Issue using CDB lists in Wazuh 4.14.1 (Docker) – lists not loading


gustavo rodriguez

Dec 23, 2025, 8:55:31 AM
to Wazuh | Mailing List

Hi everyone,

I’m having an issue when trying to use CDB lists in Wazuh 4.14.1 running on Docker (single-node deployment).

Context

I’m creating custom rules that reference CDB lists (for example AWS event names, malicious IOCs, trusted processes, etc.).

When I validate the rules using:

docker exec -it single-node-wazuh.manager-1 /var/ossec/bin/wazuh-analysisd -t

I get multiple warnings like the following: 

WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
WARNING: (7617): Signature ID '80202' was not found and will be ignored in the 'if_sid' option of rule '80203'.
WARNING: (7619): Empty 'if_sid' value. Rule '80203' will be ignored.
...
WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99902' will be ignored.
...
WARNING: (7616): List 'etc/lists/procesos-confiables' could not be loaded. Rule '100500' will be ignored.

Because the lists are not loaded, all dependent rules are ignored and cascade failures appear (if_sid, if_matched_sid). 

Environment
  • Wazuh version: 4.14.1

  • Deployment: Docker (single-node)

Rules are referencing lists like: 

<group name="sysmon,sysmon_eid11_detections,">

  <rule id="100500" level="0">
    <if_sid>92213</if_sid>
    <list field="win.eventdata.image" lookup="match_key">etc/lists/procesos-confiables</list>
    <description>Falso Positivo: Proceso de confianza de Farmesa silenciado por CDB List</description>
    <options>no_full_log</options>
  </rule>

</group>

Questions
  1. Is there any known limitation or extra step for CDB lists when using Docker?

  2. Do CDB lists need to be declared or mounted in a specific way in docker-compose.yml?

  3. Is the expected path different in containerized deployments?

  4. Does Wazuh 4.14.x require rebuilding CDB lists manually inside the container?

Any guidance or examples working with CDB lists + Docker would be really appreciated.

Thanks in advance!





lucas....@wazuh.com

Dec 23, 2025, 10:20:12 AM
to Wazuh | Mailing List
Hi! Those warnings usually mean the manager can't find or read the list files from inside the container, so any rules that depend on them get skipped.

A few things to check in Docker:

1) File location and path: In Wazuh rules, list paths are relative to the manager install path (typically /var/ossec/). So etc/lists/... should exist as /var/ossec/etc/lists/... inside the container.

You could run:
"docker exec -it single-node-wazuh.manager-1 ls -l /var/ossec/etc/lists/amazon/" and see if that shows results.

2) Mounting the lists: If you’re keeping lists on the host, you need to mount them into the manager container (e.g. map your host folder to /var/ossec/etc/lists). Otherwise these won't be there at runtime.

3) Permissions/ownership: Make sure the files are readable by the Wazuh user inside the container (root:ossec is common).

You could run:
"docker exec -it ... cat /var/ossec/etc/lists/amazon/aws-eventnames" and see if it shows the file contents or gives a permission error.

4) CDB file: Is it plain text or is it a .cdb list?

The difference with Docker is that you must make sure the list files (and the generated .cdb files) are actually present inside the manager container, usually via a volume mount to /var/ossec/etc/lists.
If the files aren’t there (or aren’t readable), the manager will fail to load them and you’ll see exactly these warnings.

Although we don't have specific documentation for CDB-lists on docker containers, you could check this one: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

Let me know if this helps.
Kind regards,

Lucas.
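
The path and permission checks from the reply above, as an added example that is not part of the thread or of Wazuh's own tooling: a shell function that pulls every <list> path out of a rules file and reports which ones are missing or unreadable under the install root. The function name `check_cdb_lists` and its two arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. check_cdb_lists and its arguments are
# made-up names; /var/ossec is the install path given in the reply above.
# Assumes one <list> element per line, as in the rule shown in the question.

check_cdb_lists() {
    rules_file=$1
    root=${2:-/var/ossec}
    failed=0
    # Pull the path out of every <list ...>path</list> element.
    refs=$(sed -n 's|.*<list[^>]*>\([^<]*\)</list>.*|\1|p' "$rules_file" | sort -u)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        # Rule paths are relative to the install root.
        path="$root/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING    $rel"
            failed=$((failed + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $rel"
            failed=$((failed + 1))
        else
            echo "OK         $rel"
        fi
    done <<EOF
$refs
EOF
    # Exit status 0 only when every referenced list was found and readable.
    [ "$failed" -eq 0 ]
}

# Stand-alone use: sh check_lists.sh <rules-file> [install-root]
if [ "$#" -gt 0 ]; then
    check_cdb_lists "$@"
fi
```

Run it inside the manager container so the paths are the ones the manager sees. A root shell passes the readability test on any file, so still compare owner and mode with ls -l as suggested above.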
