diff --git a/Auditd/decoders/README.md b/Auditd/decoders/README.md
deleted file mode 100644
index cfc96af..0000000
--- a/Auditd/decoders/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-Use custom decoders rather than the ones provided by Wazuh. I was seeing issues during testing with their provided decoders.
-
-Remember to exclude Wazuh's default auditd decoder and rules within the `ossec.conf` of the manager:
-
-```
-
-
- ruleset/decoders
- ruleset/decoders/0040-auditd_decoders.xml
- ruleset/rules
- 0215-policy_rules.xml
- 0365-auditd_rules.xml
- etc/lists/audit-keys
- etc/lists/amazon/aws-eventnames
- etc/lists/security-eventchannel
- etc/lists/software-vendors
- etc/lists/common-ports
- etc/lists/rfc-1918
- etc/lists/cve
- etc/lists/malicious-powershell
- etc/lists/bash_profile
-
- etc/decoders
- etc/rules
-
- ```
diff --git a/Auditd/decoders/auditd-config_change.xml b/Auditd/decoders/auditd-config_change.xml
deleted file mode 100644
index 3cf57dd..0000000
--- a/Auditd/decoders/auditd-config_change.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-
- ^type=CONFIG_CHANGE
-
-
-
-
-
- auditd-config_change
-
- msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
- audit.id
-
-
-
- auditd-config_change
- auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+)
- audit.auid,audit.session,audit.subj,audit.op
-
-
-
- auditd-config_change
- key=\((\S+)\)|key="(\S+)"|key=(\S+)
- audit.key
-
-
-
- auditd-config_change
- list=(\S+)
- audit.list
-
-
-
- auditd-config_change
- res=(\S+)
- audit.res
-
diff --git a/Auditd/decoders/auditd-execve.xml b/Auditd/decoders/auditd-execve.xml
deleted file mode 100644
index 0862097..0000000
--- a/Auditd/decoders/auditd-execve.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-
- ^type=EXECVE
-
-
-
-
-
- auditd-execve
-
- msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
- audit.id
-
-
-
- auditd-execve
- argc=\d+ a0="(\.*)"
- audit.execve.a0
-
-
-
- auditd-execve
- a1="(\.*)"
- audit.execve.a1
-
-
-
- auditd-execve
- a2="(\.*)"
- audit.execve.a2
-
-
-
- auditd-execve
- a3="(\.*)"
- audit.execve.a3
-
-
-
- auditd-execve
- a4="(\.*)"
- audit.execve.a4
-
-
-
- auditd-execve
- a5="(\.*)"
- audit.execve.a5
-
-
-
- auditd-execve
- a6="(\.*)"
- audit.execve.a6
-
-
-
- auditd-execve
- a7="(\.*)"
- audit.execve.a7
-
diff --git a/Auditd/decoders/auditd-path.xml b/Auditd/decoders/auditd-path.xml
deleted file mode 100644
index 21ad6ec..0000000
--- a/Auditd/decoders/auditd-path.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-
- ^type=PATH
-
-
-
-
-
- auditd-path
-
- msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ rdev=\S+ nametype=(\S+)
- audit.id,audit.directory.name, audit.directory.inode, audit.directory.mode,audit.directory.nametype
-
-
-
- auditd-path
- type=PATH msg=audit\(\S+\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ |type=PATH msg=audit\(\S+\): item=\S+ name=\((null)\) inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+
- audit.file.name, audit.file.inode, audit.file.mode
-
diff --git a/Auditd/decoders/auditd-syscall.xml b/Auditd/decoders/auditd-syscall.xml
deleted file mode 100644
index b865238..0000000
--- a/Auditd/decoders/auditd-syscall.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-
- ^type=SYSCALL
-
-
-
-
-
-
- auditd-syscall
-
- msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
- audit.id
-
-
-
-
- auditd-syscall
- ^arch=(\S+) syscall=(\d+) success=(\S+) exit=(\S+) a0=\S+ a1=\S+ a2=\S+ a3=\S+ items=\S+ ppid=(\S+) pid=(\S+) auid=(\S+) uid=(\S+) gid=(\S+) euid=(\S+) suid=(\S+) fsuid=(\S+) egid=(\S+) sgid=(\S+) fsgid=(\S+) tty=(\S+) ses=(\S+) comm=\p(\S+)\p exe=\p(\S+)\p
- audit.arch,audit.syscall,audit.success,audit.exit,audit.ppid,audit.pid,audit.auid,audit.uid,audit.gid,audit.euid,audit.suid,audit.fsuid,audit.egid,audit.sgid,audit.fsgid,audit.tty,audit.session,audit.command,audit.exe
-
-
-
-
- auditd-syscall
- comm=\p*(\w+)\p*
- audit.command
-
-
-
-
- auditd-syscall
- exe=\p(\S+)\p
- audit.exe
-
-
-
-
- auditd-syscall
- key=\((\S+)\)|key="(\S+)"|key=(\S+)
- audit.key
-
diff --git a/Auditd/decoders/auditd-user_and_cred.xml b/Auditd/decoders/auditd-user_and_cred.xml
deleted file mode 100644
index 5587812..0000000
--- a/Auditd/decoders/auditd-user_and_cred.xml
+++ /dev/null
@@ -1,52 +0,0 @@
-
- ^type=
-
-
-
-
-
- auditd-user_and_cred
- ^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR|^CRYPTO_KEY_USER|^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE|^SERVICE_STOP
- ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
- audit.type,audit.id
-
-
-
- auditd-user_and_cred
- ^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+)
- audit.pid,audit.uid,audit.auid,audit.session
-
-
-
- auditd-user_and_cred
- subj=(\S+)
- audit.subj
-
-
-
- auditd-user_and_cred
- acct="(\S+)"
- audit.acct
-
-
-
- auditd-user_and_cred
- unit=(\S+)
- audit.unit
-
-
-
- auditd-user_and_cred
- exe="(\S+)"
- audit.exe
-
-
-
- auditd-user_and_cred
- addr=(\S+)
- srcip
-