Re: Symantec Events


Federico Gustavo Galland

Dec 13, 2022, 10:37:30 AM
to Wazuh mailing list
Federico,

I'm sending this reply again since I think I hit the "reply to author" button instead of "reply to all".

First, you need to set up your "localfile" block on the Agent's config file as follows:

<localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
</localfile>

For all of the Application channel events to be forwarded to the Wazuh Manager.

Afterwards, you will need to enable logging of all incoming events to /var/ossec/logs/archives/archives.json by setting the "logall_json" variable to "yes" in /var/ossec/etc/ossec.conf.
Whenever you modify the ossec.conf file you need to restart the Manager by running:

systemctl restart wazuh-manager

With these two settings in place, any new events coming in from the Symantec Endpoint Protection software should be logged in raw form to the archives.json file.

You will need to trigger an event from the software on your endpoint, making sure it is visible in the Windows Event viewer. If it is, you will also need to make sure it's reaching archives.json.


With that, you will know we are pulling the logs correctly.

At this stage, these events may trigger one of our default Symantec rules:


If you don't see any alerts, you will need to write custom rules for this application.

The process is documented in the following links:


Basically you will have to take the json lines from archives.json and use the json fields within to create the conditions under which the new rules will be triggered.


You can share the pertinent archives.json lines with me if you need help setting up those new rules. I can provide some example custom rules based on your sample data for you to understand how to build your own.

Hopefully this will point you in the right direction. Let me know if anything needs clarifying.

Regards,
Federico

On Tuesday, December 13, 2022 at 9:25:37 AM UTC-3 Federico Lozan wrote:
Hello, how do I get wazuh to raise the "Symantec" events? I add the following code but it doesn't work for me:

<localfile>
  <location>Symantec Endpoint Protection Manager</location>
  <log_format>eventchannel</log_format>
</localfile>

The events are here:

Screenshot_1.png

Thanks

Federico Lozan

Dec 14, 2022, 9:33:06 AM
to Wazuh mailing list

Federico,
Thanks for the help,
I try to add the rules and I get the following error:
imagen_2022-12-14_113215171.png


Do you know what it is for?
Regards,

Federico Gustavo Galland

Dec 14, 2022, 9:57:25 AM
to Federico Lozan, Wazuh mailing list
Hi Federico,

The rule files I shared are part of the standard Wazuh Ruleset, so there is no need to put them into the local_rules.xml file. You are getting an error because they are found to be duplicates.

If you follow the rest of the procedure I outlined in my first reply, namely:
  • Setting up the agent's localfile config correctly (change the location to Application)
  • Setting up logall_json in the manager's ossec.conf and restarting it
  • Triggering the Anti-Virus with a test virus, and checking whether that generated an event visible through Windows Event Viewer
    • If the above is true, check whether you can see that Event within "/var/ossec/logs/archives/archives.json" in the manager.
  • Share the resulting archives.json alert lines with us.
We can help you start writing your own custom rules for these events. These will probably benefit the community as a whole.

Regards,
Federico
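The procedure above ends with taking the JSON lines from archives.json and using their fields as rule conditions. The following script is an added example, not part of this thread or of the Wazuh project: it reads constructed archives.json-style lines (not real Wazuh output), keeps only events whose win.system.providerName starts with "Symantec", lists the dotted field names a rule can reference, and drafts a local_rules.xml rule skeleton. It assumes the decoder emits fields under data.win.system and data.win.eventdata, that 60000 is the base windows_eventchannel rule, and uses 100100 as a placeholder custom rule id.

```python
import json

# Constructed sample lines in the shape of /var/ossec/logs/archives/archives.json
# for eventchannel events (not real Wazuh output): one Symantec event, one not.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2022-12-14T11:30:00.000-0300","agent":{"id":"001","name":"WIN-TEST"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Symantec AntiVirus","eventID":"51","channel":"Application","severityValue":"INFORMATION","message":"Security Risk Found! Risk: EICAR Test String"},"eventdata":{"data":"Security Risk Found! Risk: EICAR Test String"}}}}
{"timestamp":"2022-12-14T11:31:00.000-0300","agent":{"id":"001","name":"WIN-TEST"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-SPP","eventID":"16384","channel":"Application","severityValue":"INFORMATION","message":"Successfully scheduled Software Protection service"}}}}
'''

def flatten(obj, prefix=""):
    """Nested JSON -> dotted names, the form <field name="..."> expects in rules."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out

def symantec_events(archives_text, provider_prefix="Symantec"):
    """Flattened win.* fields of every event whose providerName starts with prefix."""
    found = []
    for line in archives_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it
        win = record.get("data", {}).get("win")
        if not isinstance(win, dict):
            continue  # not a windows_eventchannel record
        fields = flatten(win, "win")
        if str(fields.get("win.system.providerName", "")).startswith(provider_prefix):
            found.append(fields)
    return found

def rule_skeleton(fields, rule_id=100100, level=5):
    """Draft a local_rules.xml rule keyed on provider and event ID.
    rule_id is a placeholder; 60000 is assumed to be the base eventchannel rule."""
    provider = fields["win.system.providerName"]
    event_id = fields["win.system.eventID"]
    return (
        f'<rule id="{rule_id}" level="{level}">\n'
        f'  <if_sid>60000</if_sid>\n'
        f'  <field name="win.system.providerName">^{provider}$</field>\n'
        f'  <field name="win.system.eventID">^{event_id}$</field>\n'
        f'  <description>{provider}: event ID {event_id}</description>\n'
        f'</rule>'
    )
```

Run it against real archives.json lines instead of SAMPLE_ARCHIVES once events are reaching the manager; the field names it prints are the ones to put in `<field name="...">` conditions.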


Federico Lozan

Dec 14, 2022, 2:03:15 PM
to Wazuh mailing list
Federico,
I did all the steps, but in the logs I do not receive any from Symantec.
Any other recommendation?
Thank you,
Regards

Federico Gustavo Galland

Dec 15, 2022, 3:47:29 AM
to Federico Lozan, Wazuh mailing list
Hi there,

Can you check if you see any activity on Windows' Event Viewer?

Marlon Estrella

Oct 8, 2024, 9:10:27 PM
to Wazuh | Mailing List
I also tried this setup. I receive logs in the Event Viewer but nothing in Wazuh.

Thank you!

Marlon Estrella

Oct 8, 2024, 9:12:16 PM
to Wazuh | Mailing List
I also receive errors.
wazuher.PNG