Upload files to "configs"

configs/local_decoder.xml

@@ -0,0 +1,75 @@
+<!-- Local Decoders -->
+
+<!-- Modify it at your will. -->
+<!-- Copyright (C) 2015, Wazuh Inc. -->
+
+<!--
+  - Allowed static fields:
+  - location   - where the log came from (only on FTS)
+  - srcuser    - extracts the source username
+  - dstuser    - extracts the destination (target) username
+  - user       - an alias to dstuser (only one of the two can be used)
+  - srcip      - source ip
+  - dstip      - dst ip
+  - srcport    - source port
+  - dstport    - destination port
+  - protocol   - protocol
+  - id         - event id
+  - url        - url of the event
+  - action     - event action (deny, drop, accept, etc)
+  - status     - event status (success, failure, etc)
+  - extra_data - Any extra data
+-->
+
+<decoder name="pfsense-wrapped">
+  <prematch>filterlog</prematch>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex>filterlog\S* \S*,\S*,\S*,(\S*),\S*,\S*,(\S*),</regex>
+  <order>id,action</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,(\S*),\S*,(\S*),(\S*),</regex>
+  <order>protocol,srcip,dstip</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">(\d*),(\d*),\S*</regex>
+  <order>srcport,dstport</order>
+</decoder>
+
+<decoder name="pfsense-wrapped-fields">
+  <parent>pfsense-wrapped</parent>
+  <regex offset="after_regex">datalength=(\S*)|(\d*)</regex>
+  <order>length</order>
+</decoder>
+
+<decoder name="mailcow-journald-unwrap">
+  <prematch>postfix\(\d+\): \w+ \d+ \d+:\d+:\d+ \w+ \.+\(\d+\):</prematch>
+</decoder>
+
+<decoder name="mailcow-journald-unwrap-child">
+  <parent>mailcow-journald-unwrap</parent>
+  <regex offset="after_parent">\.+</regex>
+  <order>extra_data</order>
+</decoder>
+
+<!-- Gitea: matches lines like:
+     2026/05/29 14:19:59 routers/web/auth/auth.go:309:SignInPost() [W] Failed authentication attempt...
+     2026/05/29 14:19:59 HTTPRequest [I] router: completed POST /user/login for ...
+-->
+<decoder name="gitea">
+  <program_name>gitea</program_name>
+</decoder>
+
+<decoder name="gitea-auth-fail">
+  <parent>gitea</parent>
+  <prematch>Failed authentication attempt</prematch>
+  <regex>Failed authentication attempt for (\S+) from (\d+.\d+.\d+.\d+)</regex>
+  <order>user, srcip</order>
+</decoder>