Capturing Window Event ID's


Brian

Oct 27, 2014, 7:51:36 AM
to ossec...@googlegroups.com
Hello, I am hoping someone may be able to help.
I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I found this discussion on how to add it to your ossec.conf file.

However, the events aren't showing up in OSSEC. Would this be the correct way of configuring OSSEC to capture specific Windows Event IDs?

I added the following to my ossec.conf file, above 18104 as the above article suggested, and then restarted OSSEC.

<rule id="19000" level="6">
  <if_sid>18100</if_sid>
  <id>^5142&|^5143$|^5144$|^5145$</id>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>

Thank you for your help.

dan (ddp)

Oct 27, 2014, 10:23:31 AM
to ossec...@googlegroups.com
Is it working? If not, turn on the log all option on the manager and
provide a log sample.


Ivars Grīnbergs

Oct 27, 2014, 11:39:47 AM
to ossec...@googlegroups.com
Is the ampersand correctly used at the end of 5142? For the other IDs a $ sign is used.

Ivars


dan (ddp)

Oct 27, 2014, 11:42:37 AM
to ossec...@googlegroups.com
On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <i.gri...@gmail.com> wrote:
> Is the ampersand correctly used at the end of 5142? For other IDs there are
> $ sign used.
>

Nope, I'm not sure what they were attempting with that.

Santiago Bassett

Oct 27, 2014, 1:59:46 PM
to ossec...@googlegroups.com
Hi Brian,

I see you refer to AlienVault documentation. Are you using AlienVault USM or OSSIM with OSSEC? If that is the case, you should be able to grab the event ID from the raw log by modifying the plugin used to parse the OSSEC alerts output.

Also, as Ivars mentioned, it seems there is a typo in the rule. Instead of & it should be $.

Best


Brian

Oct 27, 2014, 2:01:33 PM
to ossec...@googlegroups.com
Thank you for your reply. Looks like the & was a typo. I fixed that and it now looks like: <id>^5142$|^5143$|^5144$|^5145$</id>
So, I turned on debugging on the client side, and I get the output shown below. When I run tail -f /var/ossec/logs/alerts/alerts.log
on the server side, I don't see anything coming in. The Windows client is a Windows 2012 server.


Debug:

2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541
%%4423
- '
2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files (x86)\ossec-agent 0x100081 %%1541
%%4416
%%4423

dan (ddp)

Oct 27, 2014, 2:05:27 PM
to ossec...@googlegroups.com
Did you turn on the log all option on the manager? If you run the log
messages from the archives.log through ossec-logtest, what happens?

Brian

Oct 27, 2014, 3:03:19 PM
to ossec...@googlegroups.com
I'm not sure if I am running it correctly.
I get the following; it doesn't show anything. In the ossec.conf file, I placed <logall>yes</logall> in the global section and restarted. I got no errors when restarting.

ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest /var/ossec/logs/archives/archives.log
2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
ossec-testrule: Type one log per line.

dan (ddp)

Oct 27, 2014, 3:09:44 PM
to ossec...@googlegroups.com
On Mon, Oct 27, 2014 at 3:03 PM, Brian <ke...@myschatz.net> wrote:
> I'm not sure if I am running it correctly..
> I get the following, it doesn't show anything... in the ossec.conf
> file, I placed <logall>yes</logall> in the global section and restarted.
> I got no errors when restarting.
>
> ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
> /var/ossec/logs/archives/archives.log
> 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
> 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
> ossec-testrule: Type one log per line.
>

The archives.log file is just a text log file. You'll need to find the
entries you are interested in, copy them out of the file, and paste
them into the ossec-logtest program.

Windows is odd (why does it put so many spaces in odd places?), so
copying archives.log to another location, then deleting all of the
lines you are not interested in might be the best solution.


As a shortcut while testing, I frequently save the log message to a
file, then run:

cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest

Michael Starks

Oct 27, 2014, 3:22:25 PM
to ossec...@googlegroups.com
On 2014-10-27 14:09, dan (ddp) wrote:
> Windows is odd (why does it put so many spaces in odd places?)

This highlights the need for a documented OSSEC log format. OSSEC
constructs the message as it sees fit but this will always be confusing
unless a standard is developed from which the log format can be derived
and understood. This would also make third-party integration much, much
more enjoyable.

Brian

Oct 27, 2014, 8:34:55 PM
to ossec...@googlegroups.com
From what I can tell, I am doing this correctly. Here is the log for event ID 5145. I did run ./ossec-logtest; I placed
"WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to rule 18100 and not 19000.
Below I have my log, rules and logtest.

Log:

2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538
%%1541
%%4416
%%4417
%%4418
%%4419
%%4420
%%4423
%%4424

2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects \??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
%%4416
%%4423
%%1541: %%1801 D:(A;;0x1200a9;;;WD)
%%4416: %%1801 D:(A;;0x1200a9;;;WD)
%%4423: %%1801 D:(A;;0x1200a9;;;WD)



Rules:

<group name="windows,">

  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>

  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>

  <rule id="18102" level="0">
    <if_sid>18100</if_sid>
    <status>^WARNING</status>
    <description>Windows warning event.</description>
  </rule>

  <rule id="18103" level="5">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows error event.</description>
    <group>system_error,</group>
  </rule>

  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>

  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>



Logtest:

ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
ossec-testrule: Type one log per line.

WinEvtLog: Security: AUDIT_SUCCESS(5145)


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
       hostname: 'OSSECServer'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'

**Phase 2: Completed decoding.
       decoder: 'windows'

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

Brian

Oct 28, 2014, 8:15:22 AM
to ossec...@googlegroups.com
I did test my rule again this morning, changed the level to 0, and the rule works.

ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
2014/10/28 07:10:10 ossec-testrule: INFO: Reading local decoder file.
2014/10/28 07:10:10 ossec-testrule: INFO: Started (pid: 18664).
ossec-testrule: Type one log per line.

WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'
       hostname: 'Mango-OSSEC'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '5145'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WinClient.Domain.Local'

**Phase 3: Completed filtering (rules).
       Rule id: '19000'
       Level: '0'
       Description: 'Windows audit success event.'

dan (ddp)

Oct 28, 2014, 9:34:59 AM
to ossec...@googlegroups.com
On Mon, Oct 27, 2014 at 8:34 PM, Brian <ke...@myschatz.net> wrote:
> From what I can tell, and I am doing this correctly. here is the log for
> event ID 5145. . I did run ./ossec-logtest , I placed "
> WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to Rule 18100 and
> not 19000.
> below I have my log, rules and logtest
>
> Log:
>
> 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07
> WinEvtLog: Security: AUDIT_SUCCESS(5145):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
> User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
> %%1541
> %%4416
> %%4417
> %%4418
> %%4419
> %%4420
> %%4423
> %%4424
>

I don't know enough about the Windows stuff to know why all of these
are being presented on their own lines and whatnot.
Running everything up until the first newline through ossec-logtest
gives me the following output (Removing everything between the
beginning of the line and 2014 because that should be an OSSEC header
added to the archives.log entries):

[root@localhost ddp]# cat /tmp/xxx
2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f
%%1538
[root@localhost ddp]# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2014/10/28 09:30:41 ossec-testrule: INFO: Reading local decoder file.
2014/10/28 09:30:41 ossec-testrule: INFO: Started (pid: 6981).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
full event: '2014 Oct 27 14:17:07 WinEvtLog: Security:
AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
no domain: WinClient.Domain.Local:
S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'
hostname: 'localhost'
program_name: '(null)'
log: '2014 Oct 27 14:17:07 WinEvtLog: Security:
AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
no domain: WinClient.Domain.Local:
S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '5145'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'WinClient.Domain.Local'

**Phase 3: Completed filtering (rules).
Rule id: '18104'
Level: '0'
Description: 'Windows audit success event.'

So the id is decoded. And this rule successfully captures that log message:
<rule id="300001" level="6">
<if_sid>18104</if_sid>
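Dan's two replies above describe one workflow: pull the event lines you care about out of archives.log, remove the header the manager prepends, and pipe the result into ossec-logtest one event per line. The script below is an added example (not Dan's or OSSEC's code) that automates that; the archives.log excerpt it reads is constructed, and the header pattern is an assumption based on the line formats shown in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: select Windows event IDs from an OSSEC
# archives.log, strip the manager-added header, and feed ossec-logtest.

# Constructed archives.log excerpt: one 5145 event with its %% continuation
# lines, plus a 4624 event that must be filtered out. The SID is a placeholder.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-EXAMPLE-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
%%1541
%%4416
2014 Oct 27 14:16:55 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:08 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: logon
EOF

# extract_events FILE ID...: keep only the first line of each WinEvtLog event
# whose ID is one of those given. The %% continuation lines are dropped
# because ossec-logtest treats every input line as a separate event.
extract_events() {
    file=$1; shift
    ids=$(printf '%s|' "$@"); ids=${ids%|}
    grep -E "WinEvtLog: [A-Za-z]+: AUDIT_[A-Z]+\(($ids)\):" "$file"
}

# strip_archive_header: remove the "<date> (<agent>) <ip>-><location> " prefix
# (assumed format) that the manager adds in archives.log, leaving the event
# as the agent sent it, which is what Dan fed to ossec-logtest.
strip_archive_header() {
    sed -E 's/^[0-9]{4} [A-Z][a-z]{2} [0-9]{2} [0-9:]{8} (\([^)]*\) )?[^ ]+->[^ ]+ //'
}

# prepare_logtest_input FILE ID...: lines ready to paste into ossec-logtest.
prepare_logtest_input() {
    extract_events "$@" | strip_archive_header
}

# Run through the real tool when it is installed (path from the thread);
# otherwise just show the prepared lines.
if [ -x /var/ossec/bin/ossec-logtest ]; then
    prepare_logtest_input "$SAMPLE_FILE" 5142 5143 5144 5145 | /var/ossec/bin/ossec-logtest
else
    prepare_logtest_input "$SAMPLE_FILE" 5142 5143 5144 5145
fi
```

Point `extract_events` at the real /var/ossec/logs/archives/archives.log once `<logall>yes</logall>` is on; each prepared line should then decode with `id` set, as in the Phase 2 output above.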

Brian

Oct 28, 2014, 10:39:36 AM
to ossec...@googlegroups.com
I think I got it working; it may not be the correct way.
I removed rule ID 19000,
added <id>^5142$|^5143$|^5144$|^5145$</id>
to rule 18104,
and gave rule 18104 level 2,
and it seems to work now. If it continues to work correctly, I thank you for your help.

Old Rules:
  <rule id="19000" level="2">
    <if_sid>18100</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>

  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>

New Rule:

<rule id="18104" level="2">

dan (ddp)

Oct 28, 2014, 10:45:15 AM
to ossec...@googlegroups.com
On Tue, Oct 28, 2014 at 10:39 AM, Brian <ke...@myschatz.net> wrote:
> I think I got it working; it may not be the correct way..
> I removed Rule ID 19000
> Added <id>^5142$|^5143$|^5144$|^5145$</id>
> to Rule 18104
> and gave Rule 18104 Level 2
> and it seems to work now.. If continues to work correctly, I thank you
> for your help..
>
> Old Rules:
> <rule id="19000" level="2">

Be careful using these ID ranges. New rules could always be added
using those IDs, and that would cause issues.

gr...@castraconsulting.com

Oct 29, 2014, 7:04:17 AM
to ossec...@googlegroups.com
I have been following this thread with interest and I have a question

First, on the surface there is no reason this should not have worked using rule id = 19000; I tested it in my lab on 2.7.1 and it worked. (I know I need to move up and I will this year.)

In my setup I tend to start with 70000 for new rules and it just works, so I altered existing working rules to use 19000 with no errors.

However, when using rule 18104, isn't he essentially overwriting a current rule with a different match?
Further, since the override syntax is not used, is there not a conflict in the subsystem?

Thanks in advance for the information.

dan (ddp)

Oct 29, 2014, 7:38:35 AM
to ossec...@googlegroups.com
On Wed, Oct 29, 2014 at 7:04 AM, <gr...@castraconsulting.com> wrote:
> I have been following this thread with interest and I have a question
>
> First, there is no reason, on the surface this should not have worked using
> rule id = 19000, I tested in my lab on 2.7.1 and it worked. (I know I need
> to move up and I will this year)
>

Unless there was another rule at 19000?

> In my setup I tend to start with 70000 for new rules and it just works, so I
> altered existing working rules to use 19000 with no errors.
>

Any of those IDs can be used in a release, so I tend to avoid them for
local rules.
I try to stick with rule IDs of 100000+.
https://github.com/ossec/ossec-hids/blob/master/doc/rule_ids.txt