windows event filtering
158 views
Skip to first unread message
Ethan Thompson
Apr 5, 2023, 8:17:20 AM4/5/23
to Wazuh mailing list
Hello Team
(Filtering conditions that are 18456 and test-dev-04.domain.local )
I tried several ways but it doesn't work.
Below is an example of one of the things I tried.
I need help with this
data.win.system.evedID: 18456
data.win.system.computer: TEST-DEV.domain.local
wazuh version: 4.3.10
releated file: agent.conf
Ethan Thompson
Apr 7, 2023, 6:19:58 AM4/7/23
to Wazuh mailing list
Hello Team
Sorry. I was mistaken.
Event ID 18456 is the Application log.
I'll try filtering again.
Regards,
Ethan
Sorry. I was mistaken.
Event ID 18456 is the Application log.
I'll try filtering again.
Regards,
Ethan
2023년 4월 5일 수요일 오후 9시 17분 20초 UTC+9에 Ethan Thompson님이 작성:
Daniel Folch
Apr 10, 2023, 3:03:09 AM4/10/23
to Wazuh mailing list
Hello,
The correct suppress query should be:
\<Suppress Path="Security"\>*[System[(EventID=18456)]] and *[System[Data[@Name='computer']='TEST-DEV.domian.local']]\</Suppress\>Remember that this will only exclude the events that match both conditions simultaneously, so if you want to exclude the events that match either condition you need to use or.
You can test your query before applying it to Wazuh creating a custom view in the Windows event viewer.
Ethan Thompson
Apr 10, 2023, 3:27:17 AM4/10/23
to Wazuh mailing list
Hello Daniel
thank you for the reply
I did several tests and applied it normally through the settings below.
thank you
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Computer='TEST-DEV.domain.local')]]\</Suppress\>
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Message=\.+Failed to open the explicitly specified database\.+)]]\</Suppress\>
Regards,
Ethan
thank you for the reply
I did several tests and applied it normally through the settings below.
thank you
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Computer='TEST-DEV.domain.local')]]\</Suppress\>
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Message=\.+Failed to open the explicitly specified database\.+)]]\</Suppress\>
Regards,
Ethan
2023년 4월 10일 월요일 오후 4시 3분 9초 UTC+9에 Daniel Folch님이 작성:
Ethan Thompson
Apr 10, 2023, 6:36:04 AM4/10/23
to Wazuh mailing list
Hello Daniel
Looking at the logs now, I can see that there is something wrong with the way I set it up.
Full application logs are not recorded.
I'll test it out enough and share the results.
Full application logs are not recorded.
I'll test it out enough and share the results.
Regards,
Ethan
2023년 4월 10일 월요일 오후 4시 27분 17초 UTC+9에 Ethan Thompson님이 작성:
Ethan Thompson
Apr 10, 2023, 10:39:12 PM4/10/23
to Wazuh mailing list
Hello Daniel
<log_format>eventchannel</log_format>
<query>
\<QueryList\>
There aren't many application logs, so it's difficult to determine if this is a good enough test.
However, it is judged to operate normally in the settings below.
As another question, I would like to ask if the "suppress" tag does not apply regular expression syntax.
Best Regards,
Ethan
However, it is judged to operate normally in the settings below.
As another question, I would like to ask if the "suppress" tag does not apply regular expression syntax.
Best Regards,
Ethan
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>
\<QueryList\>
\<Query Id="0" Path="Security"\>
\<Select Path="Security"\>*\</Select\>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>
\<QueryList\>
\<Query Id="0" Path="Security"\>
\<Select Path="Security"\>*\</Select\>
\<Suppress Path="Security"\>*[System[(EventID=5145)]] or *[System[(EventID=5156)]] or *[System[(EventID=5447)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=4656)]] or *[System[(EventID=4658)]] or *[System[(EventID=4663)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=4660)]] or *[System[(EventID=4670)]] or *[System[(EventID=4690)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=4703)]] or *[System[(EventID=4907)]] or *[System[(EventID=5152)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=5157)]] or *[System[(EventID=5158)]] or *[System[(EventID=4957)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=5031)]]\</Suppress\>
\<Suppress Path="Security"\>*[EventData[Data[@Name='objectName'] and (Data = 'LSM')]]\</Suppress\>
\</Query\>
\</QueryList\>
</query>
</localfile>
<localfile>
<location>Application</location>
\<Suppress Path="Security"\>*[System[(EventID=4656)]] or *[System[(EventID=4658)]] or *[System[(EventID=4663)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=4660)]] or *[System[(EventID=4670)]] or *[System[(EventID=4690)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=4703)]] or *[System[(EventID=4907)]] or *[System[(EventID=5152)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=5157)]] or *[System[(EventID=5158)]] or *[System[(EventID=4957)]]\</Suppress\>
\<Suppress Path="Security"\>*[System[(EventID=5031)]]\</Suppress\>
\<Suppress Path="Security"\>*[EventData[Data[@Name='objectName'] and (Data = 'LSM')]]\</Suppress\>
\</Query\>
\</QueryList\>
</query>
</localfile>
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
<query>
\<QueryList\>
\<Query Id="0" Path="Application"\>
\<Select Path="Application"\>*\</Select\>
\<Suppress Path="Application"\>*[System[(EventID=1001)]]\</Suppress\>
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Computer='TEST-DEV.domain.local')]]\</Suppress\>
\</Query\>
\</QueryList\>
</query>
</localfile>
\<Select Path="Application"\>*\</Select\>
\<Suppress Path="Application"\>*[System[(EventID=1001)]]\</Suppress\>
\<Suppress Path="Application"\>*[System[(EventID=18456)]] and *[System[(Computer='TEST-DEV.domain.local')]]\</Suppress\>
\</Query\>
\</QueryList\>
</query>
</localfile>
2023년 4월 10일 월요일 오후 7시 36분 4초 UTC+9에 Ethan Thompson님이 작성:
Reply all
Reply to author
Forward
0 new messages