Disable only one rule in the ruleset


Marsan

Jun 11, 2021, 6:05:56 AM6/11/21
to Wazuh mailing list
Hello team,

I want to disable only one rule and not a complete .xml file of the ruleset. Is it possible?

Juan Cabrera

Jun 11, 2021, 6:49:04 AM6/11/21
to Wazuh mailing list

Hello,

To disable only one rule, you will have to overwrite it and set the alert level to 0. For this, you will have to create a custom rule in /var/ossec/etc/rules/local_rules.xml and:

  • Copy the block of the rule you want to disable.
  • Modify the level value to 0.
  • Add overwrite="yes" to indicate that this rule is overwriting an already defined rule.

Format:

<rule id="ID_TO_OVERRIDE" level="0" overwrite="yes">
. . . 
</rule>

You can read the documentation on custom rules, where you have an example of how to do this overwrite:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

Regards,
Juan Cabrera

Marsan

Jun 16, 2021, 5:47:57 AM6/16/21
to Wazuh mailing list
Thank you very much!

I understand that with this level=0, I can make custom rules that do not generate an alert and then create a child rule of this one that does alert. Is this correct? I don't know if there is any problem because the child rule has a higher level than the parent.

Juan Cabrera

Jun 16, 2021, 11:33:12 AM6/16/21
to Wazuh mailing list

Hello,

There is no problem with having child rules whose parent rule has alert level 0. In fact, this behavior exists in the Wazuh ruleset.

The alert will still match that parent, but it will not be displayed. This is due to the log_alert_level tag in the ossec.conf file:

<alerts>    
    <log_alert_level>8</log_alert_level>
    <email_alert_level>12</email_alert_level>
</alerts>

This option indicates the minimum level for a rule to trigger an alert.

Regards,
Juan Cabrera
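As an added illustration of both answers above (not from the thread), a local_rules.xml that silences a ruleset rule by overwriting it at level 0 and then builds a level-0 parent with an alerting child. ID_TO_OVERRIDE, PARENT_ID, the copied match text, the decoder name "myapp" and the 1001xx ids are placeholders, not values from the page:

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; ids and match text are placeholders) -->
<group name="local,">

  <!-- 1. Silence a ruleset rule: copy its block verbatim, set level="0", add overwrite="yes".
       ID_TO_OVERRIDE / PARENT_ID stand for the stock rule's id and its <if_sid>. -->
  <rule id="ID_TO_OVERRIDE" level="0" overwrite="yes">
    <if_sid>PARENT_ID</if_sid>
    <match>copied match text from the stock rule</match>
    <description>Stock description (silenced with level 0)</description>
  </rule>

  <!-- 2. Level-0 parent that only classifies events from a custom decoder named "myapp";
       on its own it never raises an alert. -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp: event decoded, no alert.</description>
  </rule>

  <!-- 3. Child of the level-0 parent: a higher level here is allowed and alerts normally. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>LOGIN_FAIL</match>
    <description>myapp: login failure.</description>
  </rule>

</group>
```

Rules in local_rules.xml are loaded after the stock ruleset, which is what lets the overwrite="yes" block replace the original.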

Marsan

Jul 2, 2021, 6:33:39 AM7/2/21
to Wazuh mailing list
Hi Juan.

Continuing with the alerts: I am trying to monitor a log file of a program that I have created. My configuration:

<localfile>
    <log_format>syslog</log_format>
    <location>/home/logs/custom/</location>
</localfile>

I have checked that logs are being written to that file. I have also created decoders and custom rules according to them, but I am not receiving any alerts. I don't know if I have to write something else in the ossec.conf.

Juan Cabrera

Jul 2, 2021, 7:58:17 AM7/2/21
to Wazuh mailing list

Hello,

First of all, if you are monitoring a single file, you must use the full path to the file, in this case:

<localfile>
    <log_format>syslog</log_format>
    <location>/home/logs/custom/FILE.log</location>
</localfile>

On the other hand, you can check whether those logs are arriving at the manager. To do this, you have to change the following option in the ossec.conf file:

<ossec_config>
    <global>
    ....
       <logall>yes</logall>
    ...
    </global>
</ossec_config>

Restart the manager to apply the changes.

Then look into the /var/ossec/logs/archives/archives.log file, it contains all the events, no matter whether they triggered a rule or not. Doing so, we can see if those events are reaching the manager.

If you see the logs in the archives.log, you may have a problem with your decoders or rules. Remember that you can check that your rules generate alerts with wazuh-logtest (/var/ossec/bin/wazuh-logtest). More information is available at the following link:
https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html

I’d recommend opening a new thread for every new unrelated question you may have, instead of always using the same thread. This will help other users in the community search for and find similar questions more quickly.

Regards,
Juan Cabrera

Marsan

Jul 8, 2021, 5:27:30 AM7/8/21
to Wazuh mailing list
Hello again.

I have enabled option X in the ossec.conf, rebooted and checked the archives.log. I see in the manager the messages that are generated in the log file, but no alert is triggered.

In the configuration, I have set "<log_format>syslog</log_format>", but these logs that I generate are not in syslog format. Should I remove that line from the configuration?

Juan Cabrera

Jul 8, 2021, 6:27:47 AM7/8/21
to Wazuh mailing list
Hello Marcelo,

What is the format of the logs? In Wazuh, the accepted formats for processing logs are the following: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format

If your program does not have one of these formats, it cannot be processed.

Regards,
Juan Cabrera

Marsan

Jul 15, 2021, 6:02:31 AM7/15/21
to Wazuh mailing list
I see. My format is none of the ones specified in the documentation, but they are single line like syslog. Couldn't I use the syslog format to collect them?

Juan Cabrera

Jul 15, 2021, 6:19:51 AM7/15/21
to Wazuh mailing list
Hello,

Indeed, syslog collects the logs line by line, but it is the internal predecoder that is in charge of checking that the log is processed with the correct format.

If you are using your own log format and it is line by line, I recommend setting it to syslog. If you are using an existing format and you think it is important to add it to Wazuh, please feel free to open an issue in our repository on GitHub to request this feature.
https://github.com/wazuh/wazuh/issues/new?assignees=&labels=&template=default.md&title=

Regards,
Juan Cabrera
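As an added example of the approach in the answer above (not from the thread or the Wazuh project), a custom decoder for a single-line, non-syslog log collected with `<log_format>syslog</log_format>`. The program name "myapp", the line layout and the sample line are constructed assumptions:

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (added example; program name and line layout are assumed) -->
<!-- Constructed sample line written by the program, one event per line:
     2021-07-15 10:00:00 myapp LOGIN_FAIL user=alice src=10.0.0.5
     There is no syslog header for the predecoder to strip, so the full line is handed to the decoders. -->

<!-- Parent decoder: the prematch decides whether the line belongs to this program at all -->
<decoder name="myapp">
  <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ myapp </prematch>
</decoder>

<!-- Child decoder: extract fields after the prematch so rules can use <field name="..."> and $(user) -->
<decoder name="myapp-fields">
  <parent>myapp</parent>
  <regex offset="after_prematch">^(\S+) user=(\S+) src=(\S+)</regex>
  <order>action, user, srcip</order>
</decoder>
```

Paste the sample line into /var/ossec/bin/wazuh-logtest to confirm that action, user and srcip are extracted before writing rules against them.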

Marsan

Jul 15, 2021, 6:33:31 AM7/15/21
to Wazuh mailing list
Ok Juan, I will try to change my format to syslog.
Thank you very much for all the help you have given me these days!