Integrating windows firewall logs

SARTHAK Javeri

Mar 21, 2023, 10:09:25 AM
to Wazuh mailing list
Hello,

I'm new to Wazuh and I'm trying to integrate Windows firewall logs with Wazuh.
I have enabled logging on the firewall.

I have tried adding the part below to the agent's ossec.conf file,
but after restarting the agent it gets disconnected from the Wazuh server.
It only connects once I remove that part and restart the agent.

<localfile>
  <location>C:\Windows\system32\LogFiles\Firewall\pfirewall.log</location>
  <log_format>utf-8</log_format>
</localfile>

Héctor Gómez

Mar 21, 2023, 10:54:45 AM
to Wazuh mailing list
Regards @SARTHAK. Thank you for using Wazuh.

I'll tell you, Windows Event Channel monitoring in OSSEC is the modern version of Event Log monitoring, and unlike the latter, Event Channel allows you to use queries to filter events. In this case, we will configure OSSEC to monitor events that record when Windows Firewall was started or stopped, and when a rule was created, modified, or deleted.

These events are classified with the following IDs:
ID 2003: The firewall was activated for a profile.
ID 2004: A new rule was created.
ID 2005: A rule was changed.
ID 2006: A rule was removed.

To configure your agent with this configuration you can use the following guide:
https://wazuh.com/blog/report-windows-firewall-status-event-channel/

If you have any issues, please let me know.
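As an added illustration of the approach described in the reply above (this fragment is not from the thread or from the linked Wazuh blog post), the following agent-side ossec.conf block subscribes to the Windows Firewall event channel and keeps only the four event IDs listed. It assumes the channel name "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and the XPath filter syntax that the Wazuh agent's eventchannel log format accepts. Note that log_format takes a fixed keyword such as syslog or eventchannel; "utf-8" from the original post is not an accepted value, which is consistent with the agent failing to start after that block was added.

```xml
<!-- Added example: Wazuh agent ossec.conf fragment for the Windows Firewall
     event channel. Not part of the original thread or the linked blog post.
     Assumed: channel name and XPath query syntax as accepted by the agent's
     eventchannel log format. -->
<ossec_config>
  <localfile>
    <!-- eventchannel is the log_format the agent uses for Windows event
         channels (the original post's "utf-8" is not a valid log_format) -->
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
    <!-- XPath filter evaluated by the agent before forwarding:
         2003 firewall enabled for a profile, 2004 rule created,
         2005 rule changed, 2006 rule removed -->
    <query>Event/System[EventID=2003 or EventID=2004 or EventID=2005 or EventID=2006]</query>
  </localfile>
</ossec_config>
```

Append the block to the agent's ossec.conf (an ossec.conf may contain several ossec_config sections) and restart the Wazuh agent service; the agent log (ossec.log) will report a configuration error on startup if the XML is malformed or a value is not accepted. Filtering on the four IDs at the agent keeps firewall rule changes, which are a common sign of tampering with host defenses, from being buried in the channel's other events; the matching alert rules are described in the blog post linked above.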

Héctor Gómez

Mar 21, 2023, 6:34:32 PM
to Wazuh mailing list
In the case of detecting events on the network, you require an external service or hardware that is in charge of collecting the events that occur on the network, in order to synchronize them with Wazuh and obtain statistics and alerts, for example Suricata.

Suricata is an intrusion detection system that can analyze network events and generate alerts when suspicious or malicious events are detected. By integrating Suricata with the Wazuh active response module, administrators can enhance the Wazuh XDR feature in their environment. Automated response actions can be applied to certain events detected by Suricata on monitored endpoints. 
https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/

SARTHAK Javeri

Mar 22, 2023, 12:54:22 AM
to Wazuh mailing list
Hello Héctor,
Thanks for the suggestion, I will try it.