Wazuh provides an out-of-the-box set of rules used for threat detection and response. This ruleset is continuously updated thanks to the work of our contributors and developers. Moreover, users can easily create additional rules for ingesting and processing new log sources. For this particular e...
Run wazuh-manager. Edit the local_decoder.xml file with a custom valid configuration, for example:

<decoder name="example">
  <program_name>^example</program_name>
</decoder>

<decoder name="example">
  <parent>example</parent>
  <regex>User '(\w+)' logged from '(\d+.\d+.\d+.\d+)'</regex>
  ...
To test your rules and decoders using wazuh-logtest, it's enough to save the changes made to the decoder and rule files. However, you need to restart the Wazuh manager to generate alerts based on these changes. Restart the Wazuh manager to load the updated rules and decoders: Systemd / SysV ...
The decoder option serves as the root element of a decoder file in Wazuh. It encapsulates the definition of a decoder, including its name, type, and the specific attributes that dictate how it processes and extracts information from log messages. The attributes listed below define a decoder. At...
Wazuh version: 3.9.0 | Install type: Manager | Install method: Packages/Sources | Platform: Linux

ossec-logtest is a very useful tool to test decoders and rules manually. It allows you to input an event, which is then processed through the analysis engine...