Windows agent doesn't send all security events
223 views
Skip to first unread message
Mohamed Maslouh
Sep 2, 2024, 2:02:00 AM9/2/24
to Wazuh | Mailing List
Hello,
i can see just a few security events comming from my domain controllers, i don't get every all securty events.
for exemle i get 10 x "4769 events" in 30 minutes.
i tried to run a kerbresoating attack, the event is logged well in windows events console but not showed in wazuh.
hasitha.u...@wazuh.com
Sep 2, 2024, 4:56:54 AM9/2/24
to Wazuh | Mailing List
Hello Mohamed,
To investigate the attack, start by checking the number of events in the Event Viewer and compare them with the alerts in the Dashboard, specifically looking for Event ID 4769.
Alerts triggered with Rule ID 60131 are associated with Event ID 4769:
<rule id="60131" level="5">
<if_sid>60104</if_sid>
<field name="win.system.eventID">^673$|^675$|^681$|^4769$</field>
<description>Windows DC Logon Failure</description>
<options>no_full_log</options>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
If the number of alerts in the Dashboard does not match the number of events in the Event Viewer, you should also check the archive logs.
To access all logs, enable archive logging in the Wazuh configuration file by following these steps:
Open the Wazuh configuration file located at /var/ossec/ossec.conf.
Set <logall_json> to yes as shown below:
<ossec_config>
<global>
...
<logall_json>yes</logall_json>
...
</global>
</ossec_config>
Restart the Wazuh manager with the following command:
systemctl restart wazuh-manager
Once archive logging is enabled, you can find the logs in the archive log file. Use the following command to filter the logs for specific text:
cat /var/ossec/logs/archives/archives.json | grep -i -E "text which match with log"
Based on these logs, you may need to create custom rules. For more information on creating custom rules, please refer to the Wazuh documentation.
Let me know if you need further assistance.
Regards,Hasitha Upekshitha
Mohamed Maslouh
Sep 2, 2024, 7:28:36 AM9/2/24
to Wazuh | Mailing List
Hello Hasitha,
The 4769 events on dashboard are less than what i get in archive log file,
3299 line on the json log file vs 391 on dashboard.
Also when i test the event log on logtest tool, the rule below is not triggered.
<rule id="110002" level="12">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4769$</field>
<field name="win.eventdata.TicketOptions" type="pcre2">0x40810000</field>
<field name="win.eventdata.TicketEncryptionType" type="pcre2">0x17</field>
<options>no_full_log</options>
<description>Possible Keberoasting attack</description>
</rule>
Mohamed Maslouh
Sep 2, 2024, 7:45:38 AM9/2/24
to Wazuh | Mailing List
Hello,
I Can many ignore messages on the Lrules test console.
**Messages:
WARNING: (7003): 'a24e5dfa' token expires
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110001'.
WARNING: (7619): Empty 'if_sid' value. Rule '110001' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110009'.
WARNING: (7619): Empty 'if_sid' value. Rule '110009' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110002'.
WARNING: (7619): Empty 'if_sid' value. Rule '110002' will be ignored.
WARNING: (7617): Signature ID '61600' was not found and will be ignored in the 'if_sid' option of rule '110004'.
WARNING: (7619): Empty 'if_sid' value. Rule '110004' will be ignored.
WARNING: (7610): Group 'sysmon_event1' was not found. Invalid 'if_group'. Rule '110006' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110007'.
WARNING: (7619): Empty 'if_sid' value. Rule '110007' will be ignored.
WARNING: (7617): Signature ID '61612' was not found and will be ignored in the 'if_sid' option of rule '110008'.
WARNING: (7619): Empty 'if_sid' value. Rule '110008' will be ignored.
WARNING: (7617): Signature ID '61603' was not found and will be ignored in the 'if_sid' option of rule '107000'.
WARNING: (7619): Empty 'if_sid' value. Rule '107000' will be ignored.
WARNING: (7617): Signature ID '61610' was not found and will be ignored in the 'if_sid' option of rule '107001'.
WARNING: (7619): Empty 'if_sid' value. Rule '107001' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160010' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160011' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160012' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160013' will be ignored.
WARNING: (7613): Rule ID '100100' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100101' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100301' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100302' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100303' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100304' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100305' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100306' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100401' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100402' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100403' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100601' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
INFO: (7202): Session initialized with token 'a5902a0a'
WARNING: (7003): 'a24e5dfa' token expires
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110001'.
