Problem to open local_decoder and local_rules files

Vando Nascimento

May 12, 2025, 5:43:44 PM
to Wazuh | Mailing List
Hello,

I'm working on the configuration of a Wazuh on version 4.11.2. At the moment I'm trying to create some local decoders and after a lot of time spent without success I noticed the following lines on ossec.log:

2025/05/12 21:32:38 wazuh-analysisd: WARNING: (1103): Could not open file '/var/ossec/etc/decoders/local_decoder.xml' due to [(2)-(No such file or directory)].
2025/05/12 21:32:38 wazuh-analysisd: WARNING: (1103): Could not open file '/var/ossec/etc/rules/local_rules.xml' due to [(2)-(No such file or directory)].

The strange part is that both files exist. After that I tried removing what I had changed but the message persists. I tried even recreating the files with their original content, copied from another server, and keeping the same permissions and ownership, but still no luck. What else can I try to fix this?

Thank you.

Bony V John

May 13, 2025, 6:48:56 AM
to Wazuh | Mailing List

Hi,

Could you please let me know the changes you made before encountering this issue? If you followed any documentation, please share the exact steps you performed or provide the link to the documentation you used.

To begin troubleshooting, run the following commands to check the file permissions of your custom decoder and rule files:

ls -la /var/ossec/etc/decoders/local_decoder.xml
ls -la /var/ossec/etc/rules/local_rules.xml

Ensure that both files have the following permissions and ownership:
-rw-rw---- 1 wazuh wazuh 1249 Feb  7 17:36 /var/ossec/etc/decoders/local_decoder.xml
-rw-rw---- 1 wazuh wazuh 4111 Mar 24 16:40 /var/ossec/etc/rules/local_rules.xml

If the permissions are incorrect, you can set them using the following commands:
chown wazuh:wazuh /var/ossec/etc/decoders/local_decoder.xml
chown wazuh:wazuh /var/ossec/etc/rules/local_rules.xml
chmod 660 /var/ossec/etc/decoders/local_decoder.xml
chmod 660 /var/ossec/etc/rules/local_rules.xml

After updating the permissions, restart the Wazuh manager service:
systemctl restart wazuh-manager

To further investigate the issue, please share the following files:

  • Full Wazuh manager log file: /var/ossec/logs/ossec.log

  • Wazuh manager configuration file: /var/ossec/etc/ossec.conf

Also, for more information about creating custom decoders and rules, you can refer to the Wazuh documentation: https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Vando Nascimento

May 13, 2025, 10:49:02 AM
to Wazuh | Mailing List
Hi,

Thank you for your reply. My goal with these changes is to receive syslog messages sent by a Ubiquiti UDM. At the moment I'm able to see the messages on archives.log when I activate the logall option. To have this result so far I've created a new remote session on ossec.conf creating the port 1514/udp. Besides that, I don't think I've made any other complex change on this file.

Regarding the permissions and ownership of the custom files, this is the situation:
root@wazuh:/var/ossec/etc# ls -la decoders/local_decoder.xml
-rw-rw---- 1 wazuh wazuh 815 May 12 14:54 decoders/local_decoder.xml
root@wazuh:/var/ossec/etc# ls -la rules/local_rules.xml
-rw-rw---- 1 wazuh wazuh 497 May 12 14:52 rules/local_rules.xml

I'm also sending the ossec.conf and ossec.log as attachments.

Thank you.
ossec.log
ossec.conf

Vando Nascimento

May 14, 2025, 8:08:00 PM
to Wazuh | Mailing List
I've solved this problem. At some point I had changed the user-defined ruleset area on ossec.conf, changing the folders' path from relative to full, while investigating my problems with decoders. Now I'm back on track.

Thank you.
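
The resolution above was a ruleset path in ossec.conf changed from relative to full. As an added example (not code from the thread or from the Wazuh project), this script flags such entries; the function names are hypothetical, the sample configuration is constructed, and the tags checked (decoder_dir, rule_dir, list) are the ones used in the standard ruleset block.

```shell
#!/bin/sh
# Added example (not from the thread): flag absolute paths in <ruleset>.

# Print "line:tag:path" for every decoder_dir, rule_dir or list entry inside
# a <ruleset> block whose value starts with "/". Returns 1 if any are found.
# Single-line XML comments are ignored; multi-line comments are not handled.
find_absolute_ruleset_paths() {
    awk '
        { gsub(/<!--.*-->/, "") }
        /<ruleset>/   { in_ruleset = 1 }
        /<\/ruleset>/ { in_ruleset = 0 }
        in_ruleset && match($0, /<(decoder_dir|rule_dir|list)>[ \t]*\/[^<]*/) {
            entry = substr($0, RSTART + 1, RLENGTH - 1)
            tag = entry;  sub(/>.*/, "", tag)
            path = entry; sub(/^[^>]*>[ \t]*/, "", path); sub(/[ \t]+$/, "", path)
            printf "%d:%s:%s\n", NR, tag, path
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: default-style relative entries plus the user-defined
# entries rewritten as full paths, the change described in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <list>etc/lists/audit-keys</list>
    <!-- User-defined ruleset -->
    <decoder_dir>/var/ossec/etc/decoders</decoder_dir>
    <rule_dir>/var/ossec/etc/rules</rule_dir>
  </ruleset>
</ossec_config>
EOF
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
find_absolute_ruleset_paths "$sample" || echo "absolute ruleset paths found"
rm -f "$sample"
```

On a manager, pass /var/ossec/etc/ossec.conf as the argument.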
