send eventlog to ossec


zen....@gmail.com

Mar 24, 2015, 7:28:42 PM3/24/15
to ossec...@googlegroups.com
Hello everybody,
I am trying to configure the OSSEC agent on a Windows 2012 machine in order to send some events to the OSSEC server (2.8.1).
In the <ossec_config> section of the agent there is:

<localfile>
     <location>Security</location>
     <log_format>eventlog</log_format>
</localfile>

I want to send events with Windows ID 4625 which is Logon Audit Failure, so I did like this:

<localfile>
     <location>Security</location>
     <log_format>eventlog</log_format>
     <query>Event/System[EventID=4625]</query>
</localfile>


or

<localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID=4625]</query>
</localfile>

and it doesn't work. How should it be done correctly, and what should I change where?

regards,

SoulAuctioneer

Mar 25, 2015, 4:26:08 PM3/25/15
to ossec...@googlegroups.com
Are there any errors in the ossec.log? How are you generating those "Login Audit Failure" messages? Can you try running the latest OSSEC beta? There were a large number of fixes done to the eventchannel code that might fix whatever problem you are having.

zen....@gmail.com

Mar 25, 2015, 5:43:26 PM3/25/15
to ossec...@googlegroups.com
There aren't any errors; everything works fine, and all events from the event log on the Windows machine are sent to OSSEC. What I want to do is send only selected events, e.g. the one mentioned in my post, EventID=4625; this event is created when a user enters a wrong password for shared resources.
I installed the agent that came along with the OSSEC server.

In agent I tried both combinations and they don't work. I didn't change ossec.conf.

SoulAuctioneer

Mar 25, 2015, 7:17:43 PM3/25/15
to ossec...@googlegroups.com
So just so I completely understand, all events are getting sent but you only want events that have the ID of 4625 and you are using version 2.8.1? This is happening even with "eventchannel"?

zen....@gmail.com

Mar 26, 2015, 6:02:44 AM3/26/15
to ossec...@googlegroups.com
Yes, you understood correctly: I want to send only selected events. I use the latest agent version.
I also tried to make the same entry (as in the agent's ossec.conf) in the ossec.conf on the OSSEC server, but it doesn't work either.

SoulAuctioneer

Mar 31, 2015, 11:24:06 AM3/31/15
to ossec...@googlegroups.com
I created an issue to investigate this further:


From what you have shown, it looks like it should work according to the examples given in the documentation. I'll have to dig deeper to understand more.

zen....@gmail.com

Mar 31, 2015, 4:53:55 PM3/31/15
to ossec...@googlegroups.com

Hello,

Maybe this will be a small hint for resolving my problem; I'm still stuck on it.

I noticed that when the agent's ossec.conf contains

<localfile>
     <location>Security</location>
     <log_format>eventlog</log_format>
</localfile>

all events are sent to the OSSEC server, but when I replace eventlog with eventchannel

<localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
</localfile>

nothing is sent; it looks like the agent doesn't know what to do.

Besides that, I found a small error in the entry

  <query>Event/System[EventID=4625]</query>

I changed that for

  <query>Event/Security[EventID=4625]</query>

but it didn't help much either.

regards,
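The query strings in the first post and in the post above select on the structure of a Windows event record, so it helps to see where EventID actually lives in that XML. The following is an added example (not code from the thread or from the OSSEC project): it parses two constructed Security-channel events with Python's ElementTree and applies the same structural selection as Event/System[EventID=4625]. ElementTree's XPath subset needs the value quoted and the event namespace declared, so the predicate is written System[EventID='4625'] with an "e:" prefix; the field values are made up. It also shows why Event/Security[EventID=4625] cannot match anything: "Security" is the channel name stored in the <Channel> element under <System>, not an element of its own.

```python
import xml.etree.ElementTree as ET

# Namespace that every Windows event record uses when rendered as XML.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one logon failure (4625) and one logon success (4624)
# from the Security channel. Host, user and address are invented for the example.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
    <Computer>FILESRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>FILESRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
</Events>"""


def select_events(events_xml, predicate):
    """Return the <Event> elements for which `predicate` (an ElementTree path
    relative to <Event>, e.g. "e:System[e:EventID='4625']") selects a child."""
    root = ET.fromstring(events_xml)
    return [
        event
        for event in root.findall("e:Event", EVT_NS)
        if event.find(predicate, EVT_NS) is not None
    ]


def summarize(event):
    """Pull the fields a defender wants from one event: ID, channel, host,
    and the EventData values keyed by their Name attribute."""
    system = event.find("e:System", EVT_NS)
    data = {d.get("Name"): d.text for d in event.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "channel": system.find("e:Channel", EVT_NS).text,
        "computer": system.find("e:Computer", EVT_NS).text,
        "user": data.get("TargetUserName"),
        "source_ip": data.get("IpAddress"),
        "logon_type": data.get("LogonType"),
    }


def failed_logons(events_xml):
    """Structural equivalent of the page's Event/System[EventID=4625] query:
    keep only events whose <System> carries EventID 4625."""
    return [summarize(e) for e in select_events(events_xml, "e:System[e:EventID='4625']")]


def mistaken_query_hits(events_xml):
    """The Event/Security[EventID=4625] variant from the thread: there is no
    <Security> element under <Event>, so this always selects nothing."""
    return select_events(events_xml, "e:Security[e:EventID='4625']")


if __name__ == "__main__":
    for hit in failed_logons(SAMPLE_EVENTS):
        print(hit)
    print("matches for Event/Security[...]:", len(mistaken_query_hits(SAMPLE_EVENTS)))
```

Running the block prints the single 4625 record with its user and source address and reports zero matches for the Event/Security form, which is the structural reason that variant could not have helped regardless of the agent version.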


SoulAuctioneer

Mar 31, 2015, 8:03:08 PM3/31/15
to ossec...@googlegroups.com
I confirmed in the code that the query is getting passed to EvtSubscribe(), and an error should get generated and show in the logs if the query is malformed in any way. There have been a large number of changes to the eventchannel code in 2.9, which is still beta. Let me find a download link for that version and have you try it out there. If it still doesn't work we can do some deeper-dive troubleshooting.

zen....@gmail.com

Apr 1, 2015, 5:18:15 PM4/1/15
to ossec...@googlegroups.com
I found 2.9-beta03 (https://github.com/ossec/ossec-hids/releases) and tried to install it, but it was unsuccessful; I attach two files.

SoulAuctioneer

Apr 2, 2015, 5:17:07 PM4/2/15
to ossec...@googlegroups.com
The server isn't what you need, which is what you are building in these screenshots. You'd need the updated version of the Windows agent which isn't on the releases page for 2.9-beta03. I'm working on getting that rectified and will post a download link once I have it.

zen....@gmail.com

May 20, 2015, 7:28:01 AM5/20/15
to ossec...@googlegroups.com
Hello,
A long time has passed; what is going on?