Check S.M.A.R.T. info for disk health with Wazuh


Stefan Penchev

Sep 25, 2025, 3:10:38 AM
to Wazuh | Mailing List
Hello everyone,
I am trying to trigger an alert based on S.M.A.R.T. info for disk health on a Windows endpoint.
For the HealthStatus there are 4 possible states:
Healthy
Warning
Unhealthy
Unknown

I will make 4 rules, depending on this status, with different severity level.

I have modified, with Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell:
Turn on module logging - show modules - *
Turn on PowerShell script block logging
Turn on PowerShell transcription logging

All three are enabled, giving detailed logs in Event Viewer under Microsoft-Windows-PowerShell/Operational.

In the agent's ossec.conf I have:
<localfile>
  <log_format>command</log_format>
  <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "$d = Get-PhysicalDisk | Select-Object FriendlyName, HealthStatus; foreach($x in $d){ $x | ConvertTo-Json -Compress }"</command>
  <alias>disk_health</alias>
  <frequency>60</frequency>  <!-- every 1 minute for the test -->
</localfile>


I see this command and its output in Windows Event Viewer after execution.

On the Wazuh server side, in agents.conf, I have:

<localfile>
    <location>Microsoft-Windows-PowerShell/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>


Then in the custom rules file, local_rules.xml, I put just 1 rule, for status Healthy, for test purposes.
Later I will make the other 3 accordingly (Unhealthy (Critical, Level 12+); Warning (High, Level 8) → alert, but not as critical; Unknown (Medium, Level 6) → needs investigation; Healthy (Info, Level 3)).

So my rule for Healthy status is:

<rule id="100111" level="3">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Microsoft-Windows-PowerShell/Operational$</field>
    <match>"HealthStatus":"Healthy"</match>
    <description>SMART: Disk is healthy (${FriendlyName})</description>
</rule>

I see in Windows Event Viewer the command executed each minute, and I see in the data field the name of the disk and "HealthStatus":"Healthy".

But the rule does not trigger an alarm.
Only the "Suspicious Windows cmd shell execution" rule, ID 92032, is triggered.
This proves the command is executed, as I can see in the Event Viewer.

Please advise.

leon....@wazuh.com

Sep 25, 2025, 7:47:10 AM
to Wazuh | Mailing List
Hello Stefan,

I have followed your steps and was not able to achieve the end results. However, I can provide a workaround that might be helpful in your case, as I think a <wodle> is more suitable than a <localfile> for commands.

Let me guide you through the steps I have followed:
1. Enable remote commands on the Wazuh manager

nano /var/ossec/etc/local_internal_options.conf
# Add the following:
wazuh_command.remote_commands=1
systemctl restart wazuh-manager

2. Add the following wodle into the agent group, in my case 'Windows' (you can also add the configuration in the agent itself):
  <agent_config>
    <wodle name="command">
      <disabled>no</disabled>
      <tag>disk_health2</tag>
      <command>Powershell -c "$d = Get-PhysicalDisk | Select-Object FriendlyName, HealthStatus; foreach($x in $d){ $x | ConvertTo-Json -Compress }"</command>
      <interval>1m</interval>
      <ignore_output>no</ignore_output>
      <run_on_start>yes</run_on_start>
      <timeout>0</timeout>
    </wodle>
  </agent_config>

3. Add the following custom rule into local_rules.xml:
<group name="WinCounter,">
    <rule id="100111" level="3">
      <decoded_as>json</decoded_as>
      <match>^{"FriendlyName":</match>
      <field name="FriendlyName">VBOX HARDDISK</field> <!-- Note that this is my device name, please change it or just replace it with \.+ -->
      <description>Windows Counter: Disk Space $(HealthStatus)</description>
      <group>CPUUsage,</group>
    </rule>
</group>


You should be able to see alerts on the dashboard:
[Attachment: Screenshot from 2025-09-25 12-27-04.png]

Note that you can create custom rules and use the 'HealthStatus' field for filtering. For instance, the following custom rule:
    <rule id="303004" level="7">
      <if_sid>303003</if_sid>
      <match>^{"FriendlyName":</match>
      <field name="HealthStatus">Unhealthy</field>
      <description>Windows Counter: Disk Space $(HealthStatus)</description>
      <group>CPUUsage,</group>
    </rule>

Let me know if this worked for you or if you have any other issues or questions.
Regards,

Stefan Penchev

Sep 25, 2025, 2:04:56 PM
to Wazuh | Mailing List
Thank you for your help!
Following your instructions, the problem is solved.
Here is my rule depending on health status:

<rule id="100111" level="3">
    <decoded_as>json</decoded_as>
    <field name="HealthStatus">Healthy</field>
    <description>SMART: Disk $(FriendlyName) status is: OK/ $(HealthStatus)</description>
</rule>

I made the rules for the other health statuses correspondingly, using Unhealthy (Critical, Level 12+); Warning (Potential Failure, Level 8); Unknown (Attention needed, Level 6).
Thank you once again.
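As an added example (not code from either post, and not Wazuh's own ruleset), here is one way to lay out the complete four-severity rule set Stefan describes, on top of the one-JSON-line-per-disk output of the `command` wodle Leon showed: a level-0 parent rule that requires both JSON fields to be present, and four child rules that select on an anchored HealthStatus value. The rule ids 100200-100204, the group names and the severity levels (12/8/6/3, following the thread) are my own choices for local_rules.xml. The anchors matter: Wazuh's default field regex is an unanchored, case-insensitive match, so a bare `Healthy` would also match inside `Unhealthy`, and `\.+` is Wazuh's "one or more of any character".

```xml
<group name="smart,disk_health,">

  <!-- Parent: a JSON line from the disk_health wodle, e.g. (constructed sample)
       {"FriendlyName":"VBOX HARDDISK","HealthStatus":"Healthy"}
       Level 0 means it is matched but never alerted on by itself. -->
  <rule id="100200" level="0">
    <decoded_as>json</decoded_as>
    <field name="FriendlyName">\.+</field>
    <field name="HealthStatus">\.+</field>
    <description>SMART: disk health report received for $(FriendlyName)</description>
  </rule>

  <!-- Children: one per HealthStatus value, anchored so "Healthy"
       cannot match the tail of "Unhealthy". -->
  <rule id="100201" level="12">
    <if_sid>100200</if_sid>
    <field name="HealthStatus">^Unhealthy$</field>
    <description>SMART: disk $(FriendlyName) is Unhealthy (critical, replace/backup)</description>
    <group>disk_unhealthy,</group>
  </rule>

  <rule id="100202" level="8">
    <if_sid>100200</if_sid>
    <field name="HealthStatus">^Warning$</field>
    <description>SMART: disk $(FriendlyName) reports Warning (potential failure)</description>
    <group>disk_warning,</group>
  </rule>

  <rule id="100203" level="6">
    <if_sid>100200</if_sid>
    <field name="HealthStatus">^Unknown$</field>
    <description>SMART: disk $(FriendlyName) health is Unknown (attention needed)</description>
    <group>disk_unknown,</group>
  </rule>

  <rule id="100204" level="3">
    <if_sid>100200</if_sid>
    <field name="HealthStatus">^Healthy$</field>
    <description>SMART: disk $(FriendlyName) is Healthy</description>
    <group>disk_healthy,</group>
  </rule>

</group>
```

This assumes the agent already runs the `<wodle name="command">` from Leon's post (which needs `wazuh_command.remote_commands=1` on the manager when the wodle is pushed through agent.conf). Because the wodle emits one line per disk, each disk gets its own alert, and `$(FriendlyName)` in the description identifies which one. Rule 100204 fires every interval for a healthy disk, so raise its level to 0 once the setup is verified if the Healthy events only add noise.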
