Some events are missing due to agent.conf
Александр Юсин
Good afternoon
I use this configuration in agent.conf of the default group to avoid sending unnecessary win events:
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
<query>Event[System/EventID != 10028 and System/EventID != 10016 and System/EventID != 256 and System/EventID != 10036 and System/EventID != 44 and System/EventID != 7045 and System/EventID != 1257 and System/EventID != 5719 and System/EventID != 7023 and System/EventID != 4 and System/EventID != 1 and System/EventID != 36871 and System/EventID != 6003 and System/EventID ! = 1257 and System/EventID != 103 and System/EventID != 7034 and System/EventID != 36887 and System/EventID != 7000 and System/EventID != 36876 and System/EventID != 10010 and System/EventID != 7 and System/EventID != 36874 and System/EventID != 36882 and System/EventID != 7041 and System/EventID != 102 and System/EventID != 1 and System/EventID != 1069 and System/EventID != 5010 and System/EventID != 10005 and System/EventID != 1 and System/EventID != 7038 and System/EventID != 1014]</query>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event[System/EventID != 4673 and System/EventID != 5145 and System/EventID != 5152 and System/EventID != 5157 and System/EventID != 4656 and System/EventID != 4624 and System/EventID != 4732 and System/EventID != 4733 and System/EventID != 4738 and System/EventID != 4907 and System/EventID != 4719 and System/EventID != 4768 and System/EventID != 4674 and System/EventID ! = 4616 and System/EventID != 4957 and System/EventID != 4726 and System/EventID != 4737 and System/EventID != 4722 and System/EventID != 4742 and System/EventID != 4729 and System/EventID != 4755 and System/EventID != 4728 and System/EventID != 4720]</query>
</localfile>
But I ran into a problem that if I continue to add eventid (for example 4736 4767 4725) to the security section, then events with Event id 4776 simply stop appearing in wazuh. If we return everything to the form I wrote above, then everything works again. Perhaps other events are missing, but so far I have only noticed 4776, because... There were always a lot of them, and then they suddenly began to disappear.
I can’t understand why this behavior wazuh is connected, with a limitation on the number of exceptions in this way or with something else, but I would like to figure it out, because now it seems to me that I may be losing other events because of this setting.
I also know that I can simply write exceptions for these rules and assign them level 0, but I still wanted to understand how this is implemented now
Example of an event that disappears
{
"_index": "wazuh-alerts-4.x-2023.10.25",
"_id": "WMRPZ4sBymlCuJZTtXgm",
"_version": 1,
"_score": null,
"_source": {
"cluster": {
"node": "wazuh-1",
"name": "wazuh_cluster"
},
"input": {
"type": "log"
},
"agent": {
"ip": "172.21.3.15",
"name": "wrudc1i020",
"id": "4921"
},
"manager": {
"name": "urudc2ap476.brc.local"
},
"data": {
"win": {
"eventdata": {
"targetUserName": "******",
"workstation": "WORKSTATION",
"packageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"status": "0xc0000064"
},
"system": {
"eventID": "4776",
"keywords": "0x8010000000000000",
"providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"level": "0",
"channel": "Security",
"opcode": "0",
"message": "\"The computer attempted to validate the credentials for an account.\r\n\r\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\nLogon Account:\tS.Se...@modulbank.ru\r\nSource Workstation:\tWORKSTATION\r\nError Code:\t0xC0000064\"",
"version": "0",
"systemTime": "2023-10-25T14:49:16.625669900Z",
"eventRecordID": "5631396197",
"threadID": "9284",
"computer": "wrudc1i020.brc.local",
"task": "14336",
"processID": "860",
"severityValue": "AUDIT_FAILURE",
"providerName": "Microsoft-Windows-Security-Auditing"
}
}
},
"rule": {
"firedtimes": 296,
"mail": false,
"level": 5,
"hipaa": [
"164.312.b"
],
"pci_dss": [
"10.6.1"
],
"tsc": [
"CC7.2",
"CC7.3"
],
"description": "Windows audit failure event.",
"groups": [
"windows",
"windows_security"
],
"id": "60104",
"nist_800_53": [
"AU.6"
],
"gdpr": [
"IV_35.7.d"
]
},
"location": "EventChannel",
"decoder": {
"name": "windows_eventchannel"
},
"id": "1698245357.2276761202",
"timestamp": "2023-10-25T14:49:17.127+0000"
},
"fields": {
"timestamp": [
"2023-10-25T14:49:17.127Z"
]
},
"highlight": {
"rule.description": [
"@opensearch-dashboards-highlighted-field@Windows audit failure event.@/opensearch-dashboards-highlighted-field@"
],
"data.win.system.eventID": [
"@opensearch-dashboards-highlighted-field@4776@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1698245357127
]
}
Tomas Benitez Vescio
<location>Security</location>
<log_format>eventchannel</log_format>
<query>
\<Query Id="0" Path="Security"\>
\<Select Path="Security"\>*[System[(EventID != 1234)]]\</Select\>
\</Query\>
\</QueryList\>
</query>
</localfile>
Александр Юсин
Hi
I would like to figure out how to change my configuration so that it works without using QueryList, because in my opinion this configuration simply complicates mine.
At the moment we don't explicitly know which events we need and which we don't, if we see a useless event we add it to an exception, as in my configuration above, and before everything worked fine and the event no longer appeared. Now, after the accumulation of exceptions, any new addition completely disables the receipt of any alerts, and not just those in the exceptions.
We managed to figure out a pattern - if you use more than 23 eventids in exceptions, then any events stop appearing. I would like to know if this is how it was designed or if it can be fixed?