Unable to get windows audit log
83 views
Skip to first unread message
Aman
Sep 5, 2023, 6:52:04 AM9/5/23
to Wazuh | Mailing List
Hi Team,
We are unable to get the events as well as email alerts for windows audit logs.
for example alert like schedule task is created (event ID 4698).
Regards,
Aman
Ifeanyi Onyia Odike
Sep 5, 2023, 8:17:19 AM9/5/23
to Wazuh | Mailing List
Hi Aman,
I'm not sure what the challenge is. Can you include more details as to what the challenge is so we can provide assistance?
Thank you for using Wazuh!
I'm not sure what the challenge is. Can you include more details as to what the challenge is so we can provide assistance?
Regards,
Aman
Sep 6, 2023, 6:30:06 AM9/6/23
to Wazuh | Mailing List
Hi Ifeanyi,
I tried to add the below rule inside local_rules.xml but I am unable to get any event related to this in the wazuh dashboard.
<group name="windows,">
<rule id="100052" level="5">
<if_sid>60112</if_sid>
<field name="win.system.providerName">Microsoft-Windows-Security-Auditing</field>
<field name="win.system.eventID">4698</field>
<description>A scheduled task was created</description>
</rule>
</group>
<rule id="100052" level="5">
<if_sid>60112</if_sid>
<field name="win.system.providerName">Microsoft-Windows-Security-Auditing</field>
<field name="win.system.eventID">4698</field>
<description>A scheduled task was created</description>
</rule>
</group>
Regards
Ifeanyi Onyia Odike
Sep 6, 2023, 10:20:44 AM9/6/23
to Wazuh | Mailing List
Hi Aman,
Please send the event log you would like to get an alert for.
Please send the event log you would like to get an alert for.
Aman
Sep 7, 2023, 2:43:40 AM9/7/23
to Wazuh | Mailing List
Hi Ifeanyi,
I am unable to get the event as well.
Regards,
Ifeanyi Onyia Odike
Sep 13, 2023, 7:39:23 AM9/13/23
to Wazuh | Mailing List
Reply all
Reply to author
Forward
0 new messages