WARNING: (7619): Empty 'if_sid' value. Rule '110001' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110009'.
WARNING: (7619): Empty 'if_sid' value. Rule '110009' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110002'.
WARNING: (7619): Empty 'if_sid' value. Rule '110002' will be ignored.
WARNING: (7617): Signature ID '61600' was not found and will be ignored in the 'if_sid' option of rule '110004'.
WARNING: (7619): Empty 'if_sid' value. Rule '110004' will be ignored.
WARNING: (7610): Group 'sysmon_event1' was not found. Invalid 'if_group'. Rule '110006' will be ignored.
WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110007'.
WARNING: (7619): Empty 'if_sid' value. Rule '110007' will be ignored.
WARNING: (7617): Signature ID '61612' was not found and will be ignored in the 'if_sid' option of rule '110008'.
WARNING: (7619): Empty 'if_sid' value. Rule '110008' will be ignored.
WARNING: (7617): Signature ID '61603' was not found and will be ignored in the 'if_sid' option of rule '107000'.
WARNING: (7619): Empty 'if_sid' value. Rule '107000' will be ignored.
WARNING: (7617): Signature ID '61610' was not found and will be ignored in the 'if_sid' option of rule '107001'.
WARNING: (7619): Empty 'if_sid' value. Rule '107001' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160010' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160011' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160012' will be ignored.
WARNING: (7610): Group 'windows,sysmon' was not found. Invalid 'if_group'. Rule '160013' will be ignored.
WARNING: (7613): Rule ID '100100' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100101' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100301' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100302' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100303' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100304' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100305' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100306' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100401' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100402' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100403' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
WARNING: (7613): Rule ID '100601' does not exist but 'overwrite' is set to 'yes'. Still, the rule will be loaded.
INFO: (7202): Session initialized with token 'a5902a0a'
hasitha.u...@wazuh.com
Sep 3, 2024, 1:56:31 AM9/3/24
to Wazuh | Mailing List
Hello Mohamed,
It appears that rule 60103 is missing from your Wazuh rule files. Please confirm if you've made any changes to the default rule files, particularly in the 0580-win-security_rules.xml file.
You can review the original rule file here: 0580-win-security_rules.xml on GitHub.
The following warnings indicate that the rule is missing:
- WARNING: (7617): Signature ID '60103' was not found and will be ignored in the 'if_sid' option of rule '110002'.
- WARNING: (7619): Empty 'if_sid' value. Rule '110002' will be ignored.
Based on these warnings, it seems the rule is missing.
Let me know the update on this.
Regards,
Hasitha Upekshitha
Message has been deleted
Message has been deleted
Mohamed Maslouh
Sep 9, 2024, 4:22:49 AM9/9/24
to Wazuh | Mailing List
Hello
Hasitha
I had to restart wazuh so the ignore messages are disappeared,
The big problem now is the most of 4769 event are not show on dashboard.
I can see the kerberoasting event on the archive file, but nothing show up on he dashboard, even the related 4769 event.
hasitha.u...@wazuh.com
Sep 11, 2024, 11:18:34 PM9/11/24
to Wazuh | Mailing List
Hello Mohamed,
Can you try on Ruleset Tool under server management? If the logs match the decoders and rules using the Wazuh Ruleset Test, the fact that you don't see the alerts in the dashboard means that there is a communication problem between Filebeat and the Wazuh-Indexer (discarded if you see other events in the dashboard) or that there is a conflict when indexing the information of the alerts.
You can run filebeat test output to verify communication issues. Run this on the Wazuh Manager nodes.
You can check the Filebeat logs, Indexer logs and Dashboard logs in search of clues to verify if this is the issue.
grep -iE "error|warn" /var/logs/filebeat/filebeat* (Manager nodes)
grep -iE "error|warn" /var/logs/wazuh-indexer/(cluster-name).log (Wazuh Indexer nodes)
journalctl -xeu wazuh-dashboard --no-pager | grep -iE "error|warn" (Wazuh Dashboard node)
For further assistance, please share a full log with masking the sensitive data with unusable values.
Please let me know if you find any errors in these logs.
