wazuh-ansible-4.9.2/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2016, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>