
dpkg decoder does not notice removal of certain packages #890

Open
MIPMHannes opened this issue Jan 3, 2025 · 0 comments


MIPMHannes commented Jan 3, 2025

I run Wazuh 4.9.2.
This issue appears on Ubuntu 20.04.

Issue

Removing packages from an agent is sometimes not registered with Wazuh. It does not appear in the logs.

When I removed this package zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 on an agent yesterday, nothing happened in the Wazuh log.
Other packages worked fine.
Here is the ruleset output:

```
**Messages:
	WARNING: (7003): '1827d631' token expires
	INFO: (7202): Session initialized with token '840fb87d'

**Phase 1: Completed pre-decoding.
	full event: '2025-01-02 14:39:12 remove zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 <none>'

**Phase 2: Completed decoding.
	name: 'dpkg-decoder'
	arch: '5.4.12-1+ubuntu18.04'
	dpkg_status: 'remove zabbix-agent:amd64'
	package: '1'
	version: '<none>'

**Phase 3: Completed filtering (rules).
	id: '2900'
	level: '0'
	description: 'Dpkg (Debian Package) log.'
	groups: '["syslog","dpkg"]'
	firedtimes: '1'
	mail: 'false'
```

Cause

This happens with all the packages which have a second : in their name. For example:

- update-manager-core:all 1:20.04.10.23
- python3-update-manager:all 1:20.04.10.23
- iputils-tracepath:amd64 3:20190709-3ubuntu1

The additional : causes the first regex rule in the Decoder to match. The second regex rule would be correct.

Possible fix / possible workaround

Changing the order of the two regex rules in the dpkg decoder could be enough.
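As an added illustration (not the Wazuh decoder's code or its actual regex), the Python below reproduces the field shift seen in the Phase 2 output with a greedy pattern of the kind that treats the first colon after a space as the `package:arch` separator, and contrasts it with a token-based parse in which the first colon-bearing token after the timestamp is `package:arch`, so a version epoch such as `1:` stays in the version field. The `GREEDY` pattern and the sample lines are constructed for this example.

```python
import re
from typing import Dict, Optional

# Greedy pattern that reproduces the field assignment in the issue's Phase 2 output.
# Assumption: an illustrative stand-in for the decoder's first rule, NOT the
# regex actually shipped with Wazuh.
GREEDY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (.+) (.+):(\S+) (\S+)(?: \S+)?$")

# Constructed sample lines in dpkg.log format (not copied from a real host).
SAMPLE_LINES = [
    "2025-01-02 14:39:12 remove zabbix-agent:amd64 1:5.4.12-1+ubuntu18.04 <none>",
    "2025-01-02 14:40:00 remove curl:amd64 7.68.0-1ubuntu2.24 <none>",
    "2025-01-02 14:41:00 status installed iputils-tracepath:amd64 3:20190709-3ubuntu1",
]

def parse_greedy(line: str) -> Optional[Dict[str, str]]:
    """Mimic the misbehaving rule: the epoch colon is taken as the pkg:arch separator."""
    m = GREEDY.match(line)
    if not m:
        return None
    status, package, arch, version = m.groups()
    return {"dpkg_status": status, "package": package, "arch": arch, "version": version}

def parse_dpkg(line: str) -> Optional[Dict[str, str]]:
    """Token-based parse: the pkg:arch token is the first token after the timestamp
    that contains ':'; status words never do, and any later colon is a version epoch."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens[2:], start=2) if ":" in t), None)
    if len(tokens) < 5 or idx is None or idx < 3:
        return None  # startup/conffile lines and other shapes are not package events
    package, arch = tokens[idx].split(":", 1)
    versions = tokens[idx + 1:]
    return {
        "date": tokens[0], "time": tokens[1],
        "dpkg_status": " ".join(tokens[2:idx]),
        "package": package, "arch": arch,
        "version": versions[0],
        "new_version": versions[1] if len(versions) > 1 else "",
    }

def split_version(version: str):
    """Split a Debian version into (epoch, upstream, revision); a missing epoch is "0"."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision
```

Running `parse_greedy` over the first sample line yields exactly the shifted fields shown in the Phase 2 output, while the second (no epoch) line parses cleanly, which matches the observation that only epoch-versioned packages are affected.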
