This is the documentation for Wazuh 3.6. Check out the docs for the latest version of Wazuh!

Ruleset XML syntax

      Sections

      • Decoders Syntax
      • Rules Syntax
      • Regular Expression Syntax
      © 2021 · Wazuh Inc.