Issue with Wazuh IP Whitelisting via CDB List


Mian Muzammil

Jun 22, 2025, 1:24:11 AM
to Wazuh | Mailing List

Hello,

I’m running Wazuh 4.8.2 on Ubuntu 20.04 and trying to drop all logs originating from specific IP addresses using a CDB list. Here’s what I’ve done so far:

1. Created the CDB list
   File: /var/ossec/etc/lists/list-whitelist-ip
   Contents:

192.168.1.119:

2. Declared the list in ossec.conf

<ruleset>
  …
  <!-- existing lists -->
  <list>etc/lists/list-whitelist-ip</list>
  …
</ruleset>

3. Restarted the Wazuh manager.

4. Added local rules in /var/ossec/etc/rules/local_rules.xml

<group name="whitelist">
  <rule id="100200" level="0">
    <decoded_as>json</decoded_as>
    <list field="sourceIp" lookup="address_match_key">etc/lists/list-whitelist-ip</list>
    <description>Whitelist JSON logs by sourceIp</description>
    <options>no_full_log</options>
  </rule>
  <rule id="100201" level="0">
    <decoded_as>json</decoded_as>
    <list field="win.eventdata.ipAddress" lookup="address_match_key">etc/lists/list-whitelist-ip</list>
    <description>Whitelist Windows EventChannel logs by ipAddress</description>
    <options>no_full_log</options>
  </rule>
</group>

5. Restarted the manager again.

  Result:

  • Rule 100200 correctly suppresses custom logs with sourceIp.

  • Rule 100201 does not suppress logs when real RDP attempts occur, even though it matches in /var/ossec/bin/wazuh-logtest with a sample JSON event:

{
  "win": {
    "system": {
      "eventID": 4625,
      "computer": "testingwhitelisting",
      "channel": "Security",
      "eventRecordID": 25571,
      "level": 0
    },
    "eventdata": {
      "ipAddress": "192.168.1.119",
      "logonProcessName": "NtLmSsp",
      "authenticationPackageName": "NTLM",
      "status": "0xc000006d",
      "subStatus": "0xc0000064",
      "logonType": "3"
    }
  }
}


Why isn’t rule 100201 suppressing real Windows Event logs by win.eventdata.ipAddress (I also tried data.win.eventdata.ipAddress), and how can I fix it so that RDP attempts from whitelisted IPs are dropped?

Thank you!

Reference: 

https://documentation.wazuh.com/4.8/user-manual/ruleset/cdb-list.html

Bony V John

Jun 22, 2025, 11:58:24 PM
to Wazuh | Mailing List
Hi,

Based on the shared details, it seems that you are facing an issue related to suppressing the Windows EventChannel alert on the dashboard from a whitelisted source IP. However, you have used the <decoded_as> tag to match the decoder log with your custom rule (rule ID 100201). That might be the reason why your rule is not suppressing the events.

For Windows EventChannel logs, default rules are available in the Wazuh manager. You need to identify the rule that is triggering the event you want to suppress from the Wazuh dashboard. After identifying the rule ID, use the <if_sid> tag in your custom rule 100201 to match the parent rule, as shown below:


  <rule id="100201" level="0">
    <if_sid><parent_rule_id></if_sid>

    <list field="win.eventdata.ipAddress" lookup="address_match_key">etc/lists/list-whitelist-ip</list>
    <description>Whitelist Windows EventChannel logs by ipAddress</description>
    <options>no_full_log</options>
  </rule>

In the above custom rule, you need to replace <parent_rule_id> with the rule ID that you want to suppress. After triggering the rule ID that you want to suppress, Wazuh's analysisd will check your custom child rule. If the win.eventdata.ipAddress matches a value listed in the CDB list, it will suppress the alert by assigning rule level 0.

You can refer to the Wazuh rules syntax documentation for more details.

If you need further assistance, please share the sample log of the event that you want to suppress from the Wazuh manager’s archives.json file.

For taking logs from archives.json, first you need to enable log_all_json on Wazuh manager.
1. Enable log_all_json on Wazuh Manager
Update the ossec.conf file on the Wazuh manager to enable log_all_json.
2. Reproduce the Event
Trigger the event again to capture the relevant logs.
3. Extract Relevant Logs
Run the following command on the Wazuh manager:
       cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable log_all_json
After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.

Mian Muzammil

Jun 24, 2025, 3:26:17 AM
to Wazuh | Mailing List

Hello,

Thank you for your response, I followed the recommendation to include the parent rule’s ID as SID in my local rule, but it still isn’t suppressing the Windows EventChannel alerts. Below I’ve provided:

  1. Parent rule 

  2. My tested local rule (with parent ID as SID)

  3. A sample log from alerts.json

One additional concern:

By tying local rule with parent rule’s ID, it only applies to RDP-related events. If I later need to whitelist logs from another Windows host or event type, I’d have to write a new rule each time. Is there a way to keep the rule more generic—so that it checks win.eventdata.ipAddress against the CDB list without depending on a specific parent rule?

  Parent Rule :

<rule id="100109" level="15" overwrite="yes">
    <if_sid>60122</if_sid>
     <description>Failed Remote Logon Detected from $(win.eventdata.workstationName)\$(win.eventdata.ipAddress)</description>
    <field name="win.eventdata.ipAddress" type="pcre2">^(?!.*127\.0\.0\.1).*</field>
    <mitre>
      <id>T1078</id>
      <id>T1531</id>
      <id>T1550.002</id>
      <id>T1078.002</id>
      <id>T1021.001</id>
    </mitre>
  </rule>

  Tested Local Rule:

<rule id="100300" level="0" overwrite="yes">
    <if_sid>100109</if_sid>
    <field name="win.system.eventID" type="pcre2">.*</field>

    <list field="win.eventdata.ipAddress" lookup="address_match_key"> etc/lists/list-whitelist-ip</list>
    <description>Ignore all Windows EventChannel logs from whitelisted IPs</description>
    <options>no_full_log</options>  
  </rule>
  Note: I have already tried with <if_sid>60122</if_sid> and <list field="data.win.eventdata.ipAddress" ...>, but it still didn't work.

 A sample JSON log is attached to this response.

  Thank you!
sample_log.txt

Bony V John

Jun 24, 2025, 7:03:39 AM
to Wazuh | Mailing List
Hi,

Based on your requirement, I have updated your custom rules with the correct syntax, and they are now working fine in my testing environment.

Updated rules:

<group name="windows">
  <rule id="100109" level="15">
    <if_sid>60122</if_sid>
     <description>Failed Remote Logon Detected from $(win.eventdata.workstationName)\$(win.eventdata.ipAddress)</description>
    <field name="win.eventdata.ipAddress" type="pcre2">^(?!.*127\.0\.0\.1).*</field>
    <mitre>
      <id>T1078</id>
      <id>T1531</id>
      <id>T1550.002</id>
      <id>T1078.002</id>
      <id>T1021.001</id>
    </mitre>
  </rule>

  <rule id="100300" level="0">
    <if_sid>100109</if_sid>

    <list field="win.eventdata.ipAddress" lookup="address_match_key">etc/lists/list-whitelist-ip</list>
    <description>Ignore all Windows EventChannel logs from whitelisted IPs</description>
    <options>no_full_log</options>  
  </rule>
 
</group>

  • I removed the overwrite option from both rules because it is only needed when modifying default Wazuh rules. Since rules 100109 and 100300 are custom, this option is not required.  
  • I also removed the following condition from rule 100300: 
            <field name="win.system.eventID" type="pcre2">.*</field> 
  • I understand that this was added to make rule 100300 generic (i.e., to match all Windows EventChannel logs), but this won’t work as expected.

In your current rule chain:

  • 100109 has 60122 as its parent.

  • 100300 has 100109 as its parent.

  • Rule 60122 is triggered for Windows event IDs 529 and 4625 (Failed Logons).

So, rule 100300 will only evaluate events already matched by rule 100109, which in turn depends on 60122. This ensures that the whitelist logic is only applied to relevant failed logon events.

I have also attached a screenshot of my testing for your reference.

For more information on writing custom rules, you can refer to the Wazuh rules syntax documentation.

Screenshot 2025-06-24 163243.png
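The rule chain described in the reply above (60122 -> 100109 -> 100300, with the first-posted 100201 kept for comparison), as an added toy model written for this thread; it is not Wazuh code. It assumes the documented CDB "key:" line format, models address_match_key as exact-or-dotted-prefix matching, and treats the built-in rule 60122 and its level as a stand-in rather than the real definition.

```python
import json

# Constructed CDB list in the same "key:" format as the thread's
# /var/ossec/etc/lists/list-whitelist-ip, plus one prefix entry.
CDB_LIST_TEXT = "192.168.1.119:\n10.0.0.:\n"

# Sample EventChannel event trimmed from the thread's wazuh-logtest input.
SAMPLE_EVENT = json.loads("""{"win": {"system": {"eventID": 4625, "channel": "Security"},
 "eventdata": {"ipAddress": "192.168.1.119", "logonType": "3"}}}""")

def parse_cdb(text):
    """CDB list lines are 'key:value'; for a whitelist only the key matters."""
    return [line.partition(":")[0].strip()
            for line in text.splitlines() if line.strip() and not line.startswith("#")]

def address_match_key(value, keys):
    """Assumption: a key is an exact IP, or a dotted prefix such as '10.0.0.'
    that matches every address underneath it."""
    return value is not None and any(
        value == k or (k.endswith(".") and value.startswith(k)) for k in keys)

def get_field(event, path):
    """Dotted-path lookup. Rules name decoded fields without the 'data.'
    wrapper that alerts.json adds, so 'data.win...' resolves to None here."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def build_rules(keys):
    """(rule_id, level, parent_id, required_decoder, predicate) in load order."""
    ip = lambda e: get_field(e, "win.eventdata.ipAddress")
    return [
        # 100201 as first posted: <decoded_as>json</decoded_as>, no parent.
        (100201, 0, None, "json", lambda e: address_match_key(ip(e), keys)),
        # 60122 modelled as the built-in failed-logon parent (level assumed).
        (60122, 5, None, None, lambda e: get_field(e, "win.system.eventID") in (529, 4625)),
        # 100109: pcre2 ^(?!.*127\.0\.0\.1).* on the source address.
        (100109, 15, 60122, None, lambda e: ip(e) is not None and "127.0.0.1" not in ip(e)),
        # 100300: level 0 child that suppresses whitelisted addresses.
        (100300, 0, 100109, None, lambda e: address_match_key(ip(e), keys)),
    ]

def evaluate(event, rules, decoder="windows_eventchannel", parent=None):
    """Return (rule_id, level) of the deepest matching rule, or None."""
    for rule_id, level, parent_id, dec, pred in rules:
        if parent_id != parent or (dec and dec != decoder) or not pred(event):
            continue
        return evaluate(event, rules, decoder, parent=rule_id) or (rule_id, level)
    return None

if __name__ == "__main__":
    rules = build_rules(parse_cdb(CDB_LIST_TEXT))
    print(evaluate(SAMPLE_EVENT, rules))                  # (100300, 0): suppressed
    print(evaluate(SAMPLE_EVENT, rules, decoder="json"))  # (100201, 0): logtest-only match
```

Running it with decoder="json" reproduces why the first rule matched in wazuh-logtest but not on live EventChannel traffic: the real events never arrive through the json decoder, so only the if_sid chain reaches them.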
