Re: error local_rules.xml

[Olamilekan Abdullateef Ajani]

Hello  Mélina,

Where did you capture this log from?

If this is from the ossec.log, could please share the log? Another possible reason could be the permission of the local_rules.xml file. Please use ls -la local_rules.xml to check the permission of the file.

Please see reference attached. The file should have read, write for user and group and the ownership should be wazuh.

chmod 660 /var/ossec/etc/rules/local_rules.xml
chown wazuh:wazuh /var/ossec/etc/ rules/local_rules.xml

follow the steps above as prescribe, then restart the wazuh manager
systemctl restart wazuh-manager.service

I hope this helps

On Friday, January 10, 2025 at 3:27:54 PM UTC+1 Mélina Derdab wrote:

Hello, I'm getting this error, how can I fix it? I've seen this problem come up a lot Could not open file ‘/var/ossec/etc/rules/local_rules.xml’ due to [(2)-(No such file or directory)].

[Olamilekan Abdullateef Ajani]

Hello Mélina,

I see you have the right permissions assigned to the local rules, Could you be explain when you encounter this error and please capture the error and share?

That would be more helpful in resolving this. Please share the /var/ossec/logs/ossec.log file too for analysis.

Thank you

On Monday, January 20, 2025 at 2:25:47 PM UTC+1 Mélina Derdab wrote:

Hello,

Thank you but As you can see on the screenshot it's not a file permissions problem this error is displayed every time I create a file in role to define my custom rules and so they don't take them into account can you help me unblock the situation

[Olamilekan Abdullateef Ajani]

Hello Mélina,

I have checked what you have shared, there is no reason why your Wazuh instance shouldnt work. Even without the local_rules.xml file in the /var/ossec/etc/rules/, you shouldnt get that error.

However, There are different ways to add custom rules to Wazuh, Please review the link here.

I hope this helps.

On Tuesday, January 21, 2025 at 12:21:22 PM UTC+1 Mélina Derdab wrote:

hello

I want to add custom rules in my local rules .xml file but it doesn't take them into account as it displays this error Could not open file '/var/ossec/etc/rules/local_rules.xml' due to [(2)-(No such file or directory)]. when I type sudo journalctl -u wazuh-manager --since today -f and the other one is the logs from the ossec.conf file

[Olamilekan Abdullateef Ajani]

Hello  Mélina,

You cannot make changes to the out-of-box rules located at /var/ossec/ruleset/rules directly, the changes would be erased if there is an upgrade to the manager which is why it is advised to write your custom rules to the /var/ossec/etc/rules directory.

As attached, you can create an xml file in the /var/ossec/etc/rules directory like /var/ossec/etc/rules/test-rule.xml and this would reflect.

Ref:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

On Thursday, January 23, 2025 at 10:35:13 AM UTC+1 Mélina Derdab wrote:

since I can't add a custom rules file and modify local_rules.xml, can I modify the rules directly in the /var/ossec/ruleset/rules/ directory?

Le jeudi 23 janvier 2025 à 09:52:35 UTC+1, Mélina Derdab a écrit :

Hello, I'm stuck because even when I create a new file in the /var/ossec/etc/rules/ directory to write custom rules, I get the same error.