overwrite rule "if_group"


Facu Basgall

Oct 13, 2025, 12:24:02 PM
to Wazuh | Mailing List

Hi, I have a question... I overwrote rule 40101 to bring it down to level 10.

I did a test and I get the warning you see in the screenshot.

Is this a bug that I need to fix? Are the events being generated normally or is the rule being skipped?

In the last 30 days I have no events for that rule.


(Attachments: 20251013_131903.jpeg, 20251013_131854.jpeg, 20251013_131931.jpeg)

juan.c...@wazuh.com

Oct 13, 2025, 2:57:17 PM
to Wazuh | Mailing List
Hi,
The warning you see in the screenshot is only notifying you that, since you're overriding a base rule, you won't be able to change its `if_group` attribute. It has no effect on whether the rule gets activated or not. You can safely ignore it.
You can generate an event that would trigger your rule and check inside `/var/ossec/logs/archives/archives.json` to see if the event is getting received by the manager, and then inside `/var/ossec/alerts/alerts.json` to see if the event is producing the alert. Feel free to share the relevant lines that you might find inside those logs.
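The check the reply describes, as an added example that is not part of the thread: read the two JSON-lines files (on a manager these are normally /var/ossec/logs/archives/archives.json, which only exists when `<logall_json>yes</logall_json>` is set in ossec.conf, and /var/ossec/logs/alerts/alerts.json), count the events that matched the overridden rule in each, and confirm the alerts carry the overridden level. The file contents below are constructed samples, and the rule id and level 10 are taken from the question.

```python
import json

# Constructed sample records, one JSON object per line, in the shape Wazuh
# writes to archives.json (every received event) and alerts.json (only events
# that matched a rule). Values are illustrative, not from a real deployment.
ARCHIVES_SAMPLE = "\n".join([
    '{"timestamp":"2025-10-13T13:18:00.000+0000","agent":{"id":"001","name":"host01"},"location":"/var/log/auth.log","full_log":"constructed event with no rule match"}',
    '{"timestamp":"2025-10-13T13:19:00.000+0000","rule":{"level":10,"id":"40101","description":"constructed description","groups":["syslog"]},"agent":{"id":"001","name":"host01"},"location":"/var/log/auth.log","full_log":"constructed event that matched rule 40101"}',
])
ALERTS_SAMPLE = "\n".join([
    '{"timestamp":"2025-10-13T13:19:00.000+0000","rule":{"level":10,"id":"40101","description":"constructed description","groups":["syslog"]},"agent":{"id":"001","name":"host01"},"location":"/var/log/auth.log","full_log":"constructed event that matched rule 40101"}',
])


def load_events(text):
    """Parse JSON-lines content, skipping blank or truncated lines
    (a file still being written can end with a partial record)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def rule_hits(events, rule_id):
    """Events whose matched rule id equals rule_id (ids are strings in Wazuh output)."""
    return [e for e in events if str(e.get("rule", {}).get("id")) == str(rule_id)]


def check_override(archives_text, alerts_text, rule_id, expected_level):
    """Summarise whether the overridden rule fires and carries the expected level."""
    received = rule_hits(load_events(archives_text), rule_id)
    alerted = rule_hits(load_events(alerts_text), rule_id)
    levels = sorted({e["rule"]["level"] for e in alerted})
    return {
        "received": len(received),   # events matching the rule in archives.json
        "alerted": len(alerted),     # alerts produced in alerts.json
        "levels": levels,            # alert levels seen, should be [expected_level]
        "override_ok": bool(alerted) and levels == [expected_level],
    }


if __name__ == "__main__":
    # Replace the samples with open(path).read() of the real files on the manager.
    print(check_override(ARCHIVES_SAMPLE, ALERTS_SAMPLE, "40101", 10))
```

If `received` is greater than zero but `alerted` is zero, the event reached the manager and matched the rule but no alert was written, which points at the alert level threshold or the override rather than at the `if_group` warning.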