ruleset
Configuration options for enabling or disabling rules and decoders.
Options
rule_include
Load a single rule file.
| Default value | n/a | 
| Allowed values | Path and filename of rule to load | 
rule_dir
Load a directory of rules. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.
| Default value | ruleset/rules | 
| Allowed values | Path to a directory of rule files. | 
rule_exclude
Exclude a single rule file.
| Default value | n/a | 
| Allowed values | Path and filename of rule to exclude | 
decoder_include
Load a single decoder file.
| Default value | n/a | 
| Allowed values | Path and filename of decoder to load | 
decoder_dir
Load a directory of decoders. The files will be loaded in alphabetical order and any duplicate filenames will be skipped.
| Default value | ruleset/decoders | 
| Allowed values | Path to a directory of decoder files | 
decoder_exclude
Exclude a single decoder file.
| Default value | n/a | 
| Allowed values | Path and filename of decoder to exclude | 
list
Load a single CDB reference for use by other rules.
| Default value | n/a | 
| Allowed values | Path to a list file to be loaded and compiled. | 
Note
Do not include the file extension. Wazuh will read the .cdb version of the file (the version generated by ossec-makelists from the .txt version of the file).
Example of configuration
<ruleset>
  <rule_include>ruleset/rules/my_rules.xml</rule_include>
  <rule_dir pattern="_rules.xml$">ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <decoder_include>ruleset/decoders/my_decoder.xml</decoder_include>
  <decoder_dir pattern=".xml$">ruleset/decoders</decoder_dir>
  <decoder_exclude>ruleset/decoders/my_decoder.xml</decoder_exclude>
  <list>etc/lists/blocked_hosts</list>
</ruleset>
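A check for the list note above, as an added example that is not part of the Wazuh documentation or code: it reads the list entries from a ruleset block and reports entries that carry a file extension, have no compiled .cdb, or whose .txt is newer than the .cdb. Resolving entries against a base install directory and using modification times to spot an uncompiled edit are assumptions of this example; the function names and sample files are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; only blocked_hosts comes from the configuration example above.
SAMPLE_RULESET = """<ruleset>
  <list>etc/lists/blocked_hosts</list>
  <list>etc/lists/stale_list</list>
  <list>etc/lists/never_compiled</list>
  <list>etc/lists/with_ext.txt</list>
</ruleset>"""

def audit_lists(ruleset_xml, base_dir):
    """Return (entry, problem) tuples for <list> entries that will not load as intended."""
    findings = []
    for node in ET.fromstring(ruleset_xml).iter("list"):
        entry = (node.text or "").strip()
        if entry.endswith((".txt", ".cdb")):
            findings.append((entry, "entry includes a file extension"))
            continue
        txt = os.path.join(base_dir, entry + ".txt")
        cdb = os.path.join(base_dir, entry + ".cdb")
        if not os.path.isfile(cdb):
            findings.append((entry, "no compiled .cdb file"))
        elif os.path.isfile(txt) and os.path.getmtime(txt) > os.path.getmtime(cdb):
            # Assumption: a newer .txt means the list was edited but not recompiled.
            findings.append((entry, ".txt is newer than .cdb"))
    return findings

def demo():
    """Build a constructed etc/lists tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        lists = os.path.join(base, "etc", "lists")
        os.makedirs(lists)
        for name, mtime in [("blocked_hosts.txt", 1000), ("blocked_hosts.cdb", 2000),
                            ("stale_list.txt", 3000), ("stale_list.cdb", 2000),
                            ("never_compiled.txt", 1000)]:
            path = os.path.join(lists, name)
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.utime(path, (mtime, mtime))  # fixed timestamps make the result deterministic
        return audit_lists(SAMPLE_RULESET, base)

if __name__ == "__main__":
    for entry, problem in demo():
        print(f"{entry}: {problem}")
```

A stale or missing .cdb means rules that look up the list are matching against old data or none at all, so this is worth running after any edit to a list's .txt file.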