This is the documentation for Wazuh 3.4. Check out the docs for the latest version of Wazuh!

Update ruleset

Run the script to update the Wazuh ruleset. You should not need to make any other changes to accommodate the updated rules.

Usage examples

Update Decoders, Rules and Rootchecks:

$ /var/ossec/bin/update_ruleset

All script options:

  -r, --restart       Restart OSSEC when required.
  -R, --no-restart    Do not restart OSSEC when required.

  -b, --backups       Restore last backup.

Additional Params:
  -f, --force-update  Force the ruleset update. By default, only new or changed decoders, rules and rootchecks are updated.
  -o, --ossec-path    Set OSSEC path. Default: '/var/ossec'
  -s, --source        Select ruleset source path (instead of downloading it).
  -j, --json          JSON output. It should be used with the '-s' or '-S' argument.
  -d, --debug         Debug mode.

Configure weekly updates

Run update_ruleset weekly and keep your Wazuh Ruleset installation up to date by adding a crontab job to your system.

One way to do this is to run sudo crontab -e and add the following line at the end of the file. Note that the user field (root) in the line below belongs to the system-wide crontab format (/etc/crontab or a file under /etc/cron.d); a per-user crontab opened with crontab -e has no user field, so there root would be read as the start of the command and must be omitted.

@weekly root cd /var/ossec/bin && ./update_ruleset -r
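The following wrapper script is an added example and is not part of the Wazuh documentation or the update_ruleset script itself. It emits the cron entry in the syntax matching the destination file (system crontab with a user field, or per-user crontab without one), runs the updater with -r so OSSEC is restarted when required, appends a timestamped result to a log, and on failure restores the last backup with -b. It assumes update_ruleset exits non-zero on failure (an assumption about the script's exit status, not stated on the page); the log path /var/log/wazuh-ruleset-update.log and the OSSEC_PATH and LOG environment variables are names chosen for this example.

```shell
#!/bin/sh
# Added example: weekly Wazuh ruleset update wrapper (not part of the Wazuh docs).
# Assumes update_ruleset lives in $OSSEC_PATH/bin and returns non-zero on failure.

OSSEC_PATH="${OSSEC_PATH:-/var/ossec}"                # default from the docs
LOG="${LOG:-/var/log/wazuh-ruleset-update.log}"       # log path chosen for this example

# Emit the cron entry in the right syntax for the destination file.
# System crontab files (/etc/crontab, /etc/cron.d/*) carry a user field;
# per-user crontabs edited with `crontab -e` do not.
cron_line() {
  case "$1" in
    system) printf '@weekly root cd %s/bin && ./update_ruleset -r\n' "$OSSEC_PATH" ;;
    user)   printf '@weekly cd %s/bin && ./update_ruleset -r\n' "$OSSEC_PATH" ;;
    *)      echo "usage: cron_line system|user" >&2; return 2 ;;
  esac
}

# Run the updater (restart OSSEC when required), log the outcome with a UTC
# timestamp, and restore the last backup if the update fails.
run_update() {
  bin="$OSSEC_PATH/bin/update_ruleset"
  if [ ! -x "$bin" ]; then
    echo "update_ruleset not found at $bin" >&2
    return 1
  fi
  rc=0
  "$bin" -r >>"$LOG" 2>&1 || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "$(date -u +%FT%TZ) ruleset update OK" >>"$LOG"
  else
    echo "$(date -u +%FT%TZ) ruleset update FAILED (rc=$rc); restoring last backup" >>"$LOG"
    "$bin" -b -r >>"$LOG" 2>&1 || echo "$(date -u +%FT%TZ) backup restore FAILED" >>"$LOG"
  fi
  return "$rc"
}

# Subcommands: `run` performs the update, `cron system|user` prints the crontab line.
case "${1:-}" in
  run)  run_update ;;
  cron) cron_line "${2:-system}" ;;
esac
```

Usage: `sh wazuh-ruleset-update.sh cron system >> /etc/cron.d/wazuh-ruleset` writes the system-crontab form, while `cron user` prints the form to paste into `crontab -e`; `run` is what the cron entry (or an operator) invokes, and the log records each run so a failed or rolled-back update is visible without checking OSSEC's own logs.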