How to check whether rule is working or not


Narayana Nani

May 21, 2026, 11:49:22 AM
to Wazuh | Mailing List
Hi Team,

I have created a rule. How can I validate whether the rule is working or not?

Olamilekan Abdullateef Ajani

May 21, 2026, 12:15:12 PM
to Wazuh | Mailing List
Hello,

The easiest way to validate a rule is by using the wazuh-logtest engine on the manager.

Run: /var/ossec/bin/wazuh-logtest

Then paste a sample log that should trigger your rule, rule ID and level

That said, you need to ensure you have created a decoder to decode the logs before a rule can be matched to trigger an alert.

So those are the things to verify before testing your rule.

For more information on writing decoders if you don't already have that, please check the documentation below:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
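An added example, not part of the thread above: a shell check that reads a wazuh-logtest report and asserts which rule ID and level the log line triggered, so a rule can be re-tested after every ruleset change. The decoder name `myapp`, rule `100100`, the sample log, the sample report and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): assert which rule a log line triggers.
LOGTEST=/var/ossec/bin/wazuh-logtest      # path given in the thread

# Constructed log line and constructed logtest report for a hypothetical
# custom decoder "myapp" and custom rule 100100; real reports have more fields.
SAMPLE_LOG='May 21 11:00:00 host myapp: login failed id=4242 user=alice'
SAMPLE_OUTPUT="**Phase 1: Completed pre-decoding.
    full_event: '$SAMPLE_LOG'
**Phase 2: Completed decoding.
    name: 'myapp'
    id: '4242'
**Phase 3: Completed filtering (rules).
    id: '100100'
    level: '5'
    description: 'myapp: login failed'
**Alert to be generated."

# phase3_field FIELD < report: print FIELD from the Phase 3 (rules) section only.
# Phase 2 can carry a decoded field with the same name (here "id"), so a plain
# grep for "id:" would report the wrong value. Prints nothing if no rule matched.
phase3_field() {
    awk -F"'" -v f="$1" '
        /^\*\*Phase 3/ { in3 = 1; next }
        /^\*\*/        { in3 = 0 }
        in3 && $1 ~ ("^[ \t]*" f ":[ \t]*$") { print $2; exit }
    '
}

# check_rule ID LEVEL < report: succeed only if that rule matched at that level.
check_rule() {
    report=$(cat)
    id=$(printf '%s\n' "$report" | phase3_field id)
    level=$(printf '%s\n' "$report" | phase3_field level)
    if [ "$id" = "$1" ] && [ "$level" = "$2" ]; then return 0; fi
    echo "expected rule $1 level $2, got rule '${id:-none}' level '${level:-none}'" >&2
    return 1
}

# On the manager (assumption: wazuh-logtest accepts the log on stdin; 2>&1 in
# case the report is written to stderr):
check_rule_live() {   # usage: check_rule_live "$SAMPLE_LOG" 100100 5
    printf '%s\n' "$1" | "$LOGTEST" 2>&1 | check_rule "$2" "$3"
}

# Offline demonstration on the constructed report above.
printf '%s\n' "$SAMPLE_OUTPUT" | check_rule 100100 5 && echo "rule 100100 matched at level 5"
```

If `check_rule` reports rule 'none', look at the Phase 2 section of the report first: a missing decoder name there means the log was never decoded, which is the precondition the reply above describes.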