Update README.md

2025-10-23 00:02:11 +00:00 · 2023-01-03 06:53:50 -06:00
parent 9862f23d5f
commit 47e4b66215
1 changed files with 27 additions and 0 deletions
--- a/Auditd/README.md
+++ b/Auditd/README.md
@@ -11,6 +11,33 @@
 ## [Auditd Rules](https://github.com/socfortress/Wazuh-Rules/blob/main/Auditd/auditd.conf)
 Use the provided auditd rules to get started.

+Use custom decoders rather than the ones provided by Wazuh. I was seeing issues during testing with their provided decoders.
+
+Remember to exclude Wazuh's default auditd decoder and rules within the `ossec.conf` of the manager:
+
+```
+<ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <decoder_exclude>ruleset/decoders/0040-auditd_decoders.xml</decoder_exclude>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <rule_exclude>0365-auditd_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+    <list>etc/lists/software-vendors</list>
+    <list>etc/lists/common-ports</list>
+    <list>etc/lists/rfc-1918</list>
+    <list>etc/lists/cve</list>
+    <list>etc/lists/malicious-powershell</list>
+    <list>etc/lists/bash_profile</list>
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+  ```
+

 <!-- CONTACT -->
 ## Need Help?