How can I disable Windows user logoff logon on security on event log


Le Sok

Jan 3, 2024, 2:00:44 AM1/3/24
to Wazuh | Mailing List
Hello team,
I want to disable these logs from Wazuh. I get a lot of logs, but just Windows user logoff/logon.

[Attachment: 2024-01-03_13-59-54.png]
Best regards!

Stuti Gupta

Jan 3, 2024, 2:07:02 AM1/3/24
to Wazuh | Mailing List
Hi team!
Thank you for using Wazuh.

Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Regards,

Stuti Gupta

Jan 3, 2024, 3:44:36 AM1/3/24
to Wazuh | Mailing List
Hi Le Sok,
Hope you are doing well today, and thank you for using Wazuh.

This log entry indicates that a user with the account on the computer "windows" logged off. The log provides additional details such as the security ID, logon ID, and logon type. The event is marked as an audit success. If you wish not to get any alert for this rule, you can simply create a custom rule based on that default rule, such as:

<rule id="100001" level="0">
  <if_sid>60137</if_sid>
  <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
  <description>Windows User Logoff</description>
  <options>no_full_log</options>
  <group>pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
As you can see in the image, I created a custom rule for 5502 that has alert level 3 and is triggered whenever I log in as the root user.
[Attachment: Screenshot_7.png]
By adding this rule, the alert level 0 will be triggered, and as we know only rules of level 3 or higher will trigger an alert in the dashboard. In case you want to ignore the rule, or create a rule that fires if a specific rule is triggered multiple times in a specific time period, you can use rule syntax like frequency, timeframe and ignore; for that you can refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule

Hope this helps,
Regards.
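To make the override mechanism in the reply above concrete, here is an added Python model (not part of this thread and not Wazuh's own engine) of how a level-0 child rule with if_sid shadows the stock rule 60137 so the event never reaches the level-3 dashboard threshold. The rule table, the sample event dicts and the field layout are constructed for illustration.

```python
import re

# Constructed model of the two rules discussed: stock rule 60137 (level 3)
# and the proposed level-0 child. A rule with if_sid is only tried after its
# parent matched; the most specific (last) match decides the final level.
RULES = [
    {"id": 60137, "level": 3, "if_sid": None, "field": "win.system.eventID",
     "regex": r"^538$|^551$|^4634$|^4647$", "description": "Windows User Logoff"},
    {"id": 100001, "level": 0, "if_sid": 60137, "field": "win.system.eventID",
     "regex": r"^538$|^551$|^4634$|^4647$", "description": "Windows User Logoff"},
]
ALERT_THRESHOLD = 3  # the reply's point: only level >= 3 shows in the dashboard


def get_field(event, dotted):
    """Resolve a dotted field name like win.system.eventID in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node if isinstance(node, str) else None


def evaluate(event, rules=RULES):
    """Return (rule_id, level) of the winning rule, or None if none matched."""
    matched = None
    for rule in rules:
        # if_sid: skip unless the named parent is the current match
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        value = get_field(event, rule["field"])
        if value is not None and re.search(rule["regex"], value):
            matched = rule
    return (matched["id"], matched["level"]) if matched else None


def alerts(event, rules=RULES):
    """True when the winning rule's level reaches the dashboard threshold."""
    result = evaluate(event, rules)
    return result is not None and result[1] >= ALERT_THRESHOLD


# Constructed sample events in the eventchannel field layout the rules use
LOGOFF = {"win": {"system": {"eventID": "4634", "channel": "Security"}}}
LOGON = {"win": {"system": {"eventID": "4624", "channel": "Security"}}}

if __name__ == "__main__":
    print("stock rules only:", evaluate(LOGOFF, RULES[:1]), alerts(LOGOFF, RULES[:1]))
    print("with override:   ", evaluate(LOGOFF), alerts(LOGOFF))
```

With only the stock rule the logoff produces (60137, 3) and alerts; with the child rule present it resolves to (100001, 0) and is silenced, while the 4624 logon is untouched by either rule.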