Logs in archives but no alerts
15 views
Skip to first unread message
Milene Hadil BEDOUHENE
8:23 AM (12 hours ago) 8:23 AM
to Wazuh | Mailing List
Dear Wazuh Support Team,
I hope you are doing well.
I am writing to report an issue with my Wazuh server. I have configured it properly and also integrated both Zeek and Suricata into my environment. I created several rules using Zeek, and they are working perfectly.
However, I am currently trying to use Sysmon to generate alerts when a port scan is performed. I can see the logs in archives.json, but no alerts are being generated in alerts.json, when I try with logtest, the alert was generated
In the dashboard, I am receiving alerts generated by the default Wazuh rules, but none of my custom alerts appear. I am also using Filebeat in my setup.
Thank you for your support.
Best regards,
Luis Enrique Chico Capistrano
8:51 AM (11 hours ago) 8:51 AM
to Wazuh | Mailing List
Hi Milene,
To help troubleshoot this, could you share the following?
1. A sample log entry from archives.json for the Sysmon event you want to trigger the alert
2. Your custom rule XML — the full <rule> block you created for port scan detection.
3. The full output of wazuh-logtest — paste the log event you used as input and the complete output, including the decoder and rule match details.
This will let us confirm whether the issue is with the rule definition, the decoder, or the event format coming from Sysmon.
To help troubleshoot this, could you share the following?
1. A sample log entry from archives.json for the Sysmon event you want to trigger the alert
2. Your custom rule XML — the full <rule> block you created for port scan detection.
3. The full output of wazuh-logtest — paste the log event you used as input and the complete output, including the decoder and rule match details.
This will let us confirm whether the issue is with the rule definition, the decoder, or the event format coming from Sysmon.
Luis Enrique Chico Capistrano
11:54 AM (8 hours ago) 11:54 AM
to Wazuh | Mailing List
Hi Milene,
Thanks for your reply — we've tracked down all the issues causing your Sysmon port scan rules to work in logtest but not fire in live mode. There were actually some separate problems stacked on top of each other.
1. Wrong input format in wazuh-logtest
When you paste an archives.json line directly into logtest, you're giving it the full wrapper (with timestamp, agent, decoder, data, etc.). Logtest then decodes that as json, which is why your rule appeared to
match — but that's not what the live pipeline sees.
The correct input is only the inner win object — the raw value of the full_log field:
{"win":{"system":{"eventID":"3","providerName":"Microsoft-Windows-Sysmon",...},"eventdata":{...}}}
Strip everything outside that {"win":{...}} block before pasting into logtest.
2. Rule 100020 used the wrong decoder condition
<decoded_as>json</decoded_as> only matches when logtest processes the full archives.json blob. In live mode, the Windows agent sends events through the windows_eventchannel decoder. Use <if_sid>61605</if_sid>
instead, which already handles the decoder chain:
<rule id="100020" level="3">
<if_sid>61605</if_sid>
<field name="win.system.eventID">^3$</field>
<description>Sysmon: Network connection detected (Event ID 3)</description>
</rule>
Reference: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid
3. The XML syntax for same_field and different_field
Instead of
<same_field name="win.eventdata.sourceIp" />
Use:
<same_field>win.eventdata.sourceIp</same_field>
<different_field>win.eventdata.destinationPort</different_field>
Thanks for your reply — we've tracked down all the issues causing your Sysmon port scan rules to work in logtest but not fire in live mode. There were actually some separate problems stacked on top of each other.
1. Wrong input format in wazuh-logtest
When you paste an archives.json line directly into logtest, you're giving it the full wrapper (with timestamp, agent, decoder, data, etc.). Logtest then decodes that as json, which is why your rule appeared to
match — but that's not what the live pipeline sees.
The correct input is only the inner win object — the raw value of the full_log field:
{"win":{"system":{"eventID":"3","providerName":"Microsoft-Windows-Sysmon",...},"eventdata":{...}}}
Strip everything outside that {"win":{...}} block before pasting into logtest.
2. Rule 100020 used the wrong decoder condition
<decoded_as>json</decoded_as> only matches when logtest processes the full archives.json blob. In live mode, the Windows agent sends events through the windows_eventchannel decoder. Use <if_sid>61605</if_sid>
instead, which already handles the decoder chain:
<rule id="100020" level="3">
<if_sid>61605</if_sid>
<field name="win.system.eventID">^3$</field>
<description>Sysmon: Network connection detected (Event ID 3)</description>
</rule>
Reference: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid
3. The XML syntax for same_field and different_field
Instead of
<same_field name="win.eventdata.sourceIp" />
Use:
<same_field>win.eventdata.sourceIp</same_field>
<different_field>win.eventdata.destinationPort</different_field>
Final working rules
<rule id="100020" level="3">
<if_sid>61605</if_sid>
<field name="win.system.eventID">^3$</field>
<description>TEST FORCE: Log Sysmon reçu</description>
</rule>
<rule id="100021" level="12" frequency="5" timeframe="30">
<if_matched_sid>100020</if_matched_sid>
<same_field>win.eventdata.sourceIp</same_field>
<different_field>win.eventdata.destinationPort</different_field>
<description>ALERTE : Scan de ports détecté</description>
</rule>
---
Testing windows_eventchannel events in wazuh-logtest
Temporarily modify /var/ossec/ruleset/rules/0575-win-base_rules.xml:
<rule id="60000" level="0">
<!--category>ossec</category-->
<!--decoded_as>windows_eventchannel</decoded_as-->
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Restart the manager, run your logtest session with 5 events sharing the same sourceIp but different destinationPort values. The alert fires on the 5th match.
Revert this file and restart before going back to production — leaving decoded_as>json in that base rule will break live Windows event processing.
More details on this technique: https://bluewolfninja.com/2025/09/13/ninja-script-suite-for-windows-log-testing-in-wazuh/
---
<rule id="100020" level="3">
<if_sid>61605</if_sid>
<field name="win.system.eventID">^3$</field>
<description>TEST FORCE: Log Sysmon reçu</description>
</rule>
<rule id="100021" level="12" frequency="5" timeframe="30">
<if_matched_sid>100020</if_matched_sid>
<same_field>win.eventdata.sourceIp</same_field>
<different_field>win.eventdata.destinationPort</different_field>
<description>ALERTE : Scan de ports détecté</description>
</rule>
---
Testing windows_eventchannel events in wazuh-logtest
Temporarily modify /var/ossec/ruleset/rules/0575-win-base_rules.xml:
<rule id="60000" level="0">
<!--category>ossec</category-->
<!--decoded_as>windows_eventchannel</decoded_as-->
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Restart the manager, run your logtest session with 5 events sharing the same sourceIp but different destinationPort values. The alert fires on the 5th match.
Revert this file and restart before going back to production — leaving decoded_as>json in that base rule will break live Windows event processing.
More details on this technique: https://bluewolfninja.com/2025/09/13/ninja-script-suite-for-windows-log-testing-in-wazuh/
---
Reply all
Reply to author
Forward
0 new messages