How to monitor the Windows event log?


sant...@gmail.com

Jun 17, 2016, 6:02:49 PM
to Wazuh mailing list
Hello.
I installed ossec-wazuh with Kibana on a Linux server.
I want to monitor the Windows event log from 2 Active Directory servers.
I have configured the agent on Linux for these servers and installed the OSSEC agent on the Windows server.

The agent configuration on Windows is:

<ossec_config>
  <client>
    <server-ip>192.168.12.14</server-ip>
  </client>

  <!-- Windows event log channels forwarded to the manager -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

I receive this log in Kibana:

{\"rule\":{\"level\":3,\"comment\":\"Windows User Logoff.\",\"sidid\":18149,\"firedtimes\":1,\"groups\":[\"windows\"],\"PCI_DSS\":[\"10.2.5\"]},\"dstuser\":\"Administrador\",\"full_log\":\"2016 Jun 07 10:33:48 WinEvtLog: Security: AUDIT_SUCCESS(551): Security: Administrador: PC-XP: PC-XP: Cierre de sesi\xF3n iniciada por el usuario:     Nombre usuario: Administrador     Dominio:  DOM.local     Id. de inicio de sesi\xF3n:  (0x0,0xb73d9)    \",\"id\":\"551\",\"status\":\"AUDIT_SUCCESS\",\"data\":\"Security\",\"systemname\":\"PC-XP\",\"decoder\":{\"name\":\"windows\"},\"hostname\":\"agent01\",\"agentip\":\"any\",\"timestamp\":\"2016 Jun 07 10:33:51\",\"location\":\"WinEvtLog\"}


Please, how can I add a dashboard in the Kibana graphical interface for the event log monitoring?

Pedro Sanchez

Jun 17, 2016, 9:13:49 PM
to sant...@gmail.com, Wazuh mailing list
Hi,

I am not sure I understood what you need. Do you have Wazuh already installed and working? Did you complete all the documentation steps so you have all the out-of-the-box dashboards?

I can see you are receiving Windows events. Do you need to create a special and dedicated dashboard for Windows events?

You will need to use some filters in Kibana, for example:

Get all the Windows events: rule.groups: windows
Get Windows auth failures: rule.groups: win_authentication_failed

Playing a little bit with that you can make this up in ten minutes (click here to open it in another window):


Maybe you can get some info in the official Kibana dashboards docs.

If you need some help creating the dashboard just tell us, or maybe we can talk through another channel (these are OSSEC lists :D).


Best regards,

Pedro S.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5db47b09-d592-4841-9aa5-70ffc3d65286%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

santyuste

Jun 18, 2016, 12:42:20 PM
to Wazuh mailing list
Hello Pedro.
I have configured Kibana and Kibana is working.
I want to create a dedicated dashboard, but I don't know how to do it.
Can you help me, please?


Pedro Sanchez

Jun 18, 2016, 1:20:53 PM
to santyuste, Wazuh mailing list
Hi,

What do you need to show on the "dedicated dashboard"? What kind of alerts or data?

Please try to read and understand this tutorial from Elastic.co; they teach how to create a dashboard: https://www.elastic.co/guide/en/kibana/current/dashboard.html

Try to do a quick search on Google for "Create Kibana dashboard".
Did you like the dashboard I created in the previous post? I can send you the .json file so you can import it.


santyuste

Jun 19, 2016, 7:39:44 AM
to Wazuh mailing list

Hello

I want to visualize the Windows event log from 2 domain controllers.

In my Kibana configuration, in the Discover option I have “ossec-*”. Is that right?

For installing I followed this: http://documentation.wazuh.com/en/latest/ossec_elk.html

Can you send me the .json file?

It is very difficult!

Pedro Sanchez

Jun 19, 2016, 11:12:05 AM
to santyuste, Wazuh mailing list
Yeah, that is right.

Find attached the Dashboard, import it by clicking on Settings -> Objects -> Import.

Please refer to the last link I posted here so you can learn how to create visualizations. Maybe you will find this Kibana 4 tutorial video (Spanish) useful: https://www.youtube.com/watch?v=jf-PgnAnhVs or this set of tutorial series (English): https://www.youtube.com/watch?v=96og3aIgyrc&list=PLhLSfisesZIvA8ad1J2DSdLWnTPtzWSfI

Best regards,

Pedro S.

Dashboard.json

santyuste

Jun 19, 2016, 11:46:17 AM
to Wazuh mailing list
Hello Pedro.
I just imported the Dashboard.json file, but when I do a search, it tells me there are no results.
Do I have to create a rule in OSSEC?
In the unfiltered search results (I attached screenshots), there are fields that are empty, so I cannot filter hosts by name or system event.
I've been looking at how to create rules in OSSEC, but I have doubts. When creating a rule there is a <if_sid>4444</if_sid>; what does that number mean?

Can you help me please?


2016-06-19_173748.png
2016-06-19_173823.png

Pedro Sanchez

Jun 19, 2016, 1:16:30 PM
to santyuste, Wazuh mailing list
You will need to be more concrete about the rules you want to create; I am not sure I understand what you need by using the <if_sid> tag. Find here more information about rule creation in OSSEC.

Not all Windows events have all the fields. I mean, some Windows events only have a few fields filled in, and that's why you see empty spaces in some columns.
I can see in the screenshot you attached that you have a "JSON parse failure". I think your Logstash configuration is not set properly; we first need to solve this JSON parse failure in order to get all the fields parsed in Elasticsearch/Kibana. Could you paste here a sample output of a Windows event log?


Best regards,

Pedro S.




santyuste

Jun 19, 2016, 2:02:59 PM
to Wazuh mailing list
Hello.
This is the post of a Windows event log in Kibana:
{\"rule\":{\"level\":3,\"comment\":\"Windows Logon Success.\",\"sidid\":18107,\"firedtimes\":2,\"groups\":[\"windows\",\"authentication_success\"],\"PCI_DSS\":[\"10.2.5\"]},\"dstuser\":\"Administrador\",\"full_log\":\"2016 Jun 19 16:07:32 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrador: PC-XP: PC-XP: Inicio de sesi\xF3n realizado: Nombre de usuario: Administrador Dominio: PC-XP Id. de inicio de sesi\xF3n: (0x0,0x274323) Tipo de inicio de sesi\xF3n: 2 Proceso de inicio de sesi\xF3n: User32 Paquete de autenticaci\xF3n: Negotiate Nombre de estaci\xF3n de trabajo: PC-XP GUID de inicio de sesi\xF3n: - \",\"id\":\"528\",\"status\":\"AUDIT_SUCCESS\",\"data\":\"Security\",\"systemname\":\"PC-XP\",\"decoder\":{\"name\":\"windows\"},\"hostname\":\"agent01\",\"agentip\":\"any\",\"timestamp\":\"2016 Jun 19 16:07:34\",\"location\":\"WinEvtLog\"}

I believe I have a bad configuration, but I don't know where.
I did not create any rule.



santyuste

Jun 19, 2016, 3:52:48 PM
to Wazuh mailing list
Note: My Windows agent is installed on Windows XP.
I can't install it on Windows 10.



Pedro Sanchez

Jun 19, 2016, 5:29:20 PM
to santyuste, Wazuh mailing list
Hi,

I have tested your event and everything is working well in my lab. I tested:
- Event on ossec-logtest: OK
- Event pasted into /var/log/auth.log, processed and written to alerts.json: OK
- Event shipped by Logstash: OK
- Event arriving in Elasticsearch: OK




I am not sure what is failing in your environment; maybe you can start from scratch, following the guide in detail.
Try to set up Logstash in debug mode by modifying the output section of 01-ossec-singlehost.conf:

output {
  # Print every parsed event to the console; the Elasticsearch output is commented out while debugging
  stdout { codec => rubydebug }
  #elasticsearch {
  #  hosts => ["127.0.0.1:9200"]
  #  index => "ossec-%{+YYYY.MM.dd}"
  #  document_type => "ossec"
  #  template => "/etc/logstash/elastic-ossec-template.json"
  #  template_name => "ossec"
  #  template_overwrite => true
  #}
}

Run Logstash manually by running: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-ossec-singlehost.conf --verbose

Using this configuration you will have the alerts on the console to check whether they are being parsed properly.






santyuste

Jun 20, 2016, 4:35:39 AM
to Wazuh mailing list
Hello Pedro.

I ran Logstash manually by running: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-ossec-singlehost.conf --verbose, and a logon failure on PC-XP:

Received an event that has a different character encoding than you configured. {:text=>"{\\\"rule\\\":{\\\"level\\\":3,\\\"comment\\\":\\\"Windows Logon Success.\\\",\\\"sidid\\\":18107,\\\"firedtimes\\\":7,\\\"groups\\\":[\\\"windows\\\",\\\"authentication_success\\\"],\\\"PCI_DSS\\\":[\\\"10.2.5\\\"]},\\\"dstuser\\\":\\\"Servicio de red\\\",\\\"full_log\\\":\\\"2016 Jun 20 10:27:02 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Servicio de red: NT AUTHORITY: PC-XP: Inicio de sesi\\xF3n realizado:     Nombre de usuario:  Servicio de red     Dominio:  NT AUTHORITY     Id. de inicio de sesi\\xF3n:  (0x0,0x3E4)     Tipo de inicio de sesi\\xF3n: 5     Proceso de inicio de sesi\\xF3n: Advapi       Paquete de autenticaci\\xF3n: Negotiate     Nombre de estaci\\xF3n de trabajo:      GUID de inicio de sesi\\xF3n: -  \\\",\\\"id\\\":\\\"528\\\",\\\"status\\\":\\\"AUDIT_SUCCESS\\\",\\\"data\\\":\\\"Security\\\",\\\"systemname\\\":\\\"PC-XP\\\",\\\"decoder\\\":{\\\"name\\\":\\\"windows\\\"},\\\"hostname\\\":\\\"agent01\\\",\\\"agentip\\\":\\\"any\\\",\\\"timestamp\\\":\\\"2016 Jun 20 10:27:06\\\",\\\"location\\\":\\\"WinEvtLog\\\"}", :expected_charset=>"UTF-8", :level=>:warn}
JSON parse failure. Falling back to plain-text {:error=>#<LogStash::Json::ParserError: Unexpected character ('\' (code 92)): was expecting double-quote to start field name
 at [Source: [B@6b6ba4; line: 1, column: 3]>, :data=>"{\\\"rule\\\":{\\\"level\\\":3,\\\"comment\\\":\\\"Windows Logon Success.\\\",\\\"sidid\\\":18107,\\\"firedtimes\\\":7,\\\"groups\\\":[\\\"windows\\\",\\\"authentication_success\\\"],\\\"PCI_DSS\\\":[\\\"10.2.5\\\"]},\\\"dstuser\\\":\\\"Servicio de red\\\",\\\"full_log\\\":\\\"2016 Jun 20 10:27:02 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Servicio de red: NT AUTHORITY: PC-XP: Inicio de sesi\\xF3n realizado:     Nombre de usuario:  Servicio de red     Dominio:  NT AUTHORITY     Id. de inicio de sesi\\xF3n:  (0x0,0x3E4)     Tipo de inicio de sesi\\xF3n: 5     Proceso de inicio de sesi\\xF3n: Advapi       Paquete de autenticaci\\xF3n: Negotiate     Nombre de estaci\\xF3n de trabajo:      GUID de inicio de sesi\\xF3n: -  \\\",\\\"id\\\":\\\"528\\\",\\\"status\\\":\\\"AUDIT_SUCCESS\\\",\\\"data\\\":\\\"Security\\\",\\\"systemname\\\":\\\"PC-XP\\\",\\\"decoder\\\":{\\\"name\\\":\\\"windows\\\"},\\\"hostname\\\":\\\"agent01\\\",\\\"agentip\\\":\\\"any\\\",\\\"timestamp\\\":\\\"2016 Jun 20 10:27:06\\\",\\\"location\\\":\\\"WinEvtLog\\\"}", :level=>:info}



Pedro Sanchez

Jun 20, 2016, 2:10:05 PM
to santyuste, Wazuh mailing list
If you could activate the archives option in the OSSEC manager (<logall>yes</logall>), generate the event and paste the archives output here, I will test your log output in my lab.

The thing is, for some reason the JSON parser is failing in your environment. At the beginning I thought it was failing because of the Spanish language mapping, but I have some Windows OSes in Spanish and they are working properly (including accents and special characters).

I will reach you by email so we can keep the conversation there; once we get to a solution we can update this thread.

Best regards, 

Pedro S.


francisco...@gmail.com

Aug 31, 2017, 7:55:28 AM
to Wazuh mailing list, sant...@gmail.com
Hello. Something very similar to what is discussed in this thread is happening to me. I have had Wazuh deployed for some time, with agents on Linux and Windows. The Windows machines are in Spanish and everything works fine (OSSEC, Elastic, Logstash, Kibana, etc.) except when some event contains the character "ñ" or "Ñ", or accented words (á, é, í, ó, ú): in Kibana it does not display correctly.

The OSSEC alerts are logged correctly (they show the "ñ", for example), the alert emails display correctly, and if I take the event and pass it through "ossec-logtest", it is parsed correctly, indicating the decoder used, the alert generated and the alert level. The JSON file looks correct, with no strange characters. So far so good.

When I look up that alert in Kibana, it is not parsed correctly and appears as shown in the image.

Any ideas or suggestions? (Besides not using these characters, of course :-p)

Thank you!



Miguelangel Freitas

Sep 1, 2017, 12:37:11 PM
to francisco...@gmail.com, Wazuh mailing list, sant...@gmail.com
Hi,

Let me try to help here.

Maybe the issue is the character encoding used by Logstash. Try using a different charset: edit your Logstash configuration located in the /etc/logstash/conf.d/ folder and change the input section to something like the following:

input {
   file {
       type => "wazuh-alerts"
       path => "/var/ossec/logs/alerts/alerts.json"
       codec => "json" { charset => "ISO-8859-1" }
   }
}

The default charset in Logstash is UTF-8; it is possible that the incoming messages have characters that are not in UTF-8.

Please tell us if it works, thanks.

Regards.

Miguelangel Freitas
Security Engineer



Fco. Javier C.

Sep 1, 2017, 1:42:25 PM
to Miguelangel Freitas, Wazuh mailing list
You say, I do! :-)

Thanks a lot Miguel Angel (and everybody in this thread). After several tests, I can pass the ISO-8859-1 charset to Logstash and now everything appears correct.

With codec => "json" { charset => "ISO-8859-1" } I got the following error when starting Logstash:
...
...
{:timestamp=>"2017-09-01T19:14:27.022000+0200", :message=>"fetched an invalid config", :config=>"input {\n  file {\n    type => \"ossec-alerts\"\n    path => \"/var/ossec/logs/alerts/alerts.json\"\n    codec => \"json\" { expected_charset => \"ISO-8859-1\" }\n#    codec => \"json\" \n    \n  }
...
...
 :reason=>"Couldn't find any codec plugin named '\"json\"'. Are you sure this is correct? Trying to load the \"json\" codec plugin resulted in this error: no such file to load -- logstash/codecs/\"json\"", :level=>:error}



With codec => json { charset => "ISO-8859-1" }, Logstash starts correctly and everything looks perfect.

Many, many thanks!

PS: Elasticsearch 2.3.5; Logstash 2.3.4-1 and Kibana 4.5.4; Debian 8.7 x64
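An added check, written for this thread rather than taken from it or from Wazuh/Logstash, showing why a codec fixed to UTF-8 rejects an alerts.json line that a Spanish-language Windows agent wrote in its single-byte code page, and why decoding the same bytes as ISO-8859-1 (the charset that worked above) parses cleanly. The sample line is constructed from the logoff event quoted earlier in the thread and assumes the agent's code page maps "ó" to byte 0xF3, as both Windows-1252 and ISO-8859-1 do.

```python
import json

# Constructed sample alerts.json line, modelled on the Windows logoff event
# quoted in this thread. "sesión" is written as the single byte 0xF3 (the
# agent's ANSI code page), which is not a valid UTF-8 sequence.
SAMPLE_LATIN1_LINE = (
    b'{"rule":{"level":3,"comment":"Windows User Logoff.","sidid":18149,'
    b'"groups":["windows"]},"dstuser":"Administrador",'
    b'"full_log":"2016 Jun 07 10:33:48 WinEvtLog: Security: AUDIT_SUCCESS(551): '
    b'Security: Administrador: PC-XP: PC-XP: Cierre de sesi\xf3n iniciada por el usuario",'
    b'"id":"551","decoder":{"name":"windows"},"location":"WinEvtLog"}\n'
)

# The same constructed event as a UTF-8 source (a Linux agent, for example)
# would write it: "ó" becomes the two-byte sequence 0xC3 0xB3.
SAMPLE_UTF8_LINE = SAMPLE_LATIN1_LINE.replace(b"\xf3", "ó".encode("utf-8"))


def decode_alert_line(raw: bytes, charset: str = "utf-8") -> str:
    """Decode one line the way a codec with a fixed charset does.

    Strict decoding raises UnicodeDecodeError when the bytes are not valid in
    `charset`; that mismatch is what sits behind Logstash's "different
    character encoding" warning and the JSON parse failure that follows it.
    """
    return raw.decode(charset)


def parse_alert(raw: bytes, charset: str = "utf-8") -> dict:
    """Decode with the given charset, then parse the JSON alert object."""
    return json.loads(decode_alert_line(raw, charset))


def non_utf8_lines(lines) -> list:
    """1-based numbers of the lines that are not valid UTF-8.

    Run this over the real alerts.json before changing the Logstash codec:
    if it reports lines, the agent is writing a single-byte code page and
    charset => "ISO-8859-1" is the appropriate fix.
    """
    bad = []
    for n, line in enumerate(lines, start=1):
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            bad.append(n)
    return bad


def full_log(raw: bytes, charset: str) -> str:
    """The full_log field of the alert, decoded with `charset`."""
    return parse_alert(raw, charset)["full_log"]


if __name__ == "__main__":
    print(non_utf8_lines([SAMPLE_UTF8_LINE, SAMPLE_LATIN1_LINE]))
    try:
        parse_alert(SAMPLE_LATIN1_LINE, "utf-8")
    except UnicodeDecodeError as exc:
        print("utf-8 decode failed:", exc)
    print(full_log(SAMPLE_LATIN1_LINE, "iso-8859-1"))
```

Every byte is valid ISO-8859-1, so that decode never fails; a line that is really UTF-8 will instead turn into mojibake ("Ã³" for "ó"), which is why the non_utf8_lines check should confirm the mismatch before the codec charset is changed.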



Miguelangel Freitas

Sep 1, 2017, 2:20:34 PM
to Fco. Javier C., Wazuh mailing list
Hi,

You are right, the correct syntax is without the quotes, like you say in the previous post:

codec => json { charset => "ISO-8859-1" }

We are pleased to help; do not hesitate to contact us again. Thanks.

Regards.

Miguelangel Freitas
Security Engineer