Regards,
Hasitha Upekshitha
Can you try on Ruleset Tool under server management? If the logs match the decoders and rules using the Wazuh Ruleset Test, the fact that you don't see the alerts in the dashboard means that there is a communication problem between Filebeat and the Wazuh-Indexer (discarded if you see other events in the dashboard) or that there is a conflict when indexing the information of the alerts.
You can run filebeat test output to verify communication issues. Run this on the Wazuh Manager nodes.
You can check the Filebeat logs, Indexer logs and Dashboard logs in search of clues to verify if this is the issue.
grep -iE "error|warn" /var/logs/filebeat/filebeat* (Manager nodes)
grep -iE "error|warn" /var/logs/wazuh-indexer/(cluster-name).log (Wazuh Indexer nodes)
journalctl -xeu wazuh-dashboard --no-pager | grep -iE "error|warn" (Wazuh Dashboard node)
For further assistance, please share a full log with masking the sensitive data with unusable values.
Please let me know if you find any errors in these logs.
Regards,
Hasitha Upekshitha
Message has been deleted
Mohamed Maslouh
Sep 12, 2024, 4:55:09 AM9/12/24
to Wazuh | Mailing List
Hello Hasitha,
Here is event log that im using for test, after masking all sensitive data (i get it from wazuh logs).
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{XXXXXX-XXXXXX-XXXXXXX-XXXXXXX}","eventID":"4769","version":"0","level":"0","task":"14337","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-09-02T11:13:03.314159800Z","eventRecordID":"158604995","processID":"760","threadID":"2008","channel":"Security","computer":"DC.LAB.LOCAL","severityValue":"AUDIT_SUCCESS","message":"\"Un ticket de service Kerberos a été demandé.\r\n\r\nInformations sur le compte :\r\n\tNom du compte :\t\tt...@LAB.LOCAL\r\n\tDomaine du compte :\t\tLAB.LOCAL\r\n\tGUID d’ouverture de session :\t\t{XXXXXXX-XXXXX-XXXXXXX-XXXX}\r\n\r\nInformations sur le service :\r\n\tNom du service :\t\tTestWeb\r\n\tID du service :\t\tS-1-5-21-ZZZZ-ZZZZZ-ZZZZZZ-ZZZZZ\r\n\r\nInformations sur le réseau :\r\n\tAdresse du client :\t\t::ffff:Y.Y.Y.Y\r\n\tPort client :\t\t50816\r\n\r\nInformations supplémentaires :\r\n\tOptions du ticket :\t\t0x40810010\r\n\tType de chiffrement du ticket :\t0x17\r\n\tCode d’échec :\t\t0x0\r\n\tServices en transit :\t-\r\n\r\nC’et événement est généré à chaque fois qu’un accès est demandé à une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource à laquelle l’accès à été demandé.\r\n\r\nCet événement peut être associé à des événements de connexion Windows en comparant les champs GUID d’ouverture de session de chaque événement. L’événement de connexion se produit sur l’ordinateur sur lequel l’accès s’est effectué, qui souvent n’est pas le même ordinateur que le contrôleur de domaine qui a émis le ticket de service.\r\n\r\nLes options de ticket, les types de chiffrement et les codes d’échec sont définis dans la RFC 4120.\""},"eventdata":{"targetUserName":"te...@LAB.LOCAL","targetDomainName":"LAB.LOCAL","serviceName":"TestWeb","serviceSid":"S-1-5-21-ZZZZ-ZZZZZ-ZZZZZZ-ZZZZZ","ticketOptions":"0x40810010","ticketEncryptionType":"0x17","ipAddress":"::ffff:Y.Y.Y.Y","ipPort":"50816","status":"0x0","logonGuid":"{XXXXXXX-XXXXX-XXXXXXX-XXXX}"}}}
On Wazuh Ruleset Tool, when i run this event with the real data for test, in the first time it show me many ignorance warnings. Also, it show me the **Phase 1: Completed pre-decoding and the **Phase 2: Completed decoding and i can see the decoded data but no matching rule.
Here are screenshots after removing sensitive data.
If i run the test for a seconde time, the ignorance warning disappears but i got the same result.
Here is event log that im using for test, after masking all sensitive data (i get it from wazuh logs).
