Custom EventChannel log not generating alert


Àngel Rigau i Pedraza

May 11, 2019, 5:44:06 AM
to Wazuh mailing list
Hello,

I've created a custom rule to integrate custom Windows application events.

I installed the agent and I received the logs in the archive.log. To debug the rule with ossec-logtest, I've changed the tags

    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>

to 

<decoded_as>json</decoded_as>

And with ossec-logtest it is working fine. I use the log copied directly from the archive.log:

{"win":{"system":{"providerName":"BvSshServer","eventID":"4097","level":"4","task":"0","keywords":"0x80000000000000","systemTime":"2019-05-08T16:24:29.000000000Z","eventRecordID":"33797","channel":"Application","computer":"WIN-VPJPRP9VDUI","severityValue":"INFORMATION","message":"event"},"eventdata":{"data":"event    time: 2019-05-08 18:24:29.248598 +0200    app: BvSshServer 7.46    name: I_LOGON_AUTH_FAILED    desc: User authentication failed.    session      id: 19533      service: SSH      remoteAddress: 218.92.0.211:40341    authentication      attemptNr: 3      userName: root      method: password    parameters      failureReason: WindowsAccountLookupError    error      type: Exception      message: Account lookup failed: [Nt4] First LookupAccountName() failed with the following error: Windows error 1332: No se efectuó ninguna asignación entre los nombres de cuenta y los identificadores de seguridad.    help      message: The supplied user name could not be looked up. Only the GSSAPI authentication method can possibly proceed with this username."}}}

But when I changed again to 

    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>

the alert is never generated.

Is there a way to debug it and know what is happening?

Thanks!!

Àngel

Àngel Rigau i Pedraza

May 11, 2019, 1:27:11 PM
to Wazuh mailing list
The rules that I'm using are the following:

<rule id="61063" level="0">
    <!-- <if_sid>60003</if_sid> -->
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">^BvSshServer$</field>
    <description>Group of windows rules</description>
</rule>

<rule id="61064" level="3">
    <if_sid>61063</if_sid>
    <match>I_LOGON_AUTH_FAILED</match>
    <description>LOGON_AUTH_FAILED Event BvSshServer</description>
    <group>authentication_failed</group>
</rule>

<rule id="61065" level="3">
    <if_sid>61063</if_sid>
    <match>SocketError</match>
    <description>SocketError Event BvSshServer</description>
    <group>authentication_failed</group>
</rule>



On Saturday, 11 May 2019 11:44:06 UTC+2, Àngel Rigau i Pedraza wrote:

Cristina Garrido López

May 13, 2019, 2:40:57 AM
to Wazuh mailing list
Hello Àngel,

I've got some questions that could help us solve your problem.

- Is the log you pasted the same as the one that is trying to match with your rules without using logtest?
- Which log alert level are you using, is it 3 or higher? (see the log_alert_level option from the ossec.conf file).
- At the agent side, are you monitoring the Application channel with the localfile block?

Kind regards,
Cristina

Àngel Rigau

May 13, 2019, 4:00:49 AM
to Cristina Garrido López, Wazuh mailing list
Hi,

Yes, this is the log taken from the archive.log file. So, it means the data is collected from the agent and sent to the server.

The alert is 3. I also tried to change it to 1 and 0, but with the same result.

Best Regards,

Àngel Rigau

On 13 May 2019, at 8:40, Cristina Garrido López <cris...@wazuh.com> wrote:

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/J3iJ_6sYzjc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/54c68567-11ab-4e7b-940b-c0ea83d7aa2a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cristina Garrido López

May 13, 2019, 5:42:16 AM
to Wazuh mailing list
Hi Àngel,

You are using a new rule that has the category and decoded_as sections. This may be the problem: every Windows EventChannel event matches rule 60000, and as your custom rules are not children of this one, they are not being taken into account and this specific event is not being alerted. Can you try setting the if_sid option with the rule ID 60003 (the one for events contained in the Application channel) and test it again?

<rule id="61063" level="0">
    <if_sid>60003</if_sid>
    <field name="win.system.providerName">^BvSshServer$</field>
    <description>Group of windows rules</description>
</rule>

Also, remember that the rule range for custom rules begins at 100000 and they should be included in the etc/local_rules.xml file, as they will be removed with any update.

Best regards,
Cristina

Àngel Rigau

May 13, 2019, 7:00:39 AM
to Cristina Garrido López, Wazuh mailing list
Hi,

I’ve changed the rules according to your recommendations, with the same result.

The new rules are:

<rule id="100002" level="3">
    <if_sid>60003</if_sid>
    <!--  <decoded_as>json</decoded_as>
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as> -->
    <field name="data.win.system.providerName">^BvSshServer$</field>
    <options>no_full_log</options>
    <description>Event BvSshServer</description>
</rule>

<rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <match>I_LOGON_AUTH_FAILED</match>
    <options>no_full_log</options>
    <description>LOGON_AUTH_FAILED Event BvSshServer</description>
    <group>authentication_failed</group>
</rule>

<rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <match>SocketError</match>
    <options>no_full_log</options>
    <description>SocketError Event BvSshServer</description>
    <group>authentication_failed</group>
</rule>


Àngel Rigau

On 13 May 2019, at 11:42, Cristina Garrido López <cris...@wazuh.com> wrote:


Cristina Garrido López

May 13, 2019, 7:03:54 AM
to Wazuh mailing list
Hello Àngel,

You need to remove the `data` part of your field section, as it is only shown in Kibana. Your first rule should be:

<rule id="100002" level="3">
    <if_sid>60003</if_sid>
    <field name="win.system.providerName">^BvSshServer$</field>
    <description>Group of windows rules</description>
</rule>

Let me know if this helped.

Kind regards,
Cristina

Cristina Garrido López

May 15, 2019, 7:48:47 AM
to Àngel Rigau, wa...@googlegroups.com
Hello Àngel,

I think I have found the problem. It is an issue with an application rule. Your provider name is called BvSshServer; at the time of matching with the rules, there is a silent one in the application file, rule 60675, which matches the provider name VSS. This word is contained in BvSshServer. As the rule is silenced, you cannot see any alerts. I have opened an issue to take this into account. To fix this by yourself, you can change the rule 60675 as follows:

<rule id="60675" level="0">
  <if_sid>60600</if_sid>
  <field name="win.system.providerName">^VSS$</field>
  <description>Group of VSS events</description>
  <options>no_full_log</options>
</rule>

Try this change and test your rules again. Let me know if you solved this problem or if you have any questions.
Also, remember to click on the 'reply all' button so that this thread is public and can help other users.

Best regards,
Cristina.


On Mon, May 13, 2019 at 2:27 PM Àngel Rigau <angel...@gmail.com> wrote:
Hi,

It behaves the same way....

Àngel Rigau

On 13 May 2019, at 13:03, Cristina Garrido López <cris...@wazuh.com> wrote:


Àngel Rigau

May 15, 2019, 1:22:25 PM
to Cristina Garrido López, wa...@googlegroups.com
Hi!

Sorry, but it behaves the same way....

Àngel Rigau

On 15 May 2019, at 13:48, Cristina Garrido López <cris...@wazuh.com> wrote:

Cristina Garrido López

May 16, 2019, 3:21:48 AM
to Àngel Rigau, wa...@googlegroups.com
Hi Àngel,

I was wrong: the parent rule for your custom rule with ID 100002 is not 60003, as the event will match 60600, 60601 or 60602, which are children of that one. Try changing the <if_sid> option to <if_sid>60600,60601,60602</if_sid> so that any event (informational, warning or error) can match your rule 100002. To sum up, add the following to your /var/ossec/etc/rules/local_rules.xml file in addition to the modification to the rule 60675 I mentioned below. Then, restart the manager:

<rule id="100002" level="3">
  <if_sid>60600,60601,60602</if_sid>
  <field name="win.system.providerName">^BvSshServer$</field>
  <options>no_full_log</options>
  <description>Event BvSshServer</description>
</rule>

<rule id="100003" level="3">
  <if_sid>100002</if_sid>
  <match>I_LOGON_AUTH_FAILED</match>
  <options>no_full_log</options>
  <description>LOGON_AUTH_FAILED Event BvSshServer</description>
  <group>authentication_failed</group>
</rule>

<rule id="100004" level="3">
  <if_sid>100002</if_sid>
  <match>SocketError</match>
  <options>no_full_log</options>
  <description>SocketError Event BvSshServer</description>
  <group>authentication_failed</group>
</rule>

Please let me know if this helped and solved the issue.

Kind regards,
Cristina

Àngel Rigau i Pedraza

May 16, 2019, 12:42:17 PM
to Cristina Garrido López, wa...@googlegroups.com
Hi Cristina,

Thanks for your answers, but the alert still doesn’t appear.

Àngel Rigau

On 16 May 2019, at 9:21, Cristina Garrido López <cris...@wazuh.com> wrote:

Cristina Garrido López

May 17, 2019, 3:09:09 AM
to Wazuh mailing list
Hi Àngel,

These changes are working for me, so there should be something different in your environment which is not right. Summing up some facts:

- You told me that the `log_alert_level` from your ossec.conf is 3, this means that every event that matches a rule with level 3 or higher will trigger an alert.
- These changes are working for ossec-logtest when you replace <decoded_as>windows_eventchannel</decoded_as> with <decoded_as>json</decoded_as> and remove the <category>ossec</category>.
- When you revert those changes, restart the manager and generate the log at the agent side, you are receiving the event at your /var/ossec/logs/archives/archives.log file from your manager.
- Your rules have the changes I mentioned in the last comment and the one for rule 60675.
- You are running Wazuh v3.9.0 in both agent and manager.

Is this correct? Is the event that you are receiving the same as the one you pasted in the first comment?
Let's try to narrow the problem so that we can find out what is happening.

Kind regards,
Cristina


Cristina Garrido López

May 17, 2019, 3:18:28 AM
to Wazuh mailing list
Hi Àngel,

In addition, can you tell me if you have any other custom rules that may match with this log and are silent?

Kind regards,
Cristina

Àngel Rigau i Pedraza

May 19, 2019, 1:32:51 PM
to Cristina Garrido López, Wazuh mailing list
Hi,

I finally found the error. This was my rule:


<rule id="100002" level="3">
    <if_sid>60600,60601,60602</if_sid>
    <field name="data.win.system.providerName">^BvSshServer$</field>
    <description>Event BvSshServer</description>
</rule>


The problem is that the field name is wrong. The correct one is <field name="win.system.providerName">^BvSshServer$</field>, without the data before win.

I don’t know at which point I changed it, but it really was driving me crazy. After your last mail I’ve tested it all again and then I realized that.

Thanks for your help!!!!

Àngel
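The two failure modes this thread ends up on, the `data.` prefix that never resolves against the decoded event and the unanchored `VSS` pattern in rule 60675 that swallows the event silently, can be reproduced with a small Python model. This is an added example, not code from Wazuh or from anyone in the thread. It simplifies the rule engine to a first-match walk of the parent/child tree, uses a made-up stand-in definition for rule 60600 (its real definition is not on the page), and assumes `<field>` patterns are searched case-insensitively inside the value, which is what the 60675 diagnosis above relies on; the event is a trimmed copy of the archives.log line from the first message.

```python
import json
import re

# Constructed event: a trimmed copy of the archives.log JSON posted in the thread.
EVENT = {
    "win": {
        "system": {
            "providerName": "BvSshServer",
            "eventID": "4097",
            "channel": "Application",
            "severityValue": "INFORMATION",
            "message": "event",
        },
        "eventdata": {
            "data": "event    name: I_LOGON_AUTH_FAILED    desc: User authentication failed."
        },
    }
}


def lookup(event, path):
    """Resolve a dotted <field name="..."> path against the decoded event; None if absent.
    The path is relative to the decoded event, so the Kibana-only 'data.' prefix never resolves."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def field_matches(event, name, pattern):
    """Model of <field>: the regex is searched inside the value, case-insensitively
    (assumption mirroring the thread's diagnosis that 'VSS' hit 'BvSshServer'),
    so only ^...$ anchoring forces a whole-value comparison."""
    value = lookup(event, name)
    return value is not None and re.search(pattern, value, re.IGNORECASE) is not None


def rule_matches(event, raw, rule):
    """A rule matches when every <field> test passes and its <match> text, if any,
    appears somewhere in the raw event."""
    fields_ok = all(field_matches(event, n, p) for n, p in rule.get("fields", []))
    text = rule.get("match")
    return fields_ok and (text is None or text.lower() in raw.lower())


def evaluate(event, rules, log_alert_level=3):
    """First-match model of the rule tree: take the first top-level rule that matches,
    then descend into its children (rules whose if_sid names it) the same way.
    The deepest matching rule decides the level; level 0 is silent, and anything
    below log_alert_level produces no alert either."""
    raw = json.dumps(event)
    current = None
    candidates = [r for r in rules if r.get("if_sid") is None]
    while candidates:
        winner = next((r for r in candidates if rule_matches(event, raw, r)), None)
        if winner is None:
            break
        current = winner
        candidates = [r for r in rules if r.get("if_sid") == winner["id"]]
    if current is None:
        return None
    return {"id": current["id"], "level": current["level"],
            "alerts": current["level"] > 0 and current["level"] >= log_alert_level}


def build_rules(anchor_vss, provider_field):
    """Stand-ins for the rules discussed in the thread. 60600 is modelled as the
    informational-event parent (assumed definition), 60675 is the silent VSS rule,
    and 100002/100003 are the custom rules, loaded after the stock ones."""
    vss_pattern = "^VSS$" if anchor_vss else "VSS"
    return [
        {"id": 60600, "level": 0, "fields": [("win.system.severityValue", "^INFORMATION$")]},
        {"id": 60675, "level": 0, "if_sid": 60600, "fields": [("win.system.providerName", vss_pattern)]},
        {"id": 100002, "level": 3, "if_sid": 60600, "fields": [(provider_field, "^BvSshServer$")]},
        {"id": 100003, "level": 3, "if_sid": 100002, "match": "I_LOGON_AUTH_FAILED"},
    ]


if __name__ == "__main__":
    for anchor, field in [(False, "win.system.providerName"),
                          (True, "data.win.system.providerName"),
                          (True, "win.system.providerName")]:
        print(f"anchored VSS={anchor!s:5} field={field:32} ->",
              evaluate(EVENT, build_rules(anchor, field)))
```

Running it prints one line per configuration: with the unanchored `VSS` pattern the silent rule 60675 wins and nothing alerts; with the anchored pattern but the `data.` field name, only the level-0 parent matches; only with both fixes does 100003 fire at level 3.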


On 17 May 2019, at 9:18, Cristina Garrido López <cris...@wazuh.com> wrote:


Cristina Garrido López

May 20, 2019, 2:09:32 AM
to Wazuh mailing list
Hello Àngel,

I am glad that you could solve your problem. If you have any more doubts I'll be happy to help!

Kind regards,
Cristina

Miki Alkalay

May 22, 2019, 4:05:29 AM
to Cristina Garrido López, Wazuh mailing list
Hi,
We are a cyber company that wants to get to know Wazuh in a much deeper way.
We would like to have a technical session with one of your technical colleagues (a couple of hours) to better understand some of the issues that we have here.
We are willing to pay money for this tech session.


Please advise.
Miki




--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293

Cristina Garrido López

May 22, 2019, 5:13:20 AM
to Miki Alkalay, Wazuh mailing list
Hi Miki,

We will be pleased to help you with any doubt you may have. I will get back to you privately to specify details.

Kind regards,
Cristina