
Wazuh Log Flow: Decoders, Rules and Alerts

Understand how Wazuh processes logs: pre-decoder, decoder, rules and alerts. Configure notifications by email, Discord or Slack.


When a log reaches Wazuh, it goes through four phases: pre-decoder (extracts the date and program), decoder (extracts fields with regex), rules (checks whether the event is relevant) and alert generation (if the rule matches, Wazuh notifies by email, Discord or Slack).

How do logs flow through Wazuh from entry to alert?

When a log enters Wazuh, it goes through several processing phases until it becomes an alert visible in the dashboard or sent by email/Discord/Slack. Understanding this flow is essential to create custom rules and configure effective alerts.


Log processing flow

1. Log enters → Wazuh receives the log from the agent or syslog
2. Pre-decoder → Extracts timestamp, hostname, program
3. Decoder → Extracts specific variables (user, IP, action)
4. Rules → Evaluates whether it matches a rule and assigns a level
5. Indexing → Stored in the database if it exceeds the threshold
6. Alert → Sends a notification according to the configuration

1. Pre-decoder

The first processing phase. The pre-decoder extracts the basic fields from the log:

  • Timestamp: Date and time of the event
  • Hostname: Name of the machine that generates the log
  • Program: Application that generates the log (sshd, apache, etc.)

It normalizes the format so the decoder can work with a structured log.

2. Decoder

The decoder analyzes the log content and extracts specific variables using regular expressions. For example, take this SSH log line:

Feb 14 12:30:45 server sshd[1234]: Failed password for admin from 192.168.1.100 port 22 ssh2

The decoder extracts:

  • User: admin
  • Source IP: 192.168.1.100
  • Port: 22
  • Result: Failed (failed attempt)

3. Rules

Rules evaluate the fields extracted by the decoder. If the log matches a rule, an event is generated with a severity level (0-15).

  • Level 0-3: Informational, usually not indexed
  • Level 4-7: Events of interest, indexed
  • Level 8-11: Important alerts
  • Level 12-15: Critical, requires immediate action

Rules can inherit from other parent rules using if_sid, allowing you to build detection hierarchies.

4. Indexing

Events that exceed the configured level threshold are indexed in the database (Elasticsearch/OpenSearch) and appear in the Wazuh dashboard.
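To make the four phases concrete, here is an added example (not Wazuh's code, and not from the article) that emulates the pipeline in Python on the article's own SSH line: a pre-decoder regex for the syslog header, a program-keyed decoder, a rule tree where children are only evaluated after their if_sid parent matched (including a frequency child that fires after repeated failures from the same source IP), and the indexing threshold. The rule IDs and levels (5700/5716/5720) mirror Wazuh's stock sshd hierarchy, but the regexes, the Rule class and the log_alert_level parameter are this example's own simplifications.

```python
"""Constructed emulation of Wazuh's pre-decoder -> decoder -> rules -> indexing flow.
Not Wazuh code; the regexes are simplified versions of the stock sshd decoder."""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The article's sample line, parameterised on the seconds field so we can replay it.
def sample_line(second: int) -> str:
    return (f"Feb 14 12:30:{second:02d} server sshd[1234]: "
            "Failed password for admin from 192.168.1.100 port 22 ssh2")

# --- Phase 2: pre-decoder: syslog header -> timestamp / hostname / program / message
PREDECODER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<message>.*)$")

def predecode(line: str) -> Optional[dict]:
    m = PREDECODER_RE.match(line)
    return m.groupdict() if m else None

# --- Phase 3: decoders, keyed by program name (like Wazuh's <program_name> selector)
DECODERS = {
    "sshd": [
        ("sshd-failed", re.compile(
            r"^Failed password for (?:invalid user )?(?P<srcuser>\S+) "
            r"from (?P<srcip>\S+) port (?P<srcport>\d+)")),
        ("sshd-success", re.compile(
            r"^Accepted (?:password|publickey) for (?P<srcuser>\S+) "
            r"from (?P<srcip>\S+) port (?P<srcport>\d+)")),
    ],
}

def decode(pre: dict) -> dict:
    for name, regex in DECODERS.get(pre["program"], []):
        m = regex.match(pre["message"])
        if m:
            return {"decoder": name, **m.groupdict()}
    return {"decoder": None}

# --- Phase 4: rules. A child rule is only evaluated once its if_sid parent matched.
@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None    # parent rule id
    program: Optional[str] = None   # like <program_name>
    decoder: Optional[str] = None   # like <decoded_as>
    frequency: int = 0              # like <frequency> + <timeframe> + <same_source_ip>
    timeframe: int = 0
    same_field: Optional[str] = None

RULES = [  # ids/levels mirror the stock sshd hierarchy; objects are constructed here
    Rule(5700, 0, "SSHD messages grouped.", program="sshd"),
    Rule(5716, 5, "sshd: authentication failed.", if_sid=5700, decoder="sshd-failed"),
    Rule(5720, 10, "sshd: Multiple authentication failures.", if_sid=5716,
         frequency=8, timeframe=120, same_field="srcip"),
]

def _matches(rule: Rule, pre: dict, fields: dict, state: dict, t: datetime) -> bool:
    if rule.program and pre["program"] != rule.program:
        return False
    if rule.decoder and fields.get("decoder") != rule.decoder:
        return False
    if rule.frequency:  # sliding window of parent matches per (rule, same_field value)
        window = state.setdefault((rule.id, fields.get(rule.same_field)), deque())
        window.append(t)
        while (t - window[0]).total_seconds() > rule.timeframe:
            window.popleft()
        return len(window) >= rule.frequency
    return True

def evaluate(pre: dict, fields: dict, state: dict, t: datetime,
             parent: Optional[int] = None) -> Optional[Rule]:
    """Walk the rule tree; the deepest (most specific) matching rule wins."""
    for rule in RULES:
        if rule.if_sid == parent and _matches(rule, pre, fields, state, t):
            return evaluate(pre, fields, state, t, parent=rule.id) or rule
    return None

# --- Phase 5: indexing threshold (emulates <alerts><log_alert_level>, stock default 3)
def process(line: str, state: dict, log_alert_level: int = 3) -> Optional[dict]:
    """Return the alert record for this line, or None if the event is dropped."""
    pre = predecode(line)
    if pre is None:
        return None
    fields = decode(pre)
    t = datetime.strptime(pre["timestamp"], "%b %d %H:%M:%S")
    rule = evaluate(pre, fields, state, t)
    if rule is None or rule.level < log_alert_level:
        return None
    return {"rule_id": rule.id, "level": rule.level, "description": rule.description,
            "hostname": pre["hostname"], "program": pre["program"], **fields}

if __name__ == "__main__":
    st = {}
    for i in range(8):  # eight failures within 120 s: the last one escalates to 5720
        print(process(sample_line(45 + i), st))
```

The state dictionary carries the frequency windows between calls, which is what turns eight isolated level-5 events into one level-10 alert; a successful login decodes fine but only reaches the level-0 parent rule and is dropped at the threshold.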

5. Alerts

Depending on the configuration, events can trigger alerts through different channels:

  • Email: SMTP configured in ossec.conf
  • Discord: Webhook integration
  • Slack: Webhook integration
  • TheHive: Create cases automatically
  • PagerDuty: Incident escalation

Alert configuration is done in the manager's ossec.conf, using the <integration> block.
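As an added example of how those ossec.conf settings decide which channel fires (this is not Wazuh's integrator code, and the hosts and hook URLs are placeholders), the following Python parses a constructed ossec.conf fragment with the email settings plus two <integration> blocks, then routes sample alerts.json records. It assumes Wazuh's documented filter semantics: <level> is a minimum level, <rule_id> and <group> are comma-separated lists, and all filters present in one block must agree. The custom-discord block is a reminder that non-built-in channels need a script of the same name in /var/ossec/integrations/.

```python
"""Constructed emulation of alert routing from ossec.conf; not Wazuh code."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; SMTP host, addresses and hook URLs are placeholders.
OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>smtp.example.invalid</smtp_server>
    <email_from>wazuh@example.invalid</email_from>
    <email_to>soc@example.invalid</email_to>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <integration>
    <name>slack</name>
    <hook_url>https://hooks.slack.com/services/PLACEHOLDER</hook_url>
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>
  <integration>
    <!-- custom-* names require /var/ossec/integrations/custom-discord to exist -->
    <name>custom-discord</name>
    <hook_url>https://discord.com/api/webhooks/PLACEHOLDER</hook_url>
    <rule_id>5716,5720</rule_id>
    <group>authentication_failed</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

def _text(node, tag, default=None):
    el = node.find(tag) if node is not None else None
    return el.text.strip() if el is not None and el.text else default

def load_config(xml_text: str) -> dict:
    """Pull out the routing-relevant parts: email threshold and integration filters."""
    root = ET.fromstring(xml_text)
    glob, alerts = root.find("global"), root.find("alerts")
    cfg = {
        "email_enabled": _text(glob, "email_notification", "no") == "yes",
        "email_alert_level": int(_text(alerts, "email_alert_level", "12")),
        "integrations": [],
    }
    for node in root.findall("integration"):
        cfg["integrations"].append({
            "name": _text(node, "name"),
            "hook_url": _text(node, "hook_url"),
            "level": int(_text(node, "level", "0")),
            "rule_ids": {r.strip() for r in _text(node, "rule_id", "").split(",") if r.strip()},
            "groups": {g.strip() for g in _text(node, "group", "").split(",") if g.strip()},
        })
    return cfg

def route(alert: dict, cfg: dict) -> list:
    """Return the channel names that fire for one alerts.json-style record."""
    rule = alert["rule"]
    channels = []
    if cfg["email_enabled"] and rule["level"] >= cfg["email_alert_level"]:
        channels.append("email")
    for integ in cfg["integrations"]:
        if rule["level"] < integ["level"]:
            continue
        if integ["rule_ids"] and str(rule["id"]) not in integ["rule_ids"]:
            continue
        if integ["groups"] and not (integ["groups"] & set(rule.get("groups", []))):
            continue
        channels.append(integ["name"])
    return channels

# Constructed records in the shape of alerts.json (rule.id is a string there).
ALERTS = [
    {"rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
              "groups": ["syslog", "sshd", "authentication_failed"]},
     "agent": {"name": "server"}, "data": {"srcip": "192.168.1.100", "srcuser": "admin"}},
    {"rule": {"id": "5720", "level": 10, "description": "sshd: Multiple authentication failures.",
              "groups": ["syslog", "sshd", "authentication_failures"]},
     "agent": {"name": "server"}, "data": {"srcip": "192.168.1.100"}},
    {"rule": {"id": "100200", "level": 12, "description": "Constructed custom critical rule.",
              "groups": ["local", "custom"]},
     "agent": {"name": "server"}, "data": {}},
]

if __name__ == "__main__":
    cfg = load_config(OSSEC_CONF)
    for alert in ALERTS:
        print(alert["rule"]["id"], alert["rule"]["level"], "->", route(alert, cfg))
```

The second record shows the AND semantics: rule 5720 is listed in the Discord block, but its groups do not include authentication_failed, so only Slack fires; the level-12 custom rule reaches email and Slack but not Discord, whose rule_id list does not contain it.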

Flow summary

| Phase | Function | Location |
|---|---|---|
| Pre-decoder | Extracts basic fields | /var/ossec/etc/decoders/ |
| Decoder | Extracts specific variables | /var/ossec/etc/decoders/ |
| Rules | Evaluates and assigns a level | /var/ossec/etc/rules/ |
| Alerts | Notifies via channel | /var/ossec/etc/ossec.conf |

Next steps

Our team can help you create custom decoders and rules, and set up integrations with Discord and Slack as part of a professional Wazuh deployment. Learn about professional implementation.
