Find logs about all files in a specific folder


Stefano Serano
May 8, 2019, 8:25:32 AM
to Wazuh mailing list
Hi all,
I'm monitoring a 230 GB folder using real-time mode. I'm able to see the log of a specific file by querying syscheck.path with the full path and file name, but if I want to find all files modified, deleted and added in a specific path, how can I do that?
I tried filtering syscheck.path from Kibana by:

f:\share\data
f:\share\data*
*f:\share\data*

but no results appear. How can I do that?



Thanks, have a nice day.

Daniel Moreno
May 8, 2019, 11:13:45 AM
to Wazuh mailing list
Hello Stefano,

This is caused by the querying feature's behavior: it needs the full path to find the alerts.

To filter Syscheck's events using syscheck.path and a wildcard (* in this case), you should use the Kibana search bar and search for:

    syscheck.path : f:\share\data*

It will return every file or subdirectory file whose path starts with "f:\share\data".

Keep in mind the real-time feature is designed to handle a known number of files. Using it to monitor directories with a high number of files could affect the tool's performance.
To monitor a large number of files in real time, it is better practice to use the Linux/Windows audit tool along with Wazuh features.

Hope it helps you.
Regards.

Daniel Moreno
May 8, 2019, 12:19:55 PM
to Wazuh mailing list
Hello Stefano,

What Kibana version are you using?

Regards.

On Wed, May 8, 2019 at 5:58 PM Stefano Serano <serano...@gmail.com> wrote:
Hi Daniel,
I've tried your method but with no luck.

Obviously if I remove the search filter I'm able to see lots of logs about files in share subfolders.

Have a nice day

Daniel Moreno
May 9, 2019, 7:47:24 AM
to Wazuh mailing list
Hi Stefano,

I've used the version you told me and I've not been able to reproduce the error.

If you disable the "query features" it stops working. Try to enable this option and use the configuration I suggested to you.


Regards.


Daniel Moreno
May 9, 2019, 10:49:08 AM
to Wazuh mailing list

Hello Stefano,

By default, Wazuh monitors Linux/Windows audit logs, but it's possible to create new rules in order to increase the alerts generated from these logs.

The wazuh-agent sends the Windows audit logs. It's specified in the following sections inside the agent's "ossec.conf" file:


  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>


Note some events are filtered so they won't be sent to the manager (every event specified with EventID != NUMBER).

In order to monitor a directory using the Windows audit tool along with the Wazuh features you have to:

  • Remove the "4663" event from the localfile in order to send it to the manager. The localfile section will look like:

      <localfile>
        <location>Security</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
          EventID != 4656 and EventID != 4658 and EventID != 4660 and
          EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]</query>
      </localfile>

  • Restart the agent.

  • Keep in mind, we recommend using a centralized configuration by creating agent groups and using the agent.conf file instead of changing each agent's ossec.conf file. You may get further information about it here: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html?highlight=group

  • Set Local Security Policy -> Local Policies -> Audit object access to Success. (It's possible to enable Failure too.)

  • Start to monitor a folder by doing right click -> Properties -> Security -> Advanced -> Auditing -> Add -> Select a principal, and enter the account username you want to be monitored. After writing it press Check Names and it will be autocompleted. Choose the permissions you want to be monitored and press OK.

  • Create custom rules to get alerted when specified conditions are triggered. You could use a rule like the following one to catch every event from the folder:

    <rule id="100001" level="0">
       <if_sid>60103</if_sid>
       <field name="win.system.eventID">4663</field>
       <description>Global File Audit Alert.</description>
    </rule>

The Linux audit tool is monitored by default too; it's specified with the following section:

<localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
</localfile>


Adding new rules is as easy as:

Now I receive an alert every time a file is created or modified inside the specified folder:

Regards.

On Thu, May 9, 2019 at 2:10 PM Stefano Serano <serano...@gmail.com> wrote:
I've figured it out, I need to use "\\" instead of "\" for Windows paths, like *//share//dati//*

Thanks Daniel. Can I ask you a question about this reply you gave me:

"To monitor a big amount of files on real-time it's a better practice to use Linux/Windows Audit tool along with Wazuh features"

Can you put me on the right way? Because I'm really interested in monitoring big data disks, how can I do that? Do I need to configure specific rules for audit data logs? Thanks again for your time.

Stefano Serano
May 10, 2019, 8:25:22 AM
to Daniel Moreno, Wazuh mailing list
Hi Daniel,
I tried what you said, but I'm stuck.

- Edit agent conf: Done, and restarted the agent

- Enable Audit Policy: Done

- Check for 4663 log in Event Viewer: Done

- Check for alerts inside Alert.log on the Wazuh server: No logs about file audit.

If I add your rule, during restart Wazuh tells me about a SID problem, so I thought I need to create a decoder for those logs and tried to follow this guide: https://wazuh.com/blog/file-integrity-monitoring-windows-user-groups/, but inside the /var/ossec/logs/archives/archives.log file I can't find anything (the file is empty). So what have I done wrong?

Thanks for your support, have a nice day


Daniel Moreno
May 10, 2019, 11:40:41 AM
to Wazuh mailing list
Hello Stefano,

It was my fault this time, I forgot to mention the rule is designed to work with the latest version of Wazuh (3.9).

To create the same rule in a manager with a version lower than 3.9 you need to use:

<rule id="100001" level="3">
  <if_sid>20004</if_sid>
  <field name="EventChannel.System.EventID">4663</field>
  <description>Global File Audit Alert.</description>
</rule>

I hope it helps you.
Regards.

Daniel Moreno
May 13, 2019, 9:24:40 AM
to Wazuh mailing list
Hi Stefano,

Here you can find information about the data extracted by Windows Audit.

There are several fields inside every Wazuh alert from a Windows Audit event where you can find relevant information.

As an example I've used the fields:

 - data.win.eventdata.objectName: It tells you where the access happened.
 - data.win.eventdata.processName: It indicates the program which opened/tried to open the file.

Regards.

On Mon, May 13, 2019 at 2:28 PM Stefano Serano <serano...@gmail.com> wrote:
Hi Daniel, I've solved it by myself.
Windows audit logs don't attach the "Access" data, but they attach the "Access mask" field, which is a unique code for each action, e.g.:

0x1000 = File Deleted
0x2 = File Added.

I can use this to filter the information I need, but if there is a way to make this information more readable (I need to give access to this information to a basic user) that would be great.
In any case I got all the information I needed. Thanks a lot for your support.
Have a nice day

On Mon, May 13, 2019 at 10:58 Stefano Serano <serano...@gmail.com> wrote:
Sometimes even superheroes make mistakes ;)

Thanks a lot Daniel, now I can see logs in Kibana. I've just one last question: on the Discover page I can't see which action was made by the user, the message says just "Attempt to access an Object" and nothing more. Reading the log on Windows I can see that the action is under the entry "Access". Is there a way to show that detail? Do I maybe need to edit the decoder?

Thanks again for your help.

Have a nice day
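The two open points in this thread, restricting event 4663 alerts to one folder and turning the raw "Access mask" into something a basic user can read, can be handled together on the manager side. The following script is an added example, not code from the thread or from Wazuh: it reads alerts.json lines, keeps 4663 events whose data.win.eventdata.objectName lies under a folder, and decodes the mask with the standard Win32 file access-right bits. The field names subjectUserName and accessMask are assumed to follow the same camelCase naming as objectName and processName; the sample alerts are constructed.

```python
import json

# Windows file ACCESS_MASK bits (Win32 file access rights; DELETE is 0x10000).
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x10: "WriteEA", 0x20: "Execute/Traverse",
    0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

def decode_access_mask(mask):
    """Turn an accessMask string such as "0x10000" into readable right names."""
    value = int(mask, 16)
    names = [name for bit, name in ACCESS_BITS.items() if value & bit]
    return names or ["unknown(0x%x)" % value]

def in_folder(object_name, folder):
    """True when object_name lies under folder (Windows paths, case-insensitive)."""
    norm = lambda s: s.replace("/", "\\").lower().rstrip("\\")
    return norm(object_name).startswith(norm(folder) + "\\")

def summarize_4663(alert_lines, folder):
    """Filter alerts.json lines to event 4663 under folder and decode the action.
    Returns (user, process, object, rights) tuples; other event IDs are skipped."""
    rows = []
    for line in alert_lines:
        win = json.loads(line).get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") != "4663":
            continue
        ev = win.get("eventdata", {})
        if not in_folder(ev.get("objectName", ""), folder):
            continue
        rows.append((ev.get("subjectUserName", "?"), ev.get("processName", "?"),
                     ev["objectName"], decode_access_mask(ev.get("accessMask", "0x0"))))
    return rows

# Constructed sample alerts (not real data); subjectUserName/accessMask are assumed names.
def _alert(eid, user, proc, obj, mask):
    return json.dumps({"data": {"win": {"system": {"eventID": eid}, "eventdata": {
        "subjectUserName": user, "processName": proc, "objectName": obj, "accessMask": mask}}}})
SAMPLE_ALERTS = [
    _alert("4663", "alice", "C:\\Windows\\explorer.exe", "F:\\share\\data\\report.xlsx", "0x2"),
    _alert("4663", "bob", "C:\\Windows\\System32\\cmd.exe", "F:\\share\\data\\old\\notes.txt", "0x10000"),
    _alert("4663", "bob", "C:\\Windows\\explorer.exe", "F:\\share\\other\\x.txt", "0x1"),  # other folder
    _alert("4656", "alice", "C:\\Windows\\explorer.exe", "F:\\share\\data\\report.xlsx", "0x80"),  # handle open
]
if __name__ == "__main__":
    # As with the Kibana query in the thread, backslashes must be escaped in source.
    for user, proc, obj, rights in summarize_4663(SAMPLE_ALERTS, "F:\\share\\data"):
        print(f"{user:6} {', '.join(rights):20} {obj}  via {proc}")
```

Run against /var/ossec/logs/alerts/alerts.json on the manager, the output names the user, the decoded right and the program for each access under the folder, which is the readable view the thread asks for.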