CDB lists not added


Mika Otzen

Jun 18, 2024, 4:12:15 AM
to Wazuh | Mailing List
Hi all,

I was testing custom rules with cdb lists but noticed that the lists aren't loaded by the manager. I've checked for correct ownership and so on but they still can't be loaded.

Logtest:

** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/malicious-powershell' could not be loaded. Rule '100543' will be ignored.

** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/common-ports' could not be loaded. Rule '102503' will be ignored.

** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/bash_profile' could not be loaded. Rule '200120' will be ignored.

** Wazuh-Logtest: WARNING: (7616): List '/etc/lists/ht_users' could not be loaded. Rule '100096' will be ignored.

ls -l output:

rw-rw---- 1 wazuh wazuh   23 Jun 17 12:17 ht_users

I can access the list as the wazuh user:

sudo -u wazuh cat /var/ossec/etc/lists/ht_users
usr1

usr2

....

How can I make the cdb lists accessible?

Regards

Jeremias Ignacio Posse

Jun 24, 2024, 12:56:34 AM
to Wazuh | Mailing List
Hello Mika, hope you're well!

I'll try to help you with this issue. A few tips I have for you about this:

1. Ownership and Permissions:
You’ve already checked the ownership, which is good. Ensure that the lists have the correct permissions (e.g., readable by the Wazuh user).
Confirm that the ht_users list has the same permissions as other working lists.

2. List Location:
Wazuh expects CDB lists to be stored in /var/ossec/etc/lists.
Make sure your lists are in the correct directory.

3. Automatic Loading (Wazuh v3.11.0+):
Starting from Wazuh v3.11.0, CDB lists are automatically built and loaded when the analysis engine starts.
If you’ve added or modified lists, simply restart the manager to apply changes.

4. Define Lists in ossec.conf:
In your ossec.conf file, define each list using the following syntax:
<list field="user">etc/lists/list-user</list>

The <list> setting uses a relative path to the Wazuh installation folder (/var/ossec/).
Restart Wazuh to apply the changes.

5. Using Lists in Rules:
In rules, you can look up keys within CDB lists using the following syntax:
Positive key match:
<list field="user">etc/lists/list-user</list>

Negative key match:
<list field="user" lookup="not_match_key">etc/lists/list-user</list>

Remember to adjust the paths and permissions as needed. If you encounter further issues, feel free to ask for additional assistance!


Using CDB lists - Ruleset · Wazuh documentation


Greetings, Jeremias
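
The checks from the reply above, run against the lists named in wazuh-logtest warnings; this is an added example, not part of either post and not Wazuh code. The function names and the temporary folder standing in for /var/ossec are hypothetical, and the `key:` line-format check comes from the Wazuh CDB list documentation rather than from this thread.

```python
import os
import re
import tempfile

# Matches the warning format quoted in the first post.
WARN_RE = re.compile(r"List '([^']+)' could not be loaded\. Rule '(\d+)' will be ignored")

def check_list(root, ref):
    """Return the problems found for one <list> reference (empty list = none found)."""
    problems = []
    if os.path.isabs(ref):
        problems.append("absolute path: <list> is relative to the install folder")
    path = os.path.join(root, ref.lstrip("/"))
    if not os.path.isfile(path):
        return problems + ["file not found under install folder"]
    if not os.access(path, os.R_OK):
        return problems + ["not readable by the current user"]
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            # Assumption from the Wazuh docs, not from the thread: every
            # entry is "key:value" or "key:", so a line without ':' is invalid.
            if line.strip() and ":" not in line:
                problems.append(f"line {number}: key has no ':' terminator")
                break
    return problems

def diagnose(root, logtest_output):
    """Map each list named in a warning to (rule id, problems)."""
    return {ref: (rule, check_list(root, ref))
            for ref, rule in WARN_RE.findall(logtest_output)}

def make_sample_tree():
    """Build a constructed install folder with two sample lists; return its path."""
    root = tempfile.mkdtemp()
    lists = os.path.join(root, "etc", "lists")
    os.makedirs(lists)
    with open(os.path.join(lists, "ht_users"), "w") as fh:
        fh.write("usr1\nusr2\n")          # constructed: keys without ':'
    with open(os.path.join(lists, "common-ports"), "w") as fh:
        fh.write("22:ssh\n443:\n")        # constructed: valid entries
    return root

# Constructed sample modelled on the warnings in the first post.
SAMPLE = """\
** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/common-ports' could not be loaded. Rule '102503' will be ignored.
** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/bash_profile' could not be loaded. Rule '200120' will be ignored.
** Wazuh-Logtest: WARNING: (7616): List '/etc/lists/ht_users' could not be loaded. Rule '100096' will be ignored.
"""

if __name__ == "__main__":
    for ref, (rule, problems) in diagnose(make_sample_tree(), SAMPLE).items():
        print(f"rule {rule}: {ref}: {problems or 'no finding'}")
```

Run it as the wazuh user with `root` set to the real install folder so the readability check reflects the manager's own access.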