wazuh-logtest
wazuh-logtest tool allows the testing and verification of rules against provided log examples inside a sandbox in wazuh-analysisd. Helpful when writing and debugging custom rules and decoders, troubleshooting false positives and negatives.
-d |
Run as a Print debug output to the terminal. |
-h |
Display the help message. |
-U <rule-id:alert-level:decoder-name> |
This option will cause wazuh-logtest to return a zero exit status if the test results for the provided log line match the criteria in the arguments. Only one log line should be supplied for this to be useful. |
-l <location> |
Set custom location. |
-V |
Display the version and license information for ThreatLockDown and wazuh-logtest. |
-q |
Quiet execution. |
-v |
Display the verbose results. |
Note
-v is the key option to troubleshoot a rule or decoder problem.