rules to cover all the events and generate alert from them


ranjit nepal

Dec 17, 2021, 5:01:50 AM
to Wazuh mailing list
Hi,
I am trying to write a rule and decoder so that alerts are generated from all the events received from agents. I am not sure if I am on the right path. Can you please help me?
My local decoder and rules look like this.

/local_rules.xml:-

<rule id="100010" level="3">
  <regex>\w*</regex>
  <description>Allow all logs that are not caught by built in rules</description>
</rule>

/local_decoder.xml:-

<decoder name="allow_all">
    <program_name>\w*</program_name>
</decoder>

<decoder name="allow_all">
    <parent>allow_all</parent>
    <regex>\w*</regex>
    <order>all</order>
</decoder>

Thanks,
Ranjit

Christian Borla

Dec 17, 2021, 6:08:47 AM
to Wazuh mailing list
Hi Ranjit!
Thanks for using Wazuh, I hope you are doing well!

You are on the right path, but I'm concerned about the following points:

Processing time and CPU usage will increase.
Alert storage will increase.
And the possibility that all received events fall into your custom rule instead of the existing rules.

To allow any log, set the regex as <regex>\.</regex>; \w* will not match any log that contains a space at the beginning.

<rule id="100010" level="3">
  <regex>\.</regex>
  <description>Allow all logs that are not caught by built in rules</description>
</rule>


Let me know how it goes!
Regards.

Christian Borla

Dec 17, 2021, 6:19:31 AM
to Wazuh mailing list
Hi Ranjit!

I forgot to mention: if you want to capture everything in the decoder configuration, it should include parentheses in the regex, (\.), and a valid order field.

Available order fields are:  
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#order

For example, it could be:


<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex>(\.)</regex>
  <order>data</order>
</decoder>

Let me know if that works.
Regards.

ranjit nepal

Dec 21, 2021, 9:18:47 AM
to Christian Borla, Wazuh mailing list
Thank you so much Christian.
I tried the solution you gave above.

I see that some alerts are being generated, but all of them are generated from my manager machine's agent.

{"timestamp":"2021-12-21T14:02:22.507+0000","rule":{"level":3,"description":"ALlow all logs not caught by inbuilt rules","id":"100010","firedtimes":42,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"000","name":"****"},"manager":{"name":"*****"},"id":"1640095342.99408","full_log":"Dec 21 14:02:20 Logpoint-139 root[27713] : clear","predecoder":{"program_name":"root","timestamp":"Dec 21 14:02:20","hostname":"****"},"decoder":{},"location":"/var/log/syslog"}


In my Windows agent, I have added the following lines to get as many events generated as possible.

<localfile>
  <location>Microsoft-Windows-TaskScheduler/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>


With this I see that the agent's queue is full, but I don't see any alerts generated from it. I am not really sure what is going on here.
{"timestamp":"2021-12-21T14:17:35.392+0000","rule":{"level":7,"description":"Agent event queue is 90% full.","id":"202","firedtimes":1,"mail":false,"groups":["wazuh","agent_flooding"],"gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"****","ip":"10.45.13.9"},"manager":{"name":"****"},"id":"1640096255.314555","full_log":"wazuh: Agent buffer: '90%'.","decoder":{"parent":"wazuh","name":"wazuh"},"data":{"level":"90%"},"location":"wazuh-agent"}

Is there any way I can see all the events generated for which alerts are not generated?

Thanks,
Ranjit

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/89d2affa-c5aa-4935-a9f9-26c83adad42fn%40googlegroups.com.


--
Thanks and Regards,
Ranjit

ranjit nepal

Dec 21, 2021, 9:24:28 AM
to Christian Borla, Wazuh mailing list
This is what I see in archive.json file.
{"timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS","ip":"*****"},"manager":{"name":"*****"},"id":"1640096603.336656","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}},"location":"EventChannel"}

ranjit nepal

Dec 22, 2021, 12:35:15 AM
to Christian Borla, Wazuh mailing list
Also, when I try with wazuh-logtest, I can see that the rules are matched.
[attachment: image.png]

Christian Borla

Dec 22, 2021, 6:30:39 AM
to Wazuh mailing list

Hi Ranjit.
I hope you are doing fine!
Sorry for the delay.

Regarding your question, "Is there any way I can see all the events generated for which alerts are not generated?":
The answer is no, we don't have a mechanism to automatically detect which events don't trigger an alert; you can do it manually, looking for those events in the /var/ossec/logs/archive/archives.json file.

It makes sense that the agent queue is full, because you are collecting everything, so it will capture all logs to send to the manager.

If you want to collect Windows eventchannel events, I recommend setting the agent with the following configuration:

<localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html?highlight=eventchannel#monitor-the-windows-event-channel-with-wazuh

After getting an event into /var/ossec/logs/archive/archive.json, if the custom rule matches the sample log there should be an alert in /var/ossec/logs/alert/alert.json; do you find it there?

Let me know if this information is useful to you!
Regards.
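One way to do that manual search over archives.json, as an added example (my own script, not part of Christian's reply and not a Wazuh tool): it reads the file line by line and lists every event that never became an alert, either because no rule matched (the record carries no "rule" object, like the eventchannel record quoted earlier in this thread) or because the matched rule's level is 0 or below the manager's log_alert_level (3 by default). The sample lines are constructed from the records in this thread, abbreviated to the fields the script uses; the default path is /var/ossec/logs/archives/archives.json, which is where logall_json writes.

```python
import json
import sys
from collections import Counter

# Constructed sample lines modelled on the archives.json records quoted in this
# thread. Only the fields this script looks at are kept; full_log is abbreviated.
SAMPLE_ARCHIVE_LINES = [
    # A syslog event that matched custom rule 100010 at level 3: an alert at log_alert_level 3.
    '{"timestamp":"2021-12-21T14:02:22.507+0000","rule":{"level":3,"id":"100010",'
    '"description":"Allow all logs not caught by inbuilt rules"},"agent":{"id":"000","name":"manager"},'
    '"full_log":"Dec 21 14:02:20 host root[27713] : clear","decoder":{},"location":"/var/log/syslog"}',
    # A Windows eventchannel event with no "rule" object: nothing in the ruleset matched it.
    '{"timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS"},'
    '"full_log":"(abbreviated)","decoder":{"name":"windows_eventchannel"},'
    '"data":{"win":{"system":{"eventID":"108","channel":"Microsoft-Windows-TaskScheduler/Operational"}}},'
    '"location":"EventChannel"}',
    # A JSON event that matched a level-0 rule: recorded here, but level 0 never alerts.
    '{"timestamp":"2021-12-21T14:30:00.000+0000","rule":{"level":0,"id":"100010",'
    '"description":"Allow all messages."},"agent":{"id":"003","name":"Plugins-ADFS"},'
    '"decoder":{"name":"json"},"location":"EventChannel"}',
    # A truncated trailing line, as seen while analysisd is still appending to the file.
    '{"timestamp":"2021-12-21T14:31:00.000+0000","agent":{"id":"003"',
]


def iter_events(lines):
    """Yield one parsed event per non-empty line, skipping lines that are not valid JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(event, log_alert_level):
    """Return None if the event produced an alert, else a short reason why it did not."""
    rule = event.get("rule")
    if rule is None:
        return "no rule matched"
    level = int(rule.get("level", 0))
    if level == 0:
        return f"rule {rule.get('id')} has level 0 (never alerts)"
    if level < log_alert_level:
        return f"rule {rule.get('id')} level {level} is below log_alert_level {log_alert_level}"
    return None


def unalerted_events(lines, log_alert_level=3):
    """Events from archives.json that never reached alerts.json, with a reason each."""
    result = []
    for event in iter_events(lines):
        reason = classify(event, log_alert_level)
        if reason is None:
            continue
        result.append({
            "timestamp": event.get("timestamp"),
            "agent": event.get("agent", {}).get("id"),
            "decoder": event.get("decoder", {}).get("name", "(none)"),
            "location": event.get("location"),
            "reason": reason,
        })
    return result


def summarize(unalerted):
    """Count unalerted events per (decoder, location) pair to see which sources need rules."""
    return Counter((u["decoder"], u["location"]) for u in unalerted)


def main(path="/var/ossec/logs/archives/archives.json", log_alert_level=3):
    with open(path, encoding="utf-8") as fh:
        missing = unalerted_events(fh, log_alert_level)
    for (decoder, location), n in summarize(missing).most_common():
        print(f"{n:6d}  decoder={decoder}  location={location}")
    return missing


if __name__ == "__main__":
    # "--sample" runs over the constructed records; otherwise pass a path to archives.json.
    if "--sample" in sys.argv:
        for u in unalerted_events(SAMPLE_ARCHIVE_LINES):
            print(u)
    else:
        main(*sys.argv[1:2])
```

The (decoder, location) summary is the useful output: a large count under windows_eventchannel/EventChannel means that channel has no rule covering it, not that the agent failed to deliver. One limit of this approach: a rule carrying <options>no_log</options> also suppresses its alert, and archives.json alone does not show that, so compare the listed rule ids against the rule files as well.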

ranjit nepal

Dec 23, 2021, 12:14:01 AM
to Christian Borla, Wazuh mailing list
Hi Christian. Thanks for such a quick reply.
The issue I am facing is that when I run wazuh-logtest, I see that the rules match the full_log section coming from the event, as mentioned in the previous email. However, the same event does not create an alert even though it is present in the archive.json file.
As per my understanding, if any event in archive.json matches any rule, an alert should be generated for it. However, in my case it is not being generated. wazuh-logtest shows that my custom rule matches the event in the archive.json file.

Christian Borla

Dec 24, 2021, 6:53:26 AM
to Wazuh mailing list
Hi Ranjit.
I hope you are doing fine!
Sorry for the delay.
I understand. Could you share how wazuh-logtest processes it?

The structure should be similar to:
**Phase 2: Completed decoding.
**Phase 3: Completed filtering (rules).
**Alert to be generated.

The important part is the last message: **Alert to be generated.

When I run the sample test, I have this:

**Phase 2: Completed decoding.
        name: 'json'
        agent.id: '003'
        agent.ip: '*****'
        agent.name: 'Plugins-ADFS'
        data.win.eventdata.instanceId: '{00000000-0000-0000-0000-000000000000}'
        data.win.eventdata.taskName: '\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational'
        data.win.system.channel: 'Microsoft-Windows-TaskScheduler/Operational'
        data.win.system.computer: 'Plugins-ADFS.logpoint.local'
        data.win.system.eventID: '108'
        data.win.system.eventRecordID: '2486746518'
        data.win.system.keywords: '0x8000000000000000'
        data.win.system.level: '4'
        data.win.system.message: '"Task Scheduler launched "{00000000-0000-0000-0000-000000000000}"  instance of task "\Event Viewer Tasks\Microsoft-Windows-TaskScheduler_Operational"  according to an event trigger."'
        data.win.system.opcode: '0'
        data.win.system.processID: '808'
        data.win.system.providerGuid: '{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}'
        data.win.system.providerName: 'Microsoft-Windows-TaskScheduler'
        data.win.system.severityValue: 'INFORMATION'
        data.win.system.systemTime: '2021-12-21T14:23:20.012913000Z'
        data.win.system.task: '108'
        data.win.system.threadID: '4724'
        data.win.system.version: '0'
        decoder.name: 'windows_eventchannel'
        full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}'
        id: '1640096603.336656'
        location: 'EventChannel'
        manager.name: '*****'
        timestamp: '2021-12-21T14:23:23.904+0000'

Because I don't have the custom rule to process all events.
Could you include how the custom rule looks now?


Let me know if this information is useful to you!
Regards.


ranjit nepal

Dec 26, 2021, 11:24:22 PM
to Christian Borla, Wazuh mailing list
Hi Christian. Hope you had a good weekend.
With the custom rule, my output is as below.
**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS","ip":"*****"},"manager":{"name":"*****"},"id":"1640096603.336656","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}},"location":"EventChannel"}'
**Phase 3: Completed filtering (rules).
id: '100010'
level: '9'
description: 'ALlow all logs not caught by inbuilt rules'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.


But alerts are not generated for some reason.

Thanks,
Ranjit


Christian Borla

Dec 27, 2021, 6:17:16 PM
to Wazuh mailing list
Hi Ranjit,

I hope you are doing fine! 
Sorry for the delay.

Could you check the alert field in the ossec.conf file?
Maybe it's bigger than 3, and the alert is not generated because of that.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html#alerts
<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

Try with 2 or 1; your custom rule is set with level 3.

Let me know if that works.
Regards.

ranjit nepal

Dec 27, 2021, 11:31:07 PM
to Christian Borla, Wazuh mailing list
Hi Christian. Thanks for the suggestion.
However, it's still not working. I changed the level to 1 and restarted the manager. Also, to avoid this, I had changed my custom rule level to 9, as you can see in my previous email.
I still see that archive.json is getting all the events, but alerts are still not generated.
I am pasting all my settings here.

local_decoder:-
<decoder name="allow_all">
  <program_name>\.</program_name>
</decoder>

<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex>(\.)</regex>
  <order>data</order>
</decoder>


local_rules:-
  <rule id="100010" level="9">
    <regex>(\.)</regex>
    <description>ALlow all logs not caught by inbuilt rules</description>
  </rule>

ossec.conf:-
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <zeromq_output>yes</zeromq_output>
    <zeromq_uri>tcp://10.45.13.30:5502</zeromq_uri>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>oss...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.1</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>


Thanks,
Ranjit
Christian Borla

Dec 28, 2021, 2:34:20 PM
to Wazuh mailing list
Hi Ranjit,
I hope you are doing fine!
I have been looking for some related issues, and I found these:

https://github.com/wazuh/wazuh/issues/7563
https://github.com/wazuh/wazuh-documentation/issues/3231

Looks like it's mandatory to add some of the following fields to the decoder to trigger an alert.
  • action
  • srcip
  • dstip
  • srcport
  • dstport
  • protocol
And we are capturing only the data field.
The issue here is how we can identify one of the above fields in a generic example log.

Another relevant detail is that, running wazuh-logtest on the example log, it falls into the generic json decoder, not into the custom decoder.
        id: '111111'
        level: '4'
        description: 'Allow all logs not caught by inbuilt rules'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


The JSON decoder doesn't capture the full log. (I changed the name of the rule to look for it easily.)

I did some changes with the same result.

<rule id="111111" level="4">
  <regex type="pcre2">.*</regex>
  <description>Allow all logs not caught by inbuilt rules</description>
</rule>

<decoder name="allow_all">
  <program_name type="pcre2">.*</program_name>
</decoder>

<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex type="pcre2">(.)(.*)</regex>
  <order>action,extra_data</order>
</decoder>

I will keep analyzing it.
Let me know if you find anything else.

Regards.

ranjit nepal

Dec 29, 2021, 5:49:36 AM
to Christian Borla, Wazuh mailing list
Hi Christian. Thanks for all the help.
One thing I don't understand here is that if the decoder capturing our event is the generic JSON decoder, which is already built in, doesn't that mean that an alert should have been generated? https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html shows that alerts should be generated from the local JSON decoder too.
Also, I tried something as mentioned in this documentation and changed my rules as follows so that it will at least cover the

<group name="allow_messages">
  <rule id="100010" level="0">
    <decoded_as>json</decoded_as>
    <field name="timestamp">\.+</field>
    <description>Allow all messages.</description>
  </rule>

  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <field name="location">^EventChannel$</field>
    <description>Allow all logs</description>
  </rule>
</group>

Still the alerts are not generated.
Thanks,
Ranjit
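A small linter for a local_rules.xml like the one above, as an added example (my own code, not Wazuh's and not something either participant posted): it parses the group-wrapped rules quoted in this message, plus one deliberately broken rule I constructed, and flags what keeps a custom rule from loading or from ever alerting: a rule outside any <group>, a duplicate or out-of-range id, an invalid level, a level that is 0 or below log_alert_level, a no_log option, an if_sid that the file does not define, and a missing description. The 100000-120000 id range for custom rules and the 0-16 level range come from the Wazuh documentation; log_alert_level defaults to 3 as in the ossec.conf quoted earlier in this thread.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the two group-wrapped rules quoted in this thread.
SAMPLE_LOCAL_RULES = r"""
<group name="allow_messages">
  <rule id="100010" level="0">
    <decoded_as>json</decoded_as>
    <field name="timestamp">\.+</field>
    <description>Allow all messages.</description>
  </rule>

  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <field name="location">^EventChannel$</field>
    <description>Allow all logs</description>
  </rule>
</group>
"""

# Constructed, deliberately broken addition: outside any <group>, reuses id 100011,
# level above 16, and has no <description>.
BROKEN_LOCAL_RULES = r"""
<rule id="100011" level="20">
  <regex>\.</regex>
</rule>
"""

CUSTOM_ID_RANGE = (100000, 120000)  # ids reserved for user-defined rules
MAX_LEVEL = 16


def parse_rules(text):
    """Parse the <rule> elements of a Wazuh rules file into plain dicts.

    A rules file has no single root and usually holds several <group> elements,
    so the text is wrapped in a synthetic <root> before parsing. Rules found
    directly under that synthetic root are ones the file left outside any group.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    rules = []
    for parent in [root] + list(root.iter("group")):
        for rule in parent.findall("rule"):
            rules.append({
                "id": int(rule.get("id", "0")),
                "level": int(rule.get("level", "0")),
                "group": None if parent is root else parent.get("name"),
                "if_sid": [int(s) for el in rule.findall("if_sid")
                           for s in (el.text or "").split(",") if s.strip()],
                "description": (rule.findtext("description") or "").strip(),
                "options": [(el.text or "").strip() for el in rule.findall("options")],
            })
    return rules


def lint_rules(rules, log_alert_level=3):
    """Return (rule_id, message) pairs for anything that stops a custom rule from
    loading or from ever producing an alert."""
    findings = []
    ids = Counter(r["id"] for r in rules)
    for r in rules:
        rid = r["id"]
        if r["group"] is None:
            findings.append((rid, "rule is not inside a <group> element"))
        if ids[rid] > 1:
            findings.append((rid, "duplicate rule id"))
        if not CUSTOM_ID_RANGE[0] <= rid <= CUSTOM_ID_RANGE[1]:
            findings.append((rid, f"id is outside the user-defined range {CUSTOM_ID_RANGE}"))
        if not 0 <= r["level"] <= MAX_LEVEL:
            findings.append((rid, f"level {r['level']} is not between 0 and {MAX_LEVEL}"))
        elif r["level"] == 0:
            findings.append((rid, "level 0 never produces an alert (fine for a parent rule)"))
        elif r["level"] < log_alert_level:
            findings.append((rid, f"level {r['level']} is below log_alert_level "
                                  f"{log_alert_level}; matches reach archives.json only"))
        if "no_log" in r["options"]:
            findings.append((rid, "<options>no_log</options> suppresses the alert"))
        for sid in r["if_sid"]:
            if sid not in ids:
                findings.append((rid, f"if_sid {sid} is not defined in this file "
                                      "(it must exist in the built-in ruleset)"))
        if not r["description"]:
            findings.append((rid, "missing <description>"))
    return findings


def lint_file(path, log_alert_level=3):
    """Lint a rules file on disk, e.g. /var/ossec/etc/rules/local_rules.xml."""
    with open(path, encoding="utf-8") as fh:
        return lint_rules(parse_rules(fh.read()), log_alert_level)


if __name__ == "__main__":
    for rid, msg in lint_rules(parse_rules(SAMPLE_LOCAL_RULES + BROKEN_LOCAL_RULES)):
        print(f"rule {rid}: {msg}")
```

On the rules above the only finding is that 100010 has level 0, which is expected for a parent rule: it is 100011, the level-5 child, that has to fire for an alert to appear, so checking wazuh-logtest output for id 100011 rather than 100010 is the right test.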

Christian Borla

Dec 29, 2021, 11:07:04 AM
to Wazuh mailing list
Hi Ranjit,
I hope you are doing fine!
I found a way to process your example log:


{"timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS","ip":"*****"},"manager":{"name":"*****"},"id":"1640096603.336656","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}},"location":"EventChannel"}

To follow the whole process in my environment, I created a test.txt file on a Windows agent box, and added the following config:

  <localfile>
    <location>C:\Users\test.txt</location>
    <log_format>syslog</log_format>
  </localfile>


Then I updated the custom rule as follows:

<rule id="111111" level="4">
  <decoded_as>json</decoded_as>
  <description>Allow all logs</description>
  <options>no_full_log</options>
</rule>

And to collect the same event as you have, open the test.txt file on the agent, paste the example log into it and save the file changes; that will make the agent collect that event and send it to the manager.

As you can see, the manager processes it with the expected rule id.

In /var/ossec/logs/archives/archives.json it looks like:

{"timestamp":"2021-12-29T12:36:30.437-0300","rule":{"level":4,"description":"Allow all logs","id":"111111","firedtimes":2,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"001","name":"DESKTOP-U8OHD3A","ip":"192.168.100.72"},"manager":{"name":"chb-VBox"},"id":"1640792190.3093486","full_log":"{\"timestamp\":\"2021-12-21T14:23:23.904+0000\",\"agent\":{\"id\":\"003\",\"name\":\"Plugins-ADFS\",\"ip\":\"*****\"},\"manager\":{\"name\":\"*****\"},\"id\":\"1640096603.336656\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"providerGuid\\\":\\\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\\\",\\\"eventID\\\":\\\"108\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"4\\\",\\\"task\\\":\\\"108\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8000000000000000\\\",\\\"systemTime\\\":\\\"2021-12-21T14:23:20.012913000Z\\\",\\\"eventRecordID\\\":\\\"2486746518\\\",\\\"processID\\\":\\\"808\\\",\\\"threadID\\\":\\\"4724\\\",\\\"channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"computer\\\":\\\"Plugins-ADFS.logpoint.local\\\",\\\"severityValue\\\":\\\"INFORMATION\\\",\\\"message\\\":\\\"\\\\\\\"Task Scheduler launched \\\\\\\"{00000000-0000-0000-0000-000000000000}\\\\\\\"  instance of task \\\\\\\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\\\\\\\"  according to an event trigger.\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"taskName\\\":\\\"\\\\\\\\\\\\\\\\Event Viewer Tasks\\\\\\\\\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\\\",\\\"instanceId\\\":\\\"{00000000-0000-0000-0000-000000000000}\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}},\"location\":\"EventChannel\"}","decoder":{"name":"json"},"data":{"id":"1640096603.336656","timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS","ip":"*****"},"manager":{"name":"*****"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}},"location":"EventChannel"},"location":"\\Users\\asus\\test.txt"}

In /var/ossec/logs/alerts/alerts.json it looks like:

{"timestamp":"2021-12-29T12:36:30.437-0300","rule":{"level":4,"description":"Allow all logs","id":"111111","firedtimes":2,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"001","name":"DESKTOP-U8OHD3A","ip":"192.168.100.72"},"manager":{"name":"chb-VBox"},"id":"1640792190.3097636","decoder":{"name":"json"},"data":{"id":"1640096603.336656","timestamp":"2021-12-21T14:23:23.904+0000","agent":{"id":"003","name":"Plugins-ADFS","ip":"*****"},"manager":{"name":"*****"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-21T14:23:20.012913000Z\",\"eventRecordID\":\"2486746518\",\"processID\":\"808\",\"threadID\":\"4724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-21T14:23:20.012913000Z","eventRecordID":"2486746518","processID":"808","threadID":"4724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}},"location":"EventChannel"},"location":"\\Users\\asus\\test.txt"}

Let me know if that information is useful to you.
Regards.

ranjit nepal

unread,
Dec 30, 2021, 11:15:51 PM12/30/21
to Christian Borla, Wazuh mailing list
Hi Christian.
Thank you so much. This was really helpful.
I figured out that I made one mistake when testing with my logs: I was looking at the archive.json file instead of archive.log, which is why the event was in JSON format, but the actual event received is not. Here is the result of my recent logtest on an actual event.

root@Logpoint-139:/var/ossec# ./bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line

2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-31T04:09:14.594642400Z","eventRecordID":"21807928348","processID":"804","threadID":"6724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}


**Phase 1: Completed pre-decoding.
full event: '2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-31T04:09:14.594642400Z","eventRecordID":"21807928348","processID":"804","threadID":"6724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}'
timestamp: '2021 Dec 31 04:09:15'

**Phase 2: Completed decoding.
name: 'allow_all'
parent: 'allow_all'


**Phase 3: Completed filtering (rules).
id: '101010'
level: '9'
description: 'ALlow all logs not caught by inbuilt rules'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.


Here I am not using a regex in the decoder, to avoid the other parameters you told me about earlier.
My decoder and rules look as follows:

local_rules:-

  <rule id="101010" level="9">
    <regex type="pcre2">.*</regex>
    <description>ALlow all logs not caught by inbuilt rules</description>
  </rule>

local_decoder:-

<decoder name="allow_all">
    <prematch>\.</prematch>
</decoder>

<decoder name="allow_all">
    <parent>allow_all</parent>
    <prematch>(\.)</prematch>
</decoder>

The alerts are still not generated.
I am sorry about that JSON log I was sending earlier. I think we got sidetracked because of it.


Thanks,
Ranjit




Christian Borla

unread,
Jan 3, 2022, 2:39:41 PM1/3/22
to Wazuh mailing list
Hi Ranjit,
I hope you are doing fine!
I found a way to process your example log: I had to use EventChannel as a keyword to capture it, set it as action, and process the rest of the event.

The raw event:

2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-31T04:09:14.594642400Z","eventRecordID":"21807928348","processID":"804","threadID":"6724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}

Processed by logtest

**Phase 1: Completed pre-decoding.
        full event: '2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-31T04:09:14.594642400Z","eventRecordID":"21807928348","processID":"804","threadID":"6724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}'
        timestamp: '2021 Dec 31 04:09:15'

**Phase 2: Completed decoding.
        name: 'allow_all'
        action: 'EventChannel'
        data: 'any->'
        extra_data: ' {"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler","providerGuid":"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}","eventID":"108","version":"0","level":"4","task":"108","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-12-31T04:09:14.594642400Z","eventRecordID":"21807928348","processID":"804","threadID":"6724","channel":"Microsoft-Windows-TaskScheduler/Operational","computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION","message":"\"Task Scheduler launched \"{00000000-0000-0000-0000-000000000000}\"  instance of task \"\\Event Viewer Tasks\\Microsoft-Windows-TaskScheduler_Operational\"  according to an event trigger.\""},"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational","instanceId":"{00000000-0000-0000-0000-000000000000}"}}}'


**Phase 3: Completed filtering (rules).
        id: '101010'
        level: '9'
        description: 'ALlow all logs not caught by inbuilt rules'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '2'
        mail: 'False'
**Alert to be generated.
 

I found it in the alerts JSON file as:
{"timestamp":"2022-01-03T16:27:52.957-0300","rule":{"level":9,"description":"ALlow all logs not caught by inbuilt rules","id":"101010","firedtimes":2,"mail":false,"groups":["local","syslog","sshd"]},"agent":{"id":"003","name":"DESKTOP-U8OHD3A","ip":"192.168.100.72"},"manager":{"name":"chb-VBox"},"id":"1641238072.10342410","full_log":"2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel {\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-31T04:09:14.594642400Z\",\"eventRecordID\":\"21807928348\",\"processID\":\"804\",\"threadID\":\"6724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}","predecoder":{"timestamp":"2021 Dec 31 04:09:15"},"decoder":{"name":"allow_all"},"data":{"action":"EventChannel","data":"any->","extra_data":" {\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-TaskScheduler\",\"providerGuid\":\"{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}\",\"eventID\":\"108\",\"version\":\"0\",\"level\":\"4\",\"task\":\"108\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2021-12-31T04:09:14.594642400Z\",\"eventRecordID\":\"21807928348\",\"processID\":\"804\",\"threadID\":\"6724\",\"channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"computer\":\"Plugins-ADFS.logpoint.local\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Task Scheduler launched \\\"{00000000-0000-0000-0000-000000000000}\\\"  instance of task \\\"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational\\\"  according to an event trigger.\\\"\"},\"eventdata\":{\"taskName\":\"\\\\\\\\Event Viewer Tasks\\\\\\\\Microsoft-Windows-TaskScheduler_Operational\",\"instanceId\":\"{00000000-0000-0000-0000-000000000000}\"}}}"},"location":"\\Users\\asus\\test.txt"}

New decoder

<decoder name="allow_all">
    <prematch>\.</prematch>
</decoder>

<decoder name="allow_all">
  <parent>allow_all</parent>
  <regex type="pcre2">(?i)(.*)(EventChannel)(.*)</regex>
  <order>data,action,extra_data</order>
</decoder>

Same rule as yours

  <rule id="101010" level="9">
    <regex type="pcre2">.*</regex>
    <description>ALlow all logs not caught by inbuilt rules</description>
  </rule>

Every otherwise unprocessed event containing the word EventChannel will fall into this rule. It fills the action field with the EventChannel match, the data field with the text before EventChannel, and extra_data with the text after it.

Let me know if that works for you!
Regards!
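As an added illustration (not Christian's code, not Ranjit's, and not part of Wazuh), the Python below replays the three logtest phases from this post on a constructed, shortened copy of the raw event: the pre-decoding step is an assumption modelled only on the Phase 1/2 output shown above (timestamp split off, agent prefix consumed, data == 'any->'), the regex and <order> mapping are the child decoder above, and windows_fields is an extra step showing that the JSON left in extra_data can still be parsed for follow-up rules.

```python
import json
import re

# Constructed copy of the raw event from the thread, shortened to the keys used below
# (the real event carries more keys; taskName's escaping is kept exactly as posted).
RAW_EVENT = (
    '2021 Dec 31 04:09:15 (Plugins-ADFS) any->EventChannel '
    '{"win":{"system":{"providerName":"Microsoft-Windows-TaskScheduler",'
    '"eventID":"108","channel":"Microsoft-Windows-TaskScheduler/Operational",'
    '"computer":"Plugins-ADFS.logpoint.local","severityValue":"INFORMATION"},'
    r'"eventdata":{"taskName":"\\\\Event Viewer Tasks\\\\Microsoft-Windows-TaskScheduler_Operational",'
    '"instanceId":"{00000000-0000-0000-0000-000000000000}"}}}'
)

# Phase 1 (assumption): logtest split the timestamp off and Phase 2 reported
# data == 'any->', so the "(Plugins-ADFS) " agent prefix was consumed as well.
# This regex reproduces that observed behaviour; it is not Wazuh's pre-decoder.
PREDECODER = re.compile(r'^(\w{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(([^)]+)\) (.*)$')

# Phase 2: the child decoder from the post and its <order> list.
DECODER_REGEX = re.compile(r'(?i)(.*)(EventChannel)(.*)')
DECODER_ORDER = ('data', 'action', 'extra_data')

# Phase 3: the catch-all rule from the post; `.*` matches any log text.
RULE_REGEX = re.compile(r'.*')
RULE_ID, RULE_LEVEL = '101010', 9


def predecode(raw):
    m = PREDECODER.match(raw)
    if not m:
        return None
    return {'timestamp': m.group(1), 'agent': m.group(2), 'log': m.group(3)}


def decode_allow_all(log):
    """Apply the child decoder: zip the capture groups onto the <order> fields."""
    m = DECODER_REGEX.search(log)
    if not m:
        return None
    # Caveat: the leading (.*) is greedy, so if "EventChannel" appeared twice,
    # 'data' would run up to the LAST occurrence. The thread's event has it once.
    return dict(zip(DECODER_ORDER, m.groups()))


def process(raw):
    """Run the three phases as logtest shows them and report whether the rule fires."""
    pre = predecode(raw)
    if pre is None:
        return {'alert': False}
    decoded = decode_allow_all(pre['log'])
    fires = decoded is not None and RULE_REGEX.search(pre['log']) is not None
    return {'alert': fires, 'rule_id': RULE_ID if fires else None,
            'level': RULE_LEVEL if fires else None,
            'predecoder': pre, 'decoded': decoded}


def windows_fields(extra_data):
    """Parse the JSON the decoder left in extra_data (leading space included)
    and return the keys a more specific follow-up rule would match on."""
    win = json.loads(extra_data)['win']
    return {'providerName': win['system']['providerName'],
            'eventID': win['system']['eventID'],
            'channel': win['system']['channel'],
            'taskName': win['eventdata']['taskName']}
```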

Konrad Zuse

unread,
Jan 5, 2022, 3:26:01 PM1/5/22
to Wazuh mailing list
Hi everyone:
  I have installed Wazuh, but I want to have real SSL encryption on the URL for the browser. I have my own Certificate Authority server inside my LAN, and I have root-ca.key / root-ca.pem, but my question is about the following: for the secure website notification in the web browser, what information do I have to provide to my CA manager, and which of the following certificates do I have to change, JUST ONE OF THE FOLLOWING OR ALL OF THEM?? DO I HAVE TO CREATE A DIFFERENT ONE FOR EACH INSTANCE OR CAN I REUSE THE SAME ONE ON ALL OF THESE CERTIFICATED INSTANCES?? Running wazuh-cert-tool.sh does not solve this because it still generates independent self-signed certs and I need a Root-CA signed one to achieve a secure website notification.

/.../kibana/certs/

/.../elasticsearch/certs/

/.../filebeat/certs/

ranjit nepal

unread,
Jan 6, 2022, 10:53:19 PM1/6/22
to Christian Borla, Wazuh mailing list
Thank you so much Christian. I am sorry for the delay in replying. The solution you gave me worked.
Thank you again.

Regards,
Ranjit

Christian Borla

unread,
Jan 7, 2022, 5:56:19 AM1/7/22
to Wazuh mailing list
Hello Ranjit!
You are welcome! I'm glad to know that it works.

Regards!