Email Alerts from Windows Servers showing raw strings (i.e. newlines \n)


coreypen...@gmail.com
Feb 8, 2021, 5:01:58 PM
to Wazuh mailing list
Little bit of a sloppy title, but after a recent upgrade from 3.13 I believe, to the latest 4.0 series, our email alerts for certain Windows events are no longer formatted. The "message" value in particular now seems to show the raw string, with \n and \r characters.

Here is an example of a recent alert:
```
Wazuh Notification.
2021 Feb 08 16:42:54

Received From: (db9101sk) any->EventChannel
Rule: 61102 fired (level 5) -> "Windows System error event"
Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-DistributedCOM","providerGuid":"{1B562E86-B7AA-4131-BADC-B6F3A001407E}","eventSourceName":"DCOM","eventID":"10016","version":"0","level":"2","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2021-02-08T21:42:56.956675000Z","eventRecordID":"724235","processID":"860","threadID":"7828","channel":"System","computer":"db9101sk.advb.versabank.com","severityValue":"ERROR","message":"\"The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID \r\n{D63B10C5-BB46-4990-A94F-E40B9D520160}\r\n and APPID \r\n{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}\r\n to the user NT AUTHORITY\\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.\""},"eventdata":{"param1":"application-specific","param2":"Local","param3":"Activation","param4":"{D63B10C5-BB46-4990-A94F-E40B9D520160}","param5":"{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}","param6":"NT AUTHORITY","param7":"SYSTEM","param8":"S-1-5-18","param9":"LocalHost (Using LRPC)","param10":"Unavailable","param11":"Unavailable"}}}
win.system.providerName: Microsoft-Windows-DistributedCOM
win.system.providerGuid: {1B562E86-B7AA-4131-BADC-B6F3A001407E}
win.system.eventSourceName: DCOM
win.system.eventID: 10016
win.system.version: 0
win.system.level: 2
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x8080000000000000
win.system.systemTime: 2021-02-08T21:42:56.956675000Z
win.system.eventRecordID: 724235
win.system.processID: 860
win.system.threadID: 7828
win.system.channel: System
win.system.computer: db9101sk.advb.versabank.com
win.system.severityValue: ERROR
win.system.message: "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
```

coreypen...@gmail.com
Feb 10, 2021, 12:42:28 PM
to Wazuh mailing list
My previous email got cut off, whoops, but yeah, as can be seen in the "message" value, the string is not formatted. Whereas before the update, these email alerts were displaying fine.

I tried looking at the ossec.conf but couldn't find any settings related to this. Any help?

coreypen...@gmail.com
Feb 10, 2021, 2:58:55 PM
to Wazuh mailing list
Also to be clear, this same formatting issue is apparent in /var/ossec/logs/alerts/alerts.log

Chema Martinez
Feb 11, 2021, 2:10:57 AM
to Wazuh mailing list
Hi,

First of all, sorry for the delayed response.

The issue you are reporting is already known from versions prior to 4.0.x. I've opened a ticket in the Wazuh repository to fix it as soon as possible: https://github.com/wazuh/wazuh/issues/7443

There you can read in more detail about the cause of these format characters. In theory, the format behavior should be consistent since 3.11, where the changes were applied. However, you are reporting that:
  1. Before the update, from 3.13 to 4.0, it was working for you. Could you share with me one of the alerts forwarded by email before the upgrade, please?
  2. The alerts.log is affected by the same issue. Could you send me a complete Windows alert from the alerts.log file with the badly formatted message?
Best regards,
Chema.

coreypen...@gmail.com
Feb 12, 2021, 9:15:09 AM
to Wazuh mailing list
Hi there, I looked more closely at some old files, and it seems we actually upgraded from 3.10.2 to 4.0.x, so that is right in line with the bug.

Here is an example of an alert directly from alerts.log with a badly formatted message:
```
** Alert 1613127639.172541416: - windows,windows_security,pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 Feb 12 06:00:39 (sccm365) any->EventChannel
Rule: 60137 (level 3) -> 'Windows User Logoff'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4634","version":"0","level":"0","task":"12545","opcode":"0","keywords":"0x8020000000000000","systemTime":"2021-02-12T11:00:45.037525900Z","eventRecordID":"31734947","processID":"716","threadID":"796","channel":"Security","computer":"sccm365.advb.versabank.com","severityValue":"AUDIT_SUCCESS","message":"\"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1421505669-4027413098-1157295597-4648\r\n\tAccount Name:\t\tsccm365_reporting\r\n\tAccount Domain:\t\tADVB\r\n\tLogon ID:\t\t0x187CF159\r\n\r\nLogon Type:\t\t\t2\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\""},"eventdata":{"targetUserSid":"S-1-5-21-1421505669-4027413098-1157295597-4648","targetUserName":"sccm365_reporting","targetDomainName":"ADVB","targetLogonId":"0x187cf159","logonType":"2"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4634
win.system.version: 0
win.system.level: 0
win.system.task: 12545
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2021-02-12T11:00:45.037525900Z
win.system.eventRecordID: 31734947
win.system.processID: 716
win.system.threadID: 796
win.system.channel: Security
win.system.computer: sccm365.advb.versabank.com
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "An account was logged off.

Subject:
Security ID: S-1-5-21-1421505669-4027413098-1157295597-4648
Account Name: sccm365_reporting
Account Domain: ADVB
Logon ID: 0x187CF159

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
win.eventdata.targetUserSid: S-1-5-21-1421505669-4027413098-1157295597-4648
win.eventdata.targetUserName: sccm365_reporting
win.eventdata.targetDomainName: ADVB
win.eventdata.targetLogonId: 0x187cf159
win.eventdata.logonType: 2
```

Chema Martinez
Feb 12, 2021, 10:33:27 AM
to Wazuh mailing list
Hi there,

If you upgraded from 3.10 to 4.x, it makes sense that you have experienced the issue now. As I said, the raw events contain those characters to apply the format properly when watching the alerts in the WUI.

Regarding the alert you have pasted, notice that the characters appear in the raw event, which is printed at the start of the alert. However, in the list of decoded fields, it is correctly formatted, so it is working as expected.

We will try to address the issue I told you about (https://github.com/wazuh/wazuh/issues/7443) to apply the correct format when forwarding the alerts by email, reports or syslog.

Best regards,
Chema.
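
To make the distinction in the reply above concrete, here is an added Python example (not Wazuh's own code) that parses a constructed alerts.log entry modelled on the logoff alert in this thread: on the raw JSON line the `\r\n` and `\t` sequences are literal backslash text, while decoding the JSON yields the properly formatted message that the decoded-field list shows. The wrapping-quote stripping and tab expansion in `format_message` are assumptions about how one would render the message for an email, not Wazuh behaviour.

```python
import json

# Constructed alerts.log entry modelled on the Windows logoff alert quoted in
# this thread (same field names and values, trimmed). On the raw event line the
# message carries JSON-escaped \r\n and \t sequences plus an escaped pair of
# quotes wrapped around the whole message text.
SAMPLE_ALERT = (
    "** Alert 1613127639.172541416: - windows,windows_security,\n"
    "2021 Feb 12 06:00:39 (sccm365) any->EventChannel\n"
    "Rule: 60137 (level 3) -> 'Windows User Logoff'\n"
    '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing",'
    '"eventID":"4634","channel":"Security","message":"\\"An account was logged off.'
    '\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-1421505669-4027413098-1157295597-4648'
    '\\r\\n\\tAccount Name:\\t\\tsccm365_reporting\\""},'
    '"eventdata":{"targetUserName":"sccm365_reporting","logonType":"2"}}}\n'
    "win.system.providerName: Microsoft-Windows-Security-Auditing\n"
)

def extract_raw_event(alert_text):
    """Return the JSON raw-event line of an alerts.log entry: the line on which
    the escape sequences appear as literal backslash text."""
    for line in alert_text.splitlines():
        if line.startswith("{"):
            return line
    raise ValueError("no JSON raw event found in alert")

def flatten_fields(obj, prefix=""):
    """Flatten nested JSON into the dotted 'win.system.x' keys that Wazuh lists
    under the raw event."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten_fields(value, path))
        else:
            out[path] = value
    return out

def decoded_fields(alert_text):
    """Decoded-field view of an alert; json.loads already turns the escaped
    CR/LF and tab sequences into real control characters."""
    return flatten_fields(json.loads(extract_raw_event(alert_text)))

def format_message(alert_text):
    """win.system.message as a reader should see it (assumed rendering): the
    outer quotes around the message dropped, CRLF normalised, tabs expanded."""
    message = decoded_fields(alert_text)["win.system.message"]
    if len(message) >= 2 and message[0] == '"' and message[-1] == '"':
        message = message[1:-1]
    return message.replace("\r\n", "\n").expandtabs(4)
```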
