Wazuh - operational and can add agents - now what
- 
 13202 > 9999, @IRJ said in Wazuh - operational and can add agents - now what: 2-9999 are allowed values https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html 
- 
 @Dashrender said in Wazuh - operational and can add agents - now what: 13202 > 9999, @IRJ said in Wazuh - operational and can add agents - now what: 2-9999 are allowed values https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
 13202 is the rule number, not frequency or timeframe
- 
 @DustinB3403 said in Wazuh - operational and can add agents - now what: Starting Wazuh manager... 
 env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
 env[11414]: ossec-analysisd: Configuration error. Exiting
 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start Wazuh manager.
 Does rule 13202 not exist? You should be able to find it in your rules folder under 0200-smbd_rules.xml file
- 
 Starting Wazuh manager...
 env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
 env[11593]: ossec-analysisd: Configuration error. Exiting
 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start Wazuh manager.
- 
 @DustinB3403 said in Wazuh - operational and can add agents - now what: Starting Wazuh manager...
 env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
 env[11593]: ossec-analysisd: Configuration error. Exiting
 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start Wazuh manager.
 Oh I made a typo! It's supposed to be 13102
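 Both startup failures above come from an `if_sid` that names a rule ID no loaded rule defines. The following Python check is an added example, not code from this thread or from Wazuh: it lists such dangling references before the manager is restarted. The file names and rule contents are constructed, and it assumes each rule file parses as XML once wrapped in a single root element.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rule files (not the actual rules from the thread).
BASE_RULES = """
<group name="smbd,">
  <rule id="13102" level="5">
    <match>Denied connection from</match>
    <description>Constructed parent rule.</description>
  </rule>
</group>
"""

CUSTOM_RULES = """
<group name="local,">
  <rule id="100100" level="10">
    <if_sid>13202</if_sid>
    <description>Constructed child rule with a mistyped parent ID.</description>
  </rule>
  <rule id="100101" level="10">
    <if_sid>13102, 100100</if_sid>
    <description>Constructed child rule with valid parents.</description>
  </rule>
</group>
"""

REF_TAGS = ("if_sid", "if_matched_sid")  # tags that point at other rule IDs

def parse_rules(text):
    # Rule files hold several top-level <group> elements, so wrap them
    # in a synthetic root to get one well-formed document.
    return ET.fromstring("<root>" + text + "</root>").iter("rule")

def find_dangling_refs(files):
    """files: {name: xml_text}. Returns [(file, rule_id, tag, missing_id)]."""
    defined, refs = set(), []
    for name, text in files.items():
        for rule in parse_rules(text):
            defined.add(rule.get("id"))
            for tag in REF_TAGS:
                for el in rule.findall(tag):
                    # A reference may list several IDs separated by commas/spaces.
                    for sid in re.split(r"[,\s]+", (el.text or "").strip()):
                        if sid:
                            refs.append((name, rule.get("id"), tag, sid))
    # Compare only after every file is loaded, so cross-file parents resolve.
    return [r for r in refs if r[3] not in defined]

if __name__ == "__main__":
    for hit in find_dangling_refs({"base.xml": BASE_RULES, "local_rules.xml": CUSTOM_RULES}):
        print("%s: rule %s has %s -> %s, which is not defined" % hit)
```
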
- 
 @IRJ so a lot of this works out of the box. One question I have is how the heck do I get the details of specific events. In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to login to this server and failed?
- 
 Or I guess an even better question is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
- 
 @DustinB3403 said in Wazuh - operational and can add agents - now what: @IRJ so a lot of this works out of the box. One question I have is how the heck do I get the details of specific events. In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to login to this server and failed?
 So you already filtered it. Just click discover on top right
- 
 @DustinB3403 said in Wazuh - operational and can add agents - now what: Or I guess an even better question is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
 Nope, I should make a course on Udemy, though
- 
 @IRJ said in Wazuh - operational and can add agents - now what: So you already filtered it. Just click discover on top right
 Doh that is so easy that I didn't even think that was it.




