Wazuh Not Logging Event ID 4688


Fbodieslive

Oct 23, 2023, 9:00:33 PM
to Wazuh | Mailing List
Hello All,

I am trying to get Wazuh to log event ID 4688 from the Windows Security log. The log is active in Windows and I see it generating events, but Wazuh is not recording this data. I have edited the config file to include it. A snippet of my config is below; did I do something wrong? The agent is running as well.

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID = 4688]</query>
  </localfile>

elw...@wazuh.com

Oct 25, 2023, 4:11:56 AM
to Wazuh | Mailing List
Hello,

Using the default configuration, the Wazuh agent should be forwarding event 4688, as it is not being discarded by the localfile query; however, you will need to create a rule to trigger the alert at the Wazuh manager level. A similar example: https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/.

Can you share an example of event 4688 so that I can help you create the custom rule?
Regards,
Wali

SOC Team

Oct 25, 2023, 4:18:20 AM
to Wazuh | Mailing List
Dears,
You can create a custom rule; it started logging after I created this rule:

  <rule id="110047" level="3">
    <if_sid>60103,60104</if_sid>
    <field name="win.system.eventID">^4688$</field>
    <options>no_full_log</options>
    <description>A new process has been created</description>
  </rule>
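The following is an added example, not code from this thread or from Wazuh itself. It models, in deliberately simplified form, how the custom rule above would be applied to decoded Security events: the rule fragment is parsed, the `<field name="win.system.eventID">^4688$</field>` match is evaluated against constructed sample events (including a near-miss ID that the anchored regex must reject), and a fragment missing its closing `</rule>` tag is rejected as malformed before anything else happens. The enclosing `<group name="windows,">`, the sample events and the parent sid `60103` passed in are assumptions for the demonstration; the matching logic is a model, not Wazuh's analysisd implementation.

```python
"""Simplified model of Wazuh rule matching for the event 4688 custom rule.

Added example: not from the mailing-list thread and not Wazuh's own code.
The field matching below is a simplified model of how a <field> regex is
applied to a decoded event; it is not the real analysisd engine.
"""
import re
import xml.etree.ElementTree as ET

# Rule fragment as it would be placed in local_rules.xml. The <group> wrapper
# name is an assumption; id, level, if_sid and field come from the thread.
RULE_XML = """<group name="windows,">
  <rule id="110047" level="3">
    <if_sid>60103,60104</if_sid>
    <field name="win.system.eventID">^4688$</field>
    <options>no_full_log</options>
    <description>A new process has been created</description>
  </rule>
</group>"""

# Constructed sample events in the decoded shape the eventchannel collector
# produces (trimmed to the keys this rule inspects). The "46880" entry is a
# near-miss that the ^4688$ anchors must reject.
SAMPLE_EVENTS = [
    {"win": {"system": {"eventID": "4688", "channel": "Security"}}},
    {"win": {"system": {"eventID": "46880", "channel": "Security"}}},
    {"win": {"system": {"eventID": "4624", "channel": "Security"}}},
]


def parse_rule(xml_text):
    """Parse a rule fragment into a dict.

    Raises ValueError when the fragment is not well-formed XML, which is what
    a missing </rule> produces, or when it contains no <rule> element.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"rule fragment is not well-formed: {exc}") from exc
    rule = root.find(".//rule")
    if rule is None:
        raise ValueError("no <rule> element found")
    fields = [(f.get("name"), re.compile(f.text)) for f in rule.findall("field")]
    parents = [s.strip() for s in (rule.findtext("if_sid") or "").split(",") if s.strip()]
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level")),
        "if_sid": parents,
        "fields": fields,
        "description": (rule.findtext("description") or "").strip(),
    }


def lookup(event, dotted):
    """Resolve a dotted field name such as win.system.eventID in a decoded event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(rule, event, parent_sid):
    """Simplified match: the triggering parent rule must be listed in if_sid,
    and every <field> regex must match the event's value for that field."""
    if rule["if_sid"] and parent_sid not in rule["if_sid"]:
        return False
    for name, regex in rule["fields"]:
        value = lookup(event, name)
        if value is None or not regex.search(str(value)):
            return False
    return True


def alerts_for(events, xml_text=RULE_XML, parent_sid="60103"):
    """Return the event IDs from `events` that would raise the custom alert."""
    rule = parse_rule(xml_text)
    return [lookup(e, "win.system.eventID") for e in events if rule_matches(rule, e, parent_sid)]


if __name__ == "__main__":
    print("alerting event IDs:", alerts_for(SAMPLE_EVENTS))  # ['4688']
    try:
        parse_rule(RULE_XML.replace("</rule>", ""))
    except ValueError as err:
        print("rejected malformed fragment:", err)
</test>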
