Wazuh | Mailing List

Greetings, we want to use rsyslog to capture for example Sonicwall logs, but I'm a bit stuck

i created a rule that is detecting duplicate and for testing i set its level to 4 to check and it was

It seems that no events are being discarded, and the issue is caused by older agent entries still

Hi, Please allow me some time, I'm working on this and will get back to you with an update as

Hi, If the issue still persists, please check the <wodle name="syscollector">

Hi, Thanks Hasitha: I've tried modifying the ossec.conf file directly in the agent and it works,

Please share the logtest output with debug level -dd On Mon, Feb 23, 2026 at 1:03 PM Julien Bard <

Thanks for your reply. My setup is using wazuh 4.14.3 and is formed by two indexer node in a cluster

Hello, Thank you for sharing the log samples and your observations. Based on what you've provided

Hi Yazid, I suspect your data isn't being decoded correctly. Which file is displayed in the

Hello! The final destination is the indexer, so that will be the requirement for the indexer cluster,

Hi dwight c, Glad to hear that it is working as expected. Please don't hesitate to contact us if

Hi Andrehens, That's okay, let me know if you need any further help with this, and we can look

Hi Muhammad You can exclude all Windows logs. If the agent is a Windows machine, you can comment out

Hi Isaiah... I did some more testing... Please, take a look at the following link: https://medium.com

Thanks .. That worked and I am able to receive results and adjust the timings accordingly.. On Friday

Hi Julián I've solved the problem, I'm resetup Certificate for all of the wazuh components.

Hello again, So from looking at that documentation, it says, "Once you run _stop on a follower

Hi Andrehens! If you're actively making changes, seeing that warning from time to time is normal.

This is really weird: On my agent, 1085 files have the same sha256!? sqlite> select count(*) from

Hello Perps, I have created a sample decoder and matching rule for you below. Feel free to modify

Hello, I was able to trigger alerts with your log, decoder, and rule. So there can be two possible

Can you verify that wazuh-modulesd is working? You can test it by running: systemctl status wazuh-

Hi Gokul, Thank you for confirming the number of agents affected. Since this is happening to only one

You can follow this document to make a retention policy with the help of ISM. https://documentation.

Hey Jorge, I finally have an update - I was able to get to the Wazuh SSO page, however now when i log

You are very close. The remaining issue is not the brackets or quotes in the message body. Your ERROR

Hi, Wazuh's Syscollector module only stores installed packages, so to find devices without a

Hello Andrehens, You are still getting the alerts because the custom rule is silencing once the CVEs

Thanks! Quick & easy fix. I was wondering why those are not listed in there as default... cheers