Most Windows logs won't show up on Wazuh 4.8

M Sakarino

Jul 6, 2024, 9:44:11 AM7/6/24
to Wazuh | Mailing List
Dear Team Wazuh,

I am having a problem with Wazuh 4.8: it won't display all the Windows logs that I have already configured in /var/ossec/etc/shared/default/agent.conf.
Before using 4.8, on version 4.7 they were always displayed on the Security Events tab. But after I upgraded to version 4.8, it won't display all those logs anymore. They should be on the Threat Hunting tab, but it only shows very few logs, even though I use Wazuh to collect Windows logs from our clients. Right now I have reinstalled my Wazuh server PC and redeployed it again to test on the clients, but I am still facing the same issue.

Note: I use a centralized configuration and have already changed wazuh_command.remote_commands=1 in the internal options on the client.

Here is my conf.
agent.conf on shared.png

Here is a sample of the Threat Hunting tab that only shows a few Windows logs.
sample.png

Here is an example of one client's stats that should be displaying all those counted logs on Security Events, as it did before the update.
stats.png

Please help and give me advice for this trouble.
Thank you

Cedrick Foko

Jul 8, 2024, 7:52:28 AM7/8/24
to Wazuh | Mailing List
Hello,

From what I can see in the screenshots you provided, logs are being received from all configured channels, so it's not a configuration issue.

The most likely reason that you are not seeing some alerts on the dashboard is that your logs are triggering level 0 rules.
In this case, you need to analyze the events that were created in the event channel but did not trigger an alert and create new custom rules for those events.

You can also enable archives in your manager configuration to collect all logs in the manager. You will be able to identify the events that trigger the level 0 rules in the archives.json file.
You can share the events here (in JSON format) and I'll help you with the rules.

Looking forward to your comments.

M Sakarino

Jul 11, 2024, 2:44:24 AM7/11/24
to Wazuh | Mailing List
Hello Wazuh team,

Thank you for your response. Below is an example of the logs that are not being displayed on the dashboard:
logs.jpg
And here is what is currently being displayed on the dashboard:
ss.jpg

My goal with Wazuh is to collect all logs from Application, Security, and System logs, as well as Microsoft Defender alerts, regardless of their level.
For rules, I haven't edited any; I still use the default ones.

I'm avoiding activating the Wazuh archives on my manager because it would exceed what I need.

Do you have any advice on what I can do from my end?

Thank you very much for your attention.
Best regards,

Cedrick Foko

Jul 11, 2024, 4:13:10 AM7/11/24
to Wazuh | Mailing List
Hello,

As I explained previously, you cannot see all of those alerts on the dashboard because they are triggering level 0 rules.
For instance, all the informational events (level: INFORMATION) fall under rule 60009, which is a level 0 rule by default.

  <rule id="60009" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.severityValue">^INFORMATION$</field>
    <options>no_full_log</options>
    <description>Windows informational event.</description>
  </rule>

You can overwrite the rule by creating the following custom rule in your environment:

  <rule id="60009" level="3" overwrite="yes">
    <if_sid>60000</if_sid>
    <field name="win.system.severityValue">^INFORMATION$</field>
    <options>no_full_log</options>
    <description>Windows informational event.</description>
  </rule>


This will change the level to 3 and you will be able to see all of those alerts on the dashboard.
You need to do the same for the other event channels. But you need to identify which rule your events fall under, because overwriting the wrong rule will not help.

The System logs for instance fall under the rule 60002:

  <rule id="60002" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^System$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>


You can overwrite it by the following custom rule:

  <rule id="60002" level="3" overwrite="yes">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^System$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>


For Windows Defender logs, they trigger the rule 60005 by default:

  <rule id="60005" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>

You can overwrite it with the following custom rule:

  <rule id="60005" level="3" overwrite="yes">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the system channel.</description>
  </rule>

Please keep in mind that you won't be able to identify the default rules being triggered unless you enable the archives.
Most of the rules you will need to overwrite are in the /var/ossec/ruleset/rules/0575-win-base_rules.xml file on your manager.

I hope this helps.
Please let me know if you have any other question.

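The triage step described in the reply above (enable archives, then find out which level-0 rule each "missing" Windows event landed in) can be scripted. The following is an added example, not code from this thread or from the Wazuh project. It assumes the manager's archives file at /var/ossec/logs/archives/archives.json, written as one JSON document per line with rule.id / rule.level and the eventchannel fields under data.win.system; the embedded sample lines, rule descriptions and agent name are constructed for the demonstration. Events that matched a rule with level 0 never reach alerts.json, so tallying them by rule id tells you which rule in 0575-win-base_rules.xml needs an overwrite.

```python
#!/usr/bin/env python3
"""Tally which level-0 Wazuh rules absorbed Windows eventchannel events.

Added example for the thread above, not part of Wazuh. Reads archives.json
(one JSON document per line) and, for every event that matched a level-0
rule, records the rule id together with the Windows channel and severity.
"""
import json
import sys
from collections import Counter

# Constructed sample of archives.json lines (not a real capture). Field names
# follow the Wazuh eventchannel decoder: rule.id / rule.level and
# data.win.system.{channel,severityValue,eventID}. Descriptions and the agent
# name are made up for the example. The last two lines exercise the edge cases:
# an event with no "rule" object and a non-JSON line.
SAMPLE_ARCHIVE = r"""
{"timestamp":"2024-07-29T08:00:01.000+0000","rule":{"level":0,"id":"60009","description":"Windows informational event.","groups":["windows"]},"agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"Application","eventID":"1000","severityValue":"INFORMATION","providerName":"Application Error"}}},"location":"EventChannel"}
{"timestamp":"2024-07-29T08:00:02.000+0000","rule":{"level":0,"id":"60002","description":"Group of Windows rules for the system channel.","groups":["windows"]},"agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"System","eventID":"7036","severityValue":"INFORMATION","providerName":"Service Control Manager"}}},"location":"EventChannel"}
{"timestamp":"2024-07-29T08:00:03.000+0000","rule":{"level":0,"id":"60005","description":"Group of Windows rules for the Windows Defender channel.","groups":["windows"]},"agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"Microsoft-Windows-Windows Defender/Operational","eventID":"1001","severityValue":"INFORMATION","providerName":"Microsoft-Windows-Windows Defender"}}},"location":"EventChannel"}
{"timestamp":"2024-07-29T08:00:04.000+0000","rule":{"level":3,"id":"60106","description":"Windows Logon Success","groups":["windows","authentication_success"]},"agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"Security","eventID":"4624","severityValue":"AUDIT_SUCCESS","providerName":"Microsoft-Windows-Security-Auditing"}}},"location":"EventChannel"}
{"timestamp":"2024-07-29T08:00:05.000+0000","rule":{"level":0,"id":"60009","description":"Windows informational event.","groups":["windows"]},"agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"Application","eventID":"1001","severityValue":"INFORMATION","providerName":"Windows Error Reporting"}}},"location":"EventChannel"}
{"timestamp":"2024-07-29T08:00:06.000+0000","agent":{"id":"001","name":"WIN-CLIENT01"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"channel":"System","eventID":"6013","severityValue":"INFORMATION"}}},"location":"EventChannel"}
this line is not JSON and must be skipped
"""


def parse_archive(text):
    """Yield one dict per well-formed JSON line; blanks and junk are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue  # a line still being written, or non-JSON noise


def win_system(event):
    """Return the data.win.system object of an eventchannel event, or {}."""
    return event.get("data", {}).get("win", {}).get("system", {})


def silent_rules(text):
    """Count events that matched a level-0 rule, keyed by
    (rule id, channel, severityValue). The manager decoded these but never
    wrote them to alerts.json, which is why the dashboard does not show them."""
    counts = Counter()
    for event in parse_archive(text):
        rule = event.get("rule")
        if not rule or rule.get("level") != 0:
            continue
        system = win_system(event)
        key = (rule.get("id", "?"), system.get("channel", "?"),
               system.get("severityValue", "?"))
        counts[key] += 1
    return counts


def unmatched_events(text):
    """Events with no 'rule' object matched nothing at all. Overwriting a
    level-0 rule cannot surface these; they need a new rule of their own."""
    return [e for e in parse_archive(text) if "rule" not in e]


def rule_ids_to_overwrite(text):
    """Sorted, de-duplicated level-0 rule ids to look up in the ruleset."""
    return sorted({rule_id for (rule_id, _, _) in silent_rules(text)})


def report(text, out=sys.stdout):
    """Print a per-rule breakdown and return the level-0 rule ids found."""
    counts = silent_rules(text)
    out.write(f"{'rule':<8}{'events':>7}  channel / severity\n")
    for (rule_id, channel, severity), n in sorted(counts.items()):
        out.write(f"{rule_id:<8}{n:>7}  {channel} / {severity}\n")
    missing = unmatched_events(text)
    if missing:
        out.write(f"{len(missing)} event(s) matched no rule at all "
                  f"(first eventID: {win_system(missing[0]).get('eventID')})\n")
    return rule_ids_to_overwrite(text)


if __name__ == "__main__":
    # Usage: python3 silent_rules.py /var/ossec/logs/archives/archives.json
    # With no argument the constructed sample above is analysed.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    print("Level-0 rules to review:", ", ".join(report(source)))
```

Archives are enabled on the manager with `<logall_json>yes</logall_json>` in the `<global>` section of /var/ossec/etc/ossec.conf followed by a restart of wazuh-manager; they can be switched off again once the triage is done, so the storage cost is temporary. The overwrite rules themselves go in /var/ossec/etc/rules/local_rules.xml and also need a manager restart. Bear in mind that raising channel-wide rules such as 60002 or 60009 from level 0 to 3 turns every informational event on those channels into an indexed alert, which is close to the volume the archives produce; if only specific event IDs matter, a narrower custom rule with `<if_sid>` on the level-0 parent and a `<field name="win.system.eventID">` match keeps the index smaller.
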
M Sakarino

Jul 29, 2024, 1:36:52 AM7/29/24
to Wazuh | Mailing List
Hello,

Apologies for the delayed response, and thank you for your advice. I've already tried using the custom rule, but the output remains unchanged.

test.PNG

And here is the output in the image below:

Capture.PNG

Here are the logs that appeared when I activated archives (image below): it displayed all the logs I want on my Wazuh server (Application, System, Security, and Defender).

What changes should I make to achieve this output? Also, are there any logs not displayed in Wazuh alerts that lack descriptions and only show a dash (-)?

1.PNG

Thank you, and I look forward to your advice.

Best Regards