Windows agent doesn't send all security events


Vladislav Antolik

Jul 18, 2024, 7:57:40 AM
to Wazuh | Mailing List
Hello,

I would like to monitor all security events from the Event Log, but in the Wazuh manager I can only see a few of them, 4634 and 4624. But in the Windows Event Log I can see more, e.g. 6272.

I made rules for 6272, and wazuh-logtest for event 6272 works OK.

Starting wazuh-logtest v4.8.0
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-10-03T14:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-10-03T14:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.authenticationProvider: '<none>'
        win.eventdata.authenticationServer: 'ithvbotp1op01'
        win.eventdata.authenticationType: 'Extension'
        win.eventdata.clientIPAddress: '10.201.166.21'
        win.eventdata.clientName: 'Smart_1_VPN'
        win.eventdata.loggingResult: 'Accounting information was written to the local log file.'
        win.eventdata.nASIPv4Address: '10.201.19.44'
        win.eventdata.proxyPolicyName: 'Use Windows authentication for all users'
        win.eventdata.subjectMachineSID: 'S-1-0-0'
        win.eventdata.subjectUserName: 'vi1cb17'
        win.eventdata.subjectUserSid: 'S-1-0-0'
        win.system.channel: 'Security'
        win.system.computer: 'ithvbotp1op01'
        win.system.eventID: '6272'
        win.system.eventRecordID: '39507771'
        win.system.keywords: '0x8020000000000000'
        win.system.level: '0'
        win.system.message: 'Network Policy Server granted access to a user.'
        win.system.opcode: '0'
        win.system.processID: '672'
        win.system.providerGuid: '{54849625-5478-4994-A5BA-3E3B0328C30D}'
        win.system.providerName: 'Microsoft-Windows-Security-Auditing'
        win.system.severityValue: 'AUDIT_SUCCESS'
        win.system.systemTime: '2019-10-03T14:23:41.073661300Z'
        win.system.task: '12552'
        win.system.threadID: '5748'
        win.system.version: '1'

**Phase 3: Completed filtering (rules).
        id: '60598'
        level: '4'
        description: 'OTP Used - Auth Successful'
        groups: '['windows', 'windows_security', 'ipsec']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

But I suppose that 6272 events don't arrive at the manager from the agent.
This shows nothing:
tail -f /var/ossec/logs/alerts/alerts.log | grep eventID\"\:\"6272\"

but on the Windows server the event is generated.

In the ossec.conf on the agent I tried this:
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

and this:
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

But still I can only see on the manager events 4634 and 4624.

Could you please help me with the correct configuration for the Windows agent to collect all events, or at least more than two?

Thank you.
Best regards,
V.

Anthony Faruna

Jul 18, 2024, 11:50:03 AM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav

To troubleshoot this issue and confirm that the logs are reaching the Wazuh manager, I need you to turn on the Wazuh archive on the Wazuh server.

When the archive log is enabled, Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. By default, Wazuh archives are disabled because they store many logs on the Wazuh server.

Please follow the steps below to enable Wazuh archives on the Wazuh server:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation: Wazuh Documentation | log all and Wazuh archive

This option will allow you to see all the events the Wazuh server monitors in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. 

After setting this option, restart the manager and check the archives.log file.

Note: Remember to disable the logall option once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

I will be expecting your feedback.

Best Regards


Vladislav Antolik

Jul 19, 2024, 1:21:14 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

it works exactly as you wrote. I was able to see the event.
Please, what is the next step I should take besides "logall yes"?
Thank you.

Best regards,
V.

Anthony Faruna

Jul 19, 2024, 8:14:08 AM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav

I'm glad to know you can see the events in the archives.

The next step is to use Wazuh Logtest to confirm if there are decoders and rules that match the event.

Please share the log with me and ensure to remove confidential information. 

Regards

Anthony Ugbede

Vladislav Antolik

Jul 22, 2024, 5:25:34 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

this is output from Wazuh Logtest. From my point of view it looks correct.

:/var/ossec/ruleset/decoders# /var/ossec/bin/wazuh-logtest
Thank you.

Best regards,
V.

Anthony Faruna

Jul 23, 2024, 12:31:29 PM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav

The output of the Wazuh Logtest shows that the log is already triggering an alert with rule ID 60598.

Please check this rule ID on your dashboard and let me know if you can see it.

Regards

Vladislav Antolik

Jul 24, 2024, 12:23:43 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

I can't confirm it.
I can't see rule id 60598 on the dashboard.
Is the output from wazuh-logtest also presented on the dashboard?

Thank you.
Best regards,

V.

Vladislav Antolik

Jul 31, 2024, 7:15:52 AM
to Wazuh | Mailing List
Hi Anthony,

are there any steps, which I can try?
Thank you.

Best regards,

V.

Anthony Faruna

Aug 6, 2024, 9:49:02 PM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav,

My sincere apologies for the delayed response.

Please let me know where you got the logs you shared with me.

The rule ID 60598 is not a custom rule; hence, it should be on your dashboard, unless the logs are not getting to your Wazuh manager.

I will be waiting for your response.

Regards

Vladislav Antolik

Aug 7, 2024, 2:14:08 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

sorry for the unclear explanation.

I made the custom rule under /var/ossec/etc/rules/local_rules.xml:

  <rule id="100002" level="4">
   <decoded_as>json</decoded_as>
   <field name="win.system.eventID">^6272$</field>
   <description>OTP Used - Auth Successful</description>
  </rule>

Then, the wazuh-logtest processed ok:

Starting wazuh-logtest v4.8.1
        id: '100002'
        level: '4'
        description: 'OTP Used - Auth Successful'
        groups: '['local', 'syslog', 'sshd']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

After a while, I saw that this event was generated on the agent (this agent works OK; I can see other events on the dashboard), but 6272 didn't come to Wazuh.
This grep was empty, and at the same time the dashboard didn't show the 6272 event.
tail -f /var/ossec/logs/alerts/alerts.log | grep eventID\"\:\"6272\"
Thank you.
Best regards,

V.

Anthony Faruna

Aug 7, 2024, 9:48:08 PM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav

I had to check your logs with Wazuh Logtest, and a default rule was triggered, although it's level zero.

**Messages:
INFO: (7202): Session initialized with token 'd5a05140'

**Phase 1: Completed pre-decoding.
id: '60103'
level: '0'
description: 'Windows audit success event.'
groups: '["windows","windows_security"]'
firedtimes: '1'
mail: 'false'

Please modify your rule to the following and let me know if it's working fine now

<rule id="100002" level="8">
   <if_sid>60103</if_sid>
   <description>OTP Used - Auth Successful</description>
  </rule>

Best Regards

Vladislav Antolik

Aug 9, 2024, 2:46:21 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

when I changed my local rule:
  <rule id="100002" level="4">
   <decoded_as>json</decoded_as>
   <field name="win.system.eventID">^6272$</field>
   <description>OTP Used - Auth Successful</description>
  </rule>

to yours:

<rule id="100002" level="8">
   <if_sid>60103</if_sid>
   <description>OTP Used - Auth Successful</description>
  </rule>

wazuh-logtest got stuck at phase 2 and didn't continue to phase 3.

root@dmza-c1-lse01:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.8.1
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-08-09T08:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-08-09T08:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}'
        win.system.systemTime: '2024-08-09T08:23:41.073661300Z'
        win.system.task: '12552'
        win.system.threadID: '5748'
        win.system.version: '1'

Maybe a stupid question, but where does the id 60103 that you write about come from?
When I use your rule, I lose the binding to event ID 6272, which is important for me.

Thank you.

Best regards,

V.

Anthony Faruna

Aug 9, 2024, 9:28:54 PM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav,

As I shared in my previous email, when you run Wazuh Logtest without the custom rule, that rule will be triggered by default.

For you to effectively test Windows events, you will need to modify rule 60000. You will find this rule in /var/ossec/ruleset/rules/0575-win-base_rules.xml. All eventchannel rules depend on this rule. To match it, the value of the <decoded_as> label must be modified to <decoded_as>json</decoded_as> and <category>ossec</category> must be removed. You were able to use Logtest all this while because your rule included <decoded_as>json</decoded_as>.

Please note that this change is only to test the rules, then it must return to its original state.

The rule will look as follows:

  <rule id="60000" level="0">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

I used Wazuh Logtest with the custom rule I recommended, and I got the result below;

**Messages:
INFO: (7202): Session initialized with token '28ccad8b'

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-08-09T08:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.authenticationProvider: '<none>'
        win.eventdata.authenticationServer: 'ithvbotp1op01'
        win.eventdata.authenticationType: 'Extension'
        win.eventdata.clientIPAddress: '10.201.166.21'
        win.eventdata.clientName: 'Smart_1_VPN'
        win.eventdata.loggingResult: 'Accounting information was written to the local log file.'
        win.eventdata.nASIPv4Address: '10.201.19.44'
        win.eventdata.proxyPolicyName: 'Use Windows authentication for all users'
        win.eventdata.subjectMachineSID: 'S-1-0-0'
        win.eventdata.subjectUserName: 'vi1cb17'
        win.eventdata.subjectUserSid: 'S-1-0-0'
        win.system.channel: 'Security'
        win.system.computer: 'ithvbotp1op01'
        win.system.eventID: '6272'
        win.system.eventRecordID: '39507771'
        win.system.keywords: '0x8020000000000000'
        win.system.level: '0'
        win.system.message: 'Network Policy Server granted access to a user.'
        win.system.opcode: '0'
        win.system.processID: '672'
        win.system.providerGuid: '{54849625-5478-4994-A5BA-3E3B0328C30D}'
        win.system.providerName: 'Microsoft-Windows-Security-Auditing'
        win.system.severityValue: 'AUDIT_SUCCESS'
        win.system.systemTime: '2024-08-09T08:23:41.073661300Z'
        win.system.task: '12552'
        win.system.threadID: '5748'
        win.system.version: '1'

**Phase 3: Completed filtering (rules).
        id: '100002'
        level: '8'
        description: 'OTP Used - Auth Successful'
        groups: '["local","syslog","sshd"]'
        firedtimes: '1'
        mail: 'false'
**Alert to be generated.

Please let me know if this helps.

Best Regards

Vladislav Antolik

Aug 13, 2024, 2:49:06 AM
to Anthony Faruna, Wazuh | Mailing List
Hi Anthony,

I changed the rule exactly according to your instructions and restarted wazuh-manager. The result was that I didn't receive any events, not only 6272 (the Wazuh dashboard was empty for this period of time). Also, wazuh-logtest stopped after phase 3 without "Alert to be generated".

root@dmza-c1-lse01:/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.8.1
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"6272","version":"1","level":"0","task":"12552","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-08-09T08:23:41.073661300Z","eventRecordID":"39507771","processID":"672","threadID":"5748","channel":"Security","computer":"ithvbotp1op01","severityValue":"AUDIT_SUCCESS","message":"Network Policy Server granted access to a user."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectUserName":"vi1cb17","subjectMachineSID":"S-1-0-0","nASIPv4Address":"10.201.19.44","clientName":"Smart_1_VPN","clientIPAddress":"10.201.166.21","proxyPolicyName":"Use Windows authentication for all users","authenticationProvider":"<none>","authenticationServer":"ithvbotp1op01","authenticationType":"Extension","loggingResult":"Accounting information was written to the local log file."}}}

**Phase 1: Completed pre-decoding.

        id: '60103'
        level: '0'
        description: 'Windows audit success event.'
        groups: '['windows', 'windows_security']'
        firedtimes: '1'
        mail: 'False'

After return the rule to this:
  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules.</description>
  </rule>

the events started to appear in dashboard, except 6272.

Thank you.
Best regards,
V.

Anthony Faruna

Aug 13, 2024, 12:16:55 PM
to Vladislav Antolik, Wazuh | Mailing List
Hello Vladislav,

I don't understand what you mean by the event started to appear except 6272. 

I thought the event was a log that contained event ID 6272.

The Wazuh Logtest would return no alert to be generated because the default rule is set to level zero, so I created a custom rule.

The result of the Wazuh Logtest is in my previous email, with a level 8 and an "Alert to be generated" message.

Regards
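The decoder-name gating that the last several messages circle around, as an added example that is not code from the thread or from Wazuh: a small Python stand-in for the rule tree, with 60000 and 60103 as quoted in the thread, the custom rule as first written (`decoded_as json`, id 100002), and a hypothetical variant (id 100003) that keeps `if_sid 60103` together with the eventID field match that the poster wanted to preserve. The decoder name `windows_eventchannel` for agent-forwarded events, the manager's default `log_alert_level` of 3, Python regexes standing in for Wazuh's own pattern syntax, and the "last matched rule wins" simplification are assumptions of this model, not Wazuh's engine.

```python
import re

# Assumed manager default <log_alert_level>; rules below it never produce alerts.
LOG_ALERT_LEVEL = 3

# Constructed events, reduced to the fields the rules below inspect. 6272 is the
# NPS "granted access" record from the thread; 4624 is an ordinary logon.
NPS_GRANT_6272 = {
    "win.system.providerName": "Microsoft-Windows-Security-Auditing",
    "win.system.eventID": "6272",
    "win.system.severityValue": "AUDIT_SUCCESS",
}
LOGON_4624 = {
    "win.system.providerName": "Microsoft-Windows-Security-Auditing",
    "win.system.eventID": "4624",
    "win.system.severityValue": "AUDIT_SUCCESS",
}

# Reduced rule set. 60000 and 60103 follow the definitions quoted in the thread;
# 100002 is the poster's first custom rule; 100003 is a hypothetical variant that
# keeps both the 60103 parent and the eventID binding. Field patterns are Python
# regexes standing in for Wazuh's own regex syntax (".+" for its "\.+").
DEFAULT_RULES = [
    {"id": 60000, "level": 0, "decoded_as": "windows_eventchannel",
     "fields": {"win.system.providerName": r".+"},
     "description": "Group of windows rules."},
    {"id": 60103, "level": 0, "if_sid": 60000,
     "fields": {"win.system.severityValue": r"^AUDIT_SUCCESS"},
     "description": "Windows audit success event."},
]
CUSTOM_RULES = [
    {"id": 100002, "level": 4, "decoded_as": "json",
     "fields": {"win.system.eventID": r"^6272$"},
     "description": "OTP Used - Auth Successful (decoded_as json)"},
    {"id": 100003, "level": 8, "if_sid": 60103,
     "fields": {"win.system.eventID": r"^6272$"},
     "description": "OTP Used - Auth Successful (if_sid 60103)"},
]
ALL_RULES = DEFAULT_RULES + CUSTOM_RULES


def rule_matches(rule, event, decoder, matched_ids):
    """A rule applies only if its decoded_as (when set) names the decoder that
    handled the event, its if_sid parent (when set) already matched, and every
    <field> pattern matches the corresponding decoded field."""
    if rule.get("decoded_as") not in (None, decoder):
        return False
    if "if_sid" in rule and rule["if_sid"] not in matched_ids:
        return False
    return all(re.search(pattern, event.get(name, "")) is not None
               for name, pattern in rule["fields"].items())


def evaluate(event, decoder, rules=ALL_RULES):
    """Walk the rules parents-first; children fire only under a matched parent.
    Simplification: the last rule matched wins. Returns None if nothing matched."""
    matched = []
    for rule in rules:
        if rule_matches(rule, event, decoder, {r["id"] for r in matched}):
            matched.append(rule)
    return matched[-1] if matched else None


def alert_generated(event, decoder, rules=ALL_RULES):
    """True when the winning rule's level reaches the alert threshold."""
    rule = evaluate(event, decoder, rules)
    return rule is not None and rule["level"] >= LOG_ALERT_LEVEL


if __name__ == "__main__":
    for label, event in (("6272", NPS_GRANT_6272), ("4624", LOGON_4624)):
        for decoder in ("json", "windows_eventchannel"):
            rule = evaluate(event, decoder)
            print(f"{label} via {decoder:>20}: "
                  f"{rule['id'] if rule else 'no match'}, "
                  f"alert={alert_generated(event, decoder)}")
```

Pasting the raw JSON into wazuh-logtest corresponds to the `json` decoder path in this model: rule 60000 never applies there, so neither 60103 nor anything hanging off it can fire, while a rule declared `decoded_as json` does. On the manager the same event arrives through `windows_eventchannel`, where the `decoded_as json` rule is invisible and only the `if_sid 60103` variant fires. With the default rules alone, 6272 ends on 60103 at level 0 and produces no alert, which is the original symptom; in this reduced rule set 4624 also stops at 60103, whereas the full ruleset has its own rules for it.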