Unclear error of Wazuh-Control


john

May 27, 2026, 8:51:34 AM
to Wazuh | Mailing List
Dear Support,

Hope this message finds you well.

I would like to know what causes this error on my Wazuh server, if there is some content inside those files.

root@wazuh:/etc/rsyslog.d# /var/ossec/bin/wazuh-control start
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malware-hashes' could not be loaded. Rule '99901' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99902' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99903' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99904' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99905' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7617): Signature ID '99905' was not found and will be ignored in the 'if_sid' option of rule '99906'.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7619): Empty 'if_sid' value. Rule '99906' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99907' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99908' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99909' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99910' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99911' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99912' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99913' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99914' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99915' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99916' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-domains' could not be loaded. Rule '99917' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-domains' could not be loaded. Rule '99918' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99919' will be ignored.
2026/05/14 19:52:28 wazuh-analysisd: WARNING: (7616): List 'etc/lists/malicious-ioc/malicious-ip' could not be loaded. Rule '99920' will be ignored.

Pedro Nicolás Gomez

May 27, 2026, 9:24:06 AM
to Wazuh | Mailing List
Hi,

Thanks for sharing the log. The warnings you're seeing come from wazuh-analysisd and correspond to warning code 7616:

(7616): List '<name>' could not be loaded. Rule 'NNNNN' will be ignored.

What does this warning mean?

This warning is raised when a rule references a CDB list that wazuh-analysisd cannot find among the lists declared and loaded at startup. As a result, those rules (99901 … 99920) are dropped and won't be evaluated. The 7619 warning on rule 99906 is a cascading effect: its if_sid points to 99905, which was already ignored for the same reason.

Most likely causes

1. The lists are not declared in ossec.conf. For analysisd to load them, in addition to having the file on disk, the corresponding <list> entry must exist inside the <ruleset> block. For example:

<ossec_config>
  <ruleset>
    ...
    <list>etc/lists/malicious-ioc/malware-hashes</list>
    <list>etc/lists/malicious-ioc/malicious-ip</list>
    <list>etc/lists/malicious-ioc/malicious-domains</list>
  </ruleset>
</ossec_config>

2. The path in the rule does not match the one declared in ossec.conf (typo, case mismatch, absolute vs relative path).
3. The list source files don't exist under /var/ossec/etc/lists/malicious-ioc/. The plain-text source file (no extension) is required; the .cdb is generated by analysisd at startup, or manually via /var/ossec/bin/wazuh-makelists.
4. Incorrect permissions on the files or directory. Both the directory and the files must be readable by the wazuh user.

Verification steps to run

1. List the directory contents and permissions:
ls -la /var/ossec/etc/lists/malicious-ioc/
2. Check that the <list> entries are declared in /var/ossec/etc/ossec.conf:
3. Restart and verify:
/var/ossec/bin/wazuh-control restart
tail -f /var/ossec/logs/ossec.log


Official documentation on CDB lists (declaration, format, usage from rules):
https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html
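
The checks from the reply above, as an added example that is not part of the original thread and is not Wazuh project code: it reads 7616 warning lines on stdin and reports, per list, whether the list is undeclared in ossec.conf, missing on disk, or unreadable. The function names are hypothetical, and the `<list>` match is a plain text match that does not skip XML comments.

```shell
#!/bin/sh
# Added example: triage wazuh-analysisd warning 7616 (list could not be loaded).
# Feed it warning lines on stdin, e.g. taken from /var/ossec/logs/ossec.log.

# Print the distinct list paths named in 7616 warnings read from stdin.
lists_from_warnings() {
    sed -n "s/.*(7616): List '\([^']*\)' could not be loaded.*/\1/p" | sort -u
}

# Print the paths declared in <list> elements of an ossec.conf-style file.
declared_lists() {
    sed -n 's:.*<list>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</list>.*:\1:p' "$1" | sort -u
}

# Classify one list path against the causes given in the reply.
# $1 = Wazuh home (assumed /var/ossec layout), $2 = list path as written in the rule.
check_list() (
    home=$1; list=$2
    if ! declared_lists "$home/etc/ossec.conf" | grep -Fxq -- "$list"; then
        echo "not-declared"      # missing <list> entry, or path differs from the rule
    elif [ ! -f "$home/$list" ]; then
        echo "source-missing"    # plain-text source file (no extension) not on disk
    elif [ ! -r "$home/$list" ]; then
        echo "unreadable"        # -r tests the invoking user: run this as the wazuh user
    else
        echo "ok"
    fi
)

# Read warnings on stdin and print "<list> <status>" for each distinct list.
triage() (
    home=${1:-/var/ossec}
    lists_from_warnings | while IFS= read -r list; do
        printf '%s %s\n' "$list" "$(check_list "$home" "$list")"
    done
)

# When called with a Wazuh home directory as argument, triage stdin against it.
if [ "$#" -gt 0 ]; then triage "$1"; fi
```
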

john

Jun 1, 2026, 2:08:28 AM
to Wazuh | Mailing List
It worked, thank you so much!

BR,
John