ruleset

Configuration options for enabling or disabling rules and decoders.

Options

rule_include

Load a single rule file.

Default value

n/a

Allowed values

Path and filename of rule to load

rule_dir

Load a directory of rules. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.

Default value

ruleset/rules

Allowed values

Path to a directory of rule files.

rule_exclude

Exclude a single rule file.

Default value

n/a

Allowed values

Path and filename of rule to exclude

decoder_include

Load a single decoder file.

Default value

n/a

Allowed values

Path and filename of decoder to load

decoder_dir

Load a directory of decoders. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.

Default value

ruleset/decoders

Allowed values

Path to a directory of decoder files

decoder_exclude

Exclude a single decoder file.

Default value

n/a

Allowed values

Path and filename of decoder to exclude

list

Load a single CDB reference for use by other rules.

Default value

n/a

Allowed values

Path to a list file to be loaded and compiled.

Note

Do not include the file extension. Wazuh will read the .cdb version of the file (the version generated by ossec-makelists from the .txt version of the file).

Example of configuration

<ruleset>
  <rule_include>ruleset/rules/my_rules.xml</rule_include>
  <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <decoder_include>ruleset/decoders/my_decoder.xml</decoder_include>
  <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
  <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
  <list>etc/lists/blocked_hosts</list>
</ruleset>
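
Added example (not part of the Wazuh documentation or code base): a Python audit helper that resolves which rule or decoder files the configuration above leaves loaded or excluded, applying the alphabetical-order and duplicate-skip behaviour described for rule_dir and decoder_dir. It assumes that `pattern` is a regular expression matched against filenames, that entries are processed in document order, and that an exclude entry matches either the full path or the bare filename; the file listing is constructed sample data.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# The page's example block, followed by a constructed directory listing.
SAMPLE_CONF = """<ruleset>
  <rule_include>ruleset/rules/my_rules.xml</rule_include>
  <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <decoder_include>ruleset/decoders/my_decoder.xml</decoder_include>
  <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
  <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
  <list>etc/lists/blocked_hosts</list>
</ruleset>"""
SAMPLE_FILES = {  # constructed, stands in for the files on disk
    "ruleset/rules": ["0215-policy_rules.xml", "0020-syslog_rules.xml",
                      "my_rules.xml", "notes.txt"],
    "ruleset/decoders": ["my_decoder.xml", "0005-wazuh_decoders.xml"],
}

def effective_files(conf_xml, kind, listing):
    """Return (loaded, excluded) paths for kind 'rule' or 'decoder'."""
    root = ET.fromstring(conf_xml)
    excludes = {(e.text or "").strip() for e in root.iter(f"{kind}_exclude")}
    candidates = []
    for el in root:  # assumption: entries are processed in document order
        value = (el.text or "").strip()
        if el.tag == f"{kind}_include":
            candidates.append(value)
        elif el.tag == f"{kind}_dir":
            # Assumption: pattern is a regex applied to each filename.
            pattern = re.compile(el.get("pattern", ""))
            # Page: files in a directory load in alphabetical order.
            for name in sorted(listing.get(value, [])):
                if pattern.search(name):
                    candidates.append(posixpath.join(value, name))
    loaded, excluded, seen = [], [], set()
    for path in candidates:
        name = posixpath.basename(path)
        if name in seen:
            continue  # page: duplicate filenames are skipped
        seen.add(name)
        # Assumption: an exclude matches the full path or the bare filename.
        if path in excludes or name in excludes:
            excluded.append(path)
        else:
            loaded.append(path)
    return loaded, excluded
```

Run against the example configuration, the helper reports my_decoder.xml as excluded even though a decoder_include names it, which is the kind of silent detection gap worth reviewing before deploying a ruleset change.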