This is the documentation for Wazuh 3.2.

ruleset

XML section name

<ruleset>
</ruleset>

Configuration options for enabling or disabling rules and decoders.

Options

rule_include

Load a single rule file.

Default value: n/a
Allowed values: Path and filename of rule to load

rule_dir

Load a directory of rules. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.

Default value: ruleset/rules
Allowed values: Path to a directory of rule files

Attributes

An optional pattern can be included in the opening tag. The pattern is a regex match string used to determine if a file should be loaded.

rule_exclude

Exclude a single rule file.

Default value: n/a
Allowed values: Path and filename of rule to exclude

decoder_include

Load a single decoder file.

Default value: n/a
Allowed values: Path and filename of decoder to load

decoder_dir

Load a directory of decoders. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.

Default value: ruleset/decoders
Allowed values: Path to a directory of decoder files

Attributes

An optional pattern can be included in the opening tag. The pattern is a regex match string used to determine if a file should be loaded.

decoder_exclude

Exclude a single decoder file.

Default value: n/a
Allowed values: Path and filename of decoder to exclude

list

Load a single CDB reference for use by other rules.

Default value: n/a
Allowed values: Path to a list file to be loaded and compiled

Note

Do not include the file extension. Wazuh will read the .cdb version of the file (the version generated by ossec-makelists from the .txt version of the file).

Example of configuration

<ruleset>
  <rule_include>ruleset/rules/my_rules.xml</rule_include>
  <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <decoder_include>ruleset/decoders/my_decoder.xml</decoder_include>
  <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
  <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
  <list>etc/lists/blocked_hosts</list>
</ruleset>
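The following is an added example, not code from Wazuh or its documentation. It parses a `<ruleset>` block like the one above and works out which rule and decoder files the options would select, following the semantics stated on this page: `*_dir` entries are read in alphabetical order, filtered by the optional `pattern` regex, duplicate filenames are skipped, `*_include` adds a single file, and `*_exclude` drops a file. It also flags `<list>` entries that carry a file extension, which the note above says to omit. The directory listing (`SAMPLE_TREE`) and the second `<list>` entry are constructed for the example; treating `*_exclude` as matching on basename and processing `*_include` and `*_dir` in document order are assumptions made here, not behaviour this page documents.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample config, modelled on the page's own example
SAMPLE_CONFIG = """<ossec_config>
  <ruleset>
    <rule_include>ruleset/rules/my_rules.xml</rule_include>
    <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
    <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
    <list>etc/lists/blocked_hosts</list>
    <list>etc/lists/audit-keys.cdb</list>
  </ruleset>
</ossec_config>"""

# Constructed in-memory directory listing standing in for the real filesystem
SAMPLE_TREE = {
    "ruleset/rules": [
        "0215-policy_rules.xml", "0010-rules_config.xml",
        "0020-syslog_rules.xml", "my_rules.xml", "README.md",
    ],
    "ruleset/decoders": ["0005-wazuh_decoders.xml", "my_decoder.xml", "notes.txt"],
}


def resolve_files(ruleset, kind, tree):
    """Return the ordered list of rule or decoder files that would be loaded.

    kind is "rule" or "decoder". Directories are read in alphabetical order,
    filtered by the optional regex in the pattern attribute; a filename that
    has already been loaded is skipped. Assumption: *_exclude matches on the
    basename and applies to the final list regardless of element order.
    """
    loaded = []   # paths in load order
    seen = set()  # basenames already loaded, so duplicates are skipped

    def add(path):
        name = PurePosixPath(path).name
        if name in seen:
            return
        seen.add(name)
        loaded.append(path)

    for elem in ruleset:
        if elem.tag == f"{kind}_include":
            add(elem.text.strip())
        elif elem.tag == f"{kind}_dir":
            directory = elem.text.strip()
            # Note: the page's ".xml$" uses an unescaped dot, which matches any
            # character; "\.xml$" would be the stricter form of that pattern.
            pattern = re.compile(elem.get("pattern")) if elem.get("pattern") else None
            for name in sorted(tree.get(directory, [])):
                if pattern is None or pattern.search(name):
                    add(f"{directory}/{name}")

    excluded = {PurePosixPath(e.text.strip()).name
                for e in ruleset.findall(f"{kind}_exclude")}
    return [p for p in loaded if PurePosixPath(p).name not in excluded]


def list_issues(ruleset):
    """Flag <list> values that carry a .cdb or .txt extension (the page says to omit it)."""
    issues = []
    for elem in ruleset.findall("list"):
        value = elem.text.strip()
        if PurePosixPath(value).suffix in (".cdb", ".txt"):
            issues.append(value)
    return issues


def analyse(config_xml, tree):
    """Resolve rules, decoders and list problems for one ossec.conf-style document."""
    ruleset = ET.fromstring(config_xml).find("ruleset")
    return {
        "rules": resolve_files(ruleset, "rule", tree),
        "decoders": resolve_files(ruleset, "decoder", tree),
        "list_issues": list_issues(ruleset),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CONFIG, SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Run against the constructed tree, `my_rules.xml` is loaded once via `rule_include` and then skipped when the directory scan reaches it, `0010-rules_config.xml` does not match `_rules.xml$`, and `0215-policy_rules.xml` is dropped by the exclude. A check like this is useful when reviewing an ossec.conf change, since a too-narrow `pattern` or a misplaced exclude silently removes detection rules rather than producing an error.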