prematch>
</decoder>
<decoder name="fap-cef-logon-fields">
<parent>fap-cef-logon</parent>
<regex>act=(\.+) cs1Label=(\.+) cs1=(\.+) rt=(\.+) outcome=(\.+) shost=(\.+) suser=(\.+) cs2Label=(\.+) cs2=(\.+) cs3Label=(\.+) cs3=(\.+) msg=(\.*)</regex>
<order>audit.act, audit.cs1Label, audit.cs1, audit.rt, audit.outcome, audit.shost, audit.suser, audit.cs2Label, audit.cs2, audit.cs3Label, audit.cs3, audit.msg</order>
</decoder>
To parse other events, create decoders similarly to that in the example.
See also:
Support of Work with Security Information and Event Management Systems