Windows folder monitoring


Monah Baki

Sep 22, 2022, 1:58:09 PM
to Wazuh mailing list
Hi all,

We have an "Accounting" folder that I want to monitor for deletion. Server is running 2016.
I can see in the security event logs event IDs 4656/4663, and I removed the negation in my ossec.conf

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4658 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>


If I cat the manager's ossec.log and grep for the text file I created/modified and deleted, no alerts show up.


Thanks
Monah

Anthony Faruna

Sep 22, 2022, 2:45:16 PM
to Wazuh mailing list
Hello Monah,

Thank you for using Wazuh.

If I understand you clearly, you want to monitor the Accounting folder for possible deletion of files.

To achieve this task, you can leverage the File Integrity Monitoring component of Wazuh.

Please edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and add the folder to be monitored.

This should be within the <syscheck> block. The configuration should look like this:

<directories whodata="yes">C:\Users\administrator\Downloads</directories>

Restart the agent after applying the configuration.

There is a default rule on the Wazuh server that sends alerts when a file is deleted; however, you could also configure a custom rule to alert you whenever a file is deleted in the Accounting folder.

Add the following rule to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rule detects file deletion events in the monitored directory and fires an alert when files are deleted in the monitored folder.

<group name="syscheck,">
    <rule id="100050" level="7">
       <if_sid>553</if_sid>
       <field name="file">C:\\Users\\administrator\\Downloads</field>
       <description>File deleted in C:\Users\administrator\Downloads directory.</description>
    </rule>
</group>

Restart the Wazuh server after adding the rule.

Note: please replace C:\Users\administrator\Downloads on both the Wazuh agent and server with the path of the Accounting directory.

Please let me know if you need further assistance.

Best Regards
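An added illustration, not from this thread or from Wazuh itself: a short Python filter over constructed alerts.json lines that shows which syscheck events the custom rule above would surface for E:\Accounting (the path Monah gives later in the thread), and the user name the whodata audit block adds to a deletion alert. Field names follow Wazuh's syscheck alert layout; the agent name, paths and user are assumed.

```python
import json

# Constructed sample lines in the shape of Wazuh's alerts.json syscheck output
# (field names as Wazuh emits them; agent name, paths and user are made up).
SAMPLE_ALERTS = [
    '{"rule":{"id":"553","level":7},"agent":{"name":"fileserver01"},'
    '"syscheck":{"path":"E:\\\\Accounting\\\\2022\\\\ledger.xlsx","event":"deleted",'
    '"audit":{"user":{"name":"jdoe"},"process":{"name":"C:\\\\Windows\\\\explorer.exe"}}}}',
    '{"rule":{"id":"550","level":7},"agent":{"name":"fileserver01"},'
    '"syscheck":{"path":"E:\\\\Accounting\\\\2022\\\\budget.xlsx","event":"modified"}}',
    '{"rule":{"id":"553","level":7},"agent":{"name":"fileserver01"},'
    '"syscheck":{"path":"E:\\\\AccountingArchive\\\\old.csv","event":"deleted"}}',
    '{"rule":{"id":"553","level":7},"agent":{"name":"fileserver01"},'
    '"syscheck":{"path":"e:\\\\accounting\\\\notes.txt","event":"deleted"}}',
    'not json at all',
]

MONITORED_DIR = "E:\\Accounting"  # the <directories whodata="yes"> path from the thread


def under_monitored_dir(path, monitored_dir=MONITORED_DIR):
    """True when path is the monitored directory or lies beneath it.
    Windows paths compare case-insensitively; the trailing separator check
    keeps E:\\AccountingArchive out, whereas the rule's <field name="file">
    is an unanchored pattern match and would also match that sibling directory."""
    root = monitored_dir.rstrip("\\").lower()
    p = path.lower()
    return p == root or p.startswith(root + "\\")


def deleted_in_monitored_dir(lines, monitored_dir=MONITORED_DIR):
    """Return (path, user) for each syscheck 'deleted' alert under monitored_dir.
    user is None when the audit block is absent, i.e. whodata was not enabled."""
    hits = []
    for line in lines:
        try:
            alert = json.loads(line)
        except ValueError:
            continue  # skip anything that is not an alert line
        sc = alert.get("syscheck", {})
        if sc.get("event") != "deleted":  # rule 553 fires only on deletions
            continue
        path = sc.get("path", "")
        if under_monitored_dir(path, monitored_dir):
            user = sc.get("audit", {}).get("user", {}).get("name")
            hits.append((path, user))
    return hits
```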

Monah Baki

Sep 22, 2022, 8:50:18 PM
to Wazuh mailing list
Hello Anthony,

local_rules.xml

<group name="syscheck,">
   <rule id="100050" level="7">
     <if_sid>553</if_sid>
     <field name="file">E:\\Accounting</field>
     <description>File deleted in E:\Accounting directory.</description>
   </rule>
</group>



ossec.conf (agent)
<directories whodata="yes">E:\Accounting</directories>


Restarted both manager and agent, created, modified and deleted a file under E:\Accounting, got no alerts.
Is it in real time, or do I have to wait 43200 seconds?


Thanks
Monah

Monah Baki

Sep 23, 2022, 9:33:41 AM
to Wazuh mailing list
Hi Anthony,

It's working. I think I had to wait a bit because there are a lot of folders and subfolders within the Accounting folder.


Thanks for all your help.
Monah

Anthony Faruna

Sep 23, 2022, 10:24:58 AM
to Monah Baki, Wazuh mailing list
Hello Monah,

This is great to know.

Let me know if you have additional questions.

Best Regards
