ruleset hot reload problem


DK

Jan 21, 2026, 9:04:24 AM
to Wazuh | Mailing List
Hello!
I have a cluster with 1 master and 2 workers.
I updated Wazuh to version 4.14.2 and encountered an issue when changing rules.
When I change them in the web interface, I click the "Save" and "Reload" buttons. Everything seems to work correctly, no errors. If I look at the rules file management, the changes are saved.
The logs show the events "wazuh-analysisd INFO  Ruleset reloaded successfully" and "wazuh-analysisd INFO  Reloading ruleset".
However, the changes aren't actually applied. The system is running using the old rules file. If I perform a full restart, the changed rules are applied correctly.
What could be the problem?

Julián Morales

Jan 21, 2026, 9:59:21 AM
to DK, Wazuh | Mailing List
Hi laboulle1987,

`wazuh-analysisd INFO  Ruleset reloaded successfully` -> If you see this message in the ossec.log log, it means that the ruleset was reloaded correctly. What we need to analyze is whether the files on the master and workers are up to date at the time of reloading.

Have you seen this message on the master and workers? How did you detect that it has not been updated?



DK

Jan 22, 2026, 12:23:23 AM
to Wazuh | Mailing List
Hi, Julián Morales!
I change the level and description in a custom rule, save and reload. With "Manage rules files" I see that the file is changed.
Logs on master after reload:
Jan 22, 2026 @ 07:56:44.000 wazuh-analysisd INFO Reloading ruleset
Jan 22, 2026 @ 07:56:44.000 wazuh-analysisd INFO Ruleset reloaded successfully
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:router INFO Loaded router module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:content_manager INFO Loaded content_manager module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:inventory-harvester INFO Loaded Inventory harvester module.

Logs on both workers are the same:
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:router INFO Loaded router module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:content_manager INFO Loaded content_manager module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:inventory-harvester INFO Loaded Inventory harvester module.

But the changes aren't applied, and the level and descriptions remain the same. Only a restart will apply the changes.
On Wednesday, January 21, 2026 at 17:59:21 UTC+3, Julián Morales wrote:

Julián Morales

Jan 22, 2026, 9:12:49 AM
to DK, Wazuh | Mailing List
Hi laboulle1987,


I see that in the master you have the logs for `Reloading ruleset` and `INFO Ruleset reloaded successfully`, but you didn't share them in the workers. 
It may take a while for the workers to synchronize, but eventually you should see those logs.
Until you see the log `INFO Ruleset reloaded successfully` on the workers, the workers will continue to process events with the old ruleset. 

Can you check if you see those logs on the workers?



DK

Jan 22, 2026, 11:58:03 PM
to Wazuh | Mailing List
Hi, Julián Morales!
I checked and waited, but there are no such logs on the workers. They definitely get the command because there are logs at the same time from wazuh-modulesd, but no logs from wazuh-analysisd.
The problem is probably clear. What could be the cause and how can I fix it?

On Thursday, January 22, 2026 at 17:12:49 UTC+3, Julián Morales wrote:

Julián Morales

Jan 26, 2026, 10:24:26 AM
to DK, Wazuh | Mailing List

Hi laboulle1987,
> What could be the cause and how can I fix it?

This is what we need to figure out. Let's start by looking for a log like this in the workers: `Reloading ruleset`.
Use the command `grep -i "Reloading ruleset" ossec.log`; this log is generated after the ruleset has been reloaded on the master, so try searching for it with grep.

If this log does not appear in the workers, it is because you have not attempted to reload. It would be helpful if you could analyze or share the cluster.log (located in /var/ossec/logs), as there may be information of interest in the next few minutes after reloading the rules on the master.




DK

Jan 27, 2026, 7:12:34 AM
to Wazuh | Mailing List
Hi, Julián Morales!
`grep -i "Reloading ruleset" ossec.log` gives no result on the workers.
There is an error in cluster.log:
2026/01/27 09:40:37 INFO: [Worker wazuh-manager-worker-0] [Integrity sync] Files to create: 0 | Files to update: 1 | Files to delete: 0
2026/01/27 09:40:37 ERROR: [Worker wazuh-manager-worker-0] [Integrity sync] Error synchronizing files: 'coroutine' object has no attribute 'is_ok'
2026/01/27 09:40:37 INFO: [Worker wazuh-manager-worker-0] [D API] Receiving request: reload_ruleset from master (416836)
There are no other errors.
Seems like the problem is here.
On Monday, January 26, 2026 at 18:24:26 UTC+3, Julián Morales wrote:

Julián Morales

Jan 27, 2026, 11:02:27 AM
to DK, Wazuh | Mailing List
Hi!,

There is a synchronization problem, which is why the ruleset is not reloading on the workers.
Could you create an issue at github.com/wazuh/wazuh/issues with the necessary information to replicate it?
OS version, Wazuh version, number of workers, steps you followed to update the Wazuh version, which version you were using before, etc.

This will allow the development team to evaluate it and find a solution to this problem.

Regards



DK

Jan 28, 2026, 4:05:43 AM
to Wazuh | Mailing List
Hi, Julián Morales!
Thanks for your help. We found a bug in the code for v4.14.2.
This fix worked for me:
https://github.com/wazuh/wazuh/pull/34161/changes
Now ruleset hot reload works well.
On Tuesday, January 27, 2026 at 19:02:27 UTC+3, Julián Morales wrote:

Julián Morales

Jan 30, 2026, 8:04:27 AM
to DK, Wazuh | Mailing List

Good catch DK!!

Thanks for the PR, we've already merged it and the change will be in production in the next release patch.

ref: https://github.com/wazuh/wazuh/issues/34174
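
The worker-side check walked through in this thread (look for the reload messages in a worker's ossec.log, then inspect cluster.log around the reload request), as an added shell example that is not from the posters or the Wazuh project. The function name and verdict strings are hypothetical, both logs are assumed to start each line with a `YYYY/MM/DD HH:MM:SS` timestamp, and the ossec.log sample line is constructed.

```sh
#!/bin/sh
# Added example, not Wazuh code: on a worker, was the last reload_ruleset
# request from the master followed by an analysisd reload?
# Assumption: both logs start each line with "YYYY/MM/DD HH:MM:SS".

# Prints a verdict. Returns 0 = reloaded, 1 = requested but not reloaded,
# 2 = no reload request found in cluster.log.
check_worker_reload() {
    cluster_log=$1
    ossec_log=$2
    # Timestamp of the most recent reload request received from the master.
    req_ts=$(grep 'Receiving request: reload_ruleset' "$cluster_log" |
        tail -n 1 | cut -d' ' -f1,2)
    if [ -z "$req_ts" ]; then
        echo "NO_REQUEST"
        return 2
    fi
    # This timestamp layout sorts lexically, so a string compare is enough.
    if awk -v ts="$req_ts" '
        ($1 " " $2) >= ts && /wazuh-analysisd/ && /Ruleset reloaded successfully/ { ok = 1 }
        END { exit !ok }' "$ossec_log"; then
        echo "RELOADED after $req_ts"
        return 0
    fi
    # Count integrity sync failures logged on the day of the request.
    day=${req_ts%% *}
    errs=$(grep "^$day" "$cluster_log" | grep -c 'Error synchronizing files' || true)
    echo "STALE since $req_ts, integrity sync errors that day: $errs"
    return 1
}

# Sample input: the cluster.log lines are the ones quoted in this thread; the
# ossec.log line is constructed in the assumed file format.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cluster.log" <<'EOF'
2026/01/27 09:40:37 INFO: [Worker wazuh-manager-worker-0] [Integrity sync] Files to create: 0 | Files to update: 1 | Files to delete: 0
2026/01/27 09:40:37 ERROR: [Worker wazuh-manager-worker-0] [Integrity sync] Error synchronizing files: 'coroutine' object has no attribute 'is_ok'
2026/01/27 09:40:37 INFO: [Worker wazuh-manager-worker-0] [D API] Receiving request: reload_ruleset from master (416836)
EOF
cat > "$demo_dir/ossec.log" <<'EOF'
2026/01/27 09:40:35 wazuh-modulesd:router: INFO: Loaded router module.
EOF
check_worker_reload "$demo_dir/cluster.log" "$demo_dir/ossec.log" || echo "(exit status $?)"
rm -rf "$demo_dir"
```

A return value of 1 on a worker means it is still evaluating events with the old ruleset even though the master reported a successful reload.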
