Editor and validation
The Editor is RuleForge's lab. It's where you write content, run validations, and test with real events — all in a single screen, no tool switching.
What you do here
- Edit the project's decoders and rules.
- Choose the log format and provide a test event.
- Run structural and semantic validation.
- Run Log test to see how the event is processed from start to finish.
- Save the current state as a workspace to resume later.
Edit and validate
- Open the Editor inside the project.
- Write or edit decoders and rules.
- Paste a sample event into the test area.
- Choose the log format.
- Click Validate.
The result shows:
- errors — what must be fixed before publishing;
- warnings — situations that work but may cause problems;
- suggestions — best practices RuleForge recognizes;
- quality score — a number that summarizes content health.
Log test — what to expect
Log test simulates how Wazuh would handle the event. It shows:
- the final decoder applied;
- the rule that fired;
- extracted fields;
- the full decision chain.
Use it when you want to understand why a rule fired (or didn't fire) for a specific event.
Save workspace
Clicking Save workspace preserves everything in the editor: content, test event, and log format. You can resume exactly where you left off, or use the workspace as the basis for opening a review.
Next steps
- Turn the most important events into test cases so RuleForge runs them automatically on every change.
- When the content is ready for approval, open a review.
- Ready to publish? Create a version.
Common issues
"Validation fails before showing a result"
There's a structural error in the XML. Review overall formatting (closed tags, correct attributes).
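A local pre-check for the structural failure described above, as an added example that is not RuleForge's own validator. It assumes strict XML well-formedness as the bar, plus `id` and `level` on `<rule>` and `name` on `<decoder>`; the function name and sample content are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def check_structure(text):
    """Return a list of structural problems in Wazuh rule or decoder XML."""
    # Rule and decoder files hold several top-level elements, so wrap them in a
    # synthetic root. The wrapper opens on line 1, so reported lines still match.
    try:
        root = ET.fromstring("<_root>" + text + "\n</_root>")
    except ET.ParseError as exc:
        line, _col = exc.position
        return [f"line {line}: {str(exc).split(':')[0]}"]
    problems = []
    for rule in root.iter("rule"):
        rid, level = rule.get("id", ""), rule.get("level", "")
        if not rid.isdecimal():
            problems.append(f"rule id {rid!r} is not numeric")
        if not (level.isdecimal() and int(level) <= 16):
            problems.append(f"rule {rid!r}: level {level!r} is outside 0-16")
    for decoder in root.iter("decoder"):
        if not decoder.get("name"):
            problems.append("decoder without a name attribute")
    return problems

# Constructed samples (not from a real ruleset).
GOOD = """<group name="local,sshd,">
  <rule id="100100" level="5">
    <decoded_as>sshd</decoded_as>
    <description>Constructed example rule</description>
  </rule>
</group>"""

UNCLOSED = """<group name="local,">
  <rule id="100101" level="5">
    <description>Closing rule tag is missing</description>
</group>"""

BAD_ATTRS = """<decoder>
  <prematch>^example-app: </prematch>
</decoder>
<group name="local,">
  <rule id="100102" level="20">
    <description>Level is out of range</description>
  </rule>
</group>"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("UNCLOSED", UNCLOSED), ("BAD_ATTRS", BAD_ATTRS)):
        print(name, check_structure(sample) or "ok")
```

A parse error stops the check at the first broken tag, so fix it and run again before trusting the attribute results.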
"Log test doesn't find the right rule"
Confirm:
- the log format is correct;
- the decoder covers the event;
- the order and logic of the rules are what you intended;
- the test event is really what you expected.
"The workspace won't save"
Check that you have permission to edit the project. See Roles and permissions.