Sysmon Monitoring


Wade

Mar 15, 2019, 1:11:57 AM
to Wazuh mailing list
Hey,

I am trying to get Sysmon events to log to ELK using Wazuh.  In the Wazuh Agent configuration I have the simple lines:

  <!-- Added these two for sysmon monitoring -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <only-future-events>yes</only-future-events>
  </localfile>

Unfortunately, I only get ERROR events in the Wazuh log.  I would like to get all INFORMATIONAL events as well.

I do not know what might be wrong.  Is there something wrong, e.g. the decoders cannot understand the sysmon events?


Thanks,
Wade


Wade

Mar 15, 2019, 1:29:10 AM
to Wazuh mailing list
Oh forgot to mention I am running Wazuh 3.8.2 with both server and agents.

cris...@wazuh.com

Mar 18, 2019, 10:13:13 AM
to Wazuh mailing list
Hello Wade,

Wazuh v3.8.2 was released with a bug when adapting the Sysmon rules from the old one to the new eventchannel. This was caused by the rule with ID 20485, which was filtering by providerName when the right key was channel. This was fixed for Wazuh v3.9.0 at this file. Sorry for the inconvenience; I hope it helps. If you have any more questions, do not hesitate to ask again.

Best regards,
Cristina

Wade

Mar 18, 2019, 6:34:16 PM
to Wazuh mailing list
Hey Cristina,

Can I simply copy that file over the one in my Wazuh 3.8.2 server directory and then restart everything?

Thanks,
Wade

Wade

Mar 18, 2019, 10:31:44 PM
to Wazuh mailing list
Hey Cristina,

What I really am trying to ask is... is there a workaround I can use temporarily to get around this issue?

Thanks,
Wade

cris...@wazuh.com

Mar 19, 2019, 4:23:30 AM
to Wazuh mailing list
Hello Wade,

Yes, you can replace the file by that one, but something to keep in mind is that the way of filtering has changed, now to filter by event ID we write "win.system.eventID" instead of "EventChannel.System.EventID". I think for your use case you can just modify the rule 20485 as follows:

<rule id="20485" level="0">
  <if_sid>20001</if_sid>
  <field name="EventChannel.System.Channel">^Microsoft-Windows-Sysmon/Operational</field>
  <description>Sysmon - Group of events</description>
  <options>no_full_log</options>
</rule>

Let me know if this works for you and if you have any questions.

Best regards,
Cristina

Miki Alkalay

Mar 19, 2019, 4:48:42 AM
to Wazuh mailing list
Hi,
In this rule I can't see the parent rule 20001, as written in the rule below:
<if_sid>20001</if_sid>

Please advise.
Miki

cris...@wazuh.com

Mar 19, 2019, 6:12:49 AM
to Wazuh mailing list
Hi Miki,

Rule 20001 is written at 0220-msauth_rules.xml. You don't need to do anything to include it, as this file is processed before the 0330-sysmon_rules.xml file where the child rule 20485 is included.

Kind regards,
Cristina
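
The two points above (the 20485 filter keyed on the channel rather than the provider name, and the parent rule 20001 being loaded from 0220-msauth_rules.xml before 0330-sysmon_rules.xml) can be checked with a small script. The following is an added example, not Wazuh code: it parses constructed rule fragments with the ids from this thread, verifies that every `if_sid` parent is loaded before its child, and runs one constructed Sysmon event through the chain. The `EventChannel.System.ProviderName` key used for the pre-fix variant, rule 100201, and the event dictionary are assumptions made for the example, and Python's `re` stands in for Wazuh's own regex engine.

```python
"""Added example: a checker for two problems raised in this thread. It is an
illustration, not Wazuh code, and does not use Wazuh's regex engine or decoder."""
import re
import xml.etree.ElementTree as ET

# Constructed rule fragments named after the files mentioned in the thread. Only
# the ids discussed there (20001, 20485) are real; rule 100201 is a made-up child
# rule in the local-rule id range, added so that a level-3 alert can be reached.
RULE_FILES = {
    "0330-sysmon_rules.xml": """<group name="sysmon,">
  <rule id="20485" level="0">
    <if_sid>20001</if_sid>
    <field name="EventChannel.System.Channel">^Microsoft-Windows-Sysmon/Operational</field>
    <description>Sysmon - Group of events</description>
    <options>no_full_log</options>
  </rule>
  <rule id="100201" level="3">
    <if_sid>20485</if_sid>
    <field name="EventChannel.System.EventID">^1$</field>
    <description>Sysmon - Process creation (constructed example rule)</description>
  </rule>
</group>""",
    "0220-msauth_rules.xml": """<group name="windows,">
  <rule id="20001" level="0">
    <decoded_as>windows_eventchannel</decoded_as>
    <description>Group of Windows rules.</description>
  </rule>
</group>""",
}

# The pre-fix variant described in the thread: the same rule filtering on the
# provider name instead of the channel. The key name is an assumption.
BUGGY_SYSMON_FILE = RULE_FILES["0330-sysmon_rules.xml"].replace(
    'name="EventChannel.System.Channel"', 'name="EventChannel.System.ProviderName"')

# Constructed decoded Sysmon event, flattened to the 3.8.x-style keys used in
# Cristina's rule. A real decoded event carries many more fields.
SYSMON_EVENT = {
    "EventChannel.System.Channel": "Microsoft-Windows-Sysmon/Operational",
    "EventChannel.System.ProviderName": "Microsoft-Windows-Sysmon",
    "EventChannel.System.EventID": "1",
    "EventChannel.System.Level": "4",  # 4 = Informational
}


def load_rules(files):
    """Parse the fragments in file-name order, which is the order they are loaded."""
    rules = []
    for fname in sorted(files):
        for r in ET.fromstring(files[fname]).iter("rule"):
            rules.append({
                "file": fname,
                "id": r.get("id"),
                "level": int(r.get("level", "0")),
                "if_sid": [s.strip() for e in r.findall("if_sid") for s in e.text.split(",")],
                "fields": [(f.get("name"), f.text) for f in r.findall("field")],
            })
    return rules


def check_parent_order(rules):
    """Report child rules whose if_sid parent has not been loaded before them.
    Assumption: a parent must appear earlier in the load order than its child."""
    seen, problems = set(), []
    for r in rules:
        for parent in r["if_sid"]:
            if parent not in seen:
                problems.append(f"rule {r['id']} in {r['file']}: parent {parent} not loaded yet")
        seen.add(r["id"])
    return problems


def rule_matches(rule, event):
    """Every <field> pattern must match; Python's re stands in for Wazuh's dialect.
    <decoded_as> is not modelled, so a rule without <field> elements always matches."""
    return all(re.search(pat, event.get(name, "")) for name, pat in rule["fields"])


def fired_rules(rules, event):
    """Return the ids that fire, in load order: a child fires only if a parent fired."""
    fired = []
    for r in rules:
        parent_ok = not r["if_sid"] or any(p in fired for p in r["if_sid"])
        if parent_ok and rule_matches(r, event):
            fired.append(r["id"])
    return fired


def alert_level(rules, event):
    """Level of the last rule that fired (the most specific one), 0 if none fired."""
    by_id = {r["id"]: r["level"] for r in rules}
    fired = fired_rules(rules, event)
    return by_id[fired[-1]] if fired else 0


if __name__ == "__main__":
    fixed = load_rules(RULE_FILES)
    buggy = load_rules({**RULE_FILES, "0330-sysmon_rules.xml": BUGGY_SYSMON_FILE})
    print("parent-order problems:", check_parent_order(fixed) or "none")
    print("fixed rules fire:", fired_rules(fixed, SYSMON_EVENT), "level", alert_level(fixed, SYSMON_EVENT))
    print("buggy rules fire:", fired_rules(buggy, SYSMON_EVENT), "level", alert_level(buggy, SYSMON_EVENT))
```

With the channel-keyed rule the event walks the whole chain (20001, 20485, 100201) and reaches level 3, which is the threshold below which Wazuh generates no alert by default; with the provider-name variant the chain stops at 20001, which is consistent with informational Sysmon events never surfacing as alerts. Loading only the 0330 file reproduces Miki's missing-parent concern as a reported problem.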

Miki Alkalay

Mar 19, 2019, 6:41:45 AM
to Wazuh mailing list
OK, thanks.
I just updated the rule with the new 0330 rule and upgraded my agent to 3.8.2 to be able to get events from Sysmon.
I'm not able to get events after replacing the agent (with agent 3.7.2 I'm able to get alerts).

Miki

Chris Berge

Mar 20, 2019, 1:45:14 PM
to Miki Alkalay, Wazuh mailing list
In the ossec.conf you can set windows debug level to 2 on your agent.

With sysmon running check the output and you should see the event channel logs and see what the output is like. 

Then use ossec-logtest with the output to see how it is parsed, what decoder is used, and what rule is matched. 

That should help you narrow the issue to either the agent or the decoder/rules. 


Juan Carlos

Mar 21, 2019, 4:51:34 AM
to Wazuh mailing list
Hello Chris,

Just a few quick clarifications to avoid confusion.
The debug levels are controlled in the internal_options.conf file, or in the local_internal_options.conf
file if you want them to be persistent through updates.

However, this may not be necessary, as this information can be observed using ossec-logtest with the -v modifier:
/var/ossec/bin/ossec-logtest -v


I hope this helps,
Best Regards,
Juan Carlos Tello

On Wednesday, March 20, 2019 at 6:45:14 PM UTC+1, Chris Berge wrote:
In the ossec.conf you can set windows debug level to 2 on your agent.

With sysmon running check the output and you should see the event channel logs and see what the output is like. 

Then use ossec-logtest with the output to see how it is parsed, what decoder is used, and what rule is matched. 

That should help you narrow the issue to either the agent or the decoder/rules. 

cris...@wazuh.com

Mar 22, 2019, 7:13:33 AM
to Wazuh mailing list
Hello Miki,

Can you paste your rule 20485? Also, is the alert level of the rules you need to match 3 or more, so that you can see the alerts generated? Please let me know so that we can try to reproduce your issue.

Regards,
Cristina

cris...@wazuh.com

Apr 11, 2019, 2:45:56 AM
to Wazuh mailing list
Hello Miki,

I was wondering if you were able to solve your problem with Sysmon. If you didn't, remember that we can help you with anything you need.

Kind regards,
Cristina