Jesús Linares

Results 13 comments of Jesús Linares

Hi @mpucholblasco, sorry for the late response. We are working on this script too. We will consider your recommendations. Thanks very much for your contribution.

Hi, it is the expected behavior: the agent will be registered only the first time that Ansible runs. We should research how to re-register an agent explicitly.

Hi @ervet, we already added the PR https://github.com/wazuh/wazuh-ruleset/pull/125. So, your change would be:

from:
> ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0

to:
> ID:\s+%{S-1-1-0}|\s*ID:\s+S-1-1-0

The \s* is not really needed because both regexes...

Hi @ervet, OK, I see your point, the goal is to capture _Security ID:_ and _Sicherheits-ID:_. I will check it. Thanks! Jesus.

That is great! Let us check it. Thanks.

Hi, since v3.3 we can decode "incomplete" JSON events. Check out: https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html#json-decoder-example-3-3. Thanks!

Hi @nshenry03, I didn't have the chance to implement and test it, but it should not be complicated. Usually, we install the Wazuh agent in the Docker host, so...

But I can't install the plugin due to that error. How can I install it? Thanks.

Do you have any recommendations? Thanks.

Hi, I think it is working well with this change:
> cd ~
> wget http://xbib.org/repository/org/xbib/elasticsearch/plugin/elasticsearch-knapsack/2.3.4.0/elasticsearch-knapsack-2.3.4.0-plugin.zip -O knapsack_o.zip
> unzip knapsack_o.zip -d ./knapsack
> cd knapsack
> sed -i 's/elasticsearch.version=2.3.4/elasticsearch.version=2.3.5/'...