Windows EventChannel (sysmon): Not getting full line in archives.log


Kevin Geil

Aug 3, 2017, 2:55:35 PM
to ossec-list
Hi, I'm trying to get OSSEC to alert on sysmon logs.  After installing sysmon and setting <logall> to yes, I do get sysmon events in archives.log, but I don't get anything useful.  The lines stop after the event description. For example:

2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:38 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(3): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Network connection detected:
2017 Aug 03 00:00:53 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:56 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
2017 Aug 03 00:00:55 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:58 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:

The events do show srcIP, dstIP, port info, etc in windows.

Is it possible that I'm missing something in my agent.conf?  When I search Google for ossec and Sysmon, I do see that others get full log lines.

As always, any help will be greatly appreciated.

Thank you.

Kevin

Kevin Geil

Aug 3, 2017, 5:03:26 PM
to ossec-list
So, I did find my problem, sort of.  The log is coming through in multiline format, so when I grepped for "sysmon", I only got the first line and missed all of the good info.  I am using OSSEC in AlienVault, so that may complicate things a bit.  I know that what I need to do is to force OSSEC to use a single line for output, but I can't quite figure it out.  From what research I've done, I need to make a global settings change, but I can't quite figure out where.  Hopefully someone can help.

My current global config is as follows:

<global>
  <email_notification>no</email_notification>
  <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>
</global>

Thanks,

Kevin
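The multi-line problem described above can be handled on the reading side as well: each archives.log record starts with the OSSEC timestamp and "(agent) ip->location" prefix, and every following line that lacks that prefix is a continuation of the Sysmon event. The script below is an added example, not code from the thread or from OSSEC; the Sysmon field lines in SAMPLE_ARCHIVE are constructed, since the posts only show the first line of each event.

```python
import re

# Constructed archives.log sample: one multi-line Sysmon event (ID 3) and one
# (ID 5). The first line of each mirrors the thread; the field lines are made up.
SAMPLE_ARCHIVE = """\
2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:38 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(3): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Network connection detected:
UtcTime: 2017-08-03 04:00:33.123
Image: C:\\Windows\\System32\\svchost.exe
SourceIp: 10.0.0.5
DestinationIp: 203.0.113.10
DestinationPort: 443
2017 Aug 03 00:00:53 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:56 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
UtcTime: 2017-08-03 04:00:51.456
Image: C:\\Windows\\notepad.exe
"""

# A record begins with "YYYY Mon DD HH:MM:SS (" (OSSEC's archives.log prefix).
RECORD_START = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \(")
# Pulls the agent, event id and description out of the first line of a Sysmon record.
HEADER = re.compile(
    r"^(?P<ossec_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) "
    r"(?P<src>\S+)->(?P<location>\S+) .*?: Microsoft-Windows-Sysmon/Operational: "
    r"\w+\((?P<event_id>\d+)\): .*: (?P<description>[^:]+):$"
)

def split_records(text):
    """Group lines into records: a RECORD_START line opens a new record,
    any other line is appended to the record before it."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return records

def flatten_record(lines):
    """Join a multi-line record into one line so a plain grep sees the whole event."""
    return " | ".join(l.strip() for l in lines)

def parse_sysmon_record(lines):
    """Return a dict of the Sysmon event, or None if the record is not a Sysmon header."""
    m = HEADER.match(lines[0])
    if not m:
        return None
    event = {"agent": m.group("agent"), "event_id": int(m.group("event_id")),
             "description": m.group("description")}
    for line in lines[1:]:               # Sysmon message body is "Key: Value" per line
        key, sep, value = line.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event

def parse_archive(text):
    return [e for e in (parse_sysmon_record(r) for r in split_records(text)) if e]
```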

alberto....@wazuh.com

Aug 7, 2017, 3:15:02 PM
to ossec-list
Hello Kevin,

Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be able to read the multiple lines of sysmon events.

Allowed: <log_format>multi-line: NUMBER</log_format>

Hope it helps,
Best regards, 
Alberto R. 

Kevin Geil

Aug 8, 2017, 10:05:15 AM
to ossec...@googlegroups.com
Thanks, Alberto. I did try using eventchannel, multi-line (with the location of microsoft-windows-sysmon/operational, and the path to the evtx file), and eventlog, but I still get multiple line output in alerts.log (or "ERROR: Unable to open file", depending on the configuration).

From the reading I have done, it appears as if many people (including you, in your Wazuh blog post on this topic) have successfully monitored sysmon logs with just an eventchannel log format, so I still feel as if I'm doing something wrong.  My OSSEC server version is 2.8.3, and the agent shows version 2.8.  My next step is to install version 2.9.1 on a different box just to see if that makes the difference, but, of course, any advice someone has to offer will be greatly appreciated.

Thanks,
Kevin

Kevin Geil

Aug 8, 2017, 3:04:36 PM
to ossec...@googlegroups.com
Well, the version makes all the difference.  I set up a test system with server version 2.91 and agent version 2.90, and everything works nicely.  Now to convince AlienVault to update their product...

alberto....@wazuh.com

Aug 9, 2017, 3:16:28 AM
to ossec-list
Good to know. Thanks for sharing the issue; we will take it into account in the future.

Best regards,
Alberto R.