This is the documentation for Wazuh 3.2. Check out the docs for the latest version of Wazuh!

Ruleset XML syntax

      Sections

      • Decoders Syntax
      • Rules Syntax
      • Regular Expression Syntax
      © 2021 · Wazuh Inc.