No failed Windows login (id 4625) alerts in the dashboard


Логойский РГС

Mar 12, 2025, 4:43:34 AM3/12/25
to Wazuh | Mailing List
Hi
I configured the ossec.conf file on the Wazuh server to register minimum level 7 alerts, copied the rule for a failed Win login to the local_rules.xml file, edited the alert level to 7 and added the overwrite tag, restarted the manager, but still don't see any 4625 events being registered in Wazuh even though I could find the 4625 events in the Event Viewer on the PC.

Stuti Gupta

Mar 12, 2025, 5:05:37 AM3/12/25
to Wazuh | Mailing List
Hi 

Please check the archives.json log to see if an alert related to 4625 is there. For that you can use the following command:
cat /var/ossec/logs/archives/archives.json | grep 4625
Share the output of the same.

There are two rules related to 4625, please check which one is triggering:

  <rule id="60105" level="5">
    <if_sid>60104</if_sid>
    <field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</field>
    <description>Windows Logon Failure</description>
    <options>no_full_log</options>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="60122" level="5">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <description>Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

In case the log is not present, please share the ossec.log of both the wazuh-manager and the agent.

Looking forward to your response.
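Added worked example (not part of the thread and not Wazuh's own code): a small Python model of how the two rules quoted above chain through if_sid, so you can check which rule's level is the one compared against the ossec.conf log_alert_level when only one of them is overridden in local_rules.xml. It assumes the parent rule 60104 has already matched the Windows event, that the deepest matching child rule becomes the alert, and that alerts below log_alert_level are not written.

```python
import re

# Rule content taken from the two rules quoted in the reply above.
# The evaluation model (child with matching if_sid replaces its parent,
# deepest match supplies the alert level) is a simplifying assumption.
RULES = {
    60105: {"level": 5, "if_sid": 60104,
            "eventID": r"^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$",
            "description": "Windows Logon Failure"},
    60122: {"level": 5, "if_sid": 60105, "eventID": r"^529$|^4625$",
            "description": "Logon Failure - Unknown user or bad password"},
}

def apply_overrides(rules, overrides):
    """Model a local_rules.xml overwrite="yes" that only changes the level."""
    patched = {rid: dict(r) for rid, r in rules.items()}
    for rid, level in overrides.items():
        patched[rid]["level"] = level
    return patched

def final_rule(rules, event_id, start=60104):
    """Walk the if_sid chain from `start` (assumed already matched).

    Returns (rule id, level) of the deepest rule whose eventID regex
    matches, or None when no child rule matches at all.
    """
    winner, current = None, start
    while True:
        children = [rid for rid, r in rules.items()
                    if r["if_sid"] == current and re.search(r["eventID"], event_id)]
        if not children:
            return winner
        current = children[0]
        winner = (current, rules[current]["level"])

def alert_written(rules, event_id, log_alert_level):
    """True when the winning rule's level reaches <log_alert_level>."""
    match = final_rule(rules, event_id)
    return match is not None and match[1] >= log_alert_level

if __name__ == "__main__":
    for label, overrides in [("no override", {}),
                             ("60105 raised to 7", {60105: 7}),
                             ("60122 raised to 7", {60122: 7})]:
        rules = apply_overrides(RULES, overrides)
        print(label, final_rule(rules, "4625"), alert_written(rules, "4625", 7))
```

Run as a script it shows that raising only 60105 still leaves 60122 (level 5) as the winning rule for event 4625, so a log_alert_level of 7 filters the alert out; raising 60122 lets it through.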