Ingesting Windows Log Channel "Directory Service"


Dirk Westenhaus

Aug 9, 2023, 7:38:42 AM
to Wazuh mailing list
Hello,

according to the documentation in https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#available-channels-and-providers , it currently is impossible to include logs from the "Directory Service" (see screenshot), right? Or is there a way?


Thank you and best regards, Dirk.

Stuti Gupta

Aug 10, 2023, 12:09:43 AM
to Wazuh mailing list
Hi Dirk,
Hope you are doing well and thank you for using Wazuh.


Wazuh is an open-source security monitoring platform that can be used to monitor and analyze security events in real-time. It can help you detect and respond to various types of security threats and incidents in your environment, including Windows Directory Service (Active Directory) logs. In the Available channels and providers list you can see that for the security, application, and services sources the providers are any, and the Directory Service event logs come under Application and Services logs, so it can be monitored. To know more about how to collect logs please refer to https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html

Hope this will be helpful. Please feel free to contact us for any information/ issues.

Regards,
Stuti Gupta 

Dirk Westenhaus

Aug 11, 2023, 3:03:57 AM
to Wazuh mailing list
Hi Stuti,

thank you for replying. I am afraid the documentation is not very clear, because it says "Eventlog is supported on every Windows version and can monitor any logs except for particular Applications and Services Logs, this means that the information that can be retrieved is reduced to System, Application, and Security channels".

But encouraged by your message, I configured a Log Collector like this:

<agent_config>
  <localfile>
    <location>Directory Service</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

I copied & pasted this from the Windows machine, so I know that assignment via Wazuh group was successful. A run of /var/ossec/bin/verify-agent-conf verified its syntax as OK.

But, I am receiving no logs from this channel.

Now I am asking myself (and this group): is "Directory Service" one of those "particular Applications and Services Logs", or do I have to configure decoders and rules for those logs?

How could I find out whether the system is receiving logs from that channel?

Thank you for any help.

Best regards, Dirk.

Stuti Gupta

Aug 11, 2023, 4:07:02 AM
to Dirk Westenhaus, Wazuh mailing list
Hi Dirk,
The section in the documentation you refer to is Windows Eventlog vs Windows Eventchannel. To summarize, Eventlog has limitations on monitoring specific logs, while Eventchannel offers greater flexibility in monitoring various log sources, including the ability to use queries for filtering, and can monitor the Application and Services logs along with the basic Windows logs.

As for the custom rules and decoders, let me explain to you how it works. First, the logs are generated by servers or devices and sent to the manager server. Then the logs are decoded by the default decoders that are present on the manager side at /var/ossec/ruleset/decoders. If you get the logs but they didn't match the default decoders, in that case you have to make custom decoders. Once the log is decoded it will be matched against the default rules that are present on the manager server at /var/ossec/ruleset/rules/. If it doesn't match any of the rules or the rule level is less than 3 you won't get any alerts; in that case you have to make rules on the basis of the decoders and the log at /var/ossec/etc/rules/local_rules.xml.

To check if you are receiving a log or not for the eventchannel log_format, or if Wazuh is monitoring Directory Service, you can look into /var/ossec/logs/ossec.log and /var/ossec/logs/archives/archives.json. Before checking the archives.json folder please change the value of these two fields to yes: <logall>yes</logall> <logall_json>yes</logall_json>. It is present at /var/ossec/etc/ossec.conf.

So, if logs reach the manager but you don't get alerts, in that situation you need to create custom rules and decoders. If you have a log and you want to test it you can run the log through /var/ossec/bin/wazuh-logtest and there you can see the decoders and rules for that particular log.
To get more information on how to collect logs you can refer to https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
For custom rules and decoders, you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html


Hope this will be helpful.

Regards,
Stuti Gupta


Dirk Westenhaus

Aug 11, 2023, 6:54:53 AM
to Wazuh mailing list
Thank you. This is indeed all very helpful. Also thank you for the patient explanation about the thing with full_archives and so on. I really hope for your sanity that you are working with canned text preparations. ;-)

Seats are booked in a Wazuh training, I hope that I can answer many questions myself after that.

As it turns out, there are indeed messages from the Directory Service channel flowing into the system. When fed to the logtester tool, the result is only a level-2 "Unknown problem" (see below), so that I think I have to educate myself about custom decoders and rulesets.

After activating the Log Collector, one of the agents complains about a full message queue. Could you advise how to work with that?

Thank you and all the best, Dirk.

**Phase 3: Completed filtering (rules).
      id: '1002'
      level: '2'
      description: 'Unknown problem somewhere in the system.'
      groups: '['syslog', 'errors']'
      firedtimes: '1'
      gpg13: '['4.3']'
      mail: 'False'

Stuti Gupta

Aug 13, 2023, 11:30:38 PM
to Wazuh mailing list
Hi,

Each event collected by the Wazuh agent is transmitted to the Wazuh Manager. The Manager will assign the event a severity level depending on which rules it matches from the ruleset. By default, it will only log alerts with a severity level of 3 or higher.  You need to create a rule to handle this log message. For that please refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html


Hope this will be helpful.
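As an added example (not from this thread, and not Wazuh's own tooling): a small Python script that answers the two points raised above, the archives.json check Stuti describes and the default alert threshold of level 3 from her last reply. It reads archives.json-style lines and reports, per Windows channel, how many events arrived and how many would never show up as alerts because they matched no rule or a rule below level 3. It assumes eventchannel records carry the channel under data.win.system.channel and the matched rule's level under rule.level; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json
# (one JSON object per line; needs <logall_json>yes</logall_json> in ossec.conf).
# Field paths data.win.system.channel and rule.level follow Wazuh's eventchannel
# decoding (assumed here); the values themselves are made up for this example.
SAMPLE_ARCHIVE = """
{"timestamp":"2023-08-11T09:00:01.000+0000","agent":{"name":"dc01"},"location":"EventChannel","data":{"win":{"system":{"channel":"Directory Service","eventID":"1644"}}},"rule":{"id":"1002","level":2,"description":"Unknown problem somewhere in the system."}}
{"timestamp":"2023-08-11T09:00:02.000+0000","agent":{"name":"dc01"},"location":"EventChannel","data":{"win":{"system":{"channel":"Security","eventID":"4624"}}},"rule":{"id":"60106","level":3,"description":"Windows logon success."}}
{"timestamp":"2023-08-11T09:00:03.000+0000","agent":{"name":"web01"},"location":"/var/log/auth.log","full_log":"sshd[1]: Accepted publickey for root"}
{"timestamp":"2023-08-11T09:00:04.000+0000","agent":{"name":"dc01"},"location":"EventChannel","data":{"win":{"system":{"channel":"Directory Service","eventID":"2889"}}}}
this line is not JSON and must be skipped
"""


def channel_of(event):
    """Windows channel of a decoded eventchannel record, or None for other logs."""
    try:
        return event["data"]["win"]["system"]["channel"]
    except (KeyError, TypeError):
        return None


def summarize_archive(text, min_alert_level=3):
    """Per channel: events received, and events that never reach alerts.json
    because they matched no rule or a rule below min_alert_level (default 3)."""
    received, silent = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # junk or truncated line: not an event, skip it
        channel = channel_of(event)
        if channel is None:
            continue  # non-Windows source, e.g. a syslog file
        received[channel] += 1
        # A record with no "rule" key matched nothing at all; treat as level 0.
        level = (event.get("rule") or {}).get("level", 0)
        if level < min_alert_level:
            silent[channel] += 1
    return received, silent


if __name__ == "__main__":
    received, silent = summarize_archive(SAMPLE_ARCHIVE)
    for channel, count in sorted(received.items()):
        print(f"{channel}: {count} received, {silent[channel]} below alert level")
```

To run it against a real manager, pass the contents of /var/ossec/logs/archives/archives.json to summarize_archive instead of the sample; a channel that is received but entirely "below alert level" is exactly the case that needs a custom rule.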