system reboot and restart


Danish Ibrar

Mar 21, 2023, 3:24:14 AM
to Wazuh mailing list
How can I monitor system reboot and restart?
I can see an event (eventID 1074) generated whenever the system is shut down or restarted by a user or application. I can see the log in archive.log but can't see an alert generated for it.
How can I generate an alert for that?
 

Henadence Anyam

Mar 21, 2023, 4:37:56 AM
to Wazuh mailing list
Dear Danish,

System reboot events trigger the rule with ID 61100. Rule ID 61100 matches the field win.system.severityValue with value INFORMATION.
You can create a rule that inherits from rule ID 61100 and match the field win.system.eventID with value 1074.
To achieve this, add the following rule to /var/ossec/etc/rules/local_rules.xml:

<rule id="111001" level="7">
    <!-- Only evaluated after the parent rule 61100 (win.system.severityValue INFORMATION) has matched -->
    <if_sid>61100</if_sid>
    <!-- Anchored with ^ and $ so that only event ID 1074 matches, not a longer ID such as 10740 -->
    <field name="win.system.eventID">^1074$</field>
    <description>Windows system rebooted.</description>
</rule>

This will trigger an alert with ID 111001 when your system reboots.

Hope you find this information helpful.

Best regards,

Henadence

Danish Ibrar

Mar 21, 2023, 6:19:15 AM
to Henadence Anyam, Wazuh mailing list
Okay, and what about eventID 6008?


Henadence Anyam

Mar 21, 2023, 8:01:15 AM
to Wazuh mailing list
Hello Danish,

Windows shutdown and restart event logs have the following IDs: 41, 1074, 6006, and 6008, as stated here: https://www.tenforums.com/tutorials/78335-read-shutdown-logs-event-viewer-windows.html

By default, there is rule ID 61105, which triggers an alert for event ID 41.

For event IDs 6006 and 6008, you can inherit from rule ID 63102 which considers the win.system.severityValue of ERROR.
Example:

<rule id="111002" level="7">
    <!-- Only evaluated after the parent rule 63102 (win.system.severityValue ERROR) has matched -->
    <if_sid>63102</if_sid>
    <!-- Each alternative is anchored so that only the exact IDs 6006 and 6008 match -->
    <field name="win.system.eventID">^6006$|^6008$</field>
    <description>Windows system rebooted.</description>
</rule>
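The two rules in the replies above only fire when their parent (61100 for INFORMATION, 63102 for ERROR) has already matched, so the severity level Windows assigns to each event decides whether a child rule can ever see it. The following Python script is an added example, not code from this thread or from the Wazuh project: it models that if_sid chain and the anchored field regexes over a few hand-written eventchannel events, and shows the check a practitioner would want before relying on the rules. The sample events, the modelling of 61100 and 63102 as level 0 root rules, the extra rule 111003, and the Python `re` engine standing in for Wazuh's own regex engine are all assumptions made for the example.

```python
import re

# Wazuh writes an alert only when the matched rule's level reaches
# log_alert_level, which defaults to 3.
ALERT_LEVEL = 3

# Constructed Windows eventchannel events, trimmed to the fields the rules
# below inspect. Hand-written for this example, not captured from a host.
SAMPLE_EVENTS = {
    "user_restart_1074": {"win": {"system": {"channel": "System", "providerName": "User32",
                                              "eventID": "1074", "severityValue": "INFORMATION"}}},
    "eventlog_stopped_6006": {"win": {"system": {"channel": "System", "providerName": "EventLog",
                                                  "eventID": "6006", "severityValue": "INFORMATION"}}},
    "unexpected_shutdown_6008": {"win": {"system": {"channel": "System", "providerName": "EventLog",
                                                     "eventID": "6008", "severityValue": "ERROR"}}},
    # Look-alike ID, included only to show why the ^...$ anchors matter.
    "lookalike_10740": {"win": {"system": {"channel": "System", "providerName": "Example",
                                            "eventID": "10740", "severityValue": "INFORMATION"}}},
}

# Rule tree as described in the thread. Assumption: the two parents are
# modelled as root rules with level 0, since their real parents and levels
# are not shown in the thread.
RULES = [
    {"id": 61100, "level": 0, "if_sid": None, "fields": {"win.system.severityValue": "^INFORMATION$"}},
    {"id": 63102, "level": 0, "if_sid": None, "fields": {"win.system.severityValue": "^ERROR$"}},
    {"id": 111001, "level": 7, "if_sid": 61100, "fields": {"win.system.eventID": "^1074$"}},
    {"id": 111002, "level": 7, "if_sid": 63102, "fields": {"win.system.eventID": "^6006$|^6008$"}},
]

# Hypothetical extra rule, not from the thread: Windows logs 6006 ("The Event
# log service was stopped") at Information level, so a rule for it has to hang
# off the INFORMATION parent 61100, not the ERROR parent, to ever match.
RULE_6006_FIX = {"id": 111003, "level": 7, "if_sid": 61100, "fields": {"win.system.eventID": "^6006$"}}


def get_field(event, dotted_name):
    """Resolve a dotted field name such as win.system.eventID against a decoded event."""
    current = event
    for part in dotted_name.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current if isinstance(current, str) else None


def field_matches(pattern, value):
    """Regex search as a <field> element does. Python re stands in for Wazuh's
    own engine here; ^, $ and | behave the same for the patterns used above."""
    return re.search(pattern, value) is not None


def rule_matches(rule, event):
    """Every <field> in a rule must match for the rule to match."""
    for name, pattern in rule["fields"].items():
        value = get_field(event, name)
        if value is None or not field_matches(pattern, value):
            return False
    return True


def evaluate(event, rules):
    """Walk the if_sid tree: a child is tried only once its parent matched.
    Returns the deepest matching rule, or None. Simplification: among matching
    siblings the first one listed wins."""
    children = {}
    for rule in rules:
        children.setdefault(rule["if_sid"], []).append(rule)
    matched = None
    candidates = children.get(None, [])
    while True:
        hit = next((r for r in candidates if rule_matches(r, event)), None)
        if hit is None:
            return matched
        matched = hit
        candidates = children.get(hit["id"], [])


def alert_for(event, rules=RULES):
    """ID of the rule that would raise an alert, or None if nothing alert-worthy matched."""
    rule = evaluate(event, rules)
    if rule is None or rule["level"] < ALERT_LEVEL:
        return None
    return rule["id"]


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:26s} thread rules -> {alert_for(event)}  "
              f"with 6006 fix -> {alert_for(event, RULES + [RULE_6006_FIX])}")
```

Running it shows 1074 and 6008 alerting as the replies describe, 6006 producing no alert under rule 111002 because its INFORMATION severity never reaches the ERROR parent, and the anchored `^1074$` ignoring the look-alike ID 10740 where an unanchored `1074` would match it. On a real manager, the equivalent check is to paste a raw eventchannel JSON line into `/var/ossec/bin/wazuh-logtest` and confirm which rule ID it reports.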