How to check decoders/rules and ossec.conf files?


Sylmarch

Mar 7, 2022, 5:18:06 AM3/7/22
to Wazuh mailing list

Hello,

we are deploying Wazuh rules and decoders configuration using our own Ansible playbook.

When rules/decoders files are changed, we restart the wazuh-manager service to update the rules.

However, if an admin makes a mistake in the rules, let's say assigning an already-used ID to a new rule, the wazuh-manager service crashes when restarting.

Is it possible to check ALL rules/decoders, with a command or API?

A command like apache2ctl -t for Apache web service would be useful as we could test its exit status before restarting the wazuh-manager.

Besides, is there a command to check the ossec.conf configuration file?

Note 1: no utility seems to be available for the above needs.

Note 2: as far as I understand, the wazuh-logtest utility only checks, for a given log event, which decoders and rules will be matched.

Note 3: to check a single agent.conf file, we are already using the verify-agent-conf utility with the -f option.

Thanks.

Sylmarch

Mar 7, 2022, 6:17:03 AM3/7/22
to Wazuh mailing list
I found that the /var/ossec/bin/wazuh-analysisd binary has an option -t to test its configuration. It seems to work for checking rules:

When all rules' IDs are unique:
root@wazuh-server:~# /var/ossec/bin/wazuh-analysisd -t
root@wazuh-server:~# echo $?
0


When reusing an ID in a rule:
root@wazuh-server:~# /var/ossec/bin/wazuh-analysisd -t
2022/03/07 11:07:14 wazuh-analysisd: ERROR: Duplicate rule ID:100000
2022/03/07 11:07:14 wazuh-analysisd: CRITICAL: (1220): Error loading the rules: 'etc/rules/web/apache_rules.xml'.
root@wazuh-server:~# echo $?
1


wazuh-analysisd documentation is here.


The question is still open for ossec.conf. Is there a way to test it?

Sylmarch

Mar 7, 2022, 7:46:44 AM3/7/22
to Wazuh mailing list
/var/ossec/bin/wazuh-analysisd -t seems to perform some test on ossec.conf too.

When I forbid some options in an <active-response>...</active-response> node in ossec.conf file:

root@wazuh-server:~# /var/ossec/bin/wazuh-analysisd -t
2022/03/07 12:40:40 wazuh-analysisd: ERROR: (1281): Missing options in the active response configuration.
2022/03/07 12:40:40 wazuh-analysisd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
2022/03/07 12:40:40 wazuh-analysisd: CRITICAL: (1202): Configuration error at 'etc/ossec.conf'.

I'm still unsure whether /var/ossec/bin/wazuh-analysisd -t only checks some sections of the ossec.conf file or whether it checks all sections.
A confirmation from a Wazuh expert would be appreciated.

Juan Nicolás Asselle

Mar 7, 2022, 9:59:33 AM3/7/22
to Wazuh mailing list

Hi Sylmarch,

Currently, there's no daemon that could perform a test on every ossec.conf configuration, but here is a list of each daemon and its test flag coverage.

  • wazuh-analysisd: global, rules, alerts, cluster, labels, active response, rule_test
  • wazuh-agentless: agentless
  • wazuh-agentd: labels, buffer, agent_config, client
  • wazuh-logcollector: agent_config, localfile, socket
  • wazuh-syscheckd: rootcheck, syscheck
  • wazuh-modulesd: wodles, sca, vulnerability-detector, gcp-pubsub, fluent-forward, agent-upgrade, task-manager. Included in next release 4.3: office365, github
  • wazuh-monitord: global
  • wazuh-authd: auth
  • wazuh-csyslogd: syslog_output
  • wazuh-dbd: dbd, ruleset
  • wazuh-integratord: integration
  • wazuh-maild: email_alert, global
  • wazuh-remoted: remote

This documentation entry lists some of them, but it should be updated. I'm going to create an issue in the wazuh-documentation repository in order to add it.

Keep in mind that each daemon is run with the test flag during the startup process, prior to the actual daemon run (see code here).

Hope it helps!

Regards,
Nico
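Putting the thread together as an added example (not from any of the posters or from Wazuh): a POSIX sh pre-flight that runs the -t flag of each daemon in Nico's list and refuses to restart wazuh-manager unless every one exits 0, the apache2ctl -t style gate Sylmarch asked for. It assumes the binaries live under /var/ossec/bin as shown in the thread, that each listed daemon accepts -t and exits non-zero on a configuration or ruleset error, and that the manager is a systemd unit named wazuh-manager; WAZUH_PREFLIGHT_RUN is the example's own switch.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh: gate a wazuh-manager restart
# on the per-daemon "-t" configuration test discussed above.
# Assumptions: binaries under /var/ossec/bin; each listed daemon accepts -t and
# exits non-zero on a configuration or ruleset error, as analysisd does above.

WAZUH_BIN_DIR="${WAZUH_BIN_DIR:-/var/ossec/bin}"
# Daemons with test-flag coverage, taken from Nico's list in this thread.
WAZUH_DAEMONS="wazuh-analysisd wazuh-remoted wazuh-authd wazuh-monitord wazuh-maild \
wazuh-integratord wazuh-csyslogd wazuh-dbd wazuh-modulesd wazuh-syscheckd \
wazuh-logcollector wazuh-agentd wazuh-agentless"

# wazuh_preflight BIN_DIR DAEMON...: run "BIN_DIR/DAEMON -t" for each daemon,
# print one PASS/FAIL/SKIP line per daemon and return the number of failures,
# so 0 means every covered ossec.conf section and the ruleset loaded cleanly.
wazuh_preflight() {
    bin_dir="$1"; shift
    failures=0
    for daemon in "$@"; do
        bin="$bin_dir/$daemon"
        if [ ! -x "$bin" ]; then
            # Not every daemon is installed on every host (agent-only daemons on a
            # manager, for instance), so a missing binary is skipped, not failed.
            echo "SKIP $daemon (not installed)"
            continue
        fi
        # The daemon's own messages ("Duplicate rule ID", "Missing options in the
        # active response configuration", ...) stay visible for the operator.
        rc=0
        "$bin" -t || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "PASS $daemon"
        else
            echo "FAIL $daemon (exit status $rc)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use, e.g. from an Ansible handler: WAZUH_PREFLIGHT_RUN=1 sh preflight.sh
# Restart only when every test passes; otherwise leave the running manager untouched.
if [ "${WAZUH_PREFLIGHT_RUN:-0}" = "1" ]; then
    # $WAZUH_DAEMONS is deliberately unquoted so it splits into one argument per daemon.
    if wazuh_preflight "$WAZUH_BIN_DIR" $WAZUH_DAEMONS; then
        systemctl restart wazuh-manager
    else
        echo "wazuh configuration test failed; not restarting wazuh-manager" >&2
        exit 1
    fi
fi
```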
