Exclude windows Login and logoff events


Sait Batıkan Dülger

Feb 28, 2022, 3:00:38 AM
to Wazuh mailing list
Hi Team,

My agents are flooding because of login and logoff events in Windows.
We have 2 domain controllers, so every authentication generates events.
How can I exclude these logs in the agent's config file, so that they are not monitored?


[attachment: Events2.png]

Awwal Ishiaku

Feb 28, 2022, 4:08:44 AM
to Wazuh mailing list
Hello,

It is a good practice to keep track of logon and logoff events because they can serve as indicators when there is an attack.
Having so many logons and logoffs in one second as seen in your log might also indicate a problem, or may be part of the normal activity of an application on your endpoints. Still worth investigating.

However, to stop logging these events you should do the following:
  • Open the rule file /var/ossec/ruleset/rules/0580-win-security_rules.xml and set the severity levels of rule IDs 60106 and 60137 to 0
  • Restart the Wazuh manager to apply the changes
An example is below:

  <rule id="60137" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
    <options>no_full_log</options>
    <description>Windows User Logoff.</description>
    <group>gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Sait Batıkan Dülger

Feb 28, 2022, 4:12:57 AM
to Wazuh mailing list
Hi, thanks for your reaction. The problem is our ADs are creating 2 million login and logoff events every 48 hours, and I get events like the agent is flooding.

What's the best practice?

On Monday, February 28, 2022 at 10:08:44 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Feb 28, 2022, 4:45:33 AM
to Wazuh mailing list
This depends on your domain setup and can depend on a number of factors. 
You need to identify the user(s) and the endpoint(s) that the majority of these logon and logoff events are coming from. Investigate them to know if it's normal/expected behaviour or abnormal.
Fix the issue if it's abnormal.

If you deem such events to be normal but you still don't want to see all the logon and logoff events on the dashboard, you can do the following:
  • Filter the Kibana dashboard not to show rule IDs 60106 and 60137.
[attachment: 1.png]

This way, the events will not hinder you from seeing other relevant data and the Wazuh manager processes and correlates them in case of a breach.

Sait Batıkan Dülger

Feb 28, 2022, 4:54:19 AM
to Wazuh mailing list
Alright, thanks!

The agent flooding, is that expected?

[attachment: flooding.png]

Is it possible to exclude event logs for service accounts, like excluding srv-........ in the agents?
On Monday, February 28, 2022 at 10:45:33 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Feb 28, 2022, 5:25:33 AM
to Wazuh mailing list
You can manage the logs that are being sent to Wazuh from the AD itself. Check the Event Log Subscriptions and configure it to send only relevant logs.

Agent flooding is not normal. It could be a result of your logon and logoff events.
Refer to this for steps on how to increase the queue size. I'd suggest that you find the root cause of the event flood and try to fix it before you increase the queue size if necessary.

Sait Batıkan Dülger

Feb 28, 2022, 5:32:40 AM
to Wazuh mailing list
Hi, thanks,

I see the following:
  • If these events are not important for you, we can set up the agent configuration to prevent it from collecting them.
I checked the events and it's as expected. How can I exclude these events in the ossec.conf, so that the agent does not monitor the events?
And can I push this with centralized agent management (agent.conf)?

On Monday, February 28, 2022 at 11:25:33 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Feb 28, 2022, 6:00:35 AM
to Wazuh mailing list
How are the windows logs being sent to Wazuh?
From the DC or from the agent installed on all the endpoints?

Sait Batıkan Dülger

Feb 28, 2022, 6:13:36 AM
to Awwal Ishiaku, Wazuh mailing list
We installed an agent.

Kind regards,
Batikan Dülger


Awwal Ishiaku

Feb 28, 2022, 6:44:49 AM
to Wazuh mailing list
You can change this by adding or modifying the following section in the agent configuration file:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

Include the event ID whose log you don't want to forward to the Wazuh manager.

You can remotely configure this on all agents from the manager by performing this modification on the shared agent configuration file at /var/ossec/etc/shared/default/agent.conf
The setting will be shared with all agents in the default group.
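The thread's own case written out as a shared agent.conf fragment (added example, not from the reply above or from the Wazuh project): it drops logon-success (4624) and logoff (4634, 4647, the IDs rule 60137 matches) events at the agent, before they are read from the channel. The os="Windows" attribute restricts the block to Windows agents in the default group.

```xml
<!-- /var/ossec/etc/shared/default/agent.conf on the manager (added example).
     os="Windows" limits this block to Windows agents in the default group. -->
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Keep everything from the Security channel except successful logon
         (4624) and logoff (4634, 4647) events. Because the agent never
         reads these, they do not fill its sending buffer and the manager
         never receives them; rules 60106/60137 simply stop firing.
         Unlike a level-0 rule, this also means the events are not
         archived or correlated on the manager. -->
    <query>Event/System[EventID != 4624 and EventID != 4634 and EventID != 4647]</query>
  </localfile>
</agent_config>
```

After the agent picks up the new agent.conf, check its ossec.log: if logcollector reports the Security location as duplicated, the agent's own ossec.conf still declares that channel and the query has to be edited there instead.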

Sait Batıkan Dülger

Feb 28, 2022, 7:01:06 AM
to Wazuh mailing list
Thank you very much!!

I also have another question.

I enabled vulnerability scanning. I get all events out of this. What I see is that Wazuh looks at the patch that comes with it and sees if it is installed. Only, on Windows, for example, the patch can be combined with other patches, so the KB no longer matches, while the vulnerability has already been mitigated. How exactly does this work and can it be fixed?
[attachments: Vuln 1.png, vuln 2.png]
On Monday, February 28, 2022 at 12:44:49 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Feb 28, 2022, 8:50:29 AM
to Wazuh mailing list
The vulnerability detector relies on the feed it gets from the provider.
Unfortunately, non-conventional mitigations might not be identified by this detector. And this is the case for many vulnerability scanners.

I suggest you open another thread if you have more questions on this new topic.
Thanks.

Sait Batıkan Dülger

Feb 28, 2022, 8:56:33 AM
to Wazuh mailing list
Alright Thank you very much!

Is it possible to exclude login and logoff for one account? It's a service account and it generates a lot of events. And how can I exclude PAM login sessions:

[attachment: PAM.png]
On Monday, February 28, 2022 at 14:50:29 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Mar 1, 2022, 2:04:47 AM
to Wazuh mailing list
Is this for a Unix-based agent?

Sait Batıkan Dülger

Mar 1, 2022, 2:05:23 AM
to Wazuh mailing list
That's right!

On Tuesday, March 1, 2022 at 08:04:47 UTC+1, awwal....@wazuh.com wrote:

Awwal Ishiaku

Mar 1, 2022, 3:29:35 AM
to Wazuh mailing list
Like I mentioned earlier, you can exclude the alerts by setting the level of the alert to 0 in the rule file.
This should be located at ruleset/rules/0085-pam_rules.xml

mailtosa...@gmail.com

Jun 26, 2023, 12:12:39 AM
to Wazuh mailing list
Hi Team,

In this scenario, is it possible to log only user account events and not computer accounts in Windows AD log in/off?

  <rule id="60137" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^538$|^551$|^4634$|^4647$</field>
    <!-- NEGATE ACCOUNT NAMES ENDING WITH $ -->
    <options>no_full_log</options>
    <description>Windows User Logoff.</description>
    <group>gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


Sanjay 

Awwal Ishiaku

Jun 26, 2023, 7:42:15 AM
to Wazuh mailing list
Hi Sanjay,

Yes, you can suppress alerts from Windows AD log off.
You can add a new rule to the local rule file /var/ossec/etc/rules/local_rules.xml.

<rule id="100002" level="0">
  <if_sid>60137</if_sid>
  <field name="win.eventData.targetUserName">\$$</field>
  <description>Suppress Windows User Logoff for computer accounts.</description>
</rule>

This rule suppresses all user logoff events from any username that ends with a $.
Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager

Regards
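The same suppression technique applied to the earlier question about a single service account, covering both the logon and the logoff rule (added example, not from the reply above or from the Wazuh project; the account name srv-backup and rule id 100003 are placeholders):

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example). srv-backup is a
     placeholder; replace it with the real service account name. Rule ids
     100000-120000 are reserved for custom rules. -->
<group name="local,windows,">
  <!-- Child of both the logon (60106) and logoff (60137) rules. The regex is
       anchored with ^ and $, so only an exact match on srv-backup is
       suppressed; srv-backup2 or a computer account still alerts.
       Level 0 means no alert is written, but the event is still received
       by the manager and can still feed other rules. -->
  <rule id="100003" level="0">
    <if_sid>60106,60137</if_sid>
    <field name="win.eventData.targetUserName">^srv-backup$</field>
    <description>Suppress Windows logon/logoff alerts for service account srv-backup.</description>
  </rule>
</group>
```

Before restarting the manager, feed a captured 4624 and 4634 event for that account through /var/ossec/bin/wazuh-logtest and confirm that rule 100003 is the one that matches.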