Sysmon-Enriched Log Collection and Windows Event Forwarding


Wes

Sep 24, 2015, 9:15:56 AM
to ossec-list
Please excuse me if this is not the proper place, but I was reading Josh's paper (https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837) in regard to the use of Sysmon, Windows Event Collector Framework, and OSSEC to forward logs from Windows workstations and servers to Security Onion, but I wanted to be sure about a thing or two before I began such a project.  

From the paper, I can see that the intention (for the Hybrid setup) is that Sysmon will be running on all workstations (onsite/offsite), and all workstations will be configured with Windows Event Forwarding to forward logs to a log collector (OSSEC). From here the log collector will forward information to Security Onion (sensor).

--The log collector should be running the OSSEC agent, correct? Or is this to run the manager? I guess my impression was that the agent only collected logs locally, but what I have read gives me the impression that the agent can be forwarded logs and forward those logs as well?

Again please excuse my ignorance--if anyone could clarify or could point me towards some more information, I would greatly appreciate it.

Thanks,

Wes


dan (ddp)

Sep 24, 2015, 9:28:04 AM
to ossec...@googlegroups.com


On Sep 24, 2015 9:15 AM, "Wes" <wlamb...@gmail.com> wrote:
>
> Please excuse me if this is not the proper place, but I was reading Josh's paper (https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837) in regard to the use of Sysmon, Windows Event Collector Framework, and OSSEC to forward logs from Windows workstations and servers to Security Onion, but I wanted to be sure about a thing or two before I began such a project.  
>
> From the paper, I can see that the intention (for the Hybrid setup) is that Sysmon will be running on all workstations (onsite/offsite), and all workstations will be configured with Windows Event Forwarding to forward logs to a log collector (OSSEC). From here the log collector will forward information to Security Onion (sensor)
>
> --The log collector should be running the OSSEC agent, correct?  Or is this to run the manager?  I guess my impression was that the agent only collected logs locally, but from what I have read gives me the impression that the agent can be forwarded logs and forward those logs as well? 
>

I've only skimmed the hybrid section of the paper, and I don't know a lot about Windows Event Forwarding, but I would assume the log collector is a Windows system. Because of that it can only run the OSSEC agent software. It looks like the collector collects the logs via WEF, allowing the OSSEC agent to pull them in, and forwards them onto the OSSEC server.

Josh is on the list though, and I would expect him to reply when he gets a chance. :-)

> Again please excuse my ignorance--if anyone could clarify or could point me towards some more information, I would greatly appreciate it.
>
> Thanks,
>
> Wes
>
>


Wes

Sep 24, 2015, 9:37:23 AM
to ossec-list

Thanks for your help, Dan.

Wes

DefensiveDepth

Sep 24, 2015, 10:47:06 AM
to ossec-list
Greetings Wes,

Yes, Dan is correct - the "collector" is a Windows server that has the OSSEC client installed on it and configured through <eventchannel> to forward the logs onto the SO sensor.

You don't have to use WEF for collecting the logs... You could use the OSSEC client installed locally, nxlog, or something else like that. 

-Josh

Michael Menefee

Feb 3, 2017, 4:29:43 AM
to ossec-list
Please disregard my earlier post... the second I hit send, I realized that I had the log_format configured for eventchannel instead of eventlog... sorry to waste your time.

Michael Menefee

Feb 3, 2017, 4:29:43 AM
to ossec-list
Hi, I realize this is a slightly older discussion, but it's the closest I could find to anyone with experience collecting ForwardedEvents event channel logs with OSSEC when using Windows Event Collection.

I have a server configured as an Event Collector "subscriber", gathering system/application/security logs from remote workstations out in the field, using the method basically described here: https://technet.microsoft.com/en-us/library/cc749183(v=ws.11).aspx.

This creates an EventChannel source on the server called "ForwardedEvents", which I have an OSSEC agent installed on and configured to grab with the following config (via shared agent.conf):

<agent_config name="collectorservername">
   <localfile>
      <log_format>eventchannel</log_format>
      <location>ForwardedEvents</location>
   </localfile>
</agent_config>

According to the OSSEC agent log on the "collector" server, the event channel can be opened, but when an event comes in from a remote system, I get an error:

2017/02/01 10:25:52 ossec-agent(1951): INFO: Analyzing event log: 'ForwardedEvents'. <---when agent is started
2017/02/01 13:42:07 ossec-agent: ERROR: Could not get message for (ForwardedEvents) <---when remote log comes in

My question is: has anyone successfully used OSSEC to grab these ForwardedEvents in this fashion, or does the error suggest some other (permissions) issue?

Thanks in advance!
Mike
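An added collector-side health check, not part of Mike's post or of OSSEC/Security Onion: run on the WEC collector as an administrator, it confirms the subscription is delivering, reads the channel the same way a local reader would, and lists which forwarding providers have publisher metadata registered locally. The channel name `ForwardedEvents` and the 200-event sample size are assumptions; the idea that a provider with no local publisher metadata (or a subscription not using RenderedText) is a likely reason a reader cannot render a forwarded event's message is this example's hypothesis to check, not a claim from the thread.

```powershell
# Added diagnostic (assumptions: run elevated on the WEC collector,
# channel name 'ForwardedEvents', 200 recent events is a large enough sample).
$Channel    = 'ForwardedEvents'
$SampleSize = 200

# 1. Subscriptions: delivery status and content format. wecutil is the built-in
#    Windows Event Collector CLI (es = enum, gr = runtime status, gs = config).
Write-Host "== WEC subscriptions on $env:COMPUTERNAME =="
wecutil es | Where-Object { $_ } | ForEach-Object {
    Write-Host "-- $_"
    wecutil gs $_ | Select-String -Pattern 'ContentFormat'
    wecutil gr $_ | Select-String -Pattern 'RunTimeStatus|LastError|EventSources'
}

# 2. Open and read the channel locally, as an agent on this box would.
$events = Get-WinEvent -LogName $Channel -MaxEvents $SampleSize -ErrorAction Stop
Write-Host "`nRead $($events.Count) event(s) from $Channel"

# 3. For every provider seen in forwarded events, check whether its publisher
#    metadata is registered on the collector and whether the message renders here.
#    A provider that is 'Registered=False' or 'Renders=False' is the first thing to
#    look at when a local reader reports it cannot get the message for this channel.
$events |
    Group-Object ProviderName |
    ForEach-Object {
        $name = $_.Name
        $meta = Get-WinEvent -ListProvider $name -ErrorAction SilentlyContinue
        $msg  = ($_.Group | Select-Object -First 1).Message
        [pscustomobject]@{
            Provider   = $name
            Forwarded  = $_.Count
            Registered = ($null -ne $meta)
            Renders    = -not [string]::IsNullOrEmpty($msg)
            Sample     = if ($msg) { ($msg -replace '\s+', ' ').Substring(0, [Math]::Min(60, $msg.Length)) }
                         else      { '<message not renderable on this host>' }
        }
    } |
    Sort-Object Registered, Renders, Provider |
    Format-Table -AutoSize
```

Compare the table against the OSSEC agent log timestamps: if only events from unregistered providers coincide with the "Could not get message for" errors, the gap is in publisher metadata or subscription content format rather than in channel permissions.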
