Custom Wazuh Json Decoder


Andrea Consadori

Nov 11, 2025, 8:04:17 AM
to Wazuh | Mailing List
Hi all,
I created a custom decoder for a JSON log and currently it is matched

[attachment: photo1.png]
but the rule always fails with the error you can see above

Wazuh-Logtest: WARNING: (7611): Category was not found. Invalid 'category'. Rule '100101' will be ignored

but I have a very simple rule
root@wazuhserver:/var/ossec/etc/rules# cat 00-sophosTest.xml
<group name="sophoscentral">
    <rule id="100101" level="13">
        <decoded_as>socos-json</decoded_as>
        <field name="attackType">Suspicious Activity</field>
        <description>SophosCentralEvent</description>
    </rule>
</group>

So where is the "missing" category?

Thanks

Olamilekan Abdullateef Ajani

Nov 11, 2025, 9:22:06 AM
to Wazuh | Mailing List

Hello Andrea,

The problem is with the way you named your custom rule file; this resonates with the naming convention of the out-of-the-box rules. Please see attached for reference. And because they are in a category, the rule engine is mismatching your custom file as a default file in a wrong path.

What to do: please rename the file to start with something different, maybe 11- or just the name, and it should be fine.

Please let me know if you require further assistance on this.
[attachments: category2.png, category-test.png]

Andrea Consadori

Nov 13, 2025, 1:53:12 AM
to Wazuh | Mailing List
Hello, finally on Reddit a user (nazmur-sakib) helped me to fix it:

All logs go through this rule file, `0010-rules_config.xml`, before matching other rules.

The rules in this file define the category of the logs.

Due to the name of your custom rule file (00-sophosTest.xml) it comes before this rule file in alphanumeric order. And that is why it is saying it is missing (invalid) the category for this rule.

Change the rule file name to something like `0020-sophosTest.xml`, which comes after 0010, and restart the manager; that should resolve the issue.

`mv /var/ossec/etc/rules/00-sophosTest.xml /var/ossec/etc/rules/0020-sophosTest.xml`

`systemctl restart wazuh-manager`
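As an added check (not from the thread and not a Wazuh tool), the shell function below lists the `.xml` rule files in a directory whose names sort before `0010-rules_config.xml` in byte order, which is exactly the condition the Reddit answer describes; run it against `/var/ossec/etc/rules` to spot a custom file that will lose its category before you restart the manager. The demo directory and its file names are constructed for the example.

```shell
#!/bin/sh
# Added example: find custom rule files that load before the category-setting
# rules. Assumption (from the thread): rule files are loaded in alphanumeric
# order and 0010-rules_config.xml must come first, or later rules are skipped
# with "WARNING: (7611): Category was not found".
CONFIG_RULE_FILE="0010-rules_config.xml"

# Print the basenames of *.xml files in "$1" that sort before 0010-rules_config.xml.
rules_loaded_before_config() {
    dir="$1"
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        # Byte-order (C locale) sort of the two names; if ours comes first
        # and is not the config file itself, it is loaded too early.
        first=$(printf '%s\n%s\n' "$name" "$CONFIG_RULE_FILE" | LC_ALL=C sort | head -n 1)
        if [ "$first" = "$name" ] && [ "$name" != "$CONFIG_RULE_FILE" ]; then
            echo "$name"
        fi
    done
}

# Demo on a constructed directory using the thread's file names.
demo_dir=$(mktemp -d)
touch "$demo_dir/00-sophosTest.xml" "$demo_dir/0010-rules_config.xml" \
      "$demo_dir/0020-sophosTest.xml" "$demo_dir/local_rules.xml"
rules_loaded_before_config "$demo_dir"   # prints only 00-sophosTest.xml
rm -rf "$demo_dir"
```

On a live manager, `rules_loaded_before_config /var/ossec/etc/rules` should print nothing; any name it prints is a file that needs renaming as in the `mv` above.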

