Hello:
I want to customize Wazuh rules, so I modified /var/lib/docker/volumes/wazuh_wazuh_etc/_data/decoders/local_decoder.xml and /var/lib/docker/volumes/wazuh_wazuh_etc/_data/rules/local_rules.xml. When I wanted to save local_rules.xml after modifying it, the system prompted that this file was read-only, so I ran :wq! to force the save and then restarted all the Wazuh Docker containers.
Docker restarted successfully, but after entering the account and password correctly and re-entering the Wazuh Dashboard webpage, an error "[API connection] No API available to connect" appeared, and the webpage could no longer be opened smoothly. How can I correct this problem?
Hi:
I checked /var/lib/docker/volumes/wazuh_wazuh_logs/_data/ossec.log and found that it was my custom decoder that was wrong:
"wazuh-analysisd: ERROR: (1452): Syntax error on regex: '^(\S+) (\S+) (\S+) [(\S+ +\d+)] "(\S+) (\S+ ) HTTP/\d+.\d+" \d+ \d+ \d+ "(.?)" "(.?)"'"
When I reset it to the initial value, the Wazuh Index returned to normal.
I want to extract the “errCode=FND_APPL_LOGIN_FAILED” keyword from Apache’s access_log and customize a Level 5 rule. Can you help me define the decoder and rules?
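One way to build the level 5 rule asked for above, as an added example rather than anything from the original post or the Wazuh project. It assumes the access_log line is already parsed by Wazuh's stock web-accesslog decoder (the Apache combined format), that rule IDs 100100 and 100101 are free in the local range, and that the manager container is named wazuh.manager. A plain <match> substring test is used instead of a custom regex, which avoids the OS_Regex syntax error seen in ossec.log. The second rule goes beyond the post: it correlates repeated failures from one client IP into a higher-level alert.

```xml
<!-- local_decoder.xml: no extra decoder is needed when the stock
     "web-accesslog" decoder already parses the line (combined log format).
     Constructed sample line this example was designed against:
     203.0.113.5 - - [12/Mar/2024:10:15:32 +0000] "GET /login?errCode=FND_APPL_LOGIN_FAILED HTTP/1.1" 401 512 "-" "Mozilla/5.0"
-->

<!-- local_rules.xml -->
<group name="apache,web,custom_login,">

  <!-- Level 5: one alert per access-log line carrying the error code.
       <match> is a substring test, so no regex escaping is involved.
       IDs 100000-119999 are reserved for local rules; 100100/100101 are
       assumed free on this manager. -->
  <rule id="100100" level="5">
    <decoded_as>web-accesslog</decoded_as>
    <match>errCode=FND_APPL_LOGIN_FAILED</match>
    <description>Apache: application login failed (errCode=FND_APPL_LOGIN_FAILED) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Optional correlation (beyond the post): five failures from the same
       client IP within 120 s are raised to level 10. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Apache: multiple application login failures from $(srcip)</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Before restarting the manager, paste the sample line into wazuh-logtest inside the manager container (docker exec -it wazuh.manager /var/ossec/bin/wazuh-logtest, container name assumed). The output shows which decoder fired and which rule matched; if the line is not decoded as web-accesslog (for example because the site uses a custom LogFormat), remove the <decoded_as> line or write a decoder whose <prematch> fits that format, then test again. This catches a syntax error in the rules before it takes analysisd down as happened in the post.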