issue with local_rules.xml


Hunter Goncalves

Nov 7, 2025, 1:35:24 PM
to Wazuh | Mailing List
Hi everyone. I am having an issue with the local_rules.xml file. I have checked with validators and there are no errors in the XML file. There is also no line 43, which is what the error points to:

Thank you

hgoncalves@ip-10-16-1-248:~$ sudo systemctl status wazuh-manager
× wazuh-manager.service - Wazuh manager
     Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2025-11-07 13:30:01 EST; 3s ago
   Duration: 11min 27.589s
    Process: 2153538 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)
        CPU: 1.048s

Nov 07 13:30:00 ip-10-16-1-248 systemd[1]: Starting wazuh-manager.service - Wazuh manager...
Nov 07 13:30:01 ip-10-16-1-248 env[2153566]: 2025/11/07 13:30:01 wazuh-analysisd: ERROR: (1226): Error reading XML file 'etc/rules/local_rules.xml': XMLERR: Comment not closed. (line 43).
Nov 07 13:30:01 ip-10-16-1-248 env[2153566]: 2025/11/07 13:30:01 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/local_rules.xml'.
Nov 07 13:30:01 ip-10-16-1-248 env[2153538]: wazuh-analysisd: Configuration error. Exiting
Nov 07 13:30:01 ip-10-16-1-248 systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE
Nov 07 13:30:01 ip-10-16-1-248 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
Nov 07 13:30:01 ip-10-16-1-248 systemd[1]: Failed to start wazuh-manager.service - Wazuh manager.
Nov 07 13:30:01 ip-10-16-1-248 systemd[1]: wazuh-manager.service: Consumed 1.048s CPU time.
hgoncalves@ip-10-16-1-248:~$ sudo cat /var/ossec/etc/rules/local_rules.xml
<group name="monit,availability,">

  <!-- Suppress expected 401s from secured OpenSearch -->
  <rule id="100519" level="0">
    <field name="location">/var/log/monit.log</field>
    <match>HTTP error: Server returned status 401</match>
    <description>Monit: expected 401 (suppressed)</description>
  </rule>

  <!-- Endpoint down / protocol test failed -->
  <rule id="100520" level="7">
    <field name="location">/var/log/monit.log</field>
    <regex><![CDATA['[^']+'[ ]*failed protocol test]]></regex>
    <description>Monit: endpoint down</description>
  </rule>

  <!-- Recovered -->
  <rule id="100521" level="3">
    <field name="location">/var/log/monit.log</field>
    <match>succeeded</match>
    <description>Monit: service recovered</description>
  </rule>

  <!-- Certificate expiring soon (6 days or fewer) -->
  <rule id="100522" level="9">
    <field name="location">/var/log/monit.log</field>
    <regex><![CDATA[(Certificate|certificate|SSL|TLS)]]></regex>
    <regex><![CDATA[([^0-9]|^)(0|1|2|3|4|5|6)[ ]*days([^0-9]|$)]]></regex>
    <description>Monit: certificate expiring soon (6 days or fewer)</description>
    <group>tls,certificate,</group>
  </rule>

  <!-- Optional alternate phrasing "less than 6 days" -->
  <rule id="100523" level="9">
    <field name="location">/var/log/monit.log</field>
    <regex><![CDATA[(Certificate|certificate|SSL|TLS)]]></regex>
    <regex><![CDATA[less[ ]+than[ ]+6]]></regex>
    <description>Monit: certificate expiring soon (less than 6 days)</description>
    <group>tls,certificate,</group>
  </rule>

</group>
hgoncalves@ip-10-16-1-248:~$ sudo vi /var/ossec/etc/rules/local_rules.xml
hgoncalves@ip-10-16-1-248:~$ sudo /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.13.1"
WAZUH_REVISION="rc1"
WAZUH_TYPE="server"
hgoncalves@ip-10-16-1-248:~$

Olamilekan Abdullateef Ajani

Nov 7, 2025, 3:21:26 PM
to Wazuh | Mailing List
Hello Sow,

When you experience errors like this, you can also check the ossec.log file to get an idea what the error could be.

One thing I noticed from your rules is that you were using pcre2 syntax undeclared with regex; that would first trigger an error because pcre2 is not the default syntax. You should always specify it in front of the regex field.

Secondly, the syntax is not accurate, hence the reason for the error: Wazuh would interpret the angle brackets <> as tags, would complain that they need to be closed, and would flag an error.
I have made some adjustments to your rule; please follow that syntax and also check the documentation below for further guidelines on Wazuh rule creation and their equivalent syntax.


<group name="monit,availability,">

  <!-- Suppress expected 401s from secured OpenSearch -->
  <rule id="100519" level="0">
    <field name="location">/var/log/monit.log</field>
    <match>HTTP error: Server returned status 401</match>
    <description>Monit: expected 401 (suppressed)</description>
  </rule>

  <!-- Endpoint down / protocol test failed -->
  <rule id="100520" level="7">
    <field name="location">/var/log/monit.log</field>
    <regex type="pcre2">'[^']+'\s*failed\s+protocol\s+test</regex>

    <description>Monit: endpoint down</description>
  </rule>

  <!-- Recovered -->
  <rule id="100521" level="3">
    <field name="location">/var/log/monit.log</field>
    <match>succeeded</match>
    <description>Monit: service recovered</description>
  </rule>

  <!-- Certificate expiring soon (6 days or fewer) -->
  <rule id="100522" level="9">
    <field name="location">/var/log/monit.log</field>
    <regex type="pcre2">(Certificate|certificate|SSL|TLS)</regex>
    <regex type="pcre2">(^|[^0-9])(0|1|2|3|4|5|6)\s*days([^0-9]|$)</regex>

    <description>Monit: certificate expiring soon (6 days or fewer)</description>
    <group>tls,certificate,</group>
  </rule>

  <!-- Alternate phrasing: "less than 6 days" -->

  <rule id="100523" level="9">
    <field name="location">/var/log/monit.log</field>
    <regex type="pcre2">(Certificate|certificate|SSL|TLS)</regex>
    <regex type="pcre2">less\s+than\s+6</regex>

    <description>Monit: certificate expiring soon (less than 6 days)</description>
    <group>tls,certificate,</group>
  </rule>

</group>


Hunter Goncalves

Nov 7, 2025, 5:22:14 PM
to Wazuh | Mailing List
Thank you for the quick response. This rule loads correctly; however, I still can't get it to trigger on my log. This is some of the log file:

[2025-11-07T17:18:52-0500] error    : 'App-QATest-100' failed protocol test [HTTP] at [app-qatest100.mysitecom]:443 [TCP/IP TLS] -- Connection timed out
[2025-11-07T17:18:52-0500] error    : 'App-QATest-100' certificate expiry in 0 days matches check limit [valid > 6 days]
[2025-11-07T17:19:07-0500] error    : 'IE-QATest-100' failed protocol test [HTTP] at [ie-qatest100.stationmd.com]:443 [TCP/IP TLS] -- Connection timed out


Olamilekan Abdullateef Ajani

Nov 10, 2025, 9:39:58 AM
to Wazuh | Mailing List
Hello Sow,

So I ran a test on the log with the rule you shared, and there was a match. Please see attached for reference. P.S., this was without the location field.

I believe the reason the rules failed to match is the field name location you have used above. Location is a static field, so you cannot use it in the way you have done above; you need to define a tag for it specifically, like <location>var-check$</location>

So your rule has to be defined with the sample below:

  <rule id="100521" level="3">
    <location>/var/log/monit.log</location>
    <match>succeeded</match>
    <description>Monit: service recovered</description>
  </rule>


The above assumes /var/log/monit.log is the location the logs originated from. You can find more references explaining the location tag in the documentation below:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#location
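To check a rule file for the two problems raised in this thread (a CDATA section, which the thread's "Comment not closed" error shows Wazuh's XML reader rejecting, and `<field name="location">` where `<location>` is needed) and to try the corrected pcre2 patterns against the Monit lines Hunter posted, here is an added Python harness. It is not Wazuh's own tooling; its log lines and rule set are constructed from this thread, and it assumes each `<regex>` in a rule must match independently and that Python's `re` behaves like PCRE2 for these patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three Monit lines quoted in the thread.
MONIT_LOG = [
    "[2025-11-07T17:18:52-0500] error    : 'App-QATest-100' failed protocol test [HTTP] at [app-qatest100.mysitecom]:443 [TCP/IP TLS] -- Connection timed out",
    "[2025-11-07T17:18:52-0500] error    : 'App-QATest-100' certificate expiry in 0 days matches check limit [valid > 6 days]",
    "[2025-11-07T17:19:07-0500] error    : 'IE-QATest-100' failed protocol test [HTTP] at [ie-qatest100.stationmd.com]:443 [TCP/IP TLS] -- Connection timed out",
]

# Constructed rule set: two of the thread's corrected pcre2 rules, using <location>.
RULES_XML = r"""<group name="monit,availability,">
  <rule id="100520" level="7">
    <location>/var/log/monit.log</location>
    <regex type="pcre2">'[^']+'\s*failed\s+protocol\s+test</regex>
    <description>Monit: endpoint down</description>
  </rule>
  <rule id="100522" level="9">
    <location>/var/log/monit.log</location>
    <regex type="pcre2">(Certificate|certificate|SSL|TLS)</regex>
    <regex type="pcre2">(^|[^0-9])(0|1|2|3|4|5|6)\s*days([^0-9]|$)</regex>
    <description>Monit: certificate expiring soon (6 days or fewer)</description>
  </rule>
</group>"""

def lint_rules(xml_text):
    """Report the two constructs this thread shows Wazuh rejecting or ignoring."""
    findings = []
    # A standard XML parser accepts CDATA, but the thread's 'Comment not closed'
    # error came from a rule file whose only unusual construct was <![CDATA[.
    if "<![CDATA[" in xml_text:
        findings.append('CDATA section: write the pattern inline with type="pcre2"')
    for rule in ET.fromstring(xml_text).iter("rule"):
        # location is a static field, so <field name="location"> never matches.
        for fld in rule.findall("field"):
            if fld.get("name") == "location":
                findings.append(f"rule {rule.get('id')}: use <location> instead of <field name=\"location\">")
    return findings

def match_rules(xml_text, lines):
    """Map rule id -> indexes of lines on which every <regex> of that rule matches."""
    hits = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        # Python's re stands in for PCRE2; \s and character classes behave the same.
        patterns = [re.compile(rx.text) for rx in rule.findall("regex")]
        if patterns:
            hits[rule.get("id")] = [i for i, line in enumerate(lines)
                                    if all(p.search(line) for p in patterns)]
    return hits
```

Treat this as a quick offline check; the authoritative test of how analysisd decodes and matches a line is `/var/ossec/bin/wazuh-logtest` on the manager.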