WARNING: This library is under development and may break
Libdecoder is a library created to replace Wazuh analysisd. It's written in C and is as fast as possible.
Libraries used for libdecoder
- pcre2 + JIT: Fastest regex, used for match + capture groups
- yyjson: Fastest json parsing library for C
Author @souzomain
Clickdecoder works like Wazuh decoders.
- Decoder: main structure; it holds the "name", "prematch" ("match"), "full_log", "tags", "product" and the list of "parents".
  - name(str): the name of the decoder
  - match(regex): the "prematch" run against the log; only when it matches are the "parents" executed
  - full_log(bool): flag that defines whether the decoder puts the entire original "log" in the field ".full_log"
  - tags(array(str)): tags set on the final decoded log
  - product(str): the product this decoder targets
- Parents: parents are executed after the decoder "match" succeeds.
  - description(str): human-readable description of the parent
  - action(Enum(decoder_parent_action_t)): the action to perform, e.g. decode, get, rename, delete. Look at decoder_parent_action_t
  - helper(str): used for decoding
  - from_field(str): perform the action on this field
  - to_field(str): send the action result to this field
  - expression(regex): array of regular expressions, whose capture groups are linked to fields
  - expression_fields(array(str)): array of field names that receive the values of the "expression" capture-group matches
Look at src/decoder.h. This file contains the core structure used by libdecoder.
If you have more time, look at tests/0_test.c. This file contains more implementations and tests.
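As an added illustration (not code from libdecoder itself), the following Python model shows how the pieces above fit together: the prematch gates the decoder, then each parent runs its action on from_field, with "decode" mapping regex capture groups onto expression_fields. The sshd sample line, the decoder definition and the field names are constructed for this example; the library's real struct/JSON layout, the "get" action and "helper" are not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed model of the decoder layout described above; names follow the README.
# The real struct/JSON layout (src/decoder.h), the "get" action and "helper" are not modelled.
@dataclass
class Parent:
    action: str                      # decode, rename or delete
    from_field: str = "log"
    to_field: Optional[str] = None
    expression: Optional[str] = None
    expression_fields: list = field(default_factory=list)

@dataclass
class Decoder:
    name: str
    match: str                       # the "prematch" regex
    parents: list
    full_log: bool = False
    tags: list = field(default_factory=list)
    product: str = ""

def run_decoder(dec, log):
    """Return the decoded event dict, or None when the prematch does not fire."""
    if not re.search(dec.match, log):
        return None
    ev = {"log": log, "decoder": dec.name, "product": dec.product}
    if dec.full_log:
        ev["full_log"] = log          # keep the entire original line
    for p in dec.parents:
        src = ev.get(p.from_field)
        if src is None:
            continue                  # field absent: skip this parent, do not fail the decode
        if p.action == "decode":
            m = re.search(p.expression, src)
            if m:                     # capture groups map, in order, onto expression_fields
                ev.update(zip(p.expression_fields, m.groups()))
        elif p.action == "rename" and p.to_field:
            ev[p.to_field] = ev.pop(p.from_field)
        elif p.action == "delete":
            del ev[p.from_field]
    ev["tags"] = list(dec.tags)
    return ev

# constructed sample sshd line and a decoder for it
SAMPLE = "Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2"
SSHD = Decoder(name="sshd", match=r"^Failed password", product="openssh", tags=["auth", "ssh"],
    full_log=True, parents=[Parent("decode", expression=r"user (\S+) from (\S+) port (\d+)",
                                   expression_fields=["srcuser", "srcip", "srcport"]),
                            Parent("rename", from_field="srcuser", to_field="user"),
                            Parent("delete", from_field="log")])
```

Calling run_decoder(SSHD, SAMPLE) yields user, srcip and srcport fields plus full_log and tags, while a line that fails the prematch returns None.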
Build:
mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug
make
This will generate the cmake lsp config.