Unable to get File Auditing Logs from Windows Server 2019


Prathamesh Bakliwal

Jun 1, 2023, 7:52:51 AM
to Wazuh mailing list
Hello to everyone.
I want to get the logs from Windows Server 2019 into Wazuh.
I am using Windows Server 2019 as a file server, and I have enabled logging on it as well. I am able to see the relevant logs in Event Viewer.
I have already installed the Wazuh agent and it is collecting all other logs. But I haven't found a way to get the logs with specific event IDs, i.e. EventID = 4656, 4663, 4658, 4660.

Any help is appreciated.


Regards,
Prathamesh Bakliwal.

Andres Micalizzi

Jun 1, 2023, 8:50:59 AM
to Wazuh mailing list
Hello Prathamesh,

Have you checked the agent's log file to verify if the events are not being generated? How are the folders that are being served being monitored? For these events to be detected they need to be in whodata mode.

Have you been able to check that the agent is connected correctly and shows as active in the manager? Do you see any other types of events?

It might be possible that some error is happening in the agent that is preventing Wazuh from functioning properly. Would you please check the Windows system logs to verify if there's any error present?

You can check the events in the Event Viewer:
  1. Right-click on the Start button and select Control Panel > System & Security and double-click Administrative Tools
  2. Double-click Event Viewer
  3. Select the type of logs that you wish to review (ex: Application, System)

I expect this helps you better understand and fix your issue. In case of further questions do not hesitate to ask.

Prathamesh Bakliwal

Jun 1, 2023, 9:46:16 AM
to Andres Micalizzi, Wazuh mailing list
Hello Andres. Hope you are doing great.

1. I tried opening the agent's log file, but the file format is not supported.
2. Regarding the folders, I have created role-based access in Windows Server. For that role-based access I have enabled auditing.
3. I am not sure what whodata mode is. Can you please elaborate or share a link where I can find more information?

4. Yes, the agent is connected to the Wazuh correctly.
5. Yes, I can see other events in the Wazuh Dashboard.
6. No, there's no error for Wazuh in Event Viewer.


However, I also have a few questions:
1. Do I need to add specific event IDs in the agent conf file to tell the agent to forward those specific logs as well?
2. Or do I need to make any changes in the Wazuh manager system to view those specific event ID logs?

Regards
Prathamesh Bakliwal
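As an added illustration of the two agent-side settings this thread touches on (whodata mode mentioned in Andres's reply, and the question above about listing event IDs in the agent configuration), here is an example agent `ossec.conf` fragment. It is not from the thread or from the Wazuh project's own files; the share path is an assumption.

```xml
<ossec_config>
  <!-- 1. File Integrity Monitoring in whodata mode on the shared folder.
       whodata="yes" makes the agent record *who* accessed or changed files,
       which relies on Windows object-access auditing (the 4656/4663-type
       events) rather than on periodic scanning.
       C:\Shares\Finance is an assumed example path. -->
  <syscheck>
    <directories whodata="yes">C:\Shares\Finance</directories>
  </syscheck>

  <!-- 2. Forward only the object-access events asked about in the thread.
       The XPath <query> is evaluated by the Windows event subsystem, so
       other Security events are never shipped to the manager. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4656 or EventID=4658 or EventID=4660 or EventID=4663]</query>
  </localfile>
</ossec_config>
```

The agent's default ossec.conf already contains a Security `<localfile>` block with its own `<query>`, so adjust that existing block rather than adding a second one for the same channel. Restart the agent service after the change and check the agent's own log file (a plain-text file under the agent install directory) for "eventchannel" or "whodata" errors.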

