macOS FIM rules causing the cluster to crash after a configuration modification (modifying a rule file) is made

Nyengka Prosper

Jan 21, 2026, 7:21:19 AM
to Wazuh | Mailing List
Hi team,

I have Wazuh 4.13.1 and I mounted my fim-macos-rules to the cluster using my helm chart with the rules having the appropriate permissions. With these rules in my cluster, after making any change which will include the involvement of the analysisd, I either receive a timeout from the api logs or the cluster crashes and every change made is lost.

I need your assistance on this.

Regards,
Prosper
rules.FIM-MacOS.xml

Federico Gustavo Caffieri

Jan 21, 2026, 9:23:26 AM
to Wazuh | Mailing List
The timeout and cluster crashes you're experiencing with custom FIM rules in 4.13.1 could be related to several factors. To help diagnose the issue, could you provide:

Logs:
- Analysisd errors from /var/ossec/logs/ossec.log (around the time of the crash, filtered for analysisd errors)
- Cluster logs: grep -i "integrity\|sync" /var/ossec/logs/cluster.log
- API timeout logs from /var/ossec/logs/api.log
- Any segfault messages: journalctl -u wazuh-manager or dmesg

Configuration info:
- How are the rules mounted in your Helm chart? (ConfigMap/Volume?)
- File permissions inside the pod: ls -la /var/ossec/etc/rules/
- Cluster setup (master/workers count)

Does this happen immediately after deployment or only after making changes?
Can you test the rules with wazuh-logtest before the crash? Test with a minimal ruleset first (1-2 simple rules) to see if the problem is volume-related.
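A small pre-flight check for the rules file and the manager log, added here as an example; it is not part of the thread and not a Wazuh tool. It assumes the wazuh-analysisd log line shape `date time component: LEVEL: message` and the 100000-120000 custom-rule ID range; the sample log and rules are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Custom Wazuh rule IDs are expected in 100000-120000 (assumption, see lead-in).
CUSTOM_ID_RANGE = range(100000, 120001)
# Wazuh log line: "YYYY/MM/DD HH:MM:SS component: LEVEL: message"
LOG_LINE = re.compile(r"^\S+ \S+ (?P<src>[\w-]+): (?P<level>\w+): (?P<msg>.*)$")

def analysisd_errors(log_text):
    """Return (level, message) pairs that wazuh-analysisd logged at ERROR or CRITICAL."""
    found = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["src"] == "wazuh-analysisd" and m["level"] in ("ERROR", "CRITICAL"):
            found.append((m["level"], m["msg"]))
    return found

def lint_rules_xml(text):
    """Return findings for a rules file: XML errors, bad/duplicate IDs, missing levels."""
    try:
        # A rules file may hold several top-level <group> elements, so wrap it.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings, seen = [], set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            findings.append(f"rule without numeric id: {rid!r}")
            continue
        if int(rid) not in CUSTOM_ID_RANGE:
            findings.append(f"rule {rid} is outside the custom range 100000-120000")
        if rid in seen:
            findings.append(f"duplicate rule id {rid}")
        seen.add(rid)
        if rule.get("level") is None:
            findings.append(f"rule {rid} has no level attribute")
    return findings

# Constructed samples, not taken from the thread.
SAMPLE_OSSEC_LOG = """\
2026/01/21 07:15:03 wazuh-analysisd: ERROR: Error loading the rules: 'etc/rules/rules.FIM-MacOS.xml'.
2026/01/21 07:15:04 wazuh-clusterd: INFO: Integrity check finished.
"""
SAMPLE_RULES_BAD = """\
<group name="syscheck,macos,">
  <rule id="100100" level="7"><if_sid>550</if_sid><description>macOS file modified</description></rule>
  <rule id="100100" level="7"><if_sid>553</if_sid><description>duplicate id</description></rule>
  <rule id="554"><if_sid>554</if_sid><description>id in the reserved range</description></rule>
</group>
"""
```

Run `lint_rules_xml` over the mounted file before deploying, and `analysisd_errors` over the ossec.log excerpt around the crash to isolate the analysisd messages the reply asks for.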