Customizing rules for groups of agents


Joaquim António

Feb 15, 2023, 5:08:24 AM
to Wazuh mailing list
Hello Wazuh team,

Is it possible to add and modify existent rules for groups of agents? Suppose I want to create a group for each client. Where do I specify the rules for each client group?

Thank you and best regards,

Joaquim António

Chantal Belen Kelm

Feb 15, 2023, 5:53:53 AM
to Wazuh mailing list
Hello, how are you? Yes, it is possible to add and modify existing rules in Wazuh for groups of agents, and to specify different rules for different groups.

To specify rules for a group of agents, you can create a new rule file in the Wazuh ruleset directory and add rules to it that apply specifically to that group. For example, if you have a group of agents for a particular client, you can create a new rule file in the Wazuh ruleset directory and add rules to it that are specific to that client's environment.

Here are the general steps to create a new rule file for a specific group of agents:

Create a new directory under /var/ossec/rules with a name that is unique and identifies the group. For example, you could create a directory called client-a for a group of agents that belong to client A.

Create a new rule file in the new directory with a unique name that describes the purpose of the file. For example, you could create a file called webserver-rules.xml for rules that apply to web servers in the group.

Add rules to the new rule file that apply specifically to the group of agents. You can use the existing Wazuh rules as a reference and modify them as needed. The rules should be specific to the group's environment and should not interfere with the rules that apply to other groups or the entire infrastructure.

Add the new rule file to the ossec.conf configuration file of the agents that belong to the group. You can add the file to the rules parameter under the appropriate group definition.

For example, you could add the following line to the ossec.conf file of the agents that belong to client-a:

<group name="client-a">
  <ruleset>client-a/webserver-rules.xml</ruleset>
</group>


This tells the agents to use the webserver-rules.xml file that is located in the client-a directory under the Wazuh ruleset directory.

By following these steps, you can create separate rule files for each group of agents and specify different rules for each group. This can help you to tailor the Wazuh monitoring to the specific needs and requirements of each client or group.

Joaquim António

Feb 15, 2023, 6:09:03 AM
to Wazuh mailing list
Thank you so much for the detailed response. I just have an extra-question: will my new rules be overwritten upon an update to a new wazuh release?

Chantal Belen Kelm

Feb 15, 2023, 6:40:01 AM
to Wazuh mailing list

If you create new rule files or modify existing rules in the Wazuh ruleset directory, those changes will be preserved across upgrades to new versions of Wazuh, as long as you follow best practices for customizing the ruleset.

To ensure that your customizations are preserved across upgrades, you should avoid making changes to the original Wazuh rule files. Instead, create new rule files or modify copies of the original rule files and place them in a custom ruleset directory outside of the Wazuh installation directory. By doing so, your customizations will be stored in a separate location that is not affected by upgrades to the Wazuh software.

For example, you could create a new directory at /var/ossec/customrules to store your custom rule files. You could then copy the rules from the original Wazuh rule files into your custom rule files and make your modifications there. You can then add your custom ruleset to the ossec.conf configuration file of the agents as described in my previous response.

Another important consideration is to periodically review and update your custom rules to ensure that they continue to work as expected with new versions of Wazuh. New releases of Wazuh may introduce changes to the original rule files that could impact your customizations. Therefore, it is important to test your custom ruleset after upgrading Wazuh to ensure that it continues to function correctly. You may need to update your custom rules to account for changes to the original rules or to take advantage of new features introduced in the new version.

By following these best practices, you can create a customized ruleset for your environment that is preserved across upgrades and tailored to your specific needs.

Joaquim António

Feb 16, 2023, 6:31:06 AM
to Wazuh mailing list
Hello,

Where would I insert this block? :

<group name="client-a">
  <ruleset>client-a/webserver-rules.xml</ruleset>
</group>

I tried putting it in the group's shared config in the manager, but it wouldn't take effect. Then I tried in an individual agent, by inserting it in its ossec.conf inside <ossec_config></ossec_config>. The wazuh agent service wouldn't start, giving me an invalid element error. What am I missing here?

Thank you and best regards

Chantal Belen Kelm

Feb 16, 2023, 11:33:43 AM
to Wazuh mailing list
Hi, how are you? I was checking the information I sent you yesterday, and I realized that it is not correct, I apologize for that.

Unfortunately, it is not possible to filter rules by agent at the moment. Here are some options with which you can achieve something similar:
  • Use labels: It is possible to add labels to the agent's groups that will be applied to every alert triggered by those agents. To do that you can apply a centralized configuration to set up the label for each specific group.
    [screenshots omitted: centralized configuration setting the label for the group]
    Once that is done you can verify the new alerts from those agents and confirm that the label is applied. You can also filter by the labels in wazuh dashboard.
    [screenshots omitted: alerts from the labelled agents and the dashboard filter on the label]
  • Use a specific field: If you have a specific field in the alert that is common to all the agents of a group, you can edit the rules to be triggered only when that field has the expected value. For example: if all the agent hostnames of the group "lab" start with "lab-" and you want to filter the rule 5701, you can create a child rule similar to this:

      <group name="local,syslog,sshd,">
        <!-- Child of 5701: only fires when the agent hostname begins with "lab-".
             The pattern is anchored with "^" because PCRE2 matching is otherwise
             unanchored and "lab-.+" alone would also match e.g. "mylab-01". -->
        <rule id="100002" level="8">
          <if_sid>5701</if_sid>
          <hostname type="PCRE2">^lab-.+</hostname>
          <description>sshd: Possible attack on the ssh server </description>
          <description>(or version gathering). - Known agent</description>
        </rule>
      </group>


    This way the rule will only be triggered when the agent hostname starts with "lab-".


    [screenshot omitted: alerts showing rule 100002 for "lab-" hosts and rule 5701 for the others]

    As you can see in the previous image, agents whose hostnames start with "lab-" trigger the custom rule, while agents whose hostnames don't start with "lab-" trigger the original rule.

You can find more information about labels and custom rules on the following links:

I hope you find this information helpful. Let me know if you have any questions.
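The two approaches from the answer above (a per-group label pushed by centralized configuration, and a child rule keyed on a hostname prefix), staged as a shell script on the Wazuh manager. This is an added example, not code from the thread or from the Wazuh project. The group name client-a, the label key client, the rule id 100002, the parent rule 5701 and the lab- prefix are assumptions, as is a standard install under /var/ossec (override WAZUH_HOME to stage the files elsewhere). The rule uses an anchored pcre2 pattern so that it is a real prefix match.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): stages a per-group
# label and a hostname-restricted child rule on the manager. Assumed names:
# group "client-a", label key "client", rule 100002 under parent 5701, prefix "lab-".
WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"

# 1) Labels via centralized configuration. The manager pushes
#    etc/shared/<group>/agent.conf to every agent of the group, and each alert
#    from those agents then carries agent.labels.<key>, which the dashboard can
#    filter on. On a live manager create the group first
#    (bin/agent_groups -a -g <group>) so the directory gets the right owner, and
#    keep the file readable by the wazuh user.
write_group_labels() {
  group="$1"; client="$2"
  dir="$WAZUH_HOME/etc/shared/$group"
  mkdir -p "$dir"
  cat > "$dir/agent.conf" <<EOF
<agent_config>
  <labels>
    <label key="client">$client</label>
  </labels>
</agent_config>
EOF
}

# 2) Child rule keyed on a field common to the group: a hostname prefix.
#    pcre2 patterns are unanchored, so "^" is what turns this into a prefix
#    test; "lab-.+" alone would also match a host named "mylab-01".
#    Appended to local_rules.xml, which the manager loads by default.
write_prefix_rule() {
  rule_id="$1"; parent="$2"; prefix="$3"
  cat >> "$WAZUH_HOME/etc/rules/local_rules.xml" <<EOF
<group name="local,syslog,sshd,">
  <rule id="$rule_id" level="8">
    <if_sid>$parent</if_sid>
    <hostname type="pcre2">^$prefix</hostname>
    <description>sshd: Possible attack on the ssh server (or version gathering) - $prefix hosts</description>
  </rule>
</group>
EOF
}

# The same prefix test outside Wazuh, to check which hostnames a prefix will
# cover before the rule is deployed (exit 0 = in scope, 1 = not in scope).
hostname_in_scope() {
  printf '%s\n' "$1" | grep -Eq "^$2"
}

# Apply on the manager and restart it:  sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  write_group_labels client-a "Client A"
  write_prefix_rule 100002 5701 lab-
  systemctl restart wazuh-manager
fi
```

Nothing is added to the agents' own ossec.conf for either approach: agents are put in the group on the manager (for example with bin/agent_groups -a -i <agent_id> -g client-a), pick up the shared agent.conf on their next configuration sync, and the rule is evaluated only on the manager.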

Andréw Hüang

Aug 30, 2023, 3:45:38 PM
to Wazuh | Mailing List
Does this work? I tried your steps and can't restart the manager; it timed out with a "configuration file is marked world inaccessible" error.