Service Restart Trigger On Mail


Prajapati Hitesh

Nov 18, 2023, 6:06:57 AM
to Wazuh | Mailing List
Hi,

How do I enable a mail alert if any Windows service is started, stopped, or restarted?

Daniel Sappa

Nov 19, 2023, 8:11:53 AM
to Wazuh | Mailing List

To enable email alerts when specific Windows services are started, stopped, or restarted using Wazuh, you can create custom rules within the Wazuh ruleset. Wazuh monitors Windows event logs for service-related events and can trigger alerts based on defined rules. Here's an outline of the steps:

1. Identify the Windows Event IDs:

Identify the Windows Event IDs associated with service start, stop, or restart events. Typically, these events are logged under the 'System' or 'Security' event logs in Windows.

2. Create Custom Rules in Wazuh:

Edit the local_rules.xml file in the Wazuh manager (/var/ossec/etc/rules/local_rules.xml) to define custom rules that trigger alerts when these specific events occur. Here's a simplified example:

<group name="windows,service_events,"> <!-- rules in local_rules.xml must sit inside a <group> element -->
  <rule id="100001" level="7">
    <decoded_as>windows_eventchannel</decoded_as> <!-- decoder for agent-collected Windows event channel logs; use the Sysmon decoder only for the Sysmon channel -->
    <field name="win.system.eventID">^7036$</field> <!-- Replace with the relevant Event ID; anchors keep e.g. 17036 from matching -->
    <description>Windows Service Started, Stopped, or Restarted</description>
    <group>service_events,</group> <!-- Replace with your chosen group -->
    <options>alert_by_email</options>
    <!-- Additional conditions or specific service names can be added as needed -->
  </rule>
</group>

  • Replace <decoded_as> with the appropriate decoder used for Windows event logs (e.g., sysmon, winevent, etc.).
  • <field name="win.system.eventID">7036</field> should be replaced with the relevant Event ID(s) associated with service start/stop events.
  • Customize the rule description, group, and add more conditions to specify particular service names or further refine the rule if needed.

3. Define Email Alerts:

Ensure that the appropriate action is set to trigger email alerts for the custom rule(s) you've created. The <options> tag in the rule should include alert_by_email.

4. Apply Changes and Restart Wazuh:

Save the changes made to the ruleset file and restart the Wazuh manager to apply the new configuration:

# /var/ossec/bin/wazuh-control restart

5. Test the Custom Rule:

Test the custom rule by manually starting, stopping, or restarting a Windows service that should trigger the alert. Check if the Wazuh manager generates the expected alerts and sends email notifications as configured.

This setup enables Wazuh to monitor specific Windows service events and send email alerts when service start, stop, or restart events occur. Ensure that the rule configuration matches the event IDs and conditions related to the services you want to monitor. Adjust the rule as needed based on your specific requirements and the Windows event log details.
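As an added example that is not part of the reply above, the following puts steps 2 and 3 together: a complete rule group for Event ID 7036 (Service Control Manager, System log) that distinguishes service starts from stops and escalates stops of a short list of services, followed by the manager-side email configuration. The rule IDs (100010-100013), the service display names, the SMTP host and the mailbox addresses are constructed placeholders; the field names win.eventdata.param1 (service display name) and win.eventdata.param2 (new state) are assumed from the EventData layout of 7036 and should be confirmed against a real alert in alerts.json before you rely on them.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the manager (IDs 100000+ are reserved for custom rules) -->
<group name="windows,service_events,">

  <!-- Parent rule: every Service Control Manager 7036 event (a service entered the
       running or stopped state). Level 0, so it only serves as a hook for the child rules. -->
  <rule id="100010" level="0">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">^Service Control Manager$</field>
    <field name="win.system.eventID">^7036$</field>
    <description>Windows service state change (SCM 7036)</description>
  </rule>

  <!-- Child rules split on the new state, which SCM records in param2 (assumed field name).
       $(...) in the description expands the decoded field into the alert text. -->
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <field name="win.eventdata.param2">^running$</field>
    <description>Windows service started: $(win.eventdata.param1)</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100012" level="7">
    <if_sid>100010</if_sid>
    <field name="win.eventdata.param2">^stopped$</field>
    <description>Windows service stopped: $(win.eventdata.param1)</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Escalate stops of services you care about, matched on the display name (constructed list).
       Child of the "stopped" rule, so only stops of these services reach level 10. -->
  <rule id="100013" level="10">
    <if_sid>100012</if_sid>
    <field name="win.eventdata.param1">^Windows Defender Antivirus Service$|^Windows Event Log$|^Wazuh$</field>
    <description>Security-relevant Windows service stopped: $(win.eventdata.param1)</description>
    <options>alert_by_email</options>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf on the manager, inside <ossec_config>: email delivery for step 3 -->
<global>
  <email_notification>yes</email_notification>
  <smtp_server>smtp.example.internal</smtp_server>      <!-- placeholder: an SMTP relay reachable from the manager -->
  <email_from>wazuh@example.internal</email_from>       <!-- placeholder -->
  <email_to>soc@example.internal</email_to>             <!-- placeholder -->
  <email_maximum_per_hour>12</email_maximum_per_hour>   <!-- cap for the general queue; alert storms get grouped -->
</global>

<alerts>
  <log_alert_level>3</log_alert_level>
  <email_alert_level>12</email_alert_level>  <!-- rules carrying alert_by_email are mailed regardless of this threshold -->
</alerts>

<!-- Optional: send the escalated rule to a separate mailbox without the grouping delay -->
<email_alerts>
  <email_to>oncall@example.internal</email_to>          <!-- placeholder -->
  <rule_id>100013</rule_id>
  <do_not_delay />
  <format>full</format>
</email_alerts>
```

After restarting the manager (step 4), step 5 can be done without touching production services: replay a saved 7036 JSON line from an agent's archives through /var/ossec/bin/wazuh-logtest and check that rule 100011 or 100012 fires, then confirm end to end by restarting a harmless service such as the Print Spooler on a test host and tailing /var/ossec/logs/alerts/alerts.json. Note that wazuh-maild speaks plain SMTP to the relay named in <smtp_server>, so that relay must accept unauthenticated mail from the manager's address.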
