Maintenance Flag Agent

63 views
Skip to first unread message

Brenno Garcia

unread,
Mar 27, 2026, 4:34:13 PM (10 days ago) Mar 27
to Wazuh | Mailing List
Hello,

I would like to create a suppression rule for agents who are on the CDB maintenance list.

My CDB:
Screenshot_12.png
My rule:
Screenshot_13.png
But it doesn't seem to be working. I had the impression that alerts that weren't generated before (e.g., rule.id 1002 level 2) fall into the suppression alert and therefore appear on the dashboard (since it's level 4), but alerts that were already falling previously (e.g., 404 code) continue to appear normally.Screenshot_11.png

Javier Adán Méndez Méndez

unread,
Mar 27, 2026, 5:26:40 PM (10 days ago) Mar 27
to Wazuh | Mailing List
Hi Brenno

Your rule is actually creating alerts rather than silencing them because it's set to Level 4. In Wazuh, only Level 0 rules prevent alerts from appearing on the dashboard.


<rule id="100051" level="0">
<if_sid>31101, 40704, 652</if_sid>
<list field="hostname" lookup="match_key">etc/lists/maintenancemode</list>
<description>Supresión de alertas en mantenimiento.</description>
</rule>

some resource that may can help you

https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

a example  on our reddit community

https://www.reddit.com/r/Wazuh/comments/1exd4ss/wazuh_rule_suppression/

Muhammad Ali Khan

unread,
Mar 30, 2026, 4:34:55 AM (8 days ago) Mar 30
to Brenno Garcia, Wazuh | Mailing List

  • Dear Brenno Garcia      for this use case

    Prepare the CDB list
    • Make /var/ossec/etc/lists/maintenance_agents
    • We can add more agent hostnames ( agent.name) , we want to monitor.

    • Example:

      user-ali
      agent-02
      agent-03

  • Rebuild the CDB

    /var/ossec/bin/wazuh-cdb maintenance_agents maintenance_agents.cdb
  • Configure the Rule

    • Place the rule in your custom rules file:

      /var/ossec/etc/rules/local_rules.xml

<rule id="101509" level="9">
        <if_group>windows|json|syslog</if_group>
        <list field="hostname">etc/lists/maintenance_agents</list>
        <description>Maintenance in Process - Agent: $(hostname)</description>
        <options>no_full_log</options>
      </rule>

    • Reference the CDB list as shown:

      <list field="hostname">etc/lists/maintenance_agents</list>
    •  image.png

  • Restart Wazuh Manager

    systemctl restart wazuh-manager
  • Verify
    • Go to Wazuh Dashboard

    • Check Discover / Alerts in wazuh Dashboard to see triggered alerts like:

      Maintenance in Process - Agent: user-ali

image.png

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/b5b23d15-eb1a-4c82-bc93-0c6d085252fdn%40googlegroups.com.

Brenno Garcia

unread,
Mar 30, 2026, 11:21:26 AM (7 days ago) Mar 30
to Wazuh | Mailing List
Hello,
Thanks, but in this case i need to specify if groups/rules?
There is not an global supression?

Javier Adán Méndez Méndez

unread,
Mar 31, 2026, 2:27:17 AM (7 days ago) Mar 31
to Wazuh | Mailing List

Hi Brenno,

There is no global "mute" switch in Wazuh. To silence alerts, your rule must be level 0. By default, Wazuh only generates alerts for rules level 3 and above (set in your ossec.conf), so your current level 4 rule is actually creating a new alert instead of hiding it.

Also, use agent.name instead of hostname to avoid common decoding issues



<rule id="100051" level="0">

  <if_group>syslog|windows|linux|pci_dss</if_group>
  <list field="agent.name" lookup="match_key">etc/lists/maintenancemode</list>
  <description>Suppressing maintenance agents</description>
</rule>

Make sure your CDB keys match your agent names exactly and verify the fields using /var/ossec/bin/wazuh-logtest

your questions  might be related to known issues #8269 and #4067.

Muhammad Ali Khan

unread,
Mar 31, 2026, 3:37:25 AM (7 days ago) Mar 31
to Javier Adán Méndez Méndez, Wazuh | Mailing List
<global>
  <jsonout_output>no</jsonout_output>
  <alerts_log>no</alerts_log>
</global>


other option is also in ossec.conf

To view this discussion visit https://groups.google.com/d/msgid/wazuh/f3954999-fdf0-499f-a534-7de78f874ec5n%40googlegroups.com.

Brenno Garcia

unread,
Mar 31, 2026, 9:53:22 AM (6 days ago) Mar 31
to Wazuh | Mailing List
Hello
I think I expressed myself incorrectly. Yes, I understand that alerts > 3 go to the dashboard. What I mean is that, based on a CDB with the agent.name, I want to create a rule that checks if the agent is there and suppresses all alerts. Initially, I set the level to +3 to see if all alerts from that agent would trigger this maintenance rule (but I will change it to 0 later).

However, my question is whether I need to include if_group or if_sid in:

<rule id="100051" level="0">

  <list field="hostame" lookup="match_key">etc/lists/maintenancemode</list>

  <description>Suppressing maintenance agents</description>

</rule>

Because my goal is to suppress everything about that agent.

Javier Adán Méndez Méndez

unread,
Apr 1, 2026, 7:44:50 PM (5 days ago) Apr 1
to Wazuh | Mailing List
Yes, include if_group and use  agent.name instead of hostname


<rule id="100051" level="0">
  <if_group>syslog|windows|linux|pci_dss|netflow|web|ossec</if_group>

  <list field="agent.name" lookup="match_key">etc/lists/maintenancemode</list>
  <description>Suppressing maintenance agents</description>
</rule>
Reply all
Reply to author
Forward
0 new messages