Wazuh 2 - overwrite rule

[Régis Houssin]

Hello,

I want to do an overwrite of 2 rules in order not to receive an email alert, I have added this in local_rules.xml, but I still receive the alerts. I made a mistake or it is not possible?

Thank you

<group name="local,syslog,">

  <rule id="31122" level="5" overwrite="yes">

    <if_sid>31120</if_sid>

    <id>^500</id>

    <options>no_email_alert</options>

    <description>Web server 500 error code (Internal Error).</description>

    <group>system_error,</group>

  </rule>

  <rule id="31123" level="4" overwrite="yes">

    <if_sid>31120</if_sid>

    <id>^503</id>

    <options>no_email_alert</options>

    <description>Web server 503 error code (Service unavailable).</description>

  </rule>

</group>

[Jesus Linares]

Hi,

It looks right, did you restart OSSEC?.

Regards.

[Régis Houssin]

Yes, i restart wazuh-manager (and agent for the fun...)

the "local_rules.xml" is loading (ossec.log)

but i received again emails !

if i modify directly the file "/var/ossec/ruleset/rules/0245-web_rules.xml" it's ok, but this will be lost after the update process !

thank you

[Régis Houssin]

ok i see !!

wazuh load "/var/ossec/etc/rules/local_rules.xml"

and my file was here : "/var/ossec/rules/local_rules.xml"

it's ok now !!

Thank you for your help

[Jesus Linares]

Great!. Here the documentation for custom decoders/rules: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Regards.