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{XXXXXX-XXXXXX-XXXXXXX-XXXXXXX}","eventID":"4769","version":"0","level":"0","task":"14337","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-09-02T11:13:03.314159800Z","eventRecordID":"158604995","processID":"760","threadID":"2008","channel":"Security","computer":"DC.LAB.LOCAL","severityValue":"AUDIT_SUCCESS","message":"\"Un ticket de service Kerberos a été demandé.\r\n\r\nInformations sur le compte :\r\n\tNom du compte :\t\tt...@LAB.LOCAL\r\n\tDomaine du compte :\t\tLAB.LOCAL\r\n\tGUID d’ouverture de session :\t\t{XXXXXXX-XXXXX-XXXXXXX-XXXX}\r\n\r\nInformations sur le service :\r\n\tNom du service :\t\tTestWeb\r\n\tID du service :\t\tS-1-5-21-ZZZZ-ZZZZZ-ZZZZZZ-ZZZZZ\r\n\r\nInformations sur le réseau :\r\n\tAdresse du client :\t\t::ffff:Y.Y.Y.Y\r\n\tPort client :\t\t50816\r\n\r\nInformations supplémentaires :\r\n\tOptions du ticket :\t\t0x40810010\r\n\tType de chiffrement du ticket :\t0x17\r\n\tCode d’échec :\t\t0x0\r\n\tServices en transit :\t-\r\n\r\nC’et événement est généré à chaque fois qu’un accès est demandé à une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource à laquelle l’accès à été demandé.\r\n\r\nCet événement peut être associé à des événements de connexion Windows en comparant les champs GUID d’ouverture de session de chaque événement. L’événement de connexion se produit sur l’ordinateur sur lequel l’accès s’est effectué, qui souvent n’est pas le même ordinateur que le contrôleur de domaine qui a émis le ticket de service.\r\n\r\nLes options de ticket, les types de chiffrement et les codes d’échec sont définis dans la RFC 4120.\""},"eventdata":{"targetUserName":"te...@LAB.LOCAL","targetDomainName":"LAB.LOCAL","serviceName":"TestWeb","serviceSid":"S-1-5-21-ZZZZ-ZZZZZ-ZZZZZZ-ZZZZZ","ticketOptions":"0x40810010","ticketEncryptionType":"0x17","ipAddress":"::ffff:Y.Y.Y.Y","ipPort":"50816","status":"0x0","logonGuid":"{XXXXXXX-XXXXX-XXXXXXX-XXXX}"}}}
On Wazuh Ruleset Tool, when i run this event with the real data for test, in the first time it show me many ignorance warnings. Also, it show me the **Phase 1: Completed pre-decoding and the **Phase 2: Completed decoding and i can see the decoded data but no matching rule.
Here are screenshots after removing sensitive data.
Mohamed Maslouh
Sep 12, 2024, 11:43:51 AM9/12/24
to Wazuh | Mailing List
Here are results from the logs.
grep -iE "error|warn" /var/log/filebeat/filebeat
grep -iE "error|warn" /var/log/wazuh-indexer/wazuh-cluster.log
journalctl -xeu wazuh-dashboard --no-pager | grep -iE "error|warn"
hasitha.u...@wazuh.com
Sep 13, 2024, 2:45:34 AM9/13/24
to Wazuh | Mailing List
Hello Mohamed,
by default the logtest is not able to test the logs that comes via eventchannel.
However there is a workaround: Backup the file /var/ossec/ruleset/rules/0575-win-base_rules.xml and modify the rule 60000 inside that file, removing the category and changing the decoded_as to json.
<rule id="60000" level="0">
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Now you can test your log with the logtest and confirm if the rule is working. It is not necessary to restart the manager after modifying this or any rules file in order to use the logtest.
systemctl restart wazuh-manager
WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.
Regards,
Hasitha Upekshitha
by default the logtest is not able to test the logs that comes via eventchannel.
However there is a workaround: Backup the file /var/ossec/ruleset/rules/0575-win-base_rules.xml and modify the rule 60000 inside that file, removing the category and changing the decoded_as to json.
<rule id="60000" level="0">
<decoded_as>json</decoded_as>
<field name="win.system.providerName">\.+</field>
<options>no_full_log</options>
<description>Group of windows rules.</description>
</rule>
Now you can test your log with the logtest and confirm if the rule is working. It is not necessary to restart the manager after modifying this or any rules file in order to use the logtest.
systemctl restart wazuh-manager
WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.
Regards,
Hasitha Upekshitha
Reply all
Reply to author
Forward
0 new messages