Hi Chen,
Thanks for using Wazuh.
For rules located in /var/ossec/ruleset/rules, you don't need to copy them to local_rules.xml. Your alerts should appear normally on the dashboard.
For example, using a clean all-in-one installation of Wazuh, if I try to ssh into the machine with a wrong user with:
ssh fake...@192.168.56.3
I get the following alert:
** Alert 1655812245.503904: - syslog,sshd,authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7$
2022 Jun 21 11:50:45 c3->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55702
Jun 21 11:50:43 c3 sshd[7136]: Invalid user fake-user from 192.168.56.1 port 55702
The alert also appears on the dashboard under security events, as you can see in the attached image.
If you have a different result on the dashboard, have you checked that the alert is generated in the alerts.log file?
Cheers.
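
One way to do the alerts.log check asked about above, as an added example that is not part of the original reply or of Wazuh itself: it parses entries in the layout quoted in the message and returns those raised by a given rule id. The function names and the sample entries are constructed for illustration; on a default install the file is /var/ossec/logs/alerts/alerts.log.

```python
import re
import sys

# Constructed sample in the alerts.log layout quoted above; the group list is
# shortened and the second entry is made up for the example.
SAMPLE = """\
** Alert 1655812245.503904: - syslog,sshd,authentication_failed,
2022 Jun 21 11:50:45 c3->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 192.168.56.1
Src Port: 55702
Jun 21 11:50:43 c3 sshd[7136]: Invalid user fake-user from 192.168.56.1 port 55702

** Alert 1655812300.504500: - syslog,constructed_group,
2022 Jun 21 11:51:40 c3->/var/log/messages
Rule: 100001 (level 3) -> 'Constructed example rule'
Jun 21 11:51:40 c3 example[1]: constructed log line
"""

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):.*?- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELD = re.compile(r"^(Src IP|Src Port|User): (.*)$")

def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' entry."""
    alerts = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            alerts.append({"id": header.group(1), "log": [],
                           "groups": [g for g in header.group(2).split(",") if g]})
        elif alerts and line.strip():
            cur = alerts[-1]
            rule, field = RULE.match(line), FIELD.match(line)
            if "location" not in cur:          # line right after the header
                cur["location"] = line.split("->", 1)[-1]
            elif rule:
                cur.update(rule_id=int(rule.group(1)), level=int(rule.group(2)),
                           description=rule.group(3))
            elif field:
                cur[field.group(1)] = field.group(2)
            else:
                cur["log"].append(line)        # the original event text
    return alerts

def alerts_for_rule(text, rule_id):
    """Return the parsed alerts that were raised by the given rule id."""
    return [a for a in parse_alerts(text) if a.get("rule_id") == rule_id]

if __name__ == "__main__":
    # Pass the alerts.log path as the first argument; without it the sample is used.
    data = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for a in alerts_for_rule(data, 5710):
        print(a["id"], a["level"], a.get("Src IP"), a["location"], a["log"])
```

An empty result for rule 5710 means the alert was never written to alerts.log, so the place to look is the manager rather than the dashboard.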