Local Rule based on rule id 92910 and match label text


John Smith

Apr 18, 2024, 11:01:27 AM
to Wazuh | Mailing List

Hi all,
How can I write my own rule that will trigger on rule id 92910 and match agent label text, e.g.:

<group name="my_custom_rules">
  <rule id="330001" level="15">
    <if_sid>92910</if_sid>
    <match>security_admin_label</match>
    <description>Exception !</description>
  </rule>
</group>

Md. Nazmur Sakib

Apr 19, 2024, 12:24:58 AM
to Wazuh | Mailing List

Hi John Smith,


Hope you are doing well.


Can you explain what you mean by “agent label text”?


Are you referring to the agent group level?




The match parameter is used as a requisite to trigger the rule based on the information on the log. It will search for a match in the log event. However, the agent group level is not present on the log. It is added on a higher level and the rule engine is not aware of the parameter agent group level. So it is not possible to trigger an alert on the Wazuh Dashboard based on the agent group.


As a workaround, you can use the OpenSearch alerting plugin to trigger alerts based on agent group level.
Check this document to get help with configuration: https://opensearch.org/docs/latest/observing-your-data/alerting/index/


Let me know if you need any further information.
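As an added illustration of the workaround described in this reply (not part of the original thread or of Wazuh's own documentation), the following is an OpenSearch alerting monitor body, created with POST _plugins/_alerting/monitors, that checks the wazuh-alerts-* index every minute and fires when a rule 92910 alert carries the label value from the question. It assumes the agent label is stored under the hypothetical key agent.labels.role, that the index uses Wazuh's default timestamp field, and that the trigger has no notification action attached yet.

```json
{
  "type": "monitor",
  "name": "rule-92910-security-admin-label",
  "monitor_type": "query_level_monitor",
  "enabled": true,
  "schedule": { "period": { "interval": 1, "unit": "MINUTES" } },
  "inputs": [
    {
      "search": {
        "indices": ["wazuh-alerts-*"],
        "query": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "rule.id": "92910" } },
                { "term": { "agent.labels.role": "security_admin_label" } },
                {
                  "range": {
                    "timestamp": {
                      "gte": "{{period_end}}||-1m",
                      "lte": "{{period_end}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "name": "matching-alert-seen",
      "severity": "1",
      "condition": {
        "script": {
          "source": "ctx.results[0].hits.total.value > 0",
          "lang": "painless"
        }
      },
      "actions": []
    }
  ]
}
```

The term filter on agent.labels.role only works if that label is indexed as a keyword; check the field mapping in the index template before relying on it.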

Md. Nazmur Sakib

Apr 22, 2024, 5:05:47 AM
to Wazuh | Mailing List
Hi John Smith,

Let me know if you need any further information.
