Wazuh | Mailing List

As expected, the issue is because the agent is processing a very large number of files when an entire

I was using Wazuh and Adding agent tester, then i removed it. When I put new agent it's continued

Hi everyone, I need to search through 5 months of archived Wazuh alerts (gzipped JSON files), but I

I created a custom rule to deduplicate web server 400 errors (Rule 31151). My goal is to receive only

After checking this behavior, I found out that the lines below are intended to extract the userID

Hi никита, Right now, you only count how many IPs a user used (cardinality agg), but you don't

Hi, Thank you for sharing the details, as per the sample rule and the sample full log provided, the

Thanks Dhoni On Tue, 27 Jan 2026 at 8:12 PM, Dhoni <[email protected]> wrote: check

Hi Satiswaran, If that's the case, you'll need to create a custom script to authenticate with

Hi CRIZ, Wazuh doesn't have a fixed maximum limit on how many values (or entries) you can put in

Hello @richmond, are you still available for help please ? am still struggling with the issue and

Hi Brenno, By default, the module's only_future_events setting is set to yes, which means it

Hi ACH. MUQODDAM, Based on the shared log and the custom rule, I noticed a couple of issues. First,

After I applied deduplication settings in the Wazuh Dashboard Alerting menu and modified my local

Hi Roksi. From what we see, the manager is able to send the WPK, but the agent fails when it tries to

Hey all, I have been trying to configure Wazuh to use Keycloak as an IdP via OIDC (OpenID Connect). I

Hi, Thanks for you reply I can't find any directory like /var/lib/wazuh/wazuh-indexer-data/

Hi Facu, Based on the archives.log files that you shared, I couldn't trigger any events for rule

Thank you Himanshu for your reply. Currently there are no errors regarding this issue. Anyway I will

I suggest you change the number of shards to 1 for each index. The default number is 3 shards for the

Hello, I just followed the instructions above and I was able to generate alerts on the Events tab of

Got it! I suspect the issue is that the password has special characters and I did not surround it

Hi Paul. The folder /var/ossec/etc and any subfolder included there should not be mounted as RW,

From what I can understand, your logs are being decoded with the JSON decoder. Please share some

So I went back to this project and the weird thing is: This log message gets decoded: 2026-01-23T03:

Thank you Carlos, for you support, but unfortunately the rule you provided doesn't seem to work.

From a deployment perspective, running Wazuh on Kubernetes is feasible and allows you to benefit from

Hi Chandra, I re-tested the entire flow end-to-end, making a few adjustments to the decoder, and

Hi, If your goal is to trigger alerts when a PHP-like file is created or modified under: /<path

Hello, The official Wazuh documentation provides information on the syntax of decoders and rules, as