I want to capture Windows Event ID's 5137, 5139 and 5141


guga...@gmail.com

Jun 15, 2016, 6:20:34 PM
to Wazuh mailing list
Hi guys, I want to capture Windows Event IDs 5137, 5139 and 5141.
In the ossec-client (debug mode) logs, I can see the record, e.g.:

2016/06/15 18:35:36 ossec-agent: DEBUG: Sending message to server: '2016 Jun 15 18:35:34 WinEvtLog: Security: AUDIT_SUCCESS(5141): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.company.homolog: A directory service object was deleted.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  COMPANYhomolog  Logon ID:  0x2bb918aa   Directory Service:  Name: company.homolog  Type: %%14676   Object:  DN: OU=Test10,OU=Test,DC=company,DC=homolog  GUID: {E3127E33-9FB5-40C2-8BCA-D9BF7AED94DD}  Class: organizationalUnit   Operation:  Tree Delete: %%14679  Correlation ID: {B49A2613-3E7F-49A3-B4A2-5CF7076FE71C}  Application Correlation ID: -'

Other events like 4726 are received normally by the server.

But in ossec-server I can't see the record in /var/ossec/logs/alerts/alerts.json for events 5137, 5139 and 5141.

My ossec-client config doesn't have an event filter.

I enabled the logall option in the server ossec.conf but nothing happened.

Does anyone know what could be happening?


Thanks

Gus

Jesus Linares

Jun 16, 2016, 4:19:09 AM
to Wazuh mailing list
Hi Gus,

Could you share your manager and agent configuration? If the agent is sending the event, you should at least see it in /var/ossec/logs/archives/archives.log.

Regards.

Pedro Sanchez

Jun 16, 2016, 10:10:13 AM
to Jesus Linares, Wazuh mailing list
Hi Gugalou,

Are you able to receive other Windows events in alerts.json? Or can't you see ANY Windows event? Like Jesús said, try enabling the <logall>yes</logall> archives option in your ossec.conf file on the manager side, then review the file archives/archives.json to check whether the events are coming in.

Maybe you need to enable events 5137, 5139 and 5141 in the Windows audit configuration; I am not sure if they are enabled by default.

The last way to do it would be to configure the OSSEC agent to perform a query in the Windows Event Log.

Best regards, please keep asking if you need it.

Pedro S.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/58483e44-fc9a-4ec0-8ff3-ddab56fc2cb9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Gus Lou

Jun 16, 2016, 10:15:26 AM
to Wazuh mailing list
Hi Linares,

My configs are attached:

ossec.conf.client.txt
ossec.conf.manager.txt

Thanks for your help.

Gus Lou

Jun 16, 2016, 10:22:14 AM
to Wazuh mailing list, je...@wazuh.com
Hi Pedro,

I received other Windows events in the OSSEC manager, but not the specific events (5137, 5139 and 5141). In Event Viewer and the ossec-client logs (in debug mode) I can see events 5137-5139.
In the OSSEC manager I tried to enable the logall option but nothing happened.




Gus Lou

Jun 16, 2016, 1:01:40 PM
to Wazuh mailing list, je...@wazuh.com
Guys,

I enabled the logall option again and executed the test; in archives.log I can see the Windows event 5137, but nothing in alerts.log.
Could it be something in the decoder config?



Pedro Sanchez

Jun 16, 2016, 1:05:14 PM
to Gus Lou, Wazuh mailing list, je...@wazuh.com
Hi,

Sure, I think we need to create new decoders; could you paste the archives.log event here?

Let us take a look at it so we can create the decoder.

Best regards,

Pedro S.

Gus Lou

Jun 16, 2016, 5:19:27 PM
to Wazuh mailing list, guga...@gmail.com, je...@wazuh.com
Hi Pedro,

Here are the archives.log events:


2016 Jun 16 18:03:04 (HMG-AD-01) XXX.XX.XX.XX->WinEvtLog 2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Nova   Operation:  Type: %%14675  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -

2016 Jun 16 18:03:04 (HMG-AD-01) XXX.XX.XX.XX->WinEvtLog 2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Velha   Operation:  Type: %%14674  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -


2016 Jun 16 17:59:23 (HMG-AD-01) XXX.XX.XX.XX->WinEvtLog 2016 Jun 16 17:59:39 WinEvtLog: Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was created.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b   Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: ou=Teste16,OU=teste,DC=mycompany,DC=homolog  GUID: {5A480077-96C6-472E-8058-F4181217B409}  Class: organizationalUnit   Operation:  Correlation ID: {706C5F19-CFEA-44FC-9F14-1B0B64E09767}  Application Correlation ID: -


2016 Jun 16 18:01:32 (HMG-AD-01) XXX.XX.XX.XX->WinEvtLog 2016 Jun 16 18:01:49 WinEvtLog: Security: AUDIT_SUCCESS(5139): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was moved.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b   Directory Service:  Name:  mycompany.homolog  Type:  %%14676   Object:  Old DN:  OU=Teste12,OU=Teste,DC=mycompany,DC=homolog  New DN: OU=Teste12,OU=teste,DC=mycompany,DC=homolog  GUID:  {9C289F88-45B7-462D-BBFB-3CFA4CC99A1E}  Class:  organizationalUnit   Operation:  Correlation ID:   {60BA7D59-1879-44EF-BCDD-F5FD43074982}  Application Correlation ID: -


2016 Jun 16 18:00:43 (HMG-AD-01) XXX.XX.XX.XX->WinEvtLog 2016 Jun 16 18:00:59 WinEvtLog: Security: AUDIT_SUCCESS(5141): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was deleted.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b   Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Teste16,OU=teste,DC=mycompany,DC=homolog  GUID: {5A480077-96C6-472E-8058-F4181217B409}  Class: organizationalUnit   Operation:  Tree Delete: %%14679  Correlation ID: {1A96C3B6-E3F2-4820-93E6-F6F8F9F787BF}  Application Correlation ID: -


Regards

Gus

Gus Lou

Jun 16, 2016, 5:36:46 PM
to Wazuh mailing list, guga...@gmail.com, je...@wazuh.com
It's strange, because when I enter the event and run ossec-logtest, I get some results.


2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Nova   Operation:  Type: %%14675  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -


**Phase 1: Completed pre-decoding.
       full event: '2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Nova   Operation:  Type: %%14675  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -'
       hostname: 'prd-logman'
       program_name: '(null)'
       log: '2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Nova   Operation:  Type: %%14675  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '5136'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'hmg-ad-01.mycompany.homolog'
       srcuser: 'myuser'

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'

Pedro S

Jun 16, 2016, 6:30:57 PM
to Wazuh mailing list, guga...@gmail.com, je...@wazuh.com
Hi Gus,

Right, now we know for sure what is happening. As you realized, OSSEC is reading and decoding the event, and rule ID 18104 is being triggered, BUT the alert level is 0, meaning that the alert won't be written to the alerts.log/json file.

Rule 18104 triggers on AUDIT_SUCCESS Windows logs; take a look at it:

<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>

We have two options left. The first one is to decrease <log_alert_level> in ossec.conf so that level 0 alerts are logged; that is a bad choice and not recommended.

The second choice is to create a new rule to fetch the events. We will create it in the file /var/ossec/rules/local_rules.xml, because this file won't be overwritten when upgrading Wazuh.

1. Open /var/ossec/rules/local_rules.xml and add the following code at the end of the file:

 <group name="windows,">
  <rule id="110000" level="6">
    <if_sid>18104</if_sid>
    <id>^5137$|^5139$|^5141$</id>
    <description>Windows desired events for Gus</description>
  </rule>
</group>

2. Save and close, then check whether it is working by pasting the events into ossec-logtest; if it is, restart OSSEC to apply the changes.

Now we have created a new level 6 rule (110000) which will trigger every time a Windows event (18100) is AUDIT_SUCCESS (18104) with ID 5137, 5139 or 5141.

ossec-logtest example:

**Phase 1: Completed pre-decoding.
       full event: '2016 Jun 16 18:01:49 WinEvtLog: Security: AUDIT_SUCCESS(5139): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was moved.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b   Directory Service:  Name:  mycompany.homolog  Type:  %%14676   Object:  Old DN:  OU=Teste12,OU=Teste,DC=mycompany,DC=homolog  New DN: OU=Teste12,OU=teste,DC=mycompany,DC=homolog  GUID:  {9C289F88-45B7-462D-BBFB-3CFA4CC99A1E}  Class:  organizationalUnit   Operation:  Correlation ID:   {60BA7D59-1879-44EF-BCDD-F5FD43074982}  Application Correlation ID: -'
       hostname: 'ossec-manager'
       program_name: '(null)'
       log: '2016 Jun 16 18:01:49 WinEvtLog: Security: AUDIT_SUCCESS(5139): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was moved.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b   Directory Service:  Name:  mycompany.homolog  Type:  %%14676   Object:  Old DN:  OU=Teste12,OU=Teste,DC=mycompany,DC=homolog  New DN: OU=Teste12,OU=teste,DC=mycompany,DC=homolog  GUID:  {9C289F88-45B7-462D-BBFB-3CFA4CC99A1E}  Class:  organizationalUnit   Operation:  Correlation ID:   {60BA7D59-1879-44EF-BCDD-F5FD43074982}  Application Correlation ID: -'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '5139'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'hmg-ad-01.mycompany.homolog'

**Phase 3: Completed filtering (rules).
       Rule id: '110000'
       Level: '6'
       Description: 'Windows desired events for Gus'
**Alert to be generated.


I hope it helps; please don't hesitate to keep asking if you need it.

Best regards,

Pedro S.

Gus Lou

Jun 17, 2016, 9:14:12 AM
to Wazuh mailing list, guga...@gmail.com, je...@wazuh.com
Hi Pedro,

I executed the new rule and it works perfectly.

Now we can detect changes in Organizational Units in Active Directory.


Thank you very much for your help; you were as fast as a click.

Gus Lou

Jun 22, 2016, 2:58:09 PM
to Wazuh mailing list, guga...@gmail.com, je...@wazuh.com
Tip: To filter changes only in Organizational Unit objects, filter the log for "class: OrganizationalUnit:"

2016 Jun 16 18:03:20 WinEvtLog: Security: AUDIT_SUCCESS(5136): Microsoft-Windows-Security-Auditing: (no user): no domain: hmg-ad-01.mycompany.homolog: A directory service object was modified.  Subject:  Security ID:  S-1-5-21-171159330-1522895542-2331767353-1107  Account Name:  myuser  Account Domain:  mycompany.homolog  Logon ID:  0x2c2a433b  Directory Service:  Name: mycompany.homolog  Type: %%14676   Object:  DN: OU=Nova,OU=Teste,DC=mycompany,DC=homolog  GUID: {95AB5E4A-1B47-4AB6-AC35-6AE750664E32}  Class: organizationalUnit   Attribute:  LDAP Display Name: name  Syntax (OID): 2.5.5.12  Value: Nova   Operation:  Type: %%14675  Correlation ID: {8EC617F2-289F-480D-B1F7-22621494B535}  Application Correlation ID: -
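As an added example (not code from this thread and not OSSEC/Wazuh code), the following Python model reproduces what ossec-logtest shows in the posts above: the `windows` decoder fields (status, id, extra_data, dstuser, system_name, srcuser), the rule chain 18100 -> 18104 (level 0) -> Pedro's local rule 110000 (level 6), and the `<log_alert_level>` threshold that explains why a level 0 match is decoded but never written to alerts.log. It also adds a child rule in the spirit of Gus's tip, narrowing the alert to `Class: organizationalUnit`. Rule 110001, its description, the host and user names and the sample log lines are constructed; the OSSEC regex dialect is approximated with Python `re`, which is enough for the patterns used here.

```python
"""Toy model of the OSSEC/Wazuh decoder + rule chain from the thread (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Shape of the agent's WinEvtLog line, as seen in archives.log:
#   ... WinEvtLog: <channel>: <STATUS>(<event id>): <source>: <user>: <domain>: <host>: <message>
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode(log: str) -> Optional[dict]:
    """Mimic the 'windows' decoder fields printed by ossec-logtest; None = 'No decoder matched'."""
    m = WINEVT_RE.search(log)
    if not m:
        return None
    ev = m.groupdict()
    ev["decoder"] = "windows"
    acct = re.search(r"Account Name:\s+(\S+)", ev["message"])   # -> srcuser in Phase 2
    ev["srcuser"] = acct.group(1) if acct else None
    return ev


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None      # parent rule, like <if_sid>
    decoded_as: Optional[str] = None  # like <decoded_as>
    status: Optional[str] = None      # regex on decoded status, like <status>
    event_id: Optional[str] = None    # regex on decoded id, like <id>
    match: Optional[str] = None       # literal substring of the log, like <match>


def rule_applies(rule: Rule, ev: dict, log: str) -> bool:
    if rule.decoded_as and ev["decoder"] != rule.decoded_as:
        return False
    if rule.status and not re.search(rule.status, ev["status"]):
        return False
    if rule.event_id and not re.search(rule.event_id, ev["id"]):
        return False
    if rule.match and rule.match not in log:
        return False
    return True


# Stock chain from the thread (18100 -> 18104, both level 0) plus Pedro's local rule 110000.
# Rule 110001 is a constructed child that narrows 110000 to OU objects, following Gus's tip.
RULES = [
    Rule(18100, 0, "Group of Windows rules (approximate)", decoded_as="windows"),
    Rule(18104, 0, "Windows audit success event.", if_sid=18100, status=r"^AUDIT_SUCCESS|^success"),
    Rule(110000, 6, "Windows desired events for Gus", if_sid=18104, event_id=r"^5137$|^5139$|^5141$"),
    Rule(110001, 6, "AD organizational unit created/moved/deleted", if_sid=110000,
         match="Class: organizationalUnit"),
]


def evaluate(log: str, rules=RULES):
    """Walk the rule tree the way the analysis engine does: first matching rule at each depth, then its children."""
    ev = decode(log)
    if ev is None:
        return None, None
    children = defaultdict(list)
    for r in rules:
        children[r.if_sid].append(r)
    best, frontier = None, children[None]
    while frontier:
        hit = next((r for r in frontier if rule_applies(r, ev, log)), None)
        if hit is None:
            break
        best, frontier = hit, children[hit.id]
    return ev, best


def would_alert(rule: Optional[Rule], log_alert_level: int = 1) -> bool:
    """An alert is written only when the rule level >= <log_alert_level> (OSSEC default: 1)."""
    return rule is not None and rule.level >= log_alert_level


# Constructed samples in the same shape as the thread's archives.log lines (placeholder host/user).
HDR = ("2016 Jun 16 18:00:00 WinEvtLog: Security: AUDIT_SUCCESS({eid}): "
       "Microsoft-Windows-Security-Auditing: (no user): no domain: dc01.example.test: ")
SAMPLES = {
    "5136_ou": HDR.format(eid=5136) + "A directory service object was modified.  Subject:  Account Name:  adadmin  Object:  DN: OU=Sales,DC=example,DC=test  Class: organizationalUnit",
    "5137_user": HDR.format(eid=5137) + "A directory service object was created.  Subject:  Account Name:  adadmin  Object:  DN: CN=jdoe,OU=Sales,DC=example,DC=test  Class: user",
    "5141_ou": HDR.format(eid=5141) + "A directory service object was deleted.  Subject:  Account Name:  adadmin  Object:  DN: OU=Sales,DC=example,DC=test  Class: organizationalUnit  Operation:  Tree Delete: %%14679",
    "garbage": "2016 Jun 16 18:00:00 something the windows decoder does not understand",
}

if __name__ == "__main__":
    for name, log in SAMPLES.items():
        ev, rule = evaluate(log)
        if rule is None:
            print(f"{name}: no decoder/rule matched")
        else:
            print(f"{name}: id={ev['id']} rule={rule.id} level={rule.level} alert={would_alert(rule)}")
```

Running it shows the three outcomes the thread walks through: the 5136 line stops at 18104 (level 0, no alert unless `log_alert_level` is lowered to 0), the 5137 and 5141 lines reach the level 6 local rules and alert, and a line the decoder does not recognise yields the "No decoder matched" case, which is a decoder problem rather than a rule problem.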

Pedro Sanchez

Jun 22, 2016, 7:41:09 PM
to Gus Lou, Wazuh mailing list, Jesus Linares
Thanks for the tip Gus!

How is everything working? May I ask how many agents you are running currently? Just being curious.

I hope everything is okay; we will be here if you need more help!


Lucio Emanuel Soldo

Jan 21, 2021, 4:23:58 AM
to Wazuh mailing list
Hi everyone, how are you doing?

Well, in my case I created a custom rule as Pedro mentioned in a previous email in order to change the level of the alert to 6, but when I try to check with ossec-logtest I receive the following error:

**Phase 2: Completed decoding.
       No decoder matched.

My Wazuh version is 4.0.1

Thank you very much.


