Wazuh Alert Whitelist
The whitelist feature allows you to suppress known false-positive Wazuh alerts directly from the UI.
How It Works
- Whitelist an alert: In the Security tab, expand an alert and click "Whitelist"
- Choose scope: Entire rule, rule + text pattern, or rule + specific agent
- Immediate effect: The alert is immediately filtered from the display
- Push to Wazuh: In the Whitelist tab, click "Push to Wazuh" for permanent suppression
Scope Options
| Scope | Description | Example |
|---|---|---|
| Entire Rule | Suppresses all alerts with this Rule ID | Suppress Rule 510 completely |
| Rule + Text Pattern | Suppresses only when a specific text appears in the log | Rule 510 only when "TacticalAgent" in log |
| Rule + Agent | Suppresses only for a specific agent/host | Rule 510 only on SRV07 |
Whitelist Tab
In the Security section of each module, there is a "Whitelist" tab showing all active whitelist rules:
- Original Rule: The suppressed Rule ID and description
- Scope: Type of suppression
- Status: Green = pushed to Wazuh, Yellow = saved locally only
- Delete: Remove individual rules
Push to Wazuh
When rules are created or deleted, a yellow banner appears:
"X rule(s) not yet pushed to Wazuh"
Click "Push to Wazuh" to:
- Update local_rules.xml on the Wazuh Manager
- Restart the Wazuh Manager
- From then on, the alerts are no longer generated
Tip
You can create multiple rules at your own pace and then push them all at once. This way, the Wazuh Manager is only restarted once.
Technical Background
The whitelist feature uses Wazuh Custom Rules with level="0":
```xml
<rule id="100100" level="0">
  <if_sid>510</if_sid>
  <match>TacticalAgent</match>
  <description>Suppressed: Rule 510 matching 'TacticalAgent'</description>
</rule>
```
- Rules with level 0 are not logged (log_alert_level=5)
- Rules are stored in local_rules.xml on the Wazuh Manager
- The DATAZONE database is the single source of truth
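As an added example (not code from this documentation or the product itself), the following Python renders all three whitelist scopes as level="0" child rules of the kind shown above. It assumes the agent scope maps to Wazuh's `<hostname>` rule field and that custom IDs are allocated from 100100 upward; both are assumptions here, not details the feature documents.

```python
"""Render Wazuh level-0 suppression rules for the three whitelist scopes."""
from dataclasses import dataclass
from typing import Optional
from xml.sax.saxutils import escape

CUSTOM_ID_START = 100100  # Wazuh reserves IDs 100000-120000 for local rules


@dataclass
class WhitelistEntry:
    rule_id: int                   # the Wazuh rule to suppress, e.g. 510
    pattern: Optional[str] = None  # substring that must appear in the log line
    agent: Optional[str] = None    # agent hostname the suppression is limited to


def render_rule(entry: WhitelistEntry, custom_id: int) -> str:
    """One level="0" child rule: <if_sid> ties it to the parent, and the
    optional <match>/<hostname> narrow it so only the chosen scope is silenced."""
    if entry.pattern and entry.agent:
        raise ValueError("scope is entire rule, rule+pattern or rule+agent")
    lines = [f'<rule id="{custom_id}" level="0">',
             f"  <if_sid>{entry.rule_id}</if_sid>"]
    desc = f"Suppressed: Rule {entry.rule_id}"
    if entry.pattern:
        # <match> is a plain substring test in Wazuh; XML-escape user input
        lines.append(f"  <match>{escape(entry.pattern)}</match>")
        desc += f" matching '{entry.pattern}'"
    if entry.agent:
        # assumption: the agent scope maps to Wazuh's <hostname> rule field
        lines.append(f"  <hostname>{escape(entry.agent)}</hostname>")
        desc += f" on agent {entry.agent}"
    lines.append(f"  <description>{escape(desc)}</description>")
    lines.append("</rule>")
    return "\n".join(lines)


def render_local_rules(entries: list) -> str:
    """Full local_rules.xml body; Wazuh requires rules inside a <group>."""
    rules = [render_rule(e, CUSTOM_ID_START + i) for i, e in enumerate(entries)]
    return '<group name="local,whitelist,">\n' + "\n".join(rules) + "\n</group>\n"


if __name__ == "__main__":
    print(render_local_rules([WhitelistEntry(510),
                              WhitelistEntry(510, pattern="TacticalAgent"),
                              WhitelistEntry(510, agent="SRV07")]))
```

After writing the output to local_rules.xml the manager still has to be restarted, which is exactly what "Push to Wazuh" does.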