Wazuh-logtest successfully but no alert presented in Wazuh-dashboard
64 views
Skip to first unread message
David Adonis
Sep 30, 2025, 11:48:45 AM9/30/25
to Wazuh | Mailing List
Context: I want to monitor Windows/Security log with EventID:6416 and then create alert whenever this 6416 Windows Event made
1. Rule
Below is my rule:
1. Rule
Below is my rule:
2. Logs in alerts.log and alerts.json
3. Test rule with log format
Issue: Although wazuh-logstest was successful, no alerts were found on the Wazuh dashboard or in alerts.log/alerts.json
Please help me with this issue
Olamilekan Abdullateef Ajani
Sep 30, 2025, 1:12:43 PM9/30/25
to Wazuh | Mailing List
Hello,
I think I see the issue. you did not make any reference to the parent rule. Even though the rule test worked, that may not be the case when actual logs are being ingested which explains why it did not match for you. I have made a correction to the rule for you below, please use as reference.
<group name="custom_rule,">
<rule id="100005" level="7">
<if_group>windows</if_group>
<field name="win.system.eventID">^6416$</field>
<description>Device $(win.eventdata.deviceDescription) plugged in</description>
</rule>
</group>
<rule id="100005" level="7">
<if_group>windows</if_group>
<field name="win.system.eventID">^6416$</field>
<description>Device $(win.eventdata.deviceDescription) plugged in</description>
</rule>
</group>
Please refer to the attached image, while testing, the log matched rule 60227 for windows, that means you may decide to replace <if_group>windows</if_group> with <if_sid>60227</if_sid> and it would still work as the same.
That being said, you can refer to the blog here on testing windows event channel logs to better understand the process and catch any error while testing.
Please let me know if you require further clarification on this.
David Adonis
Oct 1, 2025, 12:04:14 PM10/1/25
to Olamilekan Abdullateef Ajani, Wazuh | Mailing List
Many thanks; I'm very grateful. Your help really solved my issue. I think I rushed and forgot to check whether any other rules matched my custom rule beforehand
Vào Th 4, 1 thg 10, 2025 vào lúc 00:13 'Olamilekan Abdullateef Ajani' via Wazuh | Mailing List <wa...@googlegroups.com> đã viết:
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/g6-p72hXZUg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/7e20f1b5-a97e-4d25-9abb-f8c31e735a20n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages