ruleset hot reload problem
45 views
Skip to first unread message
DK
Jan 21, 2026, 9:04:24 AM (yesterday) Jan 21
to Wazuh | Mailing List
Hello!
I have cluster with 1 master and 2 workers.
I updated wazuh to version 4.14.2 and encountered an issue when changing rules.
I updated wazuh to version 4.14.2 and encountered an issue when changing rules.
When I change them in the web interface, I click buttons "Save" and "Reload". Everything seems to work correctly, no errors. If I look at the rules file management, the changes are saved.
The logs show events "wazuh-analysisd INFO Ruleset reloaded successfully" and "wazuh-analysisd INFO Reloading ruleset".
However, the changes aren't actually applied.The system is running using the old rules file. If I perform a full restart, the changed rules are applied correctly.
What could be the problem?
Julián Morales
Jan 21, 2026, 9:59:21 AM (yesterday) Jan 21
to DK, Wazuh | Mailing List
Hi laboulle1987,
`wazuh-analysisd INFO Ruleset reloaded successfully` ->If you see this message in the ossec.log log, it means that the ruleset was reloaded correctly. What we need to analyze is whether the files on the master and workers are up to date at the time of reloading.
`wazuh-analysisd INFO Ruleset reloaded successfully` ->If you see this message in the ossec.log log, it means that the ruleset was reloaded correctly. What we need to analyze is whether the files on the master and workers are up to date at the time of reloading.
Have you seen this message on the master and workers? How did you detect that it has not been updated?
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/6178da01-634c-45d0-a3d1-9c16b23f4ea9n%40googlegroups.com.
DK
12:23 AM (13 hours ago) 12:23 AM
to Wazuh | Mailing List
Hi,
Julián Morales!
I change level and description in custom rule, save and reload. With "Mange rules files" I see, that file is changed.
I change level and description in custom rule, save and reload. With "Mange rules files" I see, that file is changed.
Logs on master after reload:
Jan 22, 2026 @ 07:56:44.000 wazuh-analysisd INFO Reloading ruleset
Jan 22, 2026 @ 07:56:44.000 wazuh-analysisd INFO Ruleset reloaded successfully
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:router INFO Loaded router module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:content_manager INFO Loaded content_manager module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:inventory-harvester INFO Loaded Inventory harvester module.
Logs on both workers are same:
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:router INFO Loaded router module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:content_manager INFO Loaded content_manager module.
Jan 22, 2026 @ 07:56:40.000 wazuh-modulesd:inventory-harvester INFO Loaded Inventory harvester module.
But the changes aren't applied, and the level and descriptions remain the same. Only a restart will apply the changes.
среда, 21 января 2026 г. в 17:59:21 UTC+3, Julián Morales:
Julián Morales
9:12 AM (4 hours ago) 9:12 AM
to DK, Wazuh | Mailing List
Hi laboulle1987,
I see that in the master you have the logs for `Reloading ruleset` and `INFO Ruleset reloaded successfully`, but you didn't share them in the workers.
It may take a while for the workers to synchronize, but eventually you should see those logs.
Until you see the log `INFO Ruleset reloaded successfully` on the workers, the workers will continue to process events with the old ruleset.
Can you check if you see those logs on the workers?
To view this discussion visit https://groups.google.com/d/msgid/wazuh/d4f5fbf9-8015-4832-b431-8311f99ac9aen%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages