OSSEC Windows Agent support for Event Trace Logs ( .etl ) format


chintan shah
Sep 1, 2015, 5:42:20 AM
to ossec-list

Hi Support team,

We've been using OSSEC HIDS on a commercial basis for quite some time. Amidst this, I wanted to bring to your notice the issue in reading the event trace log (.etl) log format in Windows OS. As of OSSEC Windows agent version 2.8, the agent is not able to support the Windows event trace logs (.etl) format generated by some of the services under "Applications and Services" in Windows Event Viewer.

To expand on the specific problem that we've been facing at the moment: we are using the OSSEC Windows agent to monitor the WMI-Activity on Windows Vista and above. These OS versions (precisely Vista and above) generate the trace logs for WMI activity, and these logs are in the .etl format, which is currently not supported by OSSEC Windows agent v2.8.

Following is the elaborated picture of the steps we have performed to come to this conclusion and the errors that we've seen:

1. Modify the agent's ossec.conf file on Windows to monitor the specific WMI event channel:

    <localfile>
      <location>Microsoft-Windows-WMI-Activity/Trace</location>
      <log_format>eventchannel</log_format>
    </localfile>

2. Restarting the OSSEC Windows service gives the following error in the ossec.log file:

    2015/09/01 10:12:09 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-WMI-Activity/Trace'.
    2015/09/01 10:12:09 ossec-agent: Could not create bookmark from save (15008)
    2015/09/01 10:12:09 ossec-agent: Subscription error: 50
    2015/09/01 10:12:09 ossec-agent: INFO: Started (pid: 212).

3. Modify the ossec.conf file again to include "only-future-events" for the above event channel:

    2015/09/01 10:18:08 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-WMI-Activity/Trace'.
    2015/09/01 10:18:08 ossec-agent: Subscription error: 50
    2015/09/01 10:18:08 ossec-agent: INFO: Started (pid: 172)

4. We have tried to use "eventlog" instead of "eventchannel" in this case, but since the log format is not in the evt/evtx format, OSSEC Agent Version 2.8 is not able to pick up the logged events and send the messages to the OSSEC server.

The above series of debug logs leads us to the conclusion that the .etl format of logs is not being supported by the Windows agent. I would like to seek the assistance of the support team / volunteers in resolving this issue.

Please revert back in case of additional information.

Regards
Chintan
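
A check worth running before filing a report like the one above, added here as an example and not code from the OSSEC project or from anyone in this thread: Windows does not allow EvtSubscribe() to attach to Analytic or Debug channels (the .etl-backed ones that Event Viewer hides until "Show Analytic and Debug Logs" is ticked), and error 50 in the agent log is ERROR_NOT_SUPPORTED from winerror.h. The script reads the agent's ossec.conf, finds every <localfile> whose log_format is eventchannel, and reports the channel type Windows assigns to each location, so a Trace/Analytic channel that can never be subscribed to stands out next to the ordinary .evtx ones. The config path is an assumption, and the embedded fallback config is a constructed sample mirroring the thread's configuration.

```powershell
# Added example, not OSSEC project code. Reports, for each eventchannel
# <localfile> in ossec.conf, whether Windows will allow a live subscription.
# The default path is an assumption; adjust it to your agent install.
param(
    [string]$ConfPath = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
)

if (Test-Path -LiteralPath $ConfPath) {
    $raw = Get-Content -LiteralPath $ConfPath -Raw
} else {
    # Constructed sample mirroring the thread's configuration, used when no
    # agent config is present so the script still runs as-is.
    $raw = @'
<ossec_config>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-WMI-Activity/Trace</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
'@
}

# ossec.conf may hold several top-level <ossec_config> blocks (not well-formed
# XML on its own), so wrap the text in a synthetic root before parsing.
# Assumes the file carries no <?xml ...?> declaration, which the agent's
# default config does not.
[xml]$conf = "<root>$raw</root>"

$results = foreach ($lf in $conf.SelectNodes('//localfile[log_format="eventchannel"]')) {
    $name = $lf.location
    try {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        # Analytical and Debug channels are "direct" channels: Windows refuses
        # EvtSubscribe() on them, which is what the agent calls for eventchannel.
        $subscribable = $log.LogType -notin 'Analytical', 'Debug'
        $file = if ($log.LogFilePath) { Split-Path -Leaf $log.LogFilePath } else { $null }
        [pscustomobject]@{
            Channel      = $name
            LogType      = $log.LogType
            Enabled      = $log.IsEnabled
            File         = $file      # .evtx for normal channels, .etl for direct ones
            Subscribable = $subscribable
        }
    } catch {
        # Channel missing on this host, or not readable by the current user.
        [pscustomobject]@{
            Channel      = $name
            LogType      = 'unknown'
            Enabled      = $null
            File         = $null
            Subscribable = $false
        }
    }
}

$results | Format-Table -AutoSize
```

Run it on the agent host (elevated, so that Analytic channel metadata is readable; -notin needs PowerShell 3.0 or later). Any row whose LogType is Analytical or Debug, and whose File ends in .etl, is a channel the eventchannel reader cannot subscribe to regardless of agent build.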

 

lostinthetubez
Sep 1, 2015, 2:12:28 PM
to ossec...@googlegroups.com

The latest code off of github has the eventchannel issue fixed. See: https://github.com/ossec/ossec-hids/pull/457

 

 


chintan shah
Sep 2, 2015, 7:53:29 AM
to ossec-list
Thanks for the response. Looks like there are some eventchannel fixes in this code. I am assuming these are the fixes for the Windows OSSEC clients. Do we have a compiled binary with these fixes that I can use directly, or do I need to recompile the code as per the instructions in the documentation?

It would be good if I could get the compiled agent binary that I can install straight away.

SoulAuctioneer
Sep 2, 2015, 9:16:09 AM
to ossec-list
The following pre-release has an already-built binary that I believe has those changes, which you can try:


I'd test it out first. No promises that it works. Alternatives are to build the binary yourself from master or to wait until we release 2.9 if that ever happens.

chintan shah
Sep 2, 2015, 11:48:29 AM
to ossec-list
Tried using that binary as well.

With the following option in the config file:

    <localfile>
      <location>Microsoft-Windows-WMI-Activity/Trace</location>
      <log_format>eventchannel</log_format>
    </localfile>

The debug logs have the following error:

    2015/09/02 16:43:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
    2015/09/02 16:43:17 ossec-agent: WARN: eventchannel not available on this version of OSSEC
    2015/09/02 16:43:17 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-AppLocker/EXE and DLL'.

Not sure if this is the correct binary.

DefensiveDepth
Sep 3, 2015, 11:24:19 AM
to ossec-list
Yes, that pre-release binary does not appear to be working correctly with eventchannel. I have a binary from early January in which eventchannel is working correctly:


However, if this is going to be used outside of a lab environment, you should definitely compile from the latest beta (https://github.com/ossec/ossec-hids/releases/tag/2.9.0-beta04 ) and test from there.

-Josh


chintan shah
Sep 4, 2015, 2:10:59 AM
to ossec-list
Hi Josh,

The binary you've uploaded here is the same one that comes with OSSEC 2.8. I am using the same binary at the moment in our environment, and the subscription/bookmark error remains the same as posted earlier in this thread.

Precisely, the problem is that on Agent 2.8, eventchannel does not work with the trace logs (.etl). To reproduce this, we need to enable "Analysis and debug logs" in the Event Viewer and use eventchannel with WMI-Activity/Trace under "Applications and Services".

In the ossec.log, I see "Subscription error: 50" and the bookmark error. I am not sure if the problem is with the .etl log format or with eventchannel itself.

If anybody out here has tried using eventchannel with .etl logs and it has worked correctly, let me know. However, eventchannel for .evt/.evtx log formats works correctly on Agent 2.8.

DefensiveDepth
Sep 5, 2015, 7:43:31 AM
to ossec-list
You're right, I uploaded the wrong build. See that same link now, it is the correct build - I just tested it and it is sending eventlogs just fine.

-Josh

chintan shah
Sep 7, 2015, 9:10:31 AM
to ossec-list

Could you please let me know how you tested it? I am still facing the issue even with the newer binary. I installed the newer agent with the eventchannel fixes and I am getting the same error, with the error statement modified:

    2015/09/07 12:55:44 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-WMI-Activity/Trace'.
    2015/09/07 12:55:44 ossec-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-WMI-Activity/Trace) which returned (50)
    2015/09/07 12:55:44 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-Eventlog/Analytic'.
    2015/09/07 12:55:44 ossec-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-Eventlog/Analytic) which returned (50)

I tested this on a couple of machines to make sure that this isn't a local issue. This happens only with the logs that are saved in the .etl format and not with the ones in evt/evtx format; that works fine. I am not sure what the issue is here.
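
The two channels failing above are both Analytic channels, and Windows only lets them be read, not subscribed to, so no agent build will fix this on its own. A workaround that does not wait on agent support, added here as an example and not code from the OSSEC project or from anyone in this thread: enable the channel, poll it with Get-WinEvent -Oldest (the only read mode Windows permits for Analytic and Debug channels), remember the last RecordId shipped, and append one line per event to a plain text file that the agent tails as a syslog-format localfile. The channel name is the one from the thread; the output and state paths and the line layout are assumptions.

```powershell
# Added example, not OSSEC project code. Polls an Analytic (.etl-backed)
# channel and appends new events to a text file the OSSEC agent can tail.
# Channel name is from the thread; the two paths are assumptions.
param(
    [string]$Channel   = 'Microsoft-Windows-WMI-Activity/Trace',
    [string]$OutFile   = 'C:\ProgramData\ossec-etl\wmi-activity.log',
    [string]$StateFile = 'C:\ProgramData\ossec-etl\wmi-activity.state'
)

$ErrorActionPreference = 'Stop'
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile)

# Only direct channels need this treatment; an Administrative/Operational
# channel should keep using eventchannel in the agent.
$cfg = Get-WinEvent -ListLog $Channel
if ($cfg.LogType -notin 'Analytical', 'Debug') {
    throw "$Channel is a $($cfg.LogType) channel; subscribe with eventchannel instead."
}

# Analytic/Debug channels ship disabled (Event Viewer hides them behind
# "Show Analytic and Debug Logs"); enable without the confirmation prompt.
if (-not $cfg.IsEnabled) {
    & wevtutil.exe sl $Channel /e:true /q:true
}

# Last RecordId already shipped; 0 on the first run.
$lastId = 0
if (Test-Path -LiteralPath $StateFile) {
    $lastId = [long]((Get-Content -LiteralPath $StateFile -Raw).Trim())
}

# -Oldest is mandatory here: without it Get-WinEvent refuses Analytic/Debug logs.
# An empty channel yields a non-terminating "no events" error, hence SilentlyContinue.
$all = @(Get-WinEvent -LogName $Channel -Oldest -ErrorAction SilentlyContinue)

# The channel is a small circular buffer; if it was cleared, ids restart and the
# saved watermark would silently drop everything, so reset it.
if ($all.Count -gt 0 -and $all[-1].RecordId -lt $lastId) { $lastId = 0 }
$new = @($all | Where-Object { $_.RecordId -gt $lastId })

$lines = foreach ($e in $new) {
    # One event per line: the agent's syslog reader treats each line as a record.
    $body = if ($e.Message) {
        ($e.Message -replace '\s+', ' ').Trim()
    } else {
        # No message template for this event; fall back to the raw properties.
        ($e.Properties | ForEach-Object { $_.Value }) -join ' '
    }
    $stamp = if ($e.TimeCreated) { $e.TimeCreated.ToString('yyyy-MM-ddTHH:mm:ss.fffzzz') } else { '-' }
    "$stamp $env:COMPUTERNAME $($e.ProviderName)[$($e.ProcessId)]: EventID=$($e.Id) RecordId=$($e.RecordId) $body"
}

if ($new.Count -gt 0) {
    # ASCII append: no BOM and no UTF-16, either of which trips a line-oriented reader.
    Add-Content -LiteralPath $OutFile -Value $lines -Encoding ASCII
    Set-Content -LiteralPath $StateFile -Value $new[-1].RecordId
}
"Shipped $($new.Count) new event(s) from $Channel to $OutFile"

# Matching agent config (added example, not project-supplied):
#   <localfile>
#     <location>C:\ProgramData\ossec-etl\wmi-activity.log</location>
#     <log_format>syslog</log_format>
#   </localfile>
```

Run it elevated (enabling the channel and reading an Analytic log both need administrator rights; -notin needs PowerShell 3.0 or later) and schedule it with Task Scheduler at an interval shorter than the time the channel's buffer takes to wrap under your WMI load, otherwise events are overwritten before they are polled. Rotation of the output file is left to the usual log rotation on the host; the agent follows the file by position, so truncating it in place is preferable to replacing it.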

DefensiveDepth
Sep 7, 2015, 3:09:06 PM
to ossec-list
This may be a legit issue, as I have only used it with the evt/evtx format.

-Josh

dan (ddp)
Sep 8, 2015, 8:24:06 AM
to ossec...@googlegroups.com
On Mon, Sep 7, 2015 at 8:59 AM, chintan shah <shahch...@gmail.com> wrote:
>
> Could you pls let me know how did you test it ? I am still facing issue even
> with the newer binary ..Installed the newer agent with eventchannel fixes
> and I am getting the same error with the error statement modified :
>
> 2015/09/07 12:55:44 ossec-agent(1951): INFO: Analyzing event log:
> 'Microsoft-Windows-WMI-Activity/Trace'.
> 2015/09/07 12:55:44 ossec-agent: ERROR: Could not EvtSubscribe() for
> (Microsoft-Windows-WMI-Activity/Trace) which returned (50)
> 2015/09/07 12:55:44 ossec-agent(1951): INFO: Analyzing event log:
> 'Microsoft-Windows-Eventlog/Analytic'.
> 2015/09/07 12:55:44 ossec-agent: ERROR: Could not EvtSubscribe() for
> (Microsoft-Windows-Eventlog/Analytic) which returned (50)
>
> I tested this on couple of machines to make sure that this isn't the local
> issue ..This happens only with the logs that is saved in the .etl format and
> not with the ones in evt/evtx format .That works fine..I am not sure what's
> the issue here ..
>

It's entirely possible that OSSEC does not support this format. If
you're interested in adding support, you can submit a pull request on
the OSSEC github: https://github.com/ossec/ossec-hids
Opening an issue on the github is also a good idea in case someone
else is interested in doing the work, but doesn't yet realize it.

SoulAuctioneer
Sep 8, 2015, 8:05:13 PM
to ossec-list
Just researched this a bit more. Probably isn't supported at this time. Pull requests welcome.

chintan shah
Sep 14, 2015, 5:06:48 AM
to ossec-list
I've opened the issue on this, in case somebody wants to take it up:

