Generating alerts for windows event IDs

Cézar

Oct 10, 2022, 2:26:05 PM
to Wazuh mailing list
Hi everyone!

I am trying to look for some alerts from specific windows event IDs, such as 4670, 4690 and some others.

I know they are being sent to wazuh because my agent.conf looks like this:

```xml
  <agent_config>
    <!-- Shared agent configuration here -->
          DELETE /agents/001/group/default
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID!=4673|4674]</query>
    </localfile>
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID!=4673|4674]</query>
    </localfile>
  </agent_config>
```

However, they are not generating alerts on Wazuh. Do I have to write custom rules for these events, or are they just low-level alerts whose level I need to raise? If that is the case, in which file are they located?


Thank you,
Cézar

Nicolas Zapata

Oct 10, 2022, 3:17:19 PM
to Wazuh mailing list
Hello Cezar, thanks for using Wazuh!

You can look at the agent's ossec.conf and see if the event IDs you want are excluded. For example:

```xml
<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
</localfile>
```



Here the event IDs 5145, 5156, 5447... are excluded, because the != means the event ID will be ignored by the Wazuh agent. Here is more information about the Windows alerts.


We can check whether the event is arriving at the manager as follows:

  • Enable logall_json:

```xml
<global>
    ....
    ...
    <logall_json>yes</logall_json>
    ...
    ...
</global>
```

  • Restart the manager
    • For Systemd:

```shell
systemctl restart wazuh-manager
```

    • For SysV Init:

```shell
service wazuh-manager restart
```

  • Run the following command to check the output of that event and verify that it is arriving at the manager:

```shell
# tail -f /var/ossec/logs/archives/archives.json | grep '"eventID":"4670"'
```

And when the alert is generated you can see it in this file.

I hope this helped you! Regards
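An added example (not from this thread or from the Wazuh project) that automates the two checks above: it parses the agent-side `<query>` to list which event IDs the `EventID != N` terms drop before they ever reach the manager, and it counts a given event ID in archives.json lines the way the grep does, but by parsing the JSON. The ossec.conf text and the archives.json lines are constructed samples; the `data.win.system.eventID` field layout is assumed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the agent-side ossec.conf quoted in the thread.
OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>
</ossec_config>"""

EXCLUDE_RE = re.compile(r"EventID\s*!=\s*(\d+)")

def excluded_event_ids(conf_xml, channel="Security"):
    """Event IDs the eventchannel <query> for `channel` filters out ('EventID != N')."""
    excluded = set()
    for lf in ET.fromstring(conf_xml).iter("localfile"):
        if lf.findtext("location") != channel or lf.findtext("log_format") != "eventchannel":
            continue
        excluded.update(int(n) for n in EXCLUDE_RE.findall(lf.findtext("query") or ""))
    return excluded

def dropped_event_ids(conf_xml, wanted, channel="Security"):
    """Which of the IDs we want alerts for never leave the agent because of the filter."""
    return sorted(set(wanted) & excluded_event_ids(conf_xml, channel))

# Constructed archives.json lines (logall_json output); real lines carry many more fields.
ARCHIVES_JSON = [
    '{"data":{"win":{"system":{"eventID":"4624","channel":"Security"}}}}',
    '{"data":{"win":{"system":{"eventID":"4670","channel":"Security"}}}}',
    '{"data":{"win":{"system":{"eventID":"4670","channel":"Security"}}}}',
]

def count_event_id(lines, event_id):
    """Same check as the grep in the thread, but parsing each JSON line."""
    hits = 0
    for line in lines:
        win = json.loads(line).get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") == str(event_id):
            hits += 1
    return hits

if __name__ == "__main__":
    print("dropped by agent filter:", dropped_event_ids(OSSEC_CONF, [4670, 4690, 4624]))
    print("4670 lines in archives:", count_event_id(ARCHIVES_JSON, 4670))
```

If an ID you expect shows up in `dropped_event_ids`, no manager-side rule or level change will help until the agent's query stops excluding it.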

Cézar

Oct 10, 2022, 3:36:44 PM
to Wazuh mailing list
Hello Nicolas, thank you for the response!


What I have shown is the agent.conf file found in /var/ossec/etc/shared/default/agent.conf. It is the default group for my agents, so I think they are collecting the information I want?


I have a pretty extensive archives.json file, since I enabled logall some days ago, and I have executed grep '"eventID":"4670"' on it, and it did not find any results. Now I am thinking these events are not being sent to Wazuh.


Any insights on what I might be doing wrong here?


Thanks again,
Cézar

Nicolas Zapata

Oct 11, 2022, 10:34:15 AM
to Wazuh mailing list
Hello, sorry for the delay!
I understand that you have a centralized file with the agents' configuration, but the file I am talking about is in C:\Program Files (x86)\ossec-agent\ossec.conf
on the agent side. Please check there if the event ID is being blocked, since by default many come that way.

And also, could you run /var/ossec/bin/verify-agent-conf? This is to verify that the agent.conf is correct.

You could also see if the status of the agent is correct with the following command: /var/ossec/bin/agent_control -l

Do you see an error in the /var/ossec/logs/ossec.log file of the agent or manager?

Regards

Cézar

Oct 11, 2022, 1:56:03 PM
to Wazuh mailing list
Thanks again for the response, it is not late at all!

I have run the verify-agent-conf and everything shows as OK.

I have looked at the ossec.conf on the agent, and indeed it does show the config you showed earlier:

```xml
<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
</localfile>
```


Shouldn't this part be equal to the one in the agent.conf on the manager, since that is the global configuration?


Lastly, I see no error in ossec.log for the agent or manager; in fact these agents are sending other alerts to the manager.


Regards,
Cézar