Issue: Host-based anomaly detection event (rootcheck).


ACH. MUQODDAM

Feb 9, 2026, 11:43:01 PM
to Wazuh | Mailing List
Hi everyone,

I am seeing daily recurring alerts in my Wazuh dashboard for 'Possible hidden file' under /dev/.lxc/proc/ on my servers. These are flagged as rule level 7 (Host-based anomaly detection). Since these servers run LXC containers, is this a known false positive, and what is the best practice to tune the Rootcheck configuration to handle these LXC-related paths?

[Attachment: Screenshot from 2026-02-10 11-08-56.png]

Every day my Wazuh logs are flooded with level 7 rootcheck alerts on all servers regarding files like /dev/.lxc/proc/version_signature and others. I understand these are part of the LXC environment. How do I verify if these are indeed false positives, and how should I update my ossec.conf to ignore these specific LXC artifacts?


Md. Nazmur Sakib

Feb 9, 2026, 11:52:36 PM
to Wazuh | Mailing List

Hello!

You can write a custom rule with level 0 to stop this alert from triggering. You need to use a regex pattern matching specifically the logs that are false positives.

Add the following rule to the /var/ossec/etc/rules/local_rules.xml file:

<group name="rootcheck,tune_rule,">
  <rule id="100100" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.lxc/proc/</match>
    <description>Ignore false positive for /dev/.lxc/proc</description>
  </rule>
</group>


Restart the Wazuh manager to apply the changes:

systemctl restart wazuh-manager

Ref: Ignoring false positives



Let me know if this resolves your issue.
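To see why a `<match>` on the literal string `/dev/.lxc/proc/` is a narrow suppression key, here is an added example (not code from the reply above or from Wazuh) that emulates how Wazuh applies an sregex `<match>` to rootcheck messages and compares it with what a `<regex>` would do. Wazuh's sregex only knows the operators `^`, `$` and `|`; every other character, the dot included, is literal. The sample messages are constructed and only approximate the wording of a rootcheck "hidden file in /dev" finding; the paths are the ones from the thread plus two deliberately non-matching ones.

```python
"""Emulate how a Wazuh <match> (sregex) pattern is applied to rootcheck messages.

Added example for this thread; not code from the poster or from Wazuh.
sregex operators: ^ (anchor at start), $ (anchor at end), | (alternation).
Everything else, including '.', is a literal character.
"""
import re
from typing import List, Optional, Tuple

# The suppression rule from the reply, reduced to the fields the emulation needs.
# Rule 510 ("Host-based anomaly detection event (rootcheck)", group "rootcheck")
# is the level-7 parent whose alert the child rule overrides.
PARENT_LEVEL = 7
SUPPRESSION_RULES = [
    {"id": 100100, "level": 0, "if_group": "rootcheck", "match": "/dev/.lxc/proc/"},
]

# Constructed sample messages; only the embedded path matters for the match.
SAMPLES = [
    "File '/dev/.lxc/proc/version_signature' present on /dev. Possible hidden file.",
    "File '/dev/.lxc/proc/meminfo' present on /dev. Possible hidden file.",
    "File '/dev/shm/.hidden' present on /dev. Possible hidden file.",
    "File '/dev/xlxc/proc/version_signature' present on /dev. Possible hidden file.",
]


def sregex_match(pattern: str, text: str) -> bool:
    """True if `text` satisfies the sregex `pattern` (simplified emulation).

    Each '|'-separated alternative is tried on its own: a leading '^' pins it
    to the start of the text, a trailing '$' to the end, otherwise it is a
    plain substring search.  No other character is special.
    """
    for alt in pattern.split("|"):
        start_anchor = alt.startswith("^")
        end_anchor = alt.endswith("$") and len(alt) > 1
        body = alt[1 if start_anchor else 0 : len(alt) - (1 if end_anchor else 0)]
        if start_anchor and end_anchor:
            hit = text == body
        elif start_anchor:
            hit = text.startswith(body)
        elif end_anchor:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def regex_would_match(pattern: str, text: str) -> bool:
    """What the same string does when read as a regular expression instead."""
    return re.search(pattern, text) is not None


def effective_level(message: str, groups=("rootcheck",)) -> Tuple[int, Optional[int]]:
    """Return (level, rule_id) once the child rules have been considered.

    A child fires only when its <if_group> is among the event's groups and its
    <match> hits; the first hit wins and its level replaces the parent's.
    With no hit, the parent's level 7 stands and rule_id is None.
    """
    for rule in SUPPRESSION_RULES:
        if rule["if_group"] in groups and sregex_match(rule["match"], message):
            return rule["level"], rule["id"]
    return PARENT_LEVEL, None


def triage(messages: List[str]) -> List[Tuple[str, int, Optional[int]]]:
    """Classify each message as (message, effective level, suppressing rule id)."""
    return [(m,) + effective_level(m) for m in messages]


if __name__ == "__main__":
    for msg, level, rid in triage(SAMPLES):
        verdict = f"suppressed by {rid}" if level == 0 else f"alert level {level}"
        print(f"{verdict:22} {msg}")
    # The '.' is literal in <match> but a wildcard in <regex>:
    print("sregex on /dev/xlxc:", sregex_match("/dev/.lxc/proc/", SAMPLES[3]))
    print("regex  on /dev/xlxc:", regex_would_match("/dev/.lxc/proc/", SAMPLES[3]))
```

The third and fourth samples show the two properties worth checking before deploying a suppression: a hidden file elsewhere under /dev still raises the level-7 alert, and a path that differs from the LXC one by a single character is not silenced, which it would be if the same string were used in `<regex>`.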

ACH. MUQODDAM

Feb 10, 2026, 3:59:30 AM
to Wazuh | Mailing List
Hi Md. Nazmur Sakib,

Thank you for the guidance. I have implemented the custom rule in my /var/ossec/etc/rules/local_rules.xml on the Wazuh Manager as you suggested. I used the following configuration:
root@wazuhprod:/home/w414p# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Numbering Scheme: -->
<!-- SSH Related: 100000 - 100099 -->
<!-- FTP Related: 100200 - 100299 -->
<!-- Web Related: 100100 - 100199 -->
<!-- Docker/Container: 100300 - 100399 -->
<!-- Rootcheck/System: 100500 - 100599 -->
<!-- Custom Dedup: 100600 - 100699 -->

 <group name="local,syslog,sshd,web,attack,linux,docker,network,custom_dedup,rootcheck,tune_rule,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100101" level="1">
    <if_sid>31101</if_sid>
    <srcip>10.200.0.1</srcip>
    <description>Ignore web 404 from internal gateway</description>
  </rule>

  <!-- Mute promiscuous mode for Docker veth interfaces -->
  <rule id="100301" level="0">
    <if_sid>5104</if_sid>
    <hostname>mailserver</hostname>
    <match>device vethc4ea9f2 entered promiscuous mode</match>
    <description>
      Interface entered in promiscuous(sniffing) mode.
    </description>
  </rule>

  <!-- Ignore LXC boot-id file in /dev -->
  <rule id="100501" level="0">

    <if_group>rootcheck</if_group>
    <match>/dev/.lxc/proc/</match>
    <description>Ignore false positive for /dev/.lxc/proc</description>
  </rule>

 </group>

I have restarted the Wazuh Manager, and I am currently monitoring the incoming alerts to confirm if this stops the daily reports. I will wait for the next scheduled scan to see if it works as expected.
In the meantime, could you please clarify if this Manager-side configuration is enough? Or should I also perform any specific configuration on the Wazuh Agent side (like adding an ignore path in ossec.conf) to prevent the agent from flagging these files in the first place?

I want to make sure I’m following the best practices for this. Thanks again for your help!

ACH. MUQODDAM

Feb 11, 2026, 6:57:49 AM
to Wazuh | Mailing List

Hello,

[Attachment: Screenshot from 2026-02-11 12-43-08.png]

Following up on my previous message, I am still receiving alerts for the "promiscuous mode" issue even though I have added a custom rule to suppress it.

I applied the following configuration in my local_rules.xml on February 9th and restarted the Wazuh Manager, but the alerts reappeared on February 10th:

  <!-- Mute promiscuous mode for Docker veth interfaces -->
  <rule id="100301" level="0">
    <if_sid>5104</if_sid>
    <hostname>mailserver</hostname>
    <match>device vethc4ea9f2 entered promiscuous mode</match>
    <description>
      Interface entered in promiscuous(sniffing) mode.
    </description>
  </rule>

  <!-- Ignore LXC file in /dev/.lxc/proc -->
  <rule id="100501" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.lxc/proc/</match>
    <description>Ignore false positive for /dev/.lxc/proc</description>
  </rule>

  <!-- Ignore LXC file in /dev/.lxc-boot-id -->
  <rule id="100501" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.lxc-boot-id</match>
    <description>Ignore false positive for /dev/.lxc-boot-id</description>
  </rule>
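Before restarting the manager it pays to lint local_rules.xml for the mistakes that leave a level-0 suppression without effect. The following is an added example for this thread, not code from the poster or from Wazuh. It checks that every rule id is unique (Wazuh requires this), that ids fall inside the 100000-120000 range Wazuh reserves for custom rules, that a level-0 rule chains to a parent through `<if_sid>`/`<if_group>` so it can actually override the alerting rule, and that each rule carries a `<description>`. The embedded sample is the fragment posted above, in which two rules share id 100501, wrapped in a `<group>` so it parses on its own.

```python
"""Lint a Wazuh local_rules.xml before restarting the manager.

Added example for this thread; not code from the poster or from Wazuh.
Findings: duplicate rule ids, ids outside the custom range, level-0 rules
with no parent link, rules without a <description>.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List

CUSTOM_ID_RANGE = range(100000, 120001)
PARENT_TAGS = ("if_sid", "if_group", "if_level", "if_matched_sid", "if_matched_group")

# Constructed sample: the fragment from the message above, wrapped in a <group>.
SAMPLE_RULES = """
<group name="rootcheck,tune_rule,">
  <rule id="100301" level="0">
    <if_sid>5104</if_sid>
    <hostname>mailserver</hostname>
    <match>device vethc4ea9f2 entered promiscuous mode</match>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
  </rule>

  <rule id="100501" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.lxc/proc/</match>
    <description>Ignore false positive for /dev/.lxc/proc</description>
  </rule>

  <rule id="100501" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.lxc-boot-id</match>
    <description>Ignore false positive for /dev/.lxc-boot-id</description>
  </rule>
</group>
"""


def lint_rules(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file passed."""
    # A rules file may hold several top-level <group> elements and leading
    # comments, so wrap it in a synthetic root to get one well-formed document.
    root = ET.fromstring("<lint_root>" + xml_text + "</lint_root>")
    findings: List[str] = []
    seen: Counter = Counter()

    for rule in root.iter("rule"):
        rid_text = rule.get("id")
        if rid_text is None or not rid_text.isdigit():
            findings.append(f"rule without a numeric id: {ET.tostring(rule)[:60]!r}")
            continue
        rid = int(rid_text)
        seen[rid] += 1
        if rid not in CUSTOM_ID_RANGE:
            findings.append(f"rule {rid}: id outside the custom range 100000-120000")
        level = int(rule.get("level", "0"))
        has_parent = any(rule.find(tag) is not None for tag in PARENT_TAGS)
        if level == 0 and not has_parent:
            findings.append(f"rule {rid}: level 0 but no <if_sid>/<if_group> parent; "
                            "it does not override the rule whose alert it should silence")
        if rule.find("description") is None:
            findings.append(f"rule {rid}: missing <description>")

    for rid, count in sorted(seen.items()):
        if count > 1:
            findings.append(f"rule id {rid} is defined {count} times; ids must be unique")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to lint a real file; with no argument the embedded sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    problems = lint_rules(text)
    for p in problems:
        print("FINDING:", p)
    print("ok" if not problems else f"{len(problems)} finding(s)")
```

Run against the sample, the only finding is the duplicated id 100501. Once the lint passes and the manager has been restarted, `/var/ossec/bin/wazuh-logtest` on the manager replays a sample event through the loaded ruleset and shows which rule wins, which is the quickest way to confirm a suppression takes effect without waiting for the next scheduled rootcheck scan.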