Modifying wazuh local_rules.xml causes Wazuh API error

Hello:
I want to customize Wazuh rules, so I modified /var/lib/docker/volumes/wazuh_wazuh_etc/_data/decoders/local_decoder.xml and /var/lib/docker/volumes/wazuh_wazuh_etc/_data/rules/local_rules.xml. When I wanted to save local_rules.xml after modifying it, the system prompted that the file was read-only, so I ran :wq! to force the save, and then restarted all the Wazuh Docker containers.


Docker restarted successfully, but after entering the account and password correctly and re-entering the Wazuh Dashboard webpage, an error "[API connection] No API available to connect" appeared, and the webpage could no longer be opened smoothly. How can I correct this problem?

Hi:
I checked /var/lib/docker/volumes/wazuh_wazuh_logs/_data/ossec.log and found that it was my custom decoder that was wrong:
"wazuh-analysisd: ERROR: (1452): Syntax error on regex: '^(\S+) (\S+) (\S+) [(\S+ +\d+)] "(\S+) (\S+ ) HTTP/\d+.\d+" \d+ \d+ \d+ "(.?)" "(.?)"'"
When I reset it to the initial value, the Wazuh Index returned to normal.

I want to extract the "errCode=FND_APPL_LOGIN_FAILED" keyword from Apache's access_log and customize a Level 5 rule. Can you help me define the decoder and rules?

Examples are as follows:
192.168.30.91 - - [04/Sep/2024:17:03:13 +0800] "GET /OA_HTML/AppsLocalLogin.jsp?requestUrl=APPSHOMEPAGE&cancelUrl=http%3A%2F%2Ferp-testap.twoway.com.tw%3A8003%2FOA_HTML%2FAppsLocalLogin.jsp&errCode=FND_APPL_LOGIN_FAILED&langCode=US&username=TWYMISE1 HTTP/1.1" 302 1296 0 "http://erp-testap.twoway.com.tw:8003/OA_HTML/RF.jsp?function_id=28910&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&params=fG5SkF2W5yAyGegzmBM43I3KGL9NsmqS3XXr98sQ.68zuXX8uMnllsrfzbBf1HKTh9nFmJmm8Xiq7KGzcSoKFhwEY3CMrJmjkgeacMPTuHNemw.WWRH-6dBcQKo" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
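As an added example (not code from the poster or from the Wazuh project), the Python below shows a PCRE-style pattern that parses the access_log line above, pulls the errCode query parameter out of the request URL, and evaluates the "level 5 on FND_APPL_LOGIN_FAILED" condition the poster wants. The regex in the ossec.log error is written in Wazuh's default OS_Regex dialect, which differs from PCRE (for example, `\.` means any character and `?` is not supported); recent Wazuh 4.x releases accept `<regex type="pcre2">` in decoders, so a pattern like the one below can be validated here first and then reused in local_decoder.xml. The sample lines are constructed from the posted log (shortened, with the same hostnames); field names such as `srcip`, `url` and `username` are the author's choice for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, derived from the access_log line in the post (shortened).
SAMPLE_LINE = (
    '192.168.30.91 - - [04/Sep/2024:17:03:13 +0800] '
    '"GET /OA_HTML/AppsLocalLogin.jsp?requestUrl=APPSHOMEPAGE'
    '&errCode=FND_APPL_LOGIN_FAILED&langCode=US&username=TWYMISE1 HTTP/1.1" '
    '302 1296 0 "http://erp-testap.twoway.com.tw:8003/OA_HTML/RF.jsp?function_id=28910" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0)"'
)
OK_LINE = (
    '192.168.30.91 - - [04/Sep/2024:17:05:01 +0800] '
    '"GET /OA_HTML/AppsLocalLogin.jsp?requestUrl=APPSHOMEPAGE&langCode=US HTTP/1.1" '
    '200 8421 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"'
)

# PCRE2-compatible pattern for this Apache format: the usual combined fields plus the
# extra elapsed-time counter ("302 1296 0") that appears before the referer in the post.
# Python's re accepts the same syntax, so the pattern can be checked here before use.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<protocol>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<elapsed>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

LOGIN_FAILED_CODE = "FND_APPL_LOGIN_FAILED"   # value taken from the posted log line


def decode(line):
    """Decoder stage: return the named fields as a dict, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def query_param(url, name):
    """Return the first value of a query-string parameter in a request URL, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def evaluate(line):
    """Rule stage: level 5 alert when the request URL carries errCode=FND_APPL_LOGIN_FAILED.

    Returns a dict describing the alert, or None when the line is not decoded or
    does not carry the failure code (the equivalent of the rule not firing).
    """
    fields = decode(line)
    if fields is None:
        return None
    if query_param(fields["url"], "errCode") != LOGIN_FAILED_CODE:
        return None
    return {
        "level": 5,
        "srcip": fields["srcip"],
        "username": query_param(fields["url"], "username"),
        "status": fields["status"],
        "description": "Oracle EBS application login failed (errCode=%s)" % LOGIN_FAILED_CODE,
    }


if __name__ == "__main__":
    for line in (SAMPLE_LINE, OK_LINE):
        print(evaluate(line))
```

Once the pattern matches locally, the same expression can go into a `<regex type="pcre2">` element of a custom decoder with an `<order>` listing the captured fields, and the rule can then key on the decoded URL field (for example a `<field>` or `<url>` match on `errCode=FND_APPL_LOGIN_FAILED` with `<level>5</level>`); run `/var/ossec/bin/wazuh-logtest` inside the manager container against a sample line to confirm both the decoder and the rule before restarting the stack.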
192.168.30.91 - - [04/Sep/2024:17:03:13 +0800] “GET /OA_HTML/AppsLocalLogin.jsp?requestUrl=APPSHOMEPAGE&cancelUrl=http%3A%2F%2Ferp-testap.twoway.com.tw%3A8003 %2FOA_HTML%2FAppsLocalLogin.jsp&errCode=FND_APPL_LOGIN_FAILED&langCode=US&username=TWYMISE1 HTTP/1.1” 302 1296 0 "http://erp-testap.twoway.com.tw:8003/OA_HTML/RF.jsp?function_id=28910&resp_id=-1&resp_app l_id=- 1&security_group_id=0&lang_code=US&params=fG5SkF2W5yAyGegzmBM43I3KGL9NsmqS3XXr98sQ.68zuXX8uMnllsrfzbBf1HKTh9nFmJmm8Xiq7KGzcSoKFhwEY3CMrJmjkgeacMPTuHNemw.WWRH-6dBcQKo “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident /7.0; .NET4.0C; . NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)”