IIS logs are not showing in dashboard.


ismailctest C

Jul 24, 2023, 1:08:24 AM
to Wazuh mailing list
Hi,
Please support on this; IIS logs are not showing in the dashboard.

Issue: archive.json logs are coming with decoder.name as windows_eventchannel, but custom rules are not triggering.
Wazuh version: 4.3.8
Agent version: 4.3.8
Decoder name: windows_eventchannel
Rule:
<rule id="100401" level="2">
  <decoded_as>windows_eventchannel</decoded_as>
  <field name="win.system.providerName">^Microsoft-Windows-IIS-Logging$</field>
  <field name="win.system.channel">^Microsoft-IIS-Configuration/Operational$|^Microsoft-IIS-Logging/Logs$</field>
  <description>MS-IIS: Messages grouped.</description>
</rule>

SAMPLE LOG:

{"win":{"system":{"providerName":"Microsoft-Windows-IIS-Logging","providerGuid":"{xxxxxxxx-B271-4EA2-A783-A47xxx291xxx}","eventID":"xxxx","version":"0","level":"4","task":"0","opcode":"0","keywords":"0xx000xxxxx000xxx00","systemTime":"2023-07-14T00:01:03.249226300Z","eventRecordID":"xxxxxxxx","processID":"xxxx","threadID":"xx552","channel":"Microsoft-IIS-Logging/Logs","computer":"xxxx.xxxx.com","severityValue":"INFORMATION","message":"\"date 2023-07-14 time 00:00:59 s-sitename W3SVC9 s-computername xxxxx s-ip x.x.x.x cs-method GET cs-uri-stem / cs-uri-query - s-port 80 cs-username - c-ip x.x.x.x cs-version - cs(User-Agent) - cs(Cookie) - cs(Referer) - cs-host - sc-status 0 sc-substatus 0 sc-win32-status 0 sc-bytes 612 cs-bytes 7 time-taken 0 \""},"eventdata":{"enabledFieldsFlags":"2478079","date":"2023-07-14","time":"00:00:59","c-ip":"x.x.x.x","s-sitename":"W3SVC9","s-computername":"xxx","s-ip":"x.x.x.x","cs-method":"GET","cs-uri-stem":"/","sc-status":"0","sc-win32-status":"0","sc-bytes":"612","cs-bytes":"7","time-taken":"0","s-port":"80","sc-substatus":"0"}}}

Harshal Paliwal

Jul 24, 2023, 2:30:51 AM
to Wazuh mailing list
Hi Team,
Thanks for using Wazuh. Can you please share the full log output from the archive.json so I can test your rule in my local lab and provide you with a solution?

Waiting for your response soon.

Regards,

ismailctest C

Jul 25, 2023, 1:52:34 AM
to Wazuh mailing list
Hi Harshal,
Please find the log from archive.json

{"timestamp":"2023-07-18T15:11:04.154+0000","agent":{"id":"173","name":"xxxxxx76","ip":"1.1.1.1"},"manager":{"name":"xxxxx94"},"id":"1688698064.1378925820","cluster":{"name":"xxx-xxm-cluster","node":"xxxxx94"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-IIS-Logging\",\"providerGuid\":\"{xxxxx27f-bxx1-4xx2-axx3-a47xxe29143b}\",\"eventID\":\"6200\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-07-18T15:11:04.875962800Z\",\"eventRecordID\":\"184256\",\"processID\":\"10724\",\"threadID\":\"13420\",\"channel\":\"Microsoft-IIS-Logging/Logs\",\"computer\":\"xxxx76.xxx.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"date 2023-07-18 time 15:11:03 s-sitename W3SVC1 s-computername xxxx76 s-ip 1.1.1.1 cs-method POST cs-uri-stem /GemSymphonyService/GemSymphonyService.asmx cs-uri-query - s-port 80 cs-username - c-ip 1.1.1.1 cs-version - cs(User-Agent) Apache-CXF/3.2.11-sap-05 cs(Cookie) - cs(Referer) - cs-host - sc-status 200 sc-substatus 0 sc-win32-status 0 sc-bytes 1472 cs-bytes 1947 time-taken 16 
\\\"\"},\"eventdata\":{\"enabledFieldsFlags\":\"2478079\",\"date\":\"2023-07-18\",\"time\":\"15:11:03\",\"c-ip\":\"10.1.1.1\",\"s-sitename\":\"W3SVC1\",\"s-computername\":\"xxxxx76\",\"s-ip\":\"1.1.1.1\",\"cs-method\":\"POST\",\"cs-uri-stem\":\"/GemSymphonyService/GemSymphonyService.asmx\",\"sc-status\":\"200\",\"sc-win32-status\":\"0\",\"sc-bytes\":\"1472\",\"cs-bytes\":\"1947\",\"time-taken\":\"16\",\"s-port\":\"80\",\"csUser-Agent\":\"Apache-CXF/3.2.11-sap-05\",\"sc-substatus\":\"0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-IIS-Logging","providerGuid":"{7e11127f-xx71-4xx2-axx3-a47bxxxx43b}","eventID":"6200","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-07-18T15:11:04.875962800Z","eventRecordID":"184256","processID":"10724","threadID":"13420","channel":"Microsoft-IIS-Logging/Logs","computer":"xxxx76.xxx.com","severityValue":"INFORMATION","message":"\"date 2023-07-18 time 15:11:03 s-sitename W3SVC1 s-computername xxxx76 s-ip 1.x.1.x cs-method POST cs-uri-stem /GemSymphonyService/GemSymphonyService.asmx cs-uri-query - s-port 80 cs-username - c-ip 1.0.1.0 cs-version - cs(User-Agent) Apache-CXF/3.2.11-sap-05 cs(Cookie) - cs(Referer) - cs-host - sc-status 200 sc-substatus 0 sc-win32-status 0 sc-bytes 1472 cs-bytes 1947 time-taken 16 \""},"eventdata":{"enabledFieldsFlags":"2478079","date":"2023-07-18","time":"15:11:03","c-ip":"1.1.1.1","s-sitename":"W3SVC1","s-computername":"xxxx76","s-ip":"1.1.1.1","cs-method":"POST","cs-uri-stem":"/GemSymphonyService/GemSymphonyService.asmx","sc-status":"200","sc-win32-status":"0","sc-bytes":"1472","cs-bytes":"1947","time-taken":"16","s-port":"80","csUser-Agent":"Apache-CXF/3.2.11-sap-05","sc-substatus":"0"}}},"location":"EventChannel"}

