Cluster ruleset
Yossif Helmy
Md. Nazmur Sakib
Hi Yossif Helmy,
Hope you are doing well.
Suppose you want to exclude a specific rule or decoder. You need to exclude it by changing the configuration in the ossec.conf of the Wazuh manager. The master doesn't send its local configuration file(ossec.conf) to the workers. If the configuration is changed in the master node, it should be changed manually in the workers. So you have to exclude it in all three.
When making a decoder or rule it does get saved on the three servers but the worker nodes are not restarted. They must be restarted manually in order to apply the received configuration.
You can check this document to learn more about
Let me know if you need any further information regarding this.
Yossif Helmy
Md. Nazmur Sakib
It seems it will cause an issue as custom rules and decoder will sync with worker nodes after the restart but if the default decoder and rules are not excluded on the worker nodes they will create conflict. You need to update the configuration in every manager
<ruleset>
<!-- Default ruleset -->
<rule_exclude>your_rules.xml</rule_exclude>
<decoder_exclude>your_decoders.xml</decoder_exclude>
</ruleset>
Currently, there is no other way to change the local configuration file(ossec.conf) on the worker node manually as you can see mentioned in this document How the cluster works
I hope this information helps. Let me know if you need any further assistance.
Md. Nazmur Sakib
Let me know if you need any further assistance regarding this.