filter docoder and rules but not show on Wazuh display

[owen Um]

hi I have a problem to show general alert on Wazuh display

I try to send Maria-DB Audit Log for Wazuh and it is success
so that is shared on /var/ossec/log/archive/archive.log && archive.json

and then i create Decoder in '/var/ossec/etc/decoders/local_decoder.xml'

and also create rules in '/var/ossec/etc/rules/local_rules.xml'
<group name="Maria">
 <rule id="919191" level="4">
   <decoded_as>Maria Audit</decoded_as>
   <match>mysql-server_auditing</match>
   <description>MariaDB Audit Log</description>
   <group>gpg13_4.3,</group>
 </rule>
</group>

when i check wazuh-logtest it looks like work
**Phase 1: Completed pre-decoding.
    full event: '2022 Jun 13 02:56:45 (visa-db01) any->/var/log/messages Jun 12 22:48:20 visa-db01 mysql-server_auditing: visa-db01,app,xxx.xxx.xx.xx,91562,5065561,QUERY,wb_card_kr,SELECT 1,0'
    timestamp: '2022 Jun 13 02:56:45'

**Phase 2: Completed decoding.
    name: 'Maria Audit'

**Phase 3: Completed filtering (rules).
    id: '919191'
    level: '4'
    description: 'MariaDB Audit Log'
    groups: '['Mariagpg13_4.3']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

but i can't check on display 'Security events' what can i do for display this event?
please give me some advice... 

[Mariano Koremblum]

Hi Owen!

Did you reset your manager?

Regards ,

Mariano Koremblum

[owen Um]

hi mariano

i try 'service wazuh-manager restart' but same result...

[Mariano Koremblum]

Hi again Owen,

Do you get to see any error or alert related to this on your manager’s ossec.log file?

You can check that by running the following command:

# cat /var/ossec/logs/ossec.log | grep -E "WARN|ERR"

I will be waiting for your reply

​