Hi,
In Wazuh, there is no dedicated operator to explicitly check whether a field exists. However, you can achieve this by matching the field against a simple regular expression.
If srcip is being properly extracted by the decoder, you can add the following condition to your rule:
<field name="srcip">.+</field>
This expression means “match any non-empty value”, so the rule will only trigger when the srcip field is present in the event.
If the rule does not trigger, please verify that:
The event actually contains a source IP
The decoder is extracting it as srcip (you can confirm this in the Dashboard event details)
If you’d like, feel free to share a sample log and we can help confirm the decoding.
Best regards,
Tomas Turina
Hi,
I’d like to clarify a point from my previous response. Since srcip is a static (built-in) rule field in Wazuh, it should not be referenced using the generic <field name="..."> syntax, as this may cause a rule validation error.
To trigger a rule only when a source IP is present, you should instead use the dedicated <srcip> condition and match it with a regular expression:
<srcip>.+</srcip>
This rule will only match when srcip is present and non-empty in the decoded event.
If the rule does not trigger, please verify that:
The original log actually contains a source IP
The decoder is correctly extracting it as srcip (you can confirm this in the event details)
If needed, feel free to share a sample event and we can help validate the decoding.
Best regards,
Tomas Turina
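The approach described in both replies above, put into a complete custom rule file, as an added example that is not part of the original posts or of the Wazuh ruleset. The group name, the rule IDs 100200/100201 and the decoder name "myapp" are assumptions; replace them with your own parent rule or decoder. Only the child rule carries the `<srcip>.+</srcip>` condition, so it fires solely when the decoder actually populated srcip with a non-empty value:

```xml
<!-- Added example (not from the original thread). IDs 100200/100201 and the
     decoder name "myapp" are placeholders; custom rule IDs live in the
     100000-120000 range reserved for local rules. -->
<group name="local,custom,">

  <!-- Base rule: matches every event handled by the hypothetical "myapp" decoder,
       whether or not it carries a source IP -->
  <rule id="100200" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp event (base rule)</description>
  </rule>

  <!-- Child rule: same events, but only when srcip was decoded and is non-empty.
       srcip is a built-in rule field, so it is referenced with its own tag
       rather than with <field name="srcip">, which can fail rule validation. -->
  <rule id="100201" level="7">
    <if_sid>100200</if_sid>
    <srcip>.+</srcip>
    <description>myapp event with a source IP: $(srcip)</description>
  </rule>

</group>
```

Save this as part of /var/ossec/etc/rules/local_rules.xml, restart wazuh-manager, and feed a sample log through /var/ossec/bin/wazuh-logtest: an event where the decoder extracts srcip should end at rule 100201, while the same event without an address should stop at 100200. If everything stays at 100200, the decoder is not producing srcip, which is the case the replies above ask you to verify first.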