Command to list all rule IDs


Andrehens Chicfici

Mar 26, 2025, 8:34:28 AM
to Wazuh | Mailing List
Hey,

I am documenting my build and I'm looking for a way to scrape all used RuleIDs. Or to generate a list of all RuleIDs.

Is there a quick and easy way to do this?
When I do it via the csv-export function of the dashboard I just get the name of the .xml and the "ID-block" like this:


0030-postfix_rules.xml,"ruleset/rules","enabled"
0030-postfix_rules.xml,"etc/rules","enabled"
0035-spamd_rules.xml,"ruleset/rules","enabled"
0035-spamd_rules.xml,"etc/rules","enabled"
0040-imapd_rules.xml,"ruleset/rules","enabled"



cheers
chic

Nahuel Figueroa

Mar 26, 2025, 10:32:55 AM
to Wazuh | Mailing List
Do you just want the list of active rules? Do you want them all? There's an endpoint available in the Wazuh API that returns a list of rules. https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Rules 
We can run the query and then filter to get the required data: curl -k -X GET "https://<WAZUH_MANAGER>:55000/rules?pretty=true" -H "Authorization: Bearer <TOKEN>" | jq '.data.affected_items[] | {filename, id}'

Andrehens Chicfici

Mar 27, 2025, 5:14:46 AM
to Wazuh | Mailing List

Both options would be nice. A command to get all active rules and a command to list all rules.

When I try the jq command I'm running into an error:

jq: error (at <stdin>:3): Cannot iterate over null (null) 

cheers
chic

Nahuel Figueroa

Mar 27, 2025, 9:18:02 AM
to Wazuh | Mailing List
Hi Andrehens! Surely the query failed due to authentication reasons. Run the command again like this: curl -k -X GET "https://<WAZUH_MANAGER>:55000/rules?pretty=true" -H "Authorization: Bearer <TOKEN>". Remember to replace WAZUH_MANAGER with the corresponding IP and also <TOKEN>. To generate the token check this: https://documentation.wazuh.com/current/user-manual/api/getting-started.html#logging-into-the-wazuh-server-api-via-command-line

Andrehens Chicfici

Mar 27, 2025, 10:51:16 AM
to Wazuh | Mailing List
Yeah, I managed to get an output but it just gives out a list that is structured similar to the .csv I can get from the GUI.

{
  "filename": "0060-firewall_rules.xml",
  "id": 4100
}
{
  "filename": "0900-firewall_rules.xml",
  "id": 4101
}
{
  "filename": "0060-firewall_rules.xml",
  "id": 4101
}
{
  "filename": "0900-firewall_rules.xml",
  "id": 4151
}
{
  "filename": "0060-firewall_rules.xml",
  "id": 4151
}
{
  "filename": "0065-pix_rules.xml",
  "id": 4300
}


cheers
chic

Nahuel Figueroa

Mar 27, 2025, 1:33:13 PM
to Wazuh | Mailing List
Hi Andrehens! So I didn't understand you correctly. What you sent me had more information than just the rule ID and name. Now you've got what you were looking for. Let me know if I missed anything.
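The curl/jq one-liner above prints one object per rule; turning that into the two lists asked for in the thread (every rule ID, and only the enabled ones) takes a little more work because the API paginates and because the same ID can appear under more than one filename, as the output above shows. The script below is an added example written for this thread, not code from the Wazuh project or from either poster. It obtains a token from POST /security/user/authenticate, pages through GET /rules with the limit, offset and status query parameters described in the linked API reference, and reduces the affected_items entries to sorted, deduplicated ID lists plus a filename-to-IDs map. The environment variable names (WAZUH_USER, WAZUH_PASS, WAZUH_CA) and the SAMPLE_ITEMS data are assumptions constructed for the example; the sample is shaped like the API response but with status values made up so that both lists differ. Unlike curl -k, it verifies the manager's certificate, so point WAZUH_CA at the CA that signed the API certificate.

```python
"""Collect Wazuh rule IDs from the Wazuh server API (GET /rules)."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

PAGE_SIZE = 500  # /rules is paginated; limit/offset are documented query parameters


def get_token(base_url, user, password, ctx):
    """POST /security/user/authenticate with HTTP basic auth; returns the JWT."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/security/user/authenticate",
        method="POST",
        headers={"Authorization": f"Basic {creds}"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


def fetch_rules(base_url, token, ctx, status="all"):
    """Page through GET /rules and return every affected_items entry.
    status may be "enabled", "disabled" or "all" (per the API reference)."""
    items, offset = [], 0
    while True:
        query = urllib.parse.urlencode(
            {"limit": PAGE_SIZE, "offset": offset, "status": status}
        )
        req = urllib.request.Request(
            f"{base_url}/rules?{query}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            data = json.load(resp)["data"]
        items.extend(data["affected_items"])
        offset += PAGE_SIZE
        if not data["affected_items"] or offset >= data["total_affected_items"]:
            return items


def summarize_rules(items):
    """Reduce affected_items to what the thread asked for: all rule IDs,
    enabled rule IDs (both sorted and deduplicated) and a filename -> IDs
    map for documenting which file carries which IDs."""
    all_ids = sorted({item["id"] for item in items})
    enabled_ids = sorted(
        {item["id"] for item in items if item.get("status") == "enabled"}
    )
    by_file = {}
    for item in items:
        by_file.setdefault(item["filename"], set()).add(item["id"])
    by_file = {name: sorted(ids) for name, ids in sorted(by_file.items())}
    return {"all_ids": all_ids, "enabled_ids": enabled_ids, "by_file": by_file}


# Constructed sample (assumption, not real API output) shaped like
# data.affected_items; it keeps the duplicate IDs seen in the thread
# (4101 and 4151 occur in two files) and invents the status values.
SAMPLE_ITEMS = [
    {"filename": "0060-firewall_rules.xml", "id": 4100, "status": "enabled"},
    {"filename": "0900-firewall_rules.xml", "id": 4101, "status": "enabled"},
    {"filename": "0060-firewall_rules.xml", "id": 4101, "status": "enabled"},
    {"filename": "0900-firewall_rules.xml", "id": 4151, "status": "disabled"},
    {"filename": "0060-firewall_rules.xml", "id": 4151, "status": "enabled"},
    {"filename": "0065-pix_rules.xml", "id": 4300, "status": "disabled"},
]

if __name__ == "__main__":
    import os
    import sys

    if len(sys.argv) == 2:
        # usage: python3 list_rules.py https://<WAZUH_MANAGER>:55000
        # WAZUH_USER / WAZUH_PASS / WAZUH_CA are names chosen for this example.
        ctx = ssl.create_default_context(cafile=os.environ.get("WAZUH_CA"))
        token = get_token(sys.argv[1], os.environ["WAZUH_USER"],
                          os.environ["WAZUH_PASS"], ctx)
        summary = summarize_rules(fetch_rules(sys.argv[1], token, ctx))
    else:
        summary = summarize_rules(SAMPLE_ITEMS)  # offline run on the sample
    print(json.dumps(summary, indent=2))
```

Run without arguments to see the summary for the embedded sample; with the manager URL as the single argument it queries the live API. The summary is plain JSON, so it can be dropped straight into build documentation or diffed between deployments to spot rules that were added, removed or disabled.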