Issue with Co-relation Rules

Mithun Haridas

May 19, 2026, 2:07:08 AM
to Wazuh | Mailing List

Hi Team,

I am facing an issue while creating multiple-case (correlation) rules.

I created a rule to match multiple conditions, and it works as expected when tested using the ruleset test. However, the same logic is not working correctly in the production environment.

Custom Rule

<rule id="118606" level="5">
  <if_sid>118600</if_sid>
  <field name="Severity">^INFO$</field>
  <field name="Event">^Expected_deletion$</field>
  <description>SIEM-Logs: Zip file deleted after the retention period expiry.</description>
</rule>

<rule id="118607" level="3" frequency="2" timeframe="5400"> <!-- 1 hour 30 min -->
  <if_matched_sid>118606</if_matched_sid>
  <same_field>File</same_field>
  <description>SIEM-Logs: Duplication of zip file deleted after the retention period expiry.</description>
</rule>

Sample Log:

SIEM-Integrity: 2026-05-19 05:00:01 [INFO] msg=Expected_deletion, Dir=sample, File=/var/123/logs/sample/log.gz, Age_days=10d


I created the multiple-case rule to detect duplicate logs for the same file within a defined timeframe (1 hour 30 minutes).

However, even when:

  • The same log is generated multiple times
  • The File field value is identical
  • All conditions of the correlation rule are satisfied

The alerts are still only matching the parent rule (118606) and not triggering the correlation rule (118607) in production.

Interestingly, this works correctly during ruleset testing, but not in the actual environment.


Could you please help me identify why the correlation rule is not triggering in production and what might be missing or misconfigured?

Regards


Md. Nazmur Sakib

May 19, 2026, 2:13:11 AM
to Wazuh | Mailing List
Hi Mithun,

I am testing this from my end. Please allow me some time, I will get back to you with my test result.

Md. Nazmur Sakib

May 19, 2026, 3:18:12 AM
to Wazuh | Mailing List
I was able to see the alerts in the dashboard without any issues with your rules.
2026-05-19 13 11 45.png
Make sure to reload the rule engine or restart the Wazuh manager after making changes to the decoders and rules to apply them.
2026-05-19 13 10 00.png

Are these events from the same endpoint (agent)?

If you still face any issues, share a screenshot of your Wazuh dashboard from Threat Hunting > Events.
Filter by rule IDs 118606 and 118607, and include rule.firedtimes as in the first screenshot.

Let me know the update on the issue.

Mithun Haridas

May 20, 2026, 2:38:33 AM
to Wazuh | Mailing List
Hi,

Yes, these events are from the same agent. Still, my rule is not working as expected.
I have attached the screenshot of Threat Hunting > Events below.

scrrenshot.png

Md. Nazmur Sakib

May 20, 2026, 6:35:05 AM
to Wazuh | Mailing List

Can you share the JSON format alerts for the rule 118606 with me, so that I get a better understanding of the decoded fields?

grep "118606" /var/ossec/logs/alerts/alerts.json


Also, review ossec.log and share any errors or warnings related to rules:

grep -iE 'error|warn' /var/ossec/logs/ossec.log

Looking forward to your update.

Mithun Haridas

6:14 AM
to Wazuh | Mailing List
Please find the requested data below:

JSON

{
  "_index": "wazuh-alerts-4.x-2026.05.23",
  "_id": "M2G9Op4B0w7Oln7W86DW",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "rd-wm-01",
      "id": "000"
    },
    "manager": {
      "name": "rd-wm-01"
    },
    "data": {
      "date": "2026-05-23",
      "FileAge": "9",
      "Event": "Expected_deletion",
      "Severity": "INFO",
      "time": "09:00:02",
      "File": "/var/123/logs/sample/log.gz",
      "Directory": "sample"
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 5,
      "description": "SIEM-Logs: Zip file deleted after the retention period expiry.",
      "groups": [
        "integrity_monitoring"
      ],
      "id": "118606"
    },
    "location": "/home/123/test/test_logs",
    "decoder": {
      "name": "wazuh-integrity"
    },
    "id": "1779101977.69399",
    "message": "{\"timestamp\":\"2026-05-18T10:59:37.775+0000\",\"rule\":{\"level\":5,\"description\":\"SIEM-Logs: Zip file deleted after the retention period expiry.\",\"id\":\"118606\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"integrity_monitoring\"]},\"agent\":{\"id\":\"000\",\"name\":\"rd-wm-01\"},\"manager\":{\"name\":\"rd-wm-01\"},\"id\":\"1779101977.69399\",\"full_log\":\"SIEM-Integrity: 2026-05-18 09:00:02 [INFO] msg=Expected_deletion, Dir=sample, File=/var/123/logs/sample/log.gz, Age_days=9d\",\"decoder\":{\"name\":\"wazuh-integrity\"},\"data\":{\"date\":\"2026-05-18\",\"time\":\"09:00:02\",\"Severity\":\"INFO\",\"Event\":\"Expected_deletion\",\"Directory\":\"sample\",\"File\":\"/var/123/logs/sample/log.gz\",\"FileAge\":\"9\"},\"location\":\"/home/123/test/test_logs\"}",
    "full_log": "SIEM-Integrity: 2026-05-18 09:00:02 [INFO] msg=Expected_deletion, Dir=sample, File=/var/123/logs/sample/log.gz, Age_days=9d",
    "timestamp": "2026-05-23T10:59:37.775+0000"
  },
  "fields": {
    "timestamp": [
      "2026-05-23T10:59:37.775Z"
    ]
  },
  "highlight": {
    "decoder.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-integrity@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1779101977775
  ]
}


Also, as you guided, I checked ossec.log and verified that there are no error or warning logs related to rules.
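One way to triage the alerts.json data that Nazmur asked for, as an added example (not code from this thread or from the Wazuh project): it reads one-JSON-per-line alerts, groups the 118606 alerts by agent.id and data.File, and reports where two parent alerts for the same File fall within 5400 s, which is where rule 118607 (frequency="2", timeframe="5400", same_field File) should have fired. The sample alerts are constructed here and modelled on the alert Mithun posted; the sliding-window count is a simplified model of the documented frequency/timeframe semantics and is not the manager's own matching code, so treat its output as a pointer to where to look rather than as a statement of what the engine did. It also flags File values that differ only by surrounding whitespace, which look identical in the dashboard but will not satisfy <same_field>.

```python
"""Triage helper for a Wazuh frequency/same_field correlation rule.

Added example, not code from the Wazuh project or from the thread.  Reads
alerts.json (one JSON alert per line), collects alerts for the parent rule,
groups them by agent and by the field named in <same_field>, and reports
groups where FREQUENCY parent alerts fell inside TIMEFRAME seconds.  The
windowing is a simplified model of frequency/timeframe, not the engine.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PARENT_RULE = "118606"
CHILD_RULE = "118607"
SAME_FIELD = "File"      # <same_field>File</same_field> in rule 118607
FREQUENCY = 2            # frequency="2"
TIMEFRAME = 5400         # timeframe="5400" (seconds)


def _alert(ts, rule_id, file_value, agent="000"):
    # Constructed alert in the shape of the alerts.json record from the thread.
    return json.dumps({
        "timestamp": ts,
        "rule": {"id": rule_id, "level": 5},
        "agent": {"id": agent, "name": "rd-wm-01"},
        "data": {"Severity": "INFO", "Event": "Expected_deletion",
                 "File": file_value},
    })


# Constructed sample: two parent alerts for the same file 40 minutes apart,
# one for the same file three hours later, and one whose File value differs
# only by a trailing space (a common reason same_field never matches).
SAMPLE_ALERTS_JSON = "\n".join([
    _alert("2026-05-23T09:00:02.000+0000", PARENT_RULE, "/var/123/logs/sample/log.gz"),
    _alert("2026-05-23T09:40:02.000+0000", PARENT_RULE, "/var/123/logs/sample/log.gz"),
    _alert("2026-05-23T12:40:02.000+0000", PARENT_RULE, "/var/123/logs/sample/log.gz"),
    _alert("2026-05-23T12:41:02.000+0000", PARENT_RULE, "/var/123/logs/sample/log.gz "),
])


def parse_ts(ts):
    # Wazuh alert timestamps look like 2026-05-23T10:59:37.775+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_alerts(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def expected_child_firings(alerts):
    """(agent_id, field_value, first_ts, last_ts) for every point where
    FREQUENCY parent alerts with the same agent and SAME_FIELD value fall
    within TIMEFRAME seconds.  Each parent alert counts toward at most one
    firing (simplifying assumption)."""
    groups = defaultdict(list)
    for a in alerts:
        if a["rule"]["id"] != PARENT_RULE:
            continue
        groups[(a["agent"]["id"], a["data"].get(SAME_FIELD))].append(parse_ts(a["timestamp"]))
    hits, window = [], timedelta(seconds=TIMEFRAME)
    for (agent, value), times in groups.items():
        if value is None:
            continue  # same_field cannot match if the field was not decoded
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # keep window <= TIMEFRAME
                start += 1
            if end - start + 1 >= FREQUENCY:
                hits.append((agent, value, times[start], times[end]))
                start = end + 1
    return hits


def child_alert_count(alerts):
    return sum(1 for a in alerts if a["rule"]["id"] == CHILD_RULE)


def near_duplicate_values(alerts):
    """Distinct SAME_FIELD values that collapse to one string after stripping
    whitespace: they look identical on the dashboard but never satisfy same_field."""
    seen = defaultdict(set)
    for a in alerts:
        if a["rule"]["id"] == PARENT_RULE and a["data"].get(SAME_FIELD) is not None:
            seen[a["data"][SAME_FIELD].strip()].add(a["data"][SAME_FIELD])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Real use: load_alerts(open("/var/ossec/logs/alerts/alerts.json").read())
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    for agent, value, t0, t1 in expected_child_firings(alerts):
        print(f"rule {CHILD_RULE} expected for agent {agent}, {SAME_FIELD}={value!r}, between {t0} and {t1}")
    print(f"actual {CHILD_RULE} alerts in file: {child_alert_count(alerts)}")
    for variants in near_duplicate_values(alerts).values():
        print(f"{SAME_FIELD} values differing only by whitespace: {variants}")
```

If the script reports an expected firing but the child count is 0, the two things to compare in the real parent alerts are the agent and the exact decoded File value, since both must be identical for the correlation to apply.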