Doubts Ruleset: Security and System


jonatha...@a2secure.com

Jan 22, 2021, 4:13:32 AM1/22/21
to Wazuh mailing list
Hi guys,

Recently I configured a new integration for my Windows servers: I activated a new ruleset, Security and System, and created a new group for this, where I added:

<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>

Right now my problem is that some events are not decoded well.
Wazuh only decodes some of the fields, but not all of them.

full_log:
2021 Jan 22 09:01:35 WinEvtLog: Security: AUDIT_SUCCESS(4735): Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXXXXXXX: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: XXXXXXX$ Account Domain: XXXXXX Logon ID: 0x3e7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -

For example, these fields are not decoded:
Group Name: Backup Operators
or 
Group Domain: Builtin

I'm working with the following versions:
elasticsearch: 7.8
wazuh: 3.9.2

How can I decode these fields? Do I need to create a custom rule? Would upgrading to the latest versions perhaps fix my problem? Or how else can I do it?

Kind regards.

Jesus Linares

Jan 25, 2021, 2:24:14 PM1/25/21
to Wazuh mailing list
Hi,

Try using a different log_format: eventchannel. I recommend this configuration:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

Events should be decoded as JSON.

Check out this blog post for more information: https://wazuh.com/blog/how-to-collect-windows-events-with-wazuh/.

I hope it helps.
Regards.

jonatha...@a2secure.com

Jan 26, 2021, 6:08:59 AM1/26/21
to Wazuh mailing list
Hi Jesus,

Many thanks for your comments.

When I use your config, I don't get any data about Security or System.
It is not working, and I don't know why it is not working.

I checked this config: https://documentation.wazuh.com/3.9/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

Another topic: why don't you want to ingest these EventIDs?
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>

Kind regards. 

Jesus Linares

Jan 27, 2021, 1:40:21 PM1/27/21
to Wazuh mailing list
Hi,

> I don't have any data, about Security or System.
I understand you mean that you don't see any alert in the Wazuh WUI regarding the Security or System sources, right? That could be for several reasons.

The log flow is:
  1. The agent collects events.
  2. The manager receives the events.
  3. The rule engine decodes each event and checks whether it matches a rule.
  4. If a rule matches and its level is 3 or higher, an alert is generated, so you will see it in the alerts.json file and in the Wazuh WUI.

You need to review each step:
  1. Review the ossec.log of your agent and check whether there is an error.
  2. Force an event in your agent. Enable log_all in your manager: with it, any event received by the manager is logged to /var/ossec/logs/archives/archives.json.
  3. / 4. If you see the event in the archives.json file but not in the /var/ossec/logs/alerts/alerts.json file, it means that no rule is matching that event. So you will need to create your own rules.

> Other topic, because you don't want ingest these EventID?
It is the default configuration. Some event IDs could be potentially dangerous. For example, if you collect an event for "every new TCP connection", Wazuh is going to read that event and send it to the manager. That is itself a new connection, so a new event will be generated.

Let me know if you need more help.
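Steps 3/4 above end with "create your own rules". As an added example (not part of the thread, and not part of the stock Wazuh ruleset), the following local_rules.xml fragment alerts on the poster's event 4735 once it arrives as eventchannel JSON. It assumes the stock parent rule 60103 ("Windows audit success event") and the win.system / win.eventdata field names produced by the eventchannel decoder; the JSON shape shown in the comment is constructed from the full_log in the first message.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the manager.
     Constructed (abridged) shape of the same 4735 event after eventchannel
     decoding; compare it with the flat eventlog full_log in the first post:
     {"win":{"system":{"channel":"Security","eventID":"4735",
                       "severityValue":"AUDIT_SUCCESS",
                       "providerName":"Microsoft-Windows-Security-Auditing"},
             "eventdata":{"subjectUserSid":"S-1-5-18",
                          "targetUserName":"Backup Operators",
                          "targetDomainName":"Builtin",
                          "targetSid":"S-1-5-32-551"}}}
     Each value is addressable as win.<section>.<name>, which is exactly what
     the eventlog format could not provide (Group Name, Group Domain, ...). -->
<group name="windows,local_group_change,">

  <!-- Any 4735 (a security-enabled local group was changed). Level 3 is the
       minimum that reaches alerts.json (step 4 above) while staying low-noise.
       Parent 60103 is assumed to be the stock "Windows audit success event". -->
  <rule id="100100" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4735$</field>
    <description>Windows: local group $(win.eventdata.targetUserName) ($(win.eventdata.targetDomainName)) changed by $(win.eventdata.subjectUserName)</description>
    <group>account_changed,</group>
  </rule>

  <!-- Escalate when the changed group is one of the privileged built-in groups.
       The alternatives use Wazuh's own regex syntax (anchored, '|' separated). -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.targetDomainName">^Builtin$</field>
    <field name="win.eventdata.targetUserName">^Administrators$|^Backup Operators$|^Remote Desktop Users$</field>
    <description>Windows: privileged built-in group $(win.eventdata.targetUserName) was changed</description>
    <group>account_changed,</group>
  </rule>

</group>
```

After restarting the manager, feeding the archives.json copy of the event to /var/ossec/bin/ossec-logtest shows which of the two rules fires, which is the quickest way to confirm steps 3 and 4 from the list above.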