Can't Delete Rules and Decoders in Wazuh 5.0 Spaces


Jörg Schin.

Jun 26, 2026, 1:51:03 AM
to Wazuh | Mailing List

Hi Wazuh Team,

I've been getting familiar with Wazuh 5.0 since last week. I followed a guide on creating decoders, rules, etc., and then started writing and promoting my own.

A few days ago, I wanted to perform a complete reset and delete all custom rules, decoders, and related objects.

In Security Analytics → Overview → Integrations, I deleted the corresponding entries in the Draft space. However, they still exist in the Test and Custom spaces. Unfortunately, I can no longer delete these rules in the Test or Custom spaces because deletion is only allowed in the Draft space.

How can I completely remove all rules and decoders?

I also noticed that under:

  • Normalization → Decoders
  • Detection → Rules

the rules and decoders are no longer present in the Draft space, but they are still visible in the Test and Custom spaces.

I have the impression that after the rules and decoders were indexed, and I immediately deleted them from the Draft space via Overview, some kind of internal ID or reference may have been lost. As a result, the objects still exist in the Test and Custom spaces, but they can no longer be managed or deleted.

I also searched through the indices to try to locate the corresponding rule and decoder documents so I could delete them manually using curl, but I couldn't find any of them.

Am I simply overlooking something, or is this a known issue because Wazuh 5.0 is currently still in beta? 🙂

Best regards,



Jörg Schin.

Jun 26, 2026, 2:50:16 AM
to Wazuh | Mailing List
I was able to delete the decoder via API:



Use the GUI first to identify the decoder ID, then remove everything that references it with a few manual API calls.

In the Wazuh GUI, open the decoder or the related integration/policy entry and note the decoder ID, for example 559c4252-b828-4c79-af43-a63026e2e003. After that, use Dev Tools in OpenSearch Dashboards to delete all matching entries from the threatintel indices.



POST wazuh-threatintel-decoders-b/_delete_by_query?refresh=true
{
  "query": {
    "term": {
      "document.id.keyword": "559c4252-b828-4c79-af43-a63026e2e003"
    }
  }
}



POST wazuh-threatintel-integrations-b/_delete_by_query?refresh=true
{
  "query": {
    "term": {
      "document.decoders.keyword": "559c4252-b828-4c79-af43-a63026e2e003"
    }
  }
}


POST wazuh-threatintel-policies-b/_delete_by_query?refresh=true
{
  "query": {
    "term": {
      "document.root_decoder.keyword": "559c4252-b828-4c79-af43-a63026e2e003"
    }
  }
}



Then verify that nothing is left:

GET wazuh-threatintel-*/_search
{
  "query": {
    "query_string": {
      "query": "\"559c4252-b828-4c79-af43-a63026e2e003\"",
      "lenient": true
    }
  }
}

If the search still returns decoder documents, delete the remaining entries directly by their OpenSearch document _id.
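
Added example, not part of the original post or of Wazuh's own tooling: the same cleanup written as a count-first routine that refuses an empty or malformed ID, deletes only when `dry_run` is off, and returns whatever the verification search still finds. The `send` transport, the `fake_cluster` stand-in and the sample documents are constructed assumptions; the index and field names are the ones from the post.

```python
import uuid

# Index/field pairs exactly as given in the post above.
REFERENCES = [
    ("wazuh-threatintel-decoders-b", "document.id.keyword"),
    ("wazuh-threatintel-integrations-b", "document.decoders.keyword"),
    ("wazuh-threatintel-policies-b", "document.root_decoder.keyword"),
]

def purge_decoder(decoder_id, send, dry_run=True):
    """Count, optionally delete, then verify. `send(method, path, body)` is a
    caller-supplied transport (hypothetical) that returns the parsed JSON reply."""
    uuid.UUID(decoder_id)  # ValueError on empty or malformed IDs, before any request
    report = {}
    for index, field in REFERENCES:
        body = {"query": {"term": {field: decoder_id}}}
        matched = send("POST", f"/{index}/_count", body)["count"]
        deleted = 0
        if matched and not dry_run:
            reply = send("POST", f"/{index}/_delete_by_query?refresh=true", body)
            deleted = reply["deleted"]
        report[index] = {"matched": matched, "deleted": deleted}
    verify = {"query": {"query_string": {"query": f'"{decoder_id}"', "lenient": True}}}
    hits = send("POST", "/wazuh-threatintel-*/_search", verify)["hits"]["hits"]
    report["leftover"] = [(h["_index"], h["_id"]) for h in hits]
    return report

def fake_cluster(docs):
    """Constructed in-memory stand-in for the indexer so the example runs offline.
    docs has the shape {index: {_id: {flat_field: value}}}."""
    def send(method, path, body):
        index, action = path.strip("/").split("/")
        action = action.split("?")[0]
        if action == "_search":
            needle = body["query"]["query_string"]["query"].strip('"')
            return {"hits": {"hits": [{"_index": i, "_id": d}
                    for i, ds in docs.items() for d, src in ds.items()
                    if needle in src.values()]}}
        (field, value), = body["query"]["term"].items()
        ids = [d for d, src in docs[index].items() if src.get(field) == value]
        if action == "_count":
            return {"count": len(ids)}
        for d in ids:
            del docs[index][d]
        return {"deleted": len(ids)}
    return send

DECODER = "559c4252-b828-4c79-af43-a63026e2e003"  # example ID from the post
```

Against a real indexer, `send` would wrap an authenticated HTTPS request; any `leftover` entries are the documents the post says to delete by their `_id`.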

Marcel Kemp

Jun 26, 2026, 5:36:57 AM
to Wazuh | Mailing List
Hi Jörg, 

I’m glad you were able to sort out the problem.

For future reference, the usual way to delete rules found in test or custom spaces is via promotion, as these spaces are immutable and can only be modified through promotions.
Therefore, you would need to delete the rules in the draft and promote them to the relevant spaces, so that they are deleted in that way.

Ankit Tyagi

Jun 26, 2026, 8:02:51 AM
to Jörg Schin., Wazuh | Mailing List
Hello Jörg,

Any chance you explored whether version 5.0 provides reporting capabilities where we can extract full-length reports in PDF format and send them via email as native capabilities?


Warm Regards
Ankit Tyagi



Jörg Schin.

Jun 27, 2026, 8:33:47 AM
to Wazuh | Mailing List

Hi Marcel,

Thank you very much for your quick response and for the clarification.

Next week I'll create a few test rules and decoders again and carefully go through the recommended workflow instead of simply deleting them as I did before.

I just have one question. If I delete a rule from the Draft space, it disappears immediately and I can no longer promote it. Could you clarify whether deleting a rule in Draft should create a pending deletion that can then be promoted to Test and Custom, or am I missing a step in the workflow?

Thanks again for your help!

Best regards,

Jörg

Jörg Schin.

Jun 27, 2026, 8:40:06 AM
to Wazuh | Mailing List

Hi Ankit,

What exactly do you mean by a full-length report?

Wazuh 5.0 includes a PDF export feature in the Wazuh Dashboards for agent-related views. However, from what I've seen so far, it appears to generate more of a snapshot of the current dashboard view (e.g., Agent Alerts, Vulnerabilities, etc.). I haven't had much time to explore this feature in detail yet.

Apart from that, the OpenSearch version used by the Wazuh Indexer should also provide reporting capabilities, including PDF generation and email delivery. However, as far as I know, this functionality needs to be configured first.

Best regards,

Jörg
