Wazuh Alert Issue - Logtest Works but No Real-time Alerts


Tùng Đức
Feb 10, 2025, 1:58:19 AM
to Wazuh | Mailing List

Dear Wazuh Team,

I am experiencing an issue with Wazuh where alerts are generated successfully when using ossec-logtest, but no alerts appear in real-time when the system is running normally.

I have verified that:

  • The rules are correctly written and match logs when tested with ossec-logtest.
  • Wazuh is actively receiving logs from the monitored system.
  • No errors are present in /var/ossec/logs/ossec.log.
  • I am using version 4.8; the error happens with both Windows (windows_eventchannel) and Linux (JSON decoder).

Attached are screenshots illustrating the issue:

  • Rule test: Windows (Create schedule task 2), Linux (test - find "tungmatma") 1
  • logtest Linux 3
  • log Windows 5 and log Linux 4

Attachments: 1. rule Linux.png, 2. rule schedule task.png, 3. linux logtest.png, 4. linux log.png, 5. windows log.png

Could you please advise on potential causes and how to resolve this?

Thank you for your support!

Best regards,
Tùng

Stuti Gupta
Feb 10, 2025, 5:07:13 AM
to Wazuh | Mailing List

Hi Tùng Đức,

Firstly, the rule ID should use numbers between 100000 and 120000 for custom rules. Additionally, you can write a custom rule like this:

<group name="custom_rule,">
  <rule id="112000" level="6">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^140$</field>
    <description>Task Scheduler registered</description>
  </rule>
</group>

You can also create the rule based on the default rule that is being triggered. For example, if the default rule in your case is triggering 60001, you should create a custom rule using <if_sid> like this:

<rule id="220001" level="7">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">149</field>
  <description>added</description>
</rule>

To know which default rule is triggering, you need to test the log first in wazuh-logtest or ruletest. To test event channel logs, note that Windows event channel logs are decoded as EventChannel logs; for Windows EventChannel events we need to change one rule so that wazuh-logtest or ruletest works correctly.
In /var/ossec/ruleset/rules/0575-win-base_rules.xml we must modify rule 60000 by deleting or commenting out <category> and changing <decoded_as> to json:
<rule id="60000" level="2">
    <!-- category>ossec</category -->
    <!-- decoded_as>windows_eventchannel</decoded_as -->
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules.</description>
</rule>
Note that this is only temporary, once you have finished testing Windows events in wazuh-logtest or ruletest, you must change the rule back to its previous state.
After modifying the default rule, run the log through wazuh-logtest or ruletest.

We recommend creating custom rules and decoders based on archives.json, because in these logs we can see the full_log field. When testing this kind of log, you need to remove the backslashes (\) from the log.

To help you with this rule, can you please share the archives.json entries related to the rule you have created? You can use the following command to get some sample logs:
cat /var/ossec/logs/archives/archives.json | grep <path of the log>

Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Looking forward to your response

Tùng Đức
Feb 11, 2025, 12:35:52 AM
to Wazuh | Mailing List
Hi Gupta,
Thank you for your response!
I tried again with the JSON decoder. With the two rules, 11200 triggers an alert in logtest, but with 220001 using if_sid, no alert is generated (id 60000 is the base rule).

  <rule id="60019" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TaskScheduler/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the TaskScheduler channel</description>
  </rule>


  <rule id="112000" level="6">
    <field name="win.system.eventID">^140$</field>
    <options>no_full_log</options>
    <description>Detect updated Task Scheduler</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

  <rule id="220001" level="6">
    <if_sid>60019</if_sid>
    <field name="win.system.eventID">^106$</field>
    <options>no_full_log</options>
    <description>Detect created Task Scheduler</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

- Result logtest (screenshots): 1. Logtest Json.png, 2. Logtest no Alert.png
I look forward to hearing from you soon

Best regards,
Tùng
On Monday, February 10, 2025 at 17:07:13 UTC+7, Stuti Gupta wrote:

Stuti Gupta
Feb 14, 2025, 6:00:22 AM
to Wazuh | Mailing List

In your second log test, no alert was triggered. In this case, you need to create a rule like this:

<rule id="220001" level="3">
    <decoded_as>windows_eventchannel</decoded_as>

    <field name="win.system.eventID">^106$</field>
    <options>no_full_log</options>
    <description>Detect created Task Scheduler</description>
    <mitre>
        <id>T1053.005</id>
    </mitre>
</rule>

This rule will trigger if the log is decoded as windows_eventchannel and the win.system.eventID is 106.

For testing purposes, make sure to change the decoded field to JSON because, during testing, the decoder processes the log as JSON, but in reality, it will be decoded as windows_eventchannel.

Once you have finished testing Windows events in wazuh-logtest or ruletest, remember to revert rule 60000 to its previous state.

Let me know if you need any further assistance
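A small checker for the situation discussed in this thread, added here as an example and not part of Wazuh's own tooling: it parses rule XML, follows each <if_sid> chain upward and reports which decoder a rule inherits a requirement for, so a rule such as 220001 (whose chain reaches 60000 with decoded_as windows_eventchannel) is flagged as unable to fire in wazuh-logtest while the event is decoded as json. The rule snippets are a constructed sample based on the rules posted above, with descriptions omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on this thread: 60000 as shipped (decoded_as
# windows_eventchannel), its child 60019, and the two custom rules.
SAMPLE_RULES = r"""<group name="custom_rule,">
  <rule id="60000" level="2">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
  </rule>
  <rule id="60019" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TaskScheduler/Operational$</field>
  </rule>
  <rule id="112000" level="6">
    <field name="win.system.eventID">^140$</field>
  </rule>
  <rule id="220001" level="6">
    <if_sid>60019</if_sid>
    <field name="win.system.eventID">^106$</field>
  </rule>
</group>"""

def load_rules(xml_text):
    """Map rule id -> {"if_sid": [parent ids], "decoded_as": name or None}."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        parents = []
        for tag in r.findall("if_sid"):  # if_sid may hold a comma-separated list
            parents += [p.strip() for p in (tag.text or "").split(",") if p.strip()]
        dec = r.find("decoded_as")
        decoded_as = dec.text.strip() if dec is not None and dec.text else None
        rules[r.get("id")] = {"if_sid": parents, "decoded_as": decoded_as}
    return rules

def required_decoders(rules, rule_id, seen=None):
    """Every decoded_as demanded by rule_id or by any ancestor on its if_sid chain."""
    seen = set() if seen is None else seen
    if rule_id in seen or rule_id not in rules:  # unknown parent or a cycle: stop
        return set()
    seen.add(rule_id)
    rule = rules[rule_id]
    need = {rule["decoded_as"]} if rule["decoded_as"] else set()
    for parent in rule["if_sid"]:
        need |= required_decoders(rules, parent, seen)
    return need

def logtest_blockers(rules, logtest_decoder="json"):
    """Rules that cannot fire when wazuh-logtest decodes the event as logtest_decoder."""
    need = {rid: required_decoders(rules, rid) for rid in rules}
    return {rid: sorted(d) for rid, d in need.items() if d and logtest_decoder not in d}
```

Running logtest_blockers on the sample reports 60000, 60019 and 220001 as blocked for json input while 112000 (no if_sid) is not; changing 60000's decoded_as to json, as the thread's temporary workaround does, clears the list.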
