Exceptions of registration of some events for windows agent.


Александр Коледа

Apr 8, 2024, 7:37:11 AM
to Wazuh | Mailing List
Hey, everybody. I am just starting to learn Wazuh and I am unable to add exceptions for two Windows log events to the agent configuration. When saving the agent configuration I get the following error: wazuh-agent: ERROR: Could not EvtSubscribe() for (Security) which returned (15001).
Windows events:
....{ "agent": { "ip": "10.*.*.*", "name": "agent019", "id": "019" }, "manager": { "name": "wazuhsrv" }, "data": { "win": { "eventdata": { "targetLogonId": "0x3930b325", "targetUserName": "MAIN-RU$", "targetDomainName": "DOMAIN", "targetUserSid": "S-1-5-18", "logonType": "3" }, "system": { "eventID": "4634", "keywords": "0x8020000000000000", "providerGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "level": "0", "channel": "Security", "opcode": "0", "message": ..........
and......{ "agent": { "ip": "10.*.*.*", "name": "agent019", "id": "019" }, "manager": { "name": "wazuhsrv" }, "data": { "win": { "eventdata": { "targetLogonId": "0x3930b2ed", "targetUserName": "LDAPAuthTest", "targetDomainName": "DOMAIN", "targetUserSid": "S-1-5-21-2607927850-10554458-353216286-7239", "logonType": "3" }, "system": { "eventID": "4634", "keywords": "0x8020000000000000", "providerGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "level": "0", "channel": "Security", "opcode": "0", "message": ......
Agent Configuration:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157] or Event/Eventdata[TargetUserName != LDAPAuthTest and TargetUserName != MAIN-RU$]</query>
</localfile>

Jeremiah Kolawole

Apr 8, 2024, 8:51:43 AM
to Wazuh | Mailing List
Hello Александр,

Looking at your configuration file, it is possible that the addition of the clause "or Event/Eventdata[TargetUserName != LDAPAuthTest and TargetUserName != MAIN-RU$]" could be the reason you're getting the error.

Agent Configuration:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157] or Event/Eventdata[TargetUserName != LDAPAuthTest and TargetUserName != MAIN-RU$]</query>
</localfile>

If you want to add the event ID to the configuration, enter it as a new value like below and ensure that you have properly configured the event to be monitored.
You can find how to do that here.

Agent Configuration:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157 and EventID = 4634]</query>
</localfile>

Александр Коледа

Apr 8, 2024, 9:09:29 AM
to Wazuh | Mailing List
Thanks for your reply, but I need to exclude event 4634 for the LDAPAuthTest and MAIN-RU$ users.

On Monday, April 8, 2024 at 15:51:43 UTC+3, Jeremiah Kolawole wrote:

Jeremiah Kolawole

Apr 29, 2024, 4:25:14 AM
to Wazuh | Mailing List
Hello Александр,

Apologies for the late response.

To exclude the event for the users as specified, you can modify the conf file as below:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- Forward every Security event except 4634 (account logged off) for the two
       users. The field name in the event XML is TargetUserName, the string values
       must be quoted, and the two user tests are joined with "and" so that both
       users are dropped: "!= A or != B" would be true for every user. -->
  <query>Event[System/EventID != 4634 or (EventData/Data[@Name='TargetUserName'] != 'MAIN-RU$' and EventData/Data[@Name='TargetUserName'] != 'LDAPAuthTest')]</query>
</localfile>

I hope this helps.
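The subtle part of a per-user exclusion like this is how the two TargetUserName tests are joined: "!= 'MAIN-RU$' or != 'LDAPAuthTest'" is true for every user, so the query has to use "and" (and invert the EventID test) to drop 4634 only for those two accounts. The Python below is an added check, not code from the thread or from Wazuh; it builds constructed events in the EventLog XML shape that the eventchannel query is evaluated against and mirrors both predicate forms over them.

```python
import xml.etree.ElementTree as ET

# Constructed sample Security events (event ID, TargetUserName); not captured data.
SAMPLE_EVENTS = [
    (4634, "MAIN-RU$"),
    (4634, "LDAPAuthTest"),
    (4634, "alice"),
    (4624, "MAIN-RU$"),
    (4688, "bob"),
]

def build_event_xml(event_id, target_user):
    """Build one event in the EventLog XML shape the eventchannel query runs against."""
    return (
        "<Event><System>"
        f"<EventID>{event_id}</EventID><Channel>Security</Channel>"
        "</System><EventData>"
        f"<Data Name='TargetUserName'>{target_user}</Data>"
        "<Data Name='LogonType'>3</Data>"
        "</EventData></Event>"
    )

def event_fields(xml_text):
    """Extract System/EventID and EventData/Data[@Name='TargetUserName']."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("System/EventID"))
    user = root.findtext("EventData/Data[@Name='TargetUserName']")
    return event_id, user

def keep_or_form(event_id, user):
    """Event[System/EventID = 4634 and (user != 'MAIN-RU$' or user != 'LDAPAuthTest')]"""
    return event_id == 4634 and (user != "MAIN-RU$" or user != "LDAPAuthTest")

def keep_and_form(event_id, user):
    """Event[System/EventID != 4634 or (user != 'MAIN-RU$' and user != 'LDAPAuthTest')]"""
    return event_id != 4634 or (user != "MAIN-RU$" and user != "LDAPAuthTest")

def forwarded(keep):
    """Return the (event_id, user) pairs the agent would forward under predicate `keep`."""
    parsed = [event_fields(build_event_xml(e, u)) for e, u in SAMPLE_EVENTS]
    return [(e, u) for e, u in parsed if keep(e, u)]

if __name__ == "__main__":
    print("or  form keeps:", forwarded(keep_or_form))   # every 4634 and nothing else
    print("and form keeps:", forwarded(keep_and_form))  # all but 4634 for the two users
```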