Monitor Windows Services Shutdown


Daniel Baker

Oct 5, 2015, 10:38:17 AM
to ossec-list
I'm looking for a way to have OSSEC trigger on Event ID 1100 Service Shutdown in Windows.

Daniel Baker

Oct 5, 2015, 12:23:41 PM
to ossec-list


On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
I'm looking for a way to have OSSEC trigger on Event ID 1100 Service Shutdown in Windows.

This is what I'm trying to add to the local_rules.xml file:

<!-- child of 18104 (Windows audit-success events); fires when the event id is exactly 1100 -->
<rule id="1100000" level="12">
  <if_sid>18104</if_sid>
  <id>^1100$</id>
  <description>Windows Service Stopped</description>
</rule>

dan (ddp)

Oct 5, 2015, 12:25:48 PM
to ossec...@googlegroups.com

Do you have a log we can test with?


Daniel Baker

Oct 5, 2015, 12:52:20 PM
to ossec-list
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1100</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>103</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-05T13:44:32.036118000Z" />
    <EventRecordID>2719810</EventRecordID>
    <Correlation />
    <Execution ProcessID="744" ThreadID="11616" />
    <Channel>Security</Channel>
    <Computer>Security-Test</Computer>
    <Security />
  </System>
  <UserData>
  </UserData>
</Event>

Brent Morris

Oct 5, 2015, 12:59:25 PM
to ossec-list
It's easier for us to test if you can post it from your archives.log on ossec :)

Daniel Baker

Oct 5, 2015, 1:11:02 PM
to ossec-list
More Information: PCI 10.2.6, Initialization, stopping, or pausing of the audit logs.
My focus is on Windows Services Stop events.

I do not have any logs in archives.log

Brent Morris

Oct 5, 2015, 2:14:17 PM
to ossec-list
If you have the OSSEC manager installed and running, along with an agent on your Windows computer, then the agent should be sending all the event logs to the manager and storing them in /var/ossec/logs/archives/archives.log 

This is typically where OSSEC learns about events, and triggers alerts such as the one you're describing.  So if you can paste the event as OSSEC sees and stores it from archives.log - we can add your rule to our local_rules.xml and use tools, such as ossec-logtest to help you with writing your rule.

Unless I'm missing something... in which case I apologize :)
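As an added example (not code from this thread or from the OSSEC project), the Python script below shows what a Windows event looks like once the agent has forwarded it and the manager has written it to archives.log, and how the two-level rule chain (parent 18104 via if_sid, then the child's id match) resolves, which is what ossec-logtest reports for a pasted line. Assumptions: the log line layout is the "WinEvtLog: channel: STATUS(id): source: user: domain: host: message" form the Windows agent commonly emits, WINEVT_RE is an approximation of OSSEC's built-in windows decoder rather than the real one, parent rule 18104 is modelled as matching any event whose status is AUDIT_SUCCESS, and the three log lines are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the thread with the closing tag corrected to </if_sid>,
# wrapped in the <group> element local_rules.xml uses.
LOCAL_RULES = """
<group name="local,">
  <rule id="1100000" level="12">
    <if_sid>18104</if_sid>
    <id>^1100$</id>
    <description>Windows Service Stopped</description>
  </rule>
</group>
""".strip()

# Assumption: stand-in for OSSEC's parent rule 18104, modelled here as
# "any Windows event whose status is AUDIT_SUCCESS". Not the real rule file.
PARENT_RULES = {18104: {"status": r"^AUDIT_SUCCESS"}}

# Approximation of the OSSEC "windows" decoder (assumed line layout):
# "WinEvtLog: <channel>: <STATUS>(<id>): <source>: <user>: <domain>: <host>: <message>"
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<location>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<msg>.*)$"
)

# Constructed sample lines in the archives.log style described above.
SAMPLE_LINES = [
    "2015 Oct 05 13:44:32 WinEvtLog: Security: AUDIT_SUCCESS(1100): Microsoft-Windows-Eventlog: "
    "(no user): no domain: Security-Test: The event logging service has shut down.",
    "2015 Oct 05 13:44:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: Security-Test: An account was successfully logged on.",
    "2015 Oct 05 13:44:12 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: Security-Test: An account failed to log on.",
]


def decode(line):
    """Return the decoded fields for a WinEvtLog line, or None if it is not one."""
    m = WINEVT_RE.search(line)
    return m.groupdict() if m else None


def load_local_rules(xml_text):
    """Parse the subset of rule syntax used in the thread: id, level, if_sid, id regex, description."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(r.findtext("if_sid")),
            "id_regex": r.findtext("id"),
            "description": r.findtext("description"),
        })
    return rules


def evaluate(line, rules):
    """Mimic the if_sid chain: a child rule can only fire after its parent matched."""
    fields = decode(line)
    if fields is None:
        return None
    parent = next((sid for sid, cond in PARENT_RULES.items()
                   if re.match(cond["status"], fields["status"])), None)
    if parent is None:
        return None
    for rule in rules:
        # ^1100$ is valid in both OSSEC's regex dialect and Python's re.
        if rule["if_sid"] == parent and re.match(rule["id_regex"], fields["id"]):
            return {"rule": rule["id"], "level": rule["level"],
                    "description": rule["description"], "host": fields["host"]}
    return {"rule": parent, "level": 0, "description": "parent rule only", "host": fields["host"]}


def run_samples():
    """Evaluate every constructed sample line against the thread's rule."""
    rules = load_local_rules(LOCAL_RULES)
    return [evaluate(line, rules) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, run_samples()):
        print(line.split("WinEvtLog: ")[1][:45], "->", result)
```

Only the first line reaches rule 1100000 at level 12; the 4624 line stops at the level-0 parent, and the AUDIT_FAILURE line never enters the chain because 18104 is modelled on AUDIT_SUCCESS. Event 1100 is the event logging service itself shutting down, so a rule for ordinary service stop events (which land in a different channel with a different status) would need a different parent rule and id, which is exactly what pasting the real archives.log line into ossec-logtest would reveal.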