Hello atiye dehghani,
Hi,
What's the difference between query and querylist in Wazuh?
I think you are referring to the <query> and <QueryList> options in the “Filtering events from Windows Event Channel with queries” context.
You can ingest Eventchannel logs and trim some using the query option.
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event[System/EventID = 4624 and (EventData/Data[@Name='LogonType'] = 2 or EventData/Data[@Name='LogonType'] = 10)]</query>
</localfile>
You can also ingest Eventchannel logs and trim them using <QueryList> to go further in the filtering.
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>
    \<QueryList>
      \<Query Id="0" Path="Security">
        \<Select Path="Security">*[System[(EventID=4817 or EventID=4826)]]\</Select>
        \<Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]\</Select>
      \</Query>
    \</QueryList>
  </query>
</localfile>
In short, <query> is a Wazuh <localfile> option. <QueryList> is a Windows option for filtering events. You can use <QueryList> within <localfile>.
Let me know if you need further guidance on Windows log collection.
Greetings,
JP
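A practical check that goes with the answer above, added here as an example and not part of the original thread or of Wazuh's own tooling: before putting either filter form into ossec.conf, dry-run it against the local Security log with Get-WinEvent. The plain XPath from the <query> example maps to -FilterXPath, and the <QueryList> example maps to -FilterXml. The event IDs and expressions are the ones quoted in the thread; the backslash escapes (\<) are assumed to be needed only by the Wazuh configuration parser, so they are stripped for the Windows API call and re-added at the end. Run it in an elevated PowerShell session on the monitored host.

```powershell
# Added example: dry-run the two Wazuh eventchannel filter forms from the
# thread against the local Security log before deploying them.
# Requires an elevated session (the Security log needs administrator rights).

# 1) The <query> form: a plain XPath expression, same text as in the thread.
$xpath = "Event[System/EventID = 4624 and (EventData/Data[@Name='LogonType'] = 2 or EventData/Data[@Name='LogonType'] = 10)]"

# Get-WinEvent raises an error (not an empty result) when nothing matches,
# so suppress it and count what came back.
$xpathHits = @(Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue)
"XPath form matched $($xpathHits.Count) of the 5 most recent candidate event(s)"

# 2) The <QueryList> form: the same XML as in the thread, without the
#    backslash escapes. The '\<' escapes are assumed to be a Wazuh config
#    parser convention; the Windows Event Log API expects plain XML.
$queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4817 or EventID=4826)]]</Select>
    <Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]</Select>
  </Query>
</QueryList>
"@

$listHits = @(Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 5 -ErrorAction SilentlyContinue)
"QueryList form matched $($listHits.Count) of the 5 most recent candidate event(s)"
$listHits | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# 3) Once the QueryList returns what you expect, emit it in the escaped form
#    shown in the thread for pasting into the <query> element of ossec.conf.
$escaped = $queryList -replace '<', '\<'
"--- escaped QueryList for ossec.conf ---"
$escaped
```

If the QueryList returns zero events here, the Wazuh agent will forward nothing for it either, so a mismatch between the two counts is usually a typo in an EventID or in the Path attribute rather than an agent problem. Event IDs 4688/4689 only appear when process creation auditing is enabled on the host, so an empty result for that <Select> can also mean the audit policy is off rather than the filter being wrong.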