Custom Wazuh rules are written in XML inside /var/ossec/etc/rules/local_rules.xml. Each rule defines a unique ID (above 100000), the severity level, the log field that must match and the description of the alert you will see in the dashboard.
How do you create custom Wazuh rules step by step?
Custom rules in Wazuh let you detect specific patterns in your logs and trigger alerts when certain conditions are met. In this article we go through practical examples using NAS logs: detecting folder access, specific users and actions such as Delete or Write.
Video: Custom Rules
15 minutes - Practical examples with NAS
Basic structure of a rule
Wazuh rules are defined in XML files inside /var/ossec/etc/rules/. The basic structure is:
```xml
<rule id="100071" level="10">
  <if_sid>100070</if_sid>
  <field name="campo">valor</field>
  <description>Descripción de la alerta</description>
</rule>
```

Components:

- id: Unique rule identifier (100000+ for custom rules)
- level: Alert severity (0-15)
- if_sid: Parent rule it inherits from (the decoder)
- field: Field extracted by the decoder to evaluate
- description: Alert text that appears in the dashboard
Example 1: Detect access to a specific folder
Input log:
```
NAS: Users: marialopez, Source IP: 192.168.1.100, Computer name: MariaPC, Connection type: SMB, Accessed resources: Dpto_direccion/Certificados/CertificadoDigital.pfc, Action: Write
```

Rule:

```xml
<rule id="100071" level="10">
  <if_sid>100070</if_sid>
  <field name="resource">Dpto_direccion</field>
  <description>Acceso a carpeta Direccion en NAS</description>
</rule>
```

How it works:

- Inherits from rule 100070 (the generic NAS decoder)
- Filters on the resource field when it contains "Dpto_direccion"
- Triggers a level 10 alert whenever any user accesses that folder
Example 2: User + specific action
Input log:
```
NAS: Users: Juan, Source IP: 192.168.1.100, Computer name: MariaPC, Connection type: SMB, Accessed resources: sdsds/Certificados/CertificadoDigital.pfc, Action: Delete
```

Rule:

```xml
<rule id="100072" level="10">
  <if_sid>100070</if_sid>
  <field name="srcusernas">Juan</field>
  <field name="actionNas">Delete</field>
  <description>El usuario Juan ha eliminado un fichero</description>
</rule>
```

How it works:
- Uses two fields for greater precision
- Only fires if the user is "Juan" AND the action is "Delete"
- Useful for auditing the actions of specific users
Example 3: IP + action with dynamic variables
Input log:
```
NAS: Users: marialopez, Source IP: 192.168.1.155, Computer name: MariaPC, Connection type: SMB, Accessed resources: sdsds/Certificados/CertificadoDigital.pfc, Action: Write
```

Rule:

```xml
<rule id="100073" level="10">
  <if_sid>100070</if_sid>
  <field name="srcipNas">192.168.1.155</field>
  <field name="actionNas">Write</field>
  <description>El equipo con la IP $(srcipNas) ha modificado el fichero $(resource)</description>
</rule>
```

How it works:

- Filters on a specific source IP + the Write action
- Uses dynamic variables $(field) in the description
- The alert will include the real values from the log: IP and affected resource
Syntax summary
| Element | Use |
|---|---|
| if_sid | Inherits from a parent rule (decoder) |
| field name="x" | Filters on a field extracted by the decoder |
| $(field) | Dynamic variable in the description |
| level | Severity: 0-3 info, 4-7 medium, 8-15 critical |
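To see how the three rules above and the `$(field)` variables behave before touching a live manager, here is a small added example (not code from the article or from the Wazuh project) that simulates the pipeline: a stand-in for the NAS decoder extracts the fields the rules use (the log format is assumed from the sample lines; `hostNas` and `connNas` are invented names for the remaining fields), the rules are loaded from a constructed copy of `local_rules.xml`, `<field>` patterns are matched the way OS_Regex does (an unanchored literal matches anywhere in the value), and the description is expanded. It also shows the caveat that "Juan" without anchors also matches a user called "Juanita".

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the article's three rules, as they would sit in
# /var/ossec/etc/rules/local_rules.xml.
LOCAL_RULES = """<group name="nas,">
<rule id="100071" level="10">
<if_sid>100070</if_sid>
<field name="resource">Dpto_direccion</field>
<description>Acceso a carpeta Direccion en NAS</description>
</rule>
<rule id="100072" level="10">
<if_sid>100070</if_sid>
<field name="srcusernas">Juan</field>
<field name="actionNas">Delete</field>
<description>El usuario Juan ha eliminado un fichero</description>
</rule>
<rule id="100073" level="10">
<if_sid>100070</if_sid>
<field name="srcipNas">192.168.1.155</field>
<field name="actionNas">Write</field>
<description>El equipo con la IP $(srcipNas) ha modificado el fichero $(resource)</description>
</rule>
</group>"""

PARENT_SID = "100070"  # the generic NAS rule every custom rule inherits from

# Stand-in for the NAS decoder (assumption: the regex is derived from the
# sample log lines; hostNas and connNas are invented field names).
NAS_LOG = re.compile(
    r"^NAS: Users: (?P<srcusernas>[^,]+), Source IP: (?P<srcipNas>[^,]+), "
    r"Computer name: (?P<hostNas>[^,]+), Connection type: (?P<connNas>[^,]+), "
    r"Accessed resources: (?P<resource>[^,]+), Action: (?P<actionNas>\S+)$"
)


def decode(line):
    """Return the decoded fields for a NAS line, or None if it is not one."""
    m = NAS_LOG.match(line)
    return m.groupdict() if m else None


def load_rules(xml_text):
    """Parse <rule> elements into dicts: id, level, if_sid, fields, description."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip(),
            "fields": [(f.get("name"), f.text.strip()) for f in r.findall("field")],
            "description": r.findtext("description") or "",
        })
    return rules


def field_matches(pattern, value):
    # Wazuh <field> patterns are OS_Regex: an unanchored literal matches any
    # substring, '.' matches any character, and ^/$ anchor. re.search behaves
    # the same way for these simple patterns.
    return re.search(pattern, value) is not None


def expand(description, fields):
    """Replace $(name) in the description with the decoded field value."""
    return re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), ""), description)


def evaluate(line, rules):
    """List every rule that would match this line as (id, level, alert text).

    Wazuh itself raises a single alert per event (the first match in its own
    ordering); listing all matches here makes overlapping rules visible.
    """
    fields = decode(line)
    if fields is None:
        return []
    alerts = []
    for rule in rules:
        if rule["if_sid"] != PARENT_SID:
            continue
        if all(field_matches(p, fields.get(name, "")) for name, p in rule["fields"]):
            alerts.append((rule["id"], rule["level"], expand(rule["description"], fields)))
    return alerts


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    # Constructed sample lines (the first three are the article's).
    for sample in [
        "NAS: Users: marialopez, Source IP: 192.168.1.100, Computer name: MariaPC, Connection type: SMB, Accessed resources: Dpto_direccion/Certificados/CertificadoDigital.pfc, Action: Write",
        "NAS: Users: Juan, Source IP: 192.168.1.100, Computer name: MariaPC, Connection type: SMB, Accessed resources: sdsds/Certificados/CertificadoDigital.pfc, Action: Delete",
        "NAS: Users: marialopez, Source IP: 192.168.1.155, Computer name: MariaPC, Connection type: SMB, Accessed resources: sdsds/Certificados/CertificadoDigital.pfc, Action: Write",
        "NAS: Users: Juanita, Source IP: 192.168.1.100, Computer name: MariaPC, Connection type: SMB, Accessed resources: sdsds/a.txt, Action: Delete",
    ]:
        print(evaluate(sample, rules))
```

The fourth sample line fires rule 100072 for "Juanita" because the pattern `Juan` is unanchored; writing `<field name="srcusernas">^Juan$</field>` restricts it to that exact user. The real check on a manager is `/var/ossec/bin/wazuh-logtest`, which runs a pasted log line through the installed decoders and rules and reports the rule that would fire.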
Where to add the rules
Custom rules are added in /var/ossec/etc/rules/local_rules.xml. After editing the file, restart the manager:
```
systemctl restart wazuh-manager
```

Next steps
Building custom decoders to extract the fields you need is part of a full Wazuh deployment. Discover our Wazuh services.