Problem collecting Kaspersky Log

Stefano Serano
Jun 6, 2019, 4:50:19 AM
to Wazuh mailing list
Hi all,
I'm trying to collect logs from the Kaspersky Event Channel; to do this I've followed this guide:

So, I've configured this in the agent config file:

  <localfile>
    <location>Kaspersky Event Log</location>
    <log_format>eventchannel</log_format>
  </localfile>


And restarted the agent; as far as that goes, all seems fine:

2019/06/06 10:33:37 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.
2019/06/06 10:33:37 ossec-agent: INFO: (1951): Analyzing event log: 'Kaspersky Event Log'.
2019/06/06 10:33:37 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.
2019/06/06 10:33:37 ossec-agent: INFO: (1951): Analyzing event log: 'System'.

I've enabled the "log all" option on the manager, then generated a KES log by restarting the KES agent; after a few seconds I was able to see the log in the Archive.json file (see the attachment).

At this point I've written this rule:

  <rule id="100007" level="10">
    <field name="win.system.providerName">klnagent</field>
    <field name="win.system.eventID">1</field>
    <description>Kaspersky Agent Restarted</description>
  </rule>

And here I'm stuck: if I try to trigger the rule by restarting the KES agent I can still see the log in the Archive file, but the rule is not triggered. What am I doing wrong?


Have a nice day.
Attachment: alert.json

Juan Pablo Saez
Jun 6, 2019, 11:10:09 AM
to Wazuh mailing list
Hello Stefano,


Your rule has to be linked to the main rule (60000) that is triggered by windows_eventchannel events. You also need an additional rule to prevent the triggering of similar rules. The following should give you the result you expect:


  <rule id="100007" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Kaspersky Event Log$</field>
    <options>no_full_log</options>
    <description>Kaspersky rule for the System channel</description>
  </rule>

  <rule id="100008" level="10">
    <if_sid>100007</if_sid>
    <field name="win.system.providerName">klnagent</field>
    <field name="win.system.eventID">1</field>
    <description>Kaspersky Agent Restarted</description>
  </rule>


In the example below I used the above rules:


With your archives.json as an input:

{"win":{"system":{"providerName":"klnagent","eventID":"1","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-06-05T15:47:59.000000000Z","eventRecordID":"26424","channel":"Kaspersky Event Log","computer":"share.plasmec-int.it","severityValue":"INFORMATION","message":"Application 'Kaspersky Security 10 for Windows Server' started"},"eventdata":{"data":"Application 'Kaspersky Security 10 for Windows Server' started"}}}


I get the following output:

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"klnagent","eventID":"1","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-06-05T15:47:59.000000000Z","eventRecordID":"26424","channel":"Kaspersky Event Log","computer":"share.plasmec-int.it","severityValue":"INFORMATION","message":"Application 'Kaspersky Security 10 for Windows Server' started"},"eventdata":{"data":"Application 'Kaspersky Security 10 for Windows Server' started"}}}'
       timestamp: '(null)'
       hostname: 'littlePill'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"klnagent","eventID":"1","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-06-05T15:47:59.000000000Z","eventRecordID":"26424","channel":"Kaspersky Event Log","computer":"share.plasmec-int.it","severityValue":"INFORMATION","message":"Application 'Kaspersky Security 10 for Windows Server' started"},"eventdata":{"data":"Application 'Kaspersky Security 10 for Windows Server' started"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'klnagent'
       win.system.eventID: '1'
       win.system.level: '4'
       win.system.task: '0'
       win.system.keywords: '0x80000000000000'
       win.system.systemTime: '2019-06-05T15:47:59.000000000Z'
       win.system.eventRecordID: '26424'
       win.system.channel: 'Kaspersky Event Log'
       win.system.computer: 'share.plasmec-int.it'
       win.system.severityValue: 'INFORMATION'
       win.system.message: 'Application 'Kaspersky Security 10 for Windows Server' started'
       win.eventdata.data: 'Application 'Kaspersky Security 10 for Windows Server' started'

**Phase 3: Completed filtering (rules).
       Rule id: '100008'
       Level: '10'
       Description: 'Kaspersky Agent Restarted'
**Alert to be generated.


Please let me know if it helps.

Kind regards,

Juan Pablo Sáez

Stefano Serano
Jun 7, 2019, 4:55:50 AM
to Juan Pablo Saez, Wazuh mailing list
Hi Juan,
Thanks for your help.
I've tried to configure the rules just like yours, but I still can't see the alerts in Kibana; I've even tried setting level 10 for the first rule, but the logs still remain in the Archive.log queue.

Here the rules:

  <rule id="100007" level="10">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Kaspersky Event Log$</field>
    <options>no_full_log</options>
    <description>Kaspersky rule for the System channel</description>
  </rule>
  <rule id="100008" level="10">
    <if_sid>100007</if_sid>
    <field name="win.system.providerName">klnagent</field>
    <field name="win.system.eventID">1</field>
    <description>Kaspersky Agent Restarted</description>
  </rule>
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/G5s5xoG_mak/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2b5fbf99-ebdb-4556-acbc-face72e5d51a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Juan Pablo Saez
Jun 7, 2019, 7:47:26 AM
to Wazuh mailing list
Hello again Stefano,


It seems that the rule I sent you only matches if it is located in the same file, below the 60000 rule. After the 60000 rule is triggered because it is an eventchannel event, the 60009 rule is also triggered because it is an event with severityValue = INFORMATION. So it's this one that yours has to point at if you are placing your rules in local_rules.xml. Sorry for the inconvenience.

  • I have merged the two rules into one that should work properly from the local_rules.xml file. Note that this rule points to 60009:

<rule id="100007" level="10">
 <if_sid>60009</if_sid>
 <field name="win.system.channel">^Kaspersky Event Log$</field>
 <field name="win.system.providerName">klnagent</field>
 <field name="win.system.eventID">1</field>
 <description>Kaspersky Agent Restarted</description>
</rule>


  • Example output I get from ossec-logtest:

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"klnagent","eventID":"1","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-06-05T15:47:59.000000000Z","eventRecordID":"26424","channel":"Kaspersky Event Log","computer":"share.plasmec-int.it","severityValue":"INFORMATION","message":"Application 'Kaspersky Security 10 for Windows Server' started"},"eventdata":{"data":"Application 'Kaspersky Security 10 for Windows Server' started"}}}'
       timestamp: '(null)'
       hostname: 'littlePill'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"klnagent","eventID":"1","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-06-05T15:47:59.000000000Z","eventRecordID":"26424","channel":"Kaspersky Event Log","computer":"share.plasmec-int.it","severityValue":"INFORMATION","message":"Application 'Kaspersky Security 10 for Windows Server' started"},"eventdata":{"data":"Application 'Kaspersky Security 10 for Windows Server' started"}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'klnagent'
       win.system.eventID: '1'
       win.system.level: '4'
       win.system.task: '0'
       win.system.keywords: '0x80000000000000'
       win.system.systemTime: '2019-06-05T15:47:59.000000000Z'
       win.system.eventRecordID: '26424'
       win.system.channel: 'Kaspersky Event Log'
       win.system.computer: 'share.plasmec-int.it'
       win.system.severityValue: 'INFORMATION'
       win.system.message: 'Application 'Kaspersky Security 10 for Windows Server' started'
       win.eventdata.data: 'Application 'Kaspersky Security 10 for Windows Server' started'

**Phase 3: Completed filtering (rules).
       Rule id: '100007'
       Level: '10'
       Description: 'Kaspersky Agent Restarted'
**Alert to be generated.


If it still doesn't work, let me know and we'll work on it until you can use it correctly.
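The ordering effect Juan describes (a local child of 60000 loses to the earlier-loaded 60009, while a child of 60009 fires) can be reproduced with a small model of Wazuh's rule tree. This is an added example, not code from the thread or from Wazuh; the conditions given for rules 60000 and 60009 are simplified assumptions, and Python's re stands in for Wazuh's OS_Regex.

```python
import re
from dataclasses import dataclass

# Constructed event with the same shape as the archives.json record in the thread.
EVENT = {"win": {"system": {"providerName": "klnagent", "eventID": "1",
                            "channel": "Kaspersky Event Log",
                            "severityValue": "INFORMATION"}}}

@dataclass
class Rule:
    id: int
    level: int
    fields: dict        # dotted field name -> regex (Python re stands in for OS_Regex)
    if_sid: int = 0     # 0 = top-level rule (no <if_sid>)

def flatten(obj, prefix=""):
    """Dotted keys as the json decoder produces them, e.g. win.system.providerName."""
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = str(v)
    return out

def matches(rule, flat):
    return all(n in flat and re.search(rx, flat[n]) for n, rx in rule.fields.items())
def evaluate(rules, event):
    """Simplified Wazuh rule tree: roots in load order; under a match, the first
    matching child in load order wins and the search continues beneath it."""
    flat, children = flatten(event), {}
    for r in rules:
        children.setdefault(r.if_sid, []).append(r)
    def descend(rule):
        for child in children.get(rule.id, []):
            if matches(child, flat):
                return descend(child)
        return rule
    return next((descend(r) for r in children.get(0, []) if matches(r, flat)), None)

# Stand-ins for the stock rules named in the thread (conditions are assumed, simplified).
R60000 = Rule(60000, 0, {"win.system.providerName": r"."})
R60009 = Rule(60009, 3, {"win.system.severityValue": r"^INFORMATION$"}, if_sid=60000)
KASPERSKY = {"win.system.channel": r"^Kaspersky Event Log$",
             "win.system.providerName": r"klnagent", "win.system.eventID": r"^1$"}

def winning_rule(parent, local_first=False):
    # Which rule fires when the Kaspersky rule (100007) hangs off `parent`?
    local = Rule(100007, 10, KASPERSKY, if_sid=parent)
    rules = [R60000, local, R60009] if local_first else [R60000, R60009, local]
    hit = evaluate(rules, EVENT)
    return (hit.id, hit.level) if hit else None
```

winning_rule(60000) returns the informational rule (60009, level 3), winning_rule(60009) returns (100007, 10), and winning_rule(60000, local_first=True) shows the "same file, below 60000" case also firing 100007.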

Stefano Serano
Jun 7, 2019, 8:18:48 AM
to Juan Pablo Saez, Wazuh mailing list
Thank you Juan, now it works, plus I've better understood how to work correctly with Wazuh rules.

Have a nice day.
