Filter Windows Event at client


Swati

Aug 6, 2015, 6:22:13 AM
to ossec-list
Hi,

I have installed the new version of OSSEC v2.8.2. I have a windows ossec client. I would like to filter Windows event logs (Applications/Security/System/Application and Services Log) based on the event ids at ossec client (in order to reduce the logs forwarded to OSSEC manager).

I have amended the client ossec.conf with the example from the OSSEC documentation.

<localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=7001]</query>
</localfile>

This WORKS.

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/Security[EventID=4624]</query>
</localfile>

THIS DOESN'T WORK. If I remove the query field it does work, but then it forwards all the logs coming out of the Windows Security event log. I am getting a similar issue when I try to filter based on "Applications and Services Logs".


If I try to give the whole path name in the location. The ossec client does not start and I get an error "Could not create bookmark".

Am I doing something wrong here? Please advise.

Kind Regards
Swati

Santiago Bassett

Aug 8, 2015, 1:32:44 PM
to ossec...@googlegroups.com
Hi,

try using this configuration:

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
</localfile> 

Best regards


Swati

Aug 10, 2015, 5:12:21 AM
to ossec-list
Thank you Santiago! It is working now.

Kind Regards
Swati

Ralph Durkee

Aug 18, 2015, 10:41:23 AM
to ossec...@googlegroups.com
I'm trying to filter Windows events based on strings such as the login type and workstation name, but as a starting point I tried the configuration below to filter on EventID 4624. The /var/ossec/etc/shared/agent.conf file contains:

<agent_config>
    <!-- Generic Agent configurations. -->


    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID=4624]</query>
    </localfile>

</agent_config>

However I continue receiving all security events including Security EventID 4624 and others.
I restarted the Windows system agent via agent_control -R and also restarted the OSSEC manager.
I don't have any errors in ossec.log with regard to the shared/agent.conf file.

Any suggestions on getting this working?

Thanks,
-- Ralph Durkee

Santiago Bassett

Aug 18, 2015, 11:46:38 AM
to ossec...@googlegroups.com
Try restarting it manually and see if that works.

Ralph Durkee

Aug 18, 2015, 1:15:00 PM
to ossec...@googlegroups.com
I've restarted ossec on the server several times. Are you referring to the Windows agent?

-- Ralph Durkee

Ralph Durkee

Aug 18, 2015, 1:18:07 PM
to ossec...@googlegroups.com
Tried stopping and starting the agent service on the windows system. Still getting other security events from that system such as 4672 and 4634 in addition to the 4624.  Any other suggestions?

-- Ralph Durkee

Santiago Bassett

Aug 18, 2015, 1:24:38 PM
to ossec...@googlegroups.com
Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones? Those are probably located in C:\Program Files\ossec-agent.

I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).

Regards

Ralph Durkee

Aug 18, 2015, 3:13:48 PM
to ossec...@googlegroups.com
The shared agent.conf is as previously shared, copied below for reference:


<agent_config>
    <!-- Generic Agent configurations. -->

    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID=4624]</query>
    </localfile>

</agent_config>

The Windows OSSEC config, after the comments, starts with the following (middle portion removed; it has no localfile entries):

<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Rootcheck - Policy monitor config -->
. . . SNIP . . .

</ossec_config>

<!-- END of Default Configuration. -->

<ossec_config>
  <client>
    <server-hostname>xxx-ossec-srv1</server-hostname>
  </client>
</ossec_config>

-- Ralph Durkee

Santiago Bassett

Aug 18, 2015, 3:20:43 PM
to ossec...@googlegroups.com
I guess you want to remove these sections from the ossec.conf file in the agent. Those are used to get all application, security and system events.

  <localfile> 
    <location>Application</location> 
    <log_format>eventlog</log_format> 
  </localfile> 
 
  <localfile> 
    <location>Security</location> 
    <log_format>eventlog</log_format> 
  </localfile> 
 
  <localfile> 
    <location>System</location> 
    <log_format>eventlog</log_format> 
  </localfile> 

Ralph Durkee

Aug 25, 2015, 11:43:19 AM
to ossec...@googlegroups.com
I've tried removing the shared agent.conf, and updated the windows ossec.conf and restarted the agent and server. I don't think the shared agent configuration was or is working but I wanted to focus on just getting the filtering to work on a Windows 2008 agent by updating the ossec.conf on the client first.  I can get none of the security events if the security location is removed on the client, or all of the security events if it is present.  The query filter doesn't seem to make any difference.   Is this working for anyone else?

    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID=4624]</query>
    </localfile>

Thanks,
-- Ralph


On 08/24/2015 06:56 PM, Ralph Durkee wrote:
I removed the Security <localfile> from client, and now am receiving no security events, instead of all security events, so that's a small step forward.  I am seeing in the ossec.log file the following error

2015/08/24 18:19:20 ossec-remoted(1405): ERROR: Message size not valid: ''.
2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
2015/08/24 18:19:20 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.

So I'm thinking that the server is unable to send the shared config back to the agent. Events from the agent are being received fine. Server platform is Ubuntu Server 14.04 and Windows 2008 on the agent side. I've removed the shared/agent.conf, and the message continues, so the problem isn't limited to the shared agent, but I would expect the lack of communication from the server to the agents would prevent the shared conf from working. I did a make clean and re-installed, thinking a mismatch in openssl libraries might cause the problem, but no luck. Is there a debug option or a verbose logging option to get more details on the issue?


Compile options include:  -DUSE_OPENSSL -DUSEINOTIFY

Thanks for the help!

Swati

Aug 26, 2015, 5:46:17 AM
to ossec-list, ossec...@rd1.net
I am struggling to see the logon events [event id 4624]. I can see 4648, that is, Account Login with Explicit Credentials. Any idea?

The other thing I noticed: because of filtering at the ossec client, the ossec manager receives ossec events from the client after 5-6 minutes. The events received from the client are not consistent. I can see some events but not others, even though they are in my conf file. Has anybody had a performance issue or noticed this behaviour?

Kind Regards
Swati

Fredrik

Nov 2, 2016, 8:34:43 AM
to ossec-list
Hi Santiago and others,


Interesting thread (even if dated). I did something similar today and got an OSSEC agent to forward Windows Server events according to the below to the OSSEC server. I have some experience writing decoders for syslog events (but limited, as you can see in this forum :)). How would I go about writing rules on the OSSEC server to handle the forwarded events?

- Say I would like to group all Level 1 events and send them in a daily email?
- How would I add multiple EventIDs to the below query? OSSEC and operand? Could you please provide an example?

ossec.conf

<ossec_config>

  <!-- One entry for each file/Event log to monitor. 
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

-->

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4740]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[Level=2]</query>
  </localfile>

The query for Level=2 generates alert below on OSSEC server when a test event was created using command below.

eventcreate /t error /id 100 /l system /d "Create event in application log" 

alerts.log
2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)


Best regards,
Fredrik 

Jesus Linares

Nov 4, 2016, 4:37:37 AM
to ossec-list
Hi Fredrik,

According to the documentation you can use the Microsoft event schema. If you want to add multiple event IDs:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- each event carries exactly one EventID, so alternatives are combined with "or" -->
  <query>Event/System[EventID=5140 or EventID=5144]</query>
</localfile>

Also, I think you can use other operators in the query (=, !=, <, >), so it could be useful for you to define an interval:
<query>Event/System[EventID>xxxx and EventID<yyyy]</query>

I've never used the "Level" query. Is it not working?

Regards.

Fredrik

Nov 9, 2016, 2:29:02 PM
to ossec-list
Thanks Jesus!!


Operators seems to be working just fine as you suggested!

The "level" query is doing its job; I tested with the command in my post. However, do you know of a way to trigger an email where all Level 2 events within a certain timeframe (e.g. 24h) are grouped together and included in the email? I realize this might involve multiple parts and configuration, but perhaps you can give a few pointers without spending too much of your time?

Best regards,
Fredrik 

Jesus Linares

Nov 10, 2016, 4:19:09 AM
to ossec-list
Hi Fredrik,

create a rule for your "level 2 events". Then, use the rule ID and the tag rule_id of granular email options: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.email_alerts.html

I hope it helps.
Regards.
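One way to do what Jesus describes, written out here as an added example (it is not from the thread and not from the OSSEC project's own rule set): a local rule on the manager that picks up the forwarded Level=2 (ERROR) System-channel events, then the two manager-side delivery options. Assumptions: stock rule 18103 ("Windows error event") is the parent that an ERROR-status Windows event already fires; the rule ID 100100, the group name win_system_error, and the addresses and SMTP host are placeholders; the <reports> block is OSSEC's daily summary report, which is what yields one grouped email per day instead of one email per event.

```xml
<!-- File 1: /var/ossec/rules/local_rules.xml on the manager (local rule IDs live in 100000-119999) -->
<group name="local,windows,">
  <!-- Forwarded events arrive on the manager as, for example:
       "WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)"
       Stock rule 18103 (assumed: "Windows error event") already matches status ERROR; this child
       rule narrows it to the System channel so Application/Security errors are not swept in. -->
  <rule id="100100" level="7">
    <if_sid>18103</if_sid>
    <match>WinEvtLog: System: </match>
    <description>Windows System log error (Level 2) forwarded by eventchannel filter.</description>
    <group>win_system_error,</group>
  </rule>
</group>

<!-- File 2: /var/ossec/etc/ossec.conf on the manager -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>          <!-- placeholder -->
    <smtp_server>smtp.example.com</smtp_server>   <!-- placeholder -->
    <email_from>ossec@example.com</email_from>    <!-- placeholder -->
  </global>

  <!-- Option A: one email per matching event (granular email, keyed on the rule ID).
       Rule level 7 is at the default email_alert_level, so it is eligible for email. -->
  <email_alerts>
    <email_to>ops@example.com</email_to>
    <rule_id>100100</rule_id>
  </email_alerts>

  <!-- Option B: one daily digest listing every alert the rule raised, which is what the
       question asks for. Reports are built from alerts.log at the daily rollover;
       showlogs includes the original event lines in the mail. -->
  <reports>
    <category>win_system_error</category>
    <title>Daily report: Windows System log errors</title>
    <rule>100100</rule>
    <showlogs>yes</showlogs>
    <email_to>ops@example.com</email_to>
  </reports>
</ossec_config>
```

Before restarting the manager, paste one of the forwarded "WinEvtLog: System: ERROR(...)" lines from alerts.log into /var/ossec/bin/ossec-logtest; the output should show rule 100100 firing with the win_system_error group, and if it stops at 18103 the <match> string needs adjusting to the exact channel prefix your agents send.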

Fredrik

Jun 27, 2019, 9:56:18 AM
to ossec-list
Hi Jesus!


Long time, and a dated conversation :)

Ran into this again today as I wanted to query for multiple events on another host. First off, it seems like I'm not able to use Eventchannel on this particular 2012r2 host (2019/06/27 15:30:57 ossec-logcollector: ERROR: Could not EvtSubscribe() for (Security) which returned (15001)). Switched back to Eventlog and used the query below. It works, kind of ;) but it also includes other EventIDs (4798 being one example).

  • Any ideas as to why I see other EventIDs than the ones listed below?
  • I'm guessing I will have to write custom decoders for the EventIDs (below) that are sent from the agent, as they seem different from, for example, a Snare agent?

Anyway, mostly wanted to contribute to an old post in case anyone ends up reading it :)

Best regards,
Fredrik 

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
  </localfile>




Cristina Garrido López

Jun 28, 2019, 4:23:22 AM
to ossec-list
Hi Fredrik,

You are seeing every generated event because eventlog does not support XPath querying. In order to fix this, you should use eventchannel, but it seems that your query isn't correctly formed, as the error code returned is 15001.
Keeping that in mind, I have been trying to monitor these EventIDs with the same query you pasted before. I have been able to see only these events by creating a custom view with this query in the Event Viewer. Please try adding the following, in case you didn't use the right query or log format.

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
  </localfile>

Let me know if you could solve this or not and I will try to find out what could be happening.
Kind regards,
Cristina
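The three failure modes that run through this thread (EventID is a child of Event/System, not Event/Security, so the path in Swati's first attempt selects nothing; an "and" between two EventID comparisons can never match; the eventlog format ignores <query> entirely; and a malformed query fails in EvtSubscribe() with 15001, which is ERROR_EVT_INVALID_QUERY) can all be checked on the agent before touching ossec.conf, because Get-WinEvent -FilterXPath goes through the same event log query engine. The script below is an added example, not code from the thread or from the OSSEC project. It assumes a constructed ossec.conf fragment containing the queries posted above, and it must run from an elevated PowerShell so that the Security channel is readable.

```powershell
# Added example (not from the thread or the OSSEC project): validate the <query>
# of each eventchannel <localfile> against the local event log before OSSEC is
# restarted. Get-WinEvent -FilterXPath and OSSEC's EvtSubscribe() call use the
# same event log XPath engine, so a query rejected here is rejected there too.

# Constructed sample: the queries posted in this thread, good and bad.
$ossecConf = [xml]@'
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/Security[EventID=4624]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=5140 and EventID=5144]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624 or EventID=4625 or EventID=4730 or EventID=1102]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</ossec_config>
'@

function Test-OssecEventQuery {
    param(
        [Parameter(Mandatory)][string]$Channel,
        [Parameter(Mandatory)][string]$Query,
        [int]$MaxEvents = 50
    )
    try {
        $events = @(Get-WinEvent -LogName $Channel -FilterXPath $Query -MaxEvents $MaxEvents -ErrorAction Stop)
        $ids = ($events.Id | Sort-Object -Unique) -join ','
        [pscustomobject]@{ Channel = $Channel; Query = $Query; Status = 'OK'; Count = $events.Count; Detail = "EventIDs: $ids" }
    }
    catch {
        # A well-formed query that selects nothing (wrong element path, "and" between two
        # EventID tests) comes back as "No events were found ..."; anything else means the
        # engine rejected the query, which is what OSSEC logs as EvtSubscribe() error 15001.
        $status = if ($_.Exception.Message -like '*No events were found*') { 'NO MATCH' } else { 'REJECTED' }
        [pscustomobject]@{ Channel = $Channel; Query = $Query; Status = $status; Count = 0; Detail = $_.Exception.Message }
    }
}

$results = foreach ($lf in $ossecConf.ossec_config.localfile) {
    if ($lf.log_format -ne 'eventchannel') {
        # <query> only applies to eventchannel; with eventlog the whole channel is forwarded.
        [pscustomobject]@{ Channel = $lf.location; Query = $lf.query; Status = 'IGNORED'; Count = '-'; Detail = 'log_format eventlog forwards every event' }
        continue
    }
    Test-OssecEventQuery -Channel $lf.location -Query $lf.query
}

$results | Format-Table -AutoSize -Wrap
```

The same check from cmd is `wevtutil qe Security /q:"*[System[EventID=4624]]" /c:5`; the `*[System[...]]` spelling used by Event Viewer custom views and the `Event/System[...]` spelling used in ossec.conf are both accepted by the engine. Two things the script cannot catch: OSSEC only honours <query> when log_format is eventchannel (the eventlog reader has no XPath support), and ossec.conf is XML, so a literal `<` inside <query>, as in the interval form `EventID>xxxx and EventID<yyyy`, has to be written `&lt;`.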

Fredrik

Aug 22, 2019, 3:27:50 AM
to ossec-list
Hi Cristina! Sorry for the late response, got sidetracked, and once deployed I wanted to make sure what we discussed was achieved. With your help I definitely see a different behavior; thanks also for clearing up that eventchannel is a requirement. I thought that might be the case, but got fooled by the error my config attempts resulted in ;) I thought I had tried most of the variants, but apparently that wasn't the case. Again, much appreciated! I will re-post when I see more of the filtered events forwarded!

Cheers,
Fred

Cristina Garrido López

Aug 23, 2019, 3:46:00 AM
to ossec-list
Hi Fredrik,

I'm glad you could solve your problem! Happy to help, don't hesitate to ask if you have any other doubts.

Best regards,
Cristina