🛠️ Wazuh Installation

This guide walks you through the steps to install YARA rules into Wazuh.

Prerequisites

  • A running Wazuh Manager
  • Your .yar rule file generated from Astraea Sentinel

Step 1: Copy YARA rule to Wazuh

sudo cp my-rule.yar /var/ossec/etc/rules/local_rules/

Step 2: Update Wazuh configuration (if needed)

Edit your ossec.conf file so that the ruleset includes the path to the copied rule file (optional).

<ruleset>
  <include>rules/local_rules/my-rule.yar</include>
</ruleset>

Step 3: Restart the Wazuh manager

sudo systemctl restart wazuh-manager

Step 4: Confirm rule loading

Watch the manager log to confirm the rule was loaded without errors:

tail -f /var/ossec/logs/ossec.log
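The four steps above, collected into checked shell functions, as an added example that is not code from Astraea Sentinel or Wazuh. It assumes a WAZUH_ROOT override (default /var/ossec) so the copy and log checks can be exercised against a scratch directory before touching a real manager; the `install_yara_rule` and `check_rule_log` names are the example's own.

```shell
#!/bin/sh
# Added example: Steps 1-4 as checked shell functions. Not part of Astraea
# Sentinel or Wazuh. WAZUH_ROOT is an assumed override (default /var/ossec)
# so the functions can be exercised against a scratch directory.
set -u

WAZUH_ROOT="${WAZUH_ROOT:-/var/ossec}"

# Step 1: copy the rule, but only after checking it is a readable .yar file
# that declares at least one rule, and without silently overwriting a
# different file of the same name. Returns 0 on success, non-zero otherwise.
install_yara_rule() {
    rule="$1"
    rule_dir="$WAZUH_ROOT/etc/rules/local_rules"
    case "$rule" in
        *.yar) ;;
        *) echo "refusing $rule: not a .yar file" >&2; return 2 ;;
    esac
    [ -r "$rule" ] || { echo "cannot read $rule" >&2; return 2; }
    # Cheap sanity check: a YARA file declares 'rule <name>' (optionally
    # prefixed by private/global). Catches empty or truncated exports early.
    grep -Eq '^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+[A-Za-z_]' "$rule" \
        || { echo "$rule contains no rule declaration" >&2; return 3; }
    mkdir -p "$rule_dir" || return 1
    dest="$rule_dir/$(basename "$rule")"
    if [ -e "$dest" ] && ! cmp -s "$rule" "$dest"; then
        echo "$dest already exists with different content; remove it first" >&2
        return 4
    fi
    cp "$rule" "$dest"
}

# Step 4: confirm loading. Looks in ossec.log for lines that mention the rule
# file; returns 1 and prints them if any of those lines is an error, 2 if the
# log is unreadable, 0 otherwise. The log path can be overridden for testing.
check_rule_log() {
    rule_name="$1"
    log="${2:-$WAZUH_ROOT/logs/ossec.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    if grep -i "$rule_name" "$log" | grep -qi 'error'; then
        echo "errors mentioning $rule_name in $log:" >&2
        grep -i "$rule_name" "$log" | grep -i 'error' >&2
        return 1
    fi
    return 0
}

# Usage: sudo sh install_rule.sh my-rule.yar
# Runs Steps 1, 3 and 4 in order; Step 2 (editing ossec.conf) stays manual.
if [ "$#" -gt 0 ]; then
    install_yara_rule "$1" \
        && systemctl restart wazuh-manager \
        && check_rule_log "$(basename "$1")"
fi
```

Run it with a scratch `WAZUH_ROOT` first to see the checks reject a non-.yar file or an empty export; only the guarded block at the bottom touches the live manager.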

Your Wazuh installation should now be using the custom rule!