Unable to save valid Windows EventChannel QueryList query in agent.conf editor#8087
Merged
yenienserrano merged 5 commits into 4.14.4 from Feb 6, 2026
Ripdiegozz
approved these changes
Feb 5, 2026
Contributor
Ripdiegozz
left a comment
🟢 CR
🟢 Tests
Tests
- Navigate to Server management => Endpoints Summary => Groups
- Click on Edit group configuration for any group
- Add the following configuration to the agent.conf:

  ```xml
  <agent_config>
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>
        \<QueryList\>
          \<Query Id="0" Path="Security"\>
            \<Select Path="Security"\>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157]\</Select\>
            \<Suppress Path="Security"\>*[System[EventID=4634]] and *[EventData[Data[@Name='TargetDomainName']='VIRTUAL USERS']] or *[System[EventID=4634]] and *[EventData[Data[@Name='TargetDomainName']='Window Manager']] or *[System[EventID=4634]] and *[EventData[Data[@Name='TargetDomainName']='Font Driver Host']]\</Suppress\>
          \</Query\>
        \</QueryList\>
      </query>
    </localfile>
  </agent_config>
  ```

- Verify:
  - No XML validation error appears
  - No error indicators in the code editor
  - Save button is enabled and configuration saves successfully
  - Other XML configurations (without escaped query tags) still validate correctly
pull-8087.mp4
Machi3mfl
approved these changes
Feb 6, 2026
Contributor
Machi3mfl
left a comment
CR: ✅
Test: ✅
Screen.Recording.2026-02-06.at.10.17.11.AM.mov
Description

Fixed XML validation to allow escaped XML syntax (\<...\>) inside <query> tags for Windows EventChannel log collection configuration.

When configuring Windows EventChannel monitoring using the <QueryList> syntax, XML labels inside the <query> tag need to be escaped (for example: \<QueryList\>, \<Query Id="0"\>). The Dashboard XML validation was incorrectly rejecting this configuration, preventing users from saving files.

More specifically, a false positive error was happening when escaping > in tags, like this: \>.

The following changes were made:
- validateXML function to handle \> escaping.

Wazuh documentation - Log data collection explains how syntax should be escaped when using the <QueryList> syntax.

Issues Resolved
Evidence
Screen.Recording.2026-02-04.at.14.13.04.mov
Test
- Server management => Endpoints Summary => Groups
- Edit group configuration for any group

Unit Tests
Check List
yarn test:jest
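
The validation behaviour described in this PR, as an added JavaScript example that is not the project's validateXML code: a strict tag-balance check rejects the backslash-escaped QueryList, while converting \< and \> to entities inside <query> before checking lets it pass and still catches real structural errors. The function names and the simplified checker (a stand-in for a real XML parser) are assumptions.

```javascript
// Added example, not the Wazuh dashboard's validateXML. Function names are
// hypothetical; the checker is a small stand-in for a real XML parser.

// Strict tag: name, then only name="value" attributes, then optional "/".
const TAG = /<(\/?)([A-Za-z_][\w.-]*)(?:\s+[\w:.-]+\s*=\s*(?:"[^"<]*"|'[^'<]*'))*\s*(\/?)>/g;

// Returns null when tags balance, otherwise a short error string.
function checkWellFormed(xml) {
  const stack = [];
  let last = 0;
  for (const m of xml.matchAll(TAG)) {
    if (xml.slice(last, m.index).includes('<')) return 'stray "<" in text';
    last = m.index + m[0].length;
    const [, closing, name, selfClosing] = m;
    if (selfClosing) continue;
    if (!closing) stack.push(name);
    else if (stack.pop() !== name) return `unexpected </${name}>`;
  }
  if (xml.slice(last).includes('<')) return 'stray "<" in text';
  return stack.length ? `unclosed <${stack.pop()}>` : null;
}

// Inside <query> only, turn \< and \> into entities so the escaped QueryList
// is treated as text. Unescaped brackets are left for the checker to judge.
function neutralizeEscapedQuery(xml) {
  return xml.replace(/(<query>)([\s\S]*?)(<\/query>)/g, (_, open, body, close) =>
    open + body.replace(/\\</g, '&lt;').replace(/\\>/g, '&gt;') + close);
}

function validateAgentConf(xml) {
  return checkWellFormed(neutralizeEscapedQuery(xml));
}

// Constructed sample, shortened from the configuration on this page.
const ESCAPED = String.raw`<agent_config><localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>
    \<QueryList\>
      \<Query Id="0" Path="Security"\>
        \<Select Path="Security"\>Event/System[EventID != 5145]\</Select\>
      \</Query\>
    \</QueryList\>
  </query>
</localfile></agent_config>`;

console.log(checkWellFormed(ESCAPED), '|', validateAgentConf(ESCAPED));
```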