Custom rule test works but isn't triggered and doesn't appear in dashboard


Alejandro Olmos Sánchez

5:43 AM
to Wazuh | Mailing List
Hello,

I have an app that creates a log in the Application event channel, so I created a custom rule to trigger on these events.

Afterwards I obtained this event as XML and tested it with the Wazuh log test, with a successful output retrieving the custom rule created above.

The problem is that this rule isn't triggered when the event is generated automatically: it doesn't appear on the Dashboard and doesn't appear in alerts.json.

What am I missing?

Regards

Lamya Imam

8:08 AM
to Wazuh | Mailing List
Hello Alejandro,

To troubleshoot the issue, I would need your help by providing me with a few details about the steps and configurations that you have made.

Can you please share the custom rule created from local_rules.xml?

I would need you to ensure that you have the name of the event channel in the location field and eventlog as the log format within the localfile block in the ossec.conf file of your agent.
Example:
<localfile>
  <location>name_of_the_event_channel</location>
  <log_format>eventlog</log_format>
</localfile>

Reference:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/configuration.html#configuring-log-collection-for-different-operating-systems

Also, could you please check if you can see the logs from Windows Event Viewer?
If the logs are visible, enable archives.json by setting <logall_json>yes</logall_json>, and share the logs related to that application by executing the following command:
cat /var/ossec/logs/archives/archives.json | grep keyword
Note: Make sure to disable the archives.json after the analysis as it consumes significant storage resources on the Wazuh server over time.

Please share the findings here, so that we can further analyze what is causing the issue.

Let me know!
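As an added troubleshooting example (not part of this thread and not Wazuh's own code): a small Python script that reads archives.json lines for one Windows channel and provider and reports whether each event matched a rule, which separates "the event never reached the manager" from "the event arrived but no rule fired". The field layout (data.win.system.channel, providerName) and the sample lines are assumptions constructed for this illustration.

```python
import json
from collections import Counter

# Constructed sample of archives.json lines (not real Wazuh output). The
# "data.win.system.channel" layout is assumed to follow Wazuh's JSON decoding
# of Windows event channel logs; an event without a "rule" key is assumed to
# be one the manager decoded but that matched no rule.
SAMPLE_ARCHIVES = """\
{"timestamp":"2024-01-01T10:00:00.000+0000","rule":{"id":"100002","level":5,"description":"MyApp custom event"},"agent":{"name":"win-agent"},"data":{"win":{"system":{"channel":"Application","eventID":"1001","providerName":"MyApp"}}}}
{"timestamp":"2024-01-01T10:00:05.000+0000","agent":{"name":"win-agent"},"data":{"win":{"system":{"channel":"Application","eventID":"1002","providerName":"MyApp"}}}}
{"timestamp":"2024-01-01T10:00:09.000+0000","rule":{"id":"60106","level":3,"description":"Windows logon success"},"agent":{"name":"win-agent"},"data":{"win":{"system":{"channel":"Security","eventID":"4624","providerName":"Microsoft-Windows-Security-Auditing"}}}}
not valid json
"""


def summarize_archives(text, channel, provider=None):
    """Count events from one Windows channel (optionally one provider) and
    report which rule IDs matched them and how many matched no rule at all.
    An event listed here but missing from alerts.json means the agent forwarded
    it and the manager decoded it, but no rule fired (or the rule's level is
    below the manager's alert threshold), so the rule itself needs attention."""
    summary = {"events": 0, "matched": 0, "unmatched": 0,
               "rule_ids": Counter(), "skipped": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            summary["skipped"] += 1  # truncated or non-JSON line, ignore it
            continue
        system = event.get("data", {}).get("win", {}).get("system", {})
        if system.get("channel") != channel:
            continue
        if provider and system.get("providerName") != provider:
            continue
        summary["events"] += 1
        rule = event.get("rule")
        if rule and "id" in rule:
            summary["matched"] += 1
            summary["rule_ids"][rule["id"]] += 1
        else:
            summary["unmatched"] += 1
    return summary


if __name__ == "__main__":
    print(summarize_archives(SAMPLE_ARCHIVES, "Application", provider="MyApp"))
```

Run it against the real file with `open("/var/ossec/logs/archives/archives.json").read()` in place of the sample; a non-zero "unmatched" count with zero hits on your custom rule ID points at the rule's match conditions rather than at log collection.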