Wazuh | Mailing List

Why can't I use "field name="syscheck.path"" to match and extract the value

Thank you for your response. I followed your guidance for the cluster setup and was able to see the

Hi Dennis, This seems odd. One of the agents running in a Mac Studio has sent a large number of logs

Thank you, Parash, for your continued help. My responses can be found inline below. On Fri, Oct 17,

Thanks for the logs! A couple of checks that could get us closer to identifying the issue: Try the

Hi Álvaro, Great! Now that logs are being collected, you need to create custom rules to generate

Hi Paul, I have talked with my colleagues to know if we have it in the roadmap, they have confirmed

Hi, For Windows Event Channel logs, Wazuh uses a built-in decoder, which you won't see in the

Hi, I understand your point. Based on the shared log and decoder, I have replicated the scenario on

Hello Alex, We are consulting the CTI team to provide you the information. Sorry the delay Thanks! On

Hi Riccardo As the article you referred to shows, the 'chatgpt_response' field visible in the

Hello Bony Thank you for your response. I will check Wazuh API documentation and work in a

Hello, The reason why the agent did not capture any log is because of the way you have defined the

Has anyone connected Wazuh to Sophos Firewall so that the IP it detects is added to a Sophos IP host

Hi! Yes, that approach works. By adding the hostname to the log and creating a custom decoder to

Hello German, Yes, that is correct. Rule 300002 will trigger upon successful login after failed ones.

Hi In this previous message, we can see that an exception was thrown, but we don't have much

Hi, I was able to solve the issue by prompting with Claude. I realized the main issue was I had not

After upgrading the Docker cluster from version 4.10.1 to 4.13.1, I was able to complete the process

Hello, To give an update, using lookup="match_key_value" works. Here is the working rule:

Hi Bob When a role mapping is marked as reserved: true, it cannot be modified by users and sometimes

Hi Gokul, The same principle applies to other data sources as well. Even if a particular data source

Hello, This is the current opensearch_dashboards.yml file from my Server1 - which has the wazuh-

You can use sibling decoders. Sibling decoders refer to a decoder building strategy where multiple

Hi Alen, Sorry for the delay. The development team has reported the following: This case may be

Hello, It is important that you share more content from ossec.log as I need to see the error you are

Hello Map, I think we have been able to isolate the issue and this seem to have been an ongoing case

Luis , now issue was cookies - cleaning related to wazuh solve problem . Thank for your help ! środa,

Oh, thank you for you explanation. It's more clear now, why i don't see the CVE. Thank you

There are multiple regex errors in the decoders. This is not a correct format of regex value="([