
wazuh-logtest able to decode the mariadb log but no decoder in archive.json file for the same log


I am trying to push logs from CloudWatch to my Wazuh manager. I added the following configuration to my ossec.conf file and restarted, but I was not seeing the logs in the Wazuh Dashboard (Kibana).

  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>2m</interval>
    <run_on_start>yes</run_on_start>

    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>/aws/rds/instance/my-oltp-rds/audit</aws_log_groups>
      <regions>ap-south-1</regions>
      <only_logs_after>2023-APR-25</only_logs_after>
    </service>

  </wodle>

I turned on debugging and, after enabling logall_json, I get the following entry in archive.json. It suggests that no decoder picked up this log, which is the reason this log is not present in Wazuh/Kibana. What is the issue, and how do I fix it?

{
    "timestamp": "2023-04-25T20:34:32.597+0530",
    "agent": {
        "id": "000",
        "name": "REW-Wazuh"
    },
    "manager": {
        "name": "REW-Wazuh"
    },
    "id": "1682435072.11369736",
    "full_log": "DEBUG: The message is \"20230425 15:03:08,ip-10-30-0-100,karmendra,10.1.12.11,15514,681264,QUERY,REWOLTPDB,'/* ApplicationName=DataGrip 2022.3.2 */ select * from pg_transactions_thin',0,,\"",
    "decoder": {},
    "location": "aws-s3"
}

And when I run wazuh-logtest on the same log line, it does pick the mariadb-syslog decoder and even shows the rule being triggered.

20230425 15:03:08,ip-10-30-0-100,karmendra,10.1.12.11,15514,681264,QUERY,REWOLTPDB,'/* ApplicationName=DataGrip 2022.3.2 */ select * from pg_transactions_thin',0,,

**Phase 1: Completed pre-decoding.
        full event: '20230425 15:03:08,ip-10-30-0-100,karmendra,10.1.12.11,15514,681264,QUERY,REWOLTPDB,'/* ApplicationName=DataGrip 2022.3.2 */ select * from pg_transactions_thin',0,,'

**Phase 2: Completed decoding.
        name: 'mariadb-syslog'
        mariadb.action: 'QUERY'
        mariadb.host: '10.1.12.11'
        mariadb.ip: '10-30-0-100'
        mariadb.resource: 'REWOLTPDB,'/* ApplicationName=DataGrip 2022.3.2 */ select * from pg_transactions_thin',0,,'
        mariadb.username: 'karmendra'

**Phase 3: Completed filtering (rules).
        id: '88100'
        level: '0'
        description: 'MariaDB group messages.'
        groups: '['mariadb']'
        firedtimes: '1'
        mail: 'False'

Solution

  • It turned out to be an issue with Wazuh when debugging is on. As for why the logs were not appearing in Kibana, it is due to the fact that the log level for mariadb-syslog is set to 0; override it in local_rules.xml and it worked fine.

    More details and the entire discussion are here: https://github.com/wazuh/wazuh/issues/16874
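As an added example (not from the original post and not part of Wazuh's shipped ruleset), the local_rules.xml fragment below raises the level of the MariaDB audit events that rule 88100 leaves at level 0, so they are written to alerts.json and show up in the dashboard. It uses a child rule chained with if_sid instead of overwriting 88100, so the original rule's match conditions do not have to be copied. The rule ids 100100 and 100101, the levels, and the group name "local" are assumptions; 88100, the decoder name and the mariadb.* field names come from the wazuh-logtest output above.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml (not from the
     original post or from Wazuh's own ruleset). It raises the severity of
     MariaDB audit events decoded by mariadb-syslog, which rule 88100
     leaves at level 0. Rule ids 100100/100101, the levels and the "local"
     group are assumptions; custom rule ids must be 100000 or higher. -->
<group name="mariadb,local,">

  <!-- Child of the level-0 grouping rule 88100: every event that rule
       matches is re-emitted at level 3, the default log_alert_level, so
       it is written to alerts.json and indexed for the dashboard. -->
  <rule id="100100" level="3">
    <if_sid>88100</if_sid>
    <description>MariaDB audit event: $(mariadb.action) by $(mariadb.username)</description>
    <group>audit,</group>
  </rule>

  <!-- Narrower child: only QUERY events, at a higher level, matched on the
       decoded mariadb.action field shown in the wazuh-logtest output.
       <field> takes a regex, hence the ^ and $ anchors. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="mariadb.action">^QUERY$</field>
    <description>MariaDB query by $(mariadb.username) from $(mariadb.host)</description>
  </rule>

</group>
```

Before restarting the manager, feed the same audit line to /var/ossec/bin/wazuh-logtest again: Phase 3 should now report rule 100101 at level 5 instead of 88100 at level 0. Then restart with systemctl restart wazuh-manager. If you prefer to change 88100 itself, add overwrite="yes" to a rule with that id in local_rules.xml, but note that an overwritten rule replaces the original entirely, so its decoded_as and any other match conditions must be reproduced, which is why the child-rule form is used here.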