Wazuh 4.14 Rules and Decoders - Event Analysis

This section describes the Wazuh 4.14 event analysis engine: threat detection rules and decoders that extract structured data from raw logs. Understanding how these components work is essential for tailoring the platform to a specific infrastructure and building custom detection logic.

How Event Analysis Works

Wazuh processes each incoming event in three stages:

  1. Pre-decoding - extraction of standard syslog fields: timestamp, hostname, program name
  2. Decoding - extraction of message-specific fields from the log body: IP addresses, usernames, actions, URLs
  3. Rule matching - comparison of the decoded event against the ruleset to generate alerts

Decoders and rules work in tandem: the decoder prepares structured data, and the rule determines whether the event is security-relevant.

Section Contents

Detection Rules

Complete coverage of Wazuh rule syntax: XML elements (id, level, description, group, match, regex, if_sid, frequency, timeframe), rule ordering and overwriting, default ruleset overview, MITRE ATT&CK mapping, rule levels 0-15, composite rules, CDB lists, and testing with wazuh-logtest.

Decoders

Wazuh decoder syntax: XML elements (name, parent, regex, order, prematch, program_name, type), parent-child decoder hierarchy, the pre-decoding phase, default decoders overview, JSON decoder, writing custom decoders, and testing with wazuh-logtest.

Default Ruleset

Wazuh ships with over 4000 rules and 1500 decoders out of the box. The default ruleset covers:

  • Operating systems (Linux, Windows, macOS)
  • Network devices (Cisco, Fortinet, pfSense)
  • Web servers (Apache, Nginx, IIS)
  • Databases (MySQL, PostgreSQL, MongoDB)
  • Cloud platforms (AWS, Azure, GCP)
  • Security applications (Suricata, OSSEC, ClamAV)
  • Authentication systems (PAM, LDAP, Active Directory)

Default rules are stored in /var/ossec/ruleset/rules/, decoders in /var/ossec/ruleset/decoders/. These files are updated during Wazuh upgrades and should not be edited directly.

Custom Rules and Decoders

Custom rules and decoders are placed in separate files that are preserved during upgrades:

  • Rules: /var/ossec/etc/rules/local_rules.xml
  • Decoders: /var/ossec/etc/decoders/local_decoder.xml

Detailed instructions for creating custom rules and decoders are provided in the respective subsections.

Testing

Wazuh provides the wazuh-logtest utility for interactively testing decoders and rules without affecting the production system:

/var/ossec/bin/wazuh-logtest

For more on testing, see the rules and decoders sections.
