windows event logs from a perticular folder to wazuh

[Leo Francis]

Hi Team, I have been using Wazuh for a considerable period of time. However, I have recently faced a constraint where I need to analyse Windows event logs that are stored in a specific folder on my Wazuh server. I would greatly appreciate your guidance on how to effectively analyse these logs and obtain the necessary insights. Thank you for your assistance.

[Antonio Kim]

Hi Leo

Thanks for using Wazuh.
In order to work with Windows event logs I recommend to you check this documentation.

Unfortunately, Wazuh does not support Windows event logs as usual logs.
When you are trying to decode a log you will realize that the structure of the log that Wazuh is importing from the Windows Agent is completely different than the usual log.
Therefore, you will not be able to use normal decoders but you will be able to use rulesets to parse the information.
The event will be structured in a format similar to 'json'', then you can use the rule with this setting <decoded_as> with 'json' parameter:

<rule id="60000" level="0"> <decoded_as>json</decoded_as> <field name="win.system.providerName">\.+</field> <options>no_full_log</options> <description>Group of windows rules.</description> </rule>

Hope this information is useful for facing your use case.

Antonio

[Leo Francis]

Hi Antonio,

Thank you for your prompt response. My primary concern is analyzing 2 months' worth of Windows logs in the ".evtx" format. I want to push these logs to Wazuh for analysis, but I'm unable to use the Wazuh agent to pull the logs directly from Windows. The logs are already stored in a specific folder on my Wazuh server. Could you please provide guidance on the next steps to import the logs into Wazuh and analyze them using the pre-built decoders and rules?

Thank you

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/B7dY-uQnN4M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d21b2192-0263-487f-ae24-808ff3a1dcd9n%40googlegroups.com.

--

Best Regards,

Leo Francis | CEH® |

Trainee Security Engineer | Soc Team | 

Auriseg Consulting Private Limited

CERT - IN Empaneled Security Agency (India Region)

 M: +91 7902505482

[Antonio Kim]

Hi Leo,

Let me research about this use case.
I will be back with an answer.

Antonio

[Antonio Kim]

I got a question before start my research.

May I ask you how those logs are in Wazuh-manager instead of in Wazuh-agent?
Did you move it there for some specific purpose?

Antonio

[Leo Francis]

Hi Antonio, 

Right now I am conducting a compromise assessment, and for this purpose, I need to analyze logs from the past 2-3 months. These logs are currently saved in a folder. I was thinking of transferring these logs to the Wazuh server and fetching them from there. If there is an alternative method, please let me know. My main objective is to analyze the logs stored in the folder from the past 2-3 months.

Thank you

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/36ff5d99-74ba-46d1-a382-64971d252726n%40googlegroups.com.

[Antonio Kim]

Ok.

I could do some research about your use case and I could find this previous issue.

I believe that the answer fits perfectly with your use case.

You can try using Winlogbeat-Bulk-Read.ps1 to consume the information from your 'evtx' file. This is an alternative solution (Wazuh does not have an implementation to do so directly)

Hope this information is useful.

Antonio

[Leo Francis]

Hi Antonio,

Thankyou for your response, I definitely look to  this use case and if any doubt i will get back to you.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d21b912a-fcf2-47ce-a816-bbf0a1e0626cn%40googlegroups.com.