Centralized Management: Updating Sysmon Configuration file via Wazuh


fazeen alan

Sep 9, 2024, 8:09:54 AM
to Wazuh | Mailing List

Hi Wazuh Community,

I’ve successfully installed Sysmon on 5 Windows endpoints and integrated them with Wazuh. To centrally manage the Sysmon config.xml file, I created a new group in the Wazuh manager and mapped all 5 agents under it. I then saved the config.xml file at /var/ossec/etc/shared/sysmon_windows, which allows me to push centralized changes to all agents.

However, the issue I'm facing is that, after modifying the config.xml centrally in Wazuh, I still need to manually access each endpoint to run the following command for the configuration update to apply:
sysmon64.exe -c "C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml".

Is there a way to automate this command execution using Wazuh’s FIM module or active response feature? If so, what steps do I need to follow to achieve this?

Wazuh version: 4.7.3

I’d appreciate any help or guidance ASAP on how to streamline this process!

Thanks,
Fazeen Alan

Rolly Davany Mougoue Kakanou

Sep 9, 2024, 8:27:26 AM
to Wazuh | Mailing List
Hello Fazeen,

To achieve the above requirement you can make use of the remote command capability. This enables the Wazuh server to run commands on agents of a given agent group. Note that remote commands are disabled by default for security reasons and have to be explicitly enabled on each agent. Follow the steps provided here to enable remote commands on your Windows endpoints.

Next you will have to include a command block in the agent.conf configuration file which is the main configuration file for your agent group:
<wodle name="command">
  <disabled>no</disabled>
  <!-- single quotes around the path, so the outer double quotes of -c are not broken -->
  <command>Powershell -c "sysmon64.exe -c 'C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml'"</command>
  <!-- the wodle also re-runs every interval (default 2s), so set one explicitly -->
  <interval>1d</interval>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

You can adjust the above wodle at your convenience by following the command wodle documentation.

Hope this answers your question, and I look forward to your feedback.

Kind Regards,
Rolly Mougoue

fazeen alan

Sep 9, 2024, 8:39:28 AM
to Wazuh | Mailing List

Thank you for sharing this information.

My specific requirement is to have the Sysmon command execute automatically on the endpoints only when a modification is made to the config.xml file. How can I configure this process so that the command runs on the endpoints and applies the changes without manual intervention?

Looking forward to your suggestions.

Regards,

Fazeen Alan

Rolly Davany Mougoue Kakanou

Sep 10, 2024, 9:21:55 PM
to Wazuh | Mailing List
Hello Fazeen and sorry for the late response. To achieve the above you can do the following:

1. Configure FIM to monitor changes to the sysmonconfig.xml file
2. Add the following rule to /var/ossec/etc/rules/local_rules.xml on the Wazuh server to avoid false positives when other file changes occur

<group name="conf_change,">
  <rule id="100100" level="5">
    <if_sid>550</if_sid>
    <!-- case-insensitive match on the Windows path reported by syscheck -->
    <field name="syscheck.path" type="pcre2">(?i)C:\\.+sysmonconfig.xml</field>
    <description>Sysmon configuration file changed</description>
  </rule>
</group>

3. Create a batch file, let's say command.bat, under C:\Program Files (x86)\ossec-agent\active-response\bin. This should be done on each of your agents
4. Edit the Wazuh server /var/ossec/etc/ossec.conf to add the following:

<command>
  <name>sysmon_exec</name>
  <executable>command.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>sysmon_exec</command>
  <location>local</location>
  <rules_id>100100</rules_id>
</active-response>


5. Reset the Wazuh services

With the above steps completed, the command will be automatically run on each of your agents when changes are brought to the sysmonconfig.xml file. Hope this answers your question.
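Step 1 is the part the procedure does not spell out: the agent must be told to watch the shared file, and quickly enough to matter. The fragment below is an added example, not part of the original answer; it assumes the group is named sysmon_windows as in the first post, so it belongs in /var/ossec/etc/shared/sysmon_windows/agent.conf. It watches the shared directory rather than the file because Wazuh real-time monitoring attaches to directories only, and uses restrict so that merged.mg and the other shared files, which change on every push, do not generate the 550 event that rule 100100 turns into an active response.

```xml
<agent_config os="Windows">
  <syscheck>
    <!-- realtime="yes" picks up the pushed file within seconds; without it the
         change is only seen on the next scheduled scan (default frequency 43200 s).
         Real-time only works on directories, hence the shared folder, not the file. -->
    <!-- restrict limits events to the Sysmon config; rule 100100 still matches the
         full path that syscheck reports. report_changes records the diff, so the
         alert itself shows what changed in the Sysmon ruleset. -->
    <directories realtime="yes" check_all="yes" report_changes="yes" restrict="sysmonconfig.xml">C:\Program Files (x86)\ossec-agent\shared</directories>
  </syscheck>
</agent_config>
```

Confirm on one endpoint that ossec.log shows the new directory being monitored, then edit the shared file and check that rule 100100 fires before relying on the active response.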

fazeen alan

Sep 11, 2024, 5:41:35 AM
to Wazuh | Mailing List
Thanks again for the response.
I have one more question, can you please explain this part: "1. Configure FIM to monitor changes to the sysmonconfig.xml file."

Looking forward to your clarification.

fazeen alan

Sep 12, 2024, 3:15:37 AM
to Wazuh | Mailing List

I followed the five steps mentioned, but the active response is not triggering for me.

Could you provide any guidance on what might be going wrong or if there are additional configurations I need to check?

Rolly Davany Mougoue Kakanou

Sep 12, 2024, 9:34:19 PM
to Wazuh | Mailing List
Hello Fazeen,

Does rule 100100 fire when you make changes to the config file?

Please provide ossec.log to view the Wazuh logs if any error was encountered and for troubleshooting.

fazeen alan

Sep 17, 2024, 12:22:27 AM
to Wazuh | Mailing List
The rule 100100 fires and gives alerts in Wazuh, but the active response didn't work. There are no errors in ossec.log.

fazeen alan

Sep 17, 2024, 1:01:52 AM
to Wazuh | Mailing List
Active response config:

<command>
  <name>sysmon_exec</name>
  <executable>command.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

  <!--
<active-response>
  <command>sysmon_exec</command>
  <location>defined-agent</location>
  <agent_id>004</agent_id>
  <rules_id>100200</rules_id>
</active-response>
  -->


FIM Rule:

<group name="local,syscheck,sysmon,">
  <!--
  Detecting changes in Sysmon configuration file
  -->
  <rule id="100200" level="12">
    <if_sid>550</if_sid>  <!-- Inherit from rule 550 for file integrity monitoring -->
    <match>c:\program files (x86)\ossec-agent\shared\sysmonconfig.xml</match> <!-- Path to Sysmon config file -->
    <description>Critical: Sysmon configuration file change detected on $(hostname).</description>
    <group>syscheck,sysmon,critical,</group>
  </rule>
</group>

fazeen alan

Sep 17, 2024, 1:10:26 AM
to Wazuh | Mailing List
I have changed the file path to monitor the config file on the Wazuh server:


<group name="local,syscheck,sysmon,">
  <!--
  Detecting changes in Sysmon configuration file
  -->
  <rule id="100200" level="12">
    <if_sid>550</if_sid>  <!-- Inherit from rule 550 for file integrity monitoring -->
    <match>/var/ossec/etc/shared/windows/sysmonconfig.xml</match> <!-- Path to Sysmon config file -->
    <description>Critical: Sysmon configuration file change detected on $(hostname).</description>
    <group>syscheck,sysmon,critical,</group>
  </rule>
</group>

Rolly Davany Mougoue Kakanou

Sep 18, 2024, 11:02:06 AM
to Wazuh | Mailing List
Hello Fazeen, when reviewing the steps I shared earlier I noticed I forgot an important piece of information. The command.bat file should contain your command: sysmon64.exe -c "C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml"

fazeen alan

Sep 25, 2024, 1:29:32 AM
to Wazuh | Mailing List
Thank you for the information.