wazuh sysmon logs forwarding

687 views

Houssam Eddine KOURCHI

Jul 14, 2024, 2:17:40 PM
to Wazuh | Mailing List
Hello,
I downloaded and installed the Wazuh OVA on VirtualBox and configured my host as the Wazuh agent.
Then I installed Sysmon on my host to capture logs and forward them to the Wazuh server.
I have a use case where I need to log Sysmon DNS query events (event 22) to the Wazuh UI, but the events are not shown in the UI.
I made sure that the Sysmon configuration file logs DNS queries and that the logs are visible in Event Viewer. I also configured the Wazuh agent to forward Sysmon logs in the agent's ossec.conf file using this block:
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
I also configured the local_rules.xml file on the manager to catch the DNS logs on the server; you can see the attached image.
But still Sysmon event 22 is not shown in the Wazuh UI. I am clueless.
When I filter events (in the Threat Hunting tab for my host) by the rule ID I specified in local_rules.xml, no entry with that ID appears in the selection, and the same happens when I filter by event ID 22 (see attached image).
Capture d’écran (294).png
rules.png
event_22 on event viewer.png

Emeka Michael Nzeopara

Jul 14, 2024, 9:44:55 PM
to Wazuh | Mailing List
Hi Houssam,

Don't feel clueless that your event is not being displayed in the UI. Have you confirmed that the rule you created is able to detect the log event by using the wazuh-logtest binary located at /var/ossec/bin/wazuh-logtest?

After running the binary, pass a sample event log to confirm that the rule you created is able to detect the event.

Since you want to monitor a Sysmon event channel, in case your rule is not being triggered you should consider reworking the rules, taking cues from the directory /var/ossec/ruleset/rules/ and looking into the Sysmon rule ID range, i.e.
0595-win-sysmon_rules.xml

May we also ask that you share a sample log entry of the event you want to monitor alongside the sample rule you have created for this process.
Our documentation on log collection is a good source of reference.

Let us know if this was of help to you.
Thank you

Houssam Eddine KOURCHI

Jul 15, 2024, 8:56:26 AM
to Wazuh | Mailing List
Hello Emeka,
Thank you for your help. Yes, I have tested with a sample log of event 22 that I obtained from the file /var/ossec/logs/archives/archives.log, using the command:
[wazuh-user@wazuh-server ~]$ sudo tail -f /var/ossec/logs/archives/archives.log | grep "eventID\":\"22"
At first, with the previously sent local_rules.xml file, no rule matched, but after a modification in local_rules.xml I was able to get the rule to match.
You can see the new local_rules.xml, the sample log for Sysmon event 22 and the logtest result in the attached files.
Still, the Sysmon event 22 events are not displayed in the Wazuh UI.
logtest.txt
new_local_rules.png

Houssam Eddine KOURCHI

Jul 15, 2024, 9:27:16 AM
to Wazuh | Mailing List
Thank you so much, Emeka,
Now the Sysmon DNS events are showing up in the Wazuh UI. I solved the problem just by modifying the rule level from 0 to 4 in /var/ossec/ruleset/rules/0595-win-sysmon_rules.xml:
  <rule id="61650" level="4">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query event</description>
    <options>no_full_log</options>
    <group>sysmon_event_22,</group>
  </rule>
It seems that the local_rules.xml file does not affect the Sysmon DNS events and I was only able to configure them in the default 0595-win-sysmon_rules.xml?

Emeka Michael Nzeopara

Jul 15, 2024, 9:40:43 AM
to Houssam Eddine KOURCHI, Wazuh | Mailing List
Hello Houssam,

Thank you for your feedback. You are welcome.


Yann Cloatre

Jul 9, 2025, 11:57:15 PM
to Wazuh | Mailing List
Houssam, your rule will work in local_rules.xml if you use overwrite (you should not need to modify 0595-win-sysmon_rules.xml):

<group name="windows,sysmon,">
  <rule id="61650" level="4" overwrite="yes">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query event</description>
    <options>no_full_log</options>
    <group>sysmon_event_22,</group>
  </rule>
</group>
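Houssam's fix (raising the rule level from 0) and Yann's overwrite in local_rules.xml work for the same reason: the shipped event-22 rule is level 0, the manager's default alerts/log_alert_level is 3, and only alerts at or above that level are written to alerts.json, which is what the indexer and the dashboard read. A level-0 match is visible to wazuh-logtest and in archives.log but never becomes an alert, so filtering the Threat Hunting view by rule ID or event ID finds nothing. The Python below is an added example, not code from this thread or from Wazuh: a toy rule matcher run over constructed archives.log-style JSON lines. The parent rule 61600 is a simplified stand-in assumed to match on providerName, the matcher and the duplicate-id rejection are simplifications of analysisd, and the three events are invented.

```python
"""Toy model of why a level-0 Wazuh rule never reaches the dashboard."""
import json
import re
import xml.etree.ElementTree as ET

# Wazuh manager default for <alerts><log_alert_level>: an event whose matching
# rule is below this level is not written to alerts.json, and therefore never
# reaches the indexer or the dashboard. Level 0 is invisible in the UI by design.
LOG_ALERT_LEVEL = 3

# Constructed log lines in the JSON shape the agent's eventchannel collector
# produces (the shape Houssam grepped out of archives.log). Not real captures.
SAMPLE_EVENTS = [
    json.dumps({"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "22",
                                   "channel": "Microsoft-Windows-Sysmon/Operational"},
                        "eventdata": {"image": "C:\\Windows\\System32\\svchost.exe",
                                      "queryName": "example.com"}}}),
    json.dumps({"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "1",
                                   "channel": "Microsoft-Windows-Sysmon/Operational"},
                        "eventdata": {"image": "C:\\Windows\\System32\\notepad.exe"}}}),
    json.dumps({"win": {"system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "22",
                                   "channel": "Microsoft-Windows-Sysmon/Operational"},
                        "eventdata": {"image": "C:\\Users\\h\\AppData\\Local\\Temp\\x.exe",
                                      "queryName": "updates.example.net"}}}),
]

# Simplified stand-in for the shipped ruleset: 61600 is assumed to be the Sysmon
# grouping rule matching on providerName; 61650 is the level-0 event-22 rule.
BASE_RULES = """<group name="windows,sysmon,">
  <rule id="61600" level="0">
    <field name="win.system.providerName">^Microsoft-Windows-Sysmon$</field>
    <description>Sysmon grouping rule (stand-in)</description>
  </rule>
  <rule id="61650" level="0">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query event</description>
  </rule>
</group>"""

# Yann's local_rules.xml override from the thread.
LOCAL_RULES = """<group name="windows,sysmon,">
  <rule id="61650" level="4" overwrite="yes">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Sysmon - Event 22: DNS Query event</description>
    <options>no_full_log</options>
    <group>sysmon_event_22,</group>
  </rule>
</group>"""


def load_rules(xml_text, existing=None):
    """Parse a Wazuh-style rule file into a dict keyed by rule id.

    A rule id that is already defined is only accepted with overwrite="yes";
    otherwise the loader refuses (toy stand-in for the manager's duplicate-id error).
    """
    rules = dict(existing or {})
    for node in ET.fromstring(xml_text).iter("rule"):
        rid = node.get("id")
        if rid in rules and node.get("overwrite") != "yes":
            raise ValueError(f'rule id {rid} already defined; add overwrite="yes"')
        rules[rid] = {
            "id": rid,
            "level": int(node.get("level")),
            "if_sid": [s.strip() for s in (node.findtext("if_sid") or "").split(",") if s.strip()],
            "fields": [(f.get("name"), re.compile(f.text)) for f in node.findall("field")],
            "description": node.findtext("description"),
        }
    return rules


def get_field(event, dotted):
    """Resolve a dotted name such as win.system.eventID against the decoded JSON event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def evaluate(event, rules):
    """Return the last matching rule, honouring if_sid parents in id order (toy analysisd)."""
    matched_ids, winner = set(), None
    for rid in sorted(rules, key=int):
        rule = rules[rid]
        if rule["if_sid"] and not matched_ids.intersection(rule["if_sid"]):
            continue
        if all(rx.search(str(get_field(event, name) or "")) for name, rx in rule["fields"]):
            matched_ids.add(rid)
            winner = rule
    return winner


def alerts_for(lines, rules, log_alert_level=LOG_ALERT_LEVEL):
    """Return (rule id, level, queryName) for each event that would be written to alerts.json."""
    out = []
    for line in lines:
        event = json.loads(line)
        rule = evaluate(event, rules)
        if rule is not None and rule["level"] >= log_alert_level:
            out.append((rule["id"], rule["level"], get_field(event, "win.eventdata.queryName")))
    return out


if __name__ == "__main__":
    base = load_rules(BASE_RULES)
    print("shipped level 0:", alerts_for(SAMPLE_EVENTS, base))    # []
    merged = load_rules(LOCAL_RULES, base)
    print("after overwrite:", alerts_for(SAMPLE_EVENTS, merged))  # the two event-22 lines
```

With the shipped level-0 rule the two DNS events match but produce no alert; after loading the overwrite they surface as rule 61650 at level 4. Dropping overwrite="yes" from the local copy makes the loader reject the duplicate id instead, which is why the override must carry that attribute rather than simply repeating the rule. The same check is what wazuh-logtest shows you: look at the level it reports, not only whether a rule matched.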