ismailctest C

Jul 26, 2023, 1:40:38 AM
to Wazuh mailing list
Hi Team,
Kindly support.

ismailctest C

Jul 31, 2023, 2:56:12 AM
to Wazuh mailing list
Hi Team,
Kindly support on this.

On Saturday, 29 July 2023 at 17:31:33 UTC+5:30 ismailctest C wrote:
Hi,
Please support.

ismailctest C

Aug 1, 2023, 8:00:28 AM
to Wazuh mailing list
Hi Team,
Please find another sample log from archives.json as well, and support to fix the issue.

Issue: archive.json logs are coming with decoder.name as windows_eventchannel, but custom rules are not triggering.
Wazuh version: 4.3.8
Agent version: 4.3.8
Decoder name: windows_eventchannel

{"timestamp":"2023-08-01T11:54:03.769+0000","agent":{"id":"011","name":"XDR-DC1","ip":"172.16.24.10"},"manager":{"name":"xdr-wm1"},"id":"1690890843.8178599","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-IIS-Logging\",\"providerGuid\":\"{7e8ad27f-b271-4ea2-a783-a47bde29143b}\",\"eventID\":\"6200\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-08-01T11:54:00.815068800Z\",\"eventRecordID\":\"81\",\"processID\":\"2800\",\"threadID\":\"2908\",\"channel\":\"Microsoft-IIS-Logging/Logs\",\"computer\":\"XDR-DC1.xdr.lab\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"date 2023-08-01 time 11:53:57 s-sitename W3SVC1 s-computername XDR-DC1 s-ip 172.16.24.10 cs-method GET cs-uri-stem /favicon.ico cs-uri-query - s-port 80 cs-username - c-ip 10.81.294.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/115.0 cs(Cookie) - cs(Referer) http://172.16.24.10/ cs-host - sc-status 404 sc-substatus 0 sc-win32-status 2 sc-bytes 1383 cs-bytes 298 time-taken 434 X-Forwarded-For -\\\"\"},\"eventdata\":{\"enabledFieldsFlags\":\"2149961727\",\"date\":\"2023-08-01\",\"time\":\"11:53:57\",\"c-ip\":\"10.81.294.2\",\"s-sitename\":\"W3SVC1\",\"s-computername\":\"XDR-DC1\",\"s-ip\":\"172.16.24.10\",\"cs-method\":\"GET\",\"cs-uri-stem\":\"/favicon.ico\",\"sc-status\":\"404\",\"sc-win32-status\":\"2\",\"sc-bytes\":\"1383\",\"cs-bytes\":\"298\",\"time-taken\":\"434\",\"s-port\":\"80\",\"csUser-Agent\":\"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/115.0\",\"csReferer\":\"http://172.16.24.10/\",\"sc-substatus\":\"0\",\"customFields\":\"X-Forwarded-For 
-\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-IIS-Logging","providerGuid":"{7e8ad27f-b271-4ea2-a783-a47bde29143b}","eventID":"6200","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-08-01T11:54:00.815068800Z","eventRecordID":"81","processID":"2800","threadID":"2908","channel":"Microsoft-IIS-Logging/Logs","computer":"XDR-DC1.xdr.lab","severityValue":"INFORMATION","message":"\"date 2023-08-01 time 11:53:57 s-sitename W3SVC1 s-computername XDR-DC1 s-ip 172.16.24.10 cs-method GET cs-uri-stem /favicon.ico cs-uri-query - s-port 80 cs-username - c-ip 10.81.294.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/115.0 cs(Cookie) - cs(Referer) http://172.16.24.10/ cs-host - sc-status 404 sc-substatus 0 sc-win32-status 2 sc-bytes 1383 cs-bytes 298 time-taken 434 X-Forwarded-For -\""},"eventdata":{"enabledFieldsFlags":"2149961727","date":"2023-08-01","time":"11:53:57","c-ip":"10.81.294.2","s-sitename":"W3SVC1","s-computername":"XDR-DC1","s-ip":"172.16.24.10","cs-method":"GET","cs-uri-stem":"/favicon.ico","sc-status":"404","sc-win32-status":"2","sc-bytes":"1383","cs-bytes":"298","time-taken":"434","s-port":"80","csUser-Agent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/115.0","csReferer":"http://172.16.24.10/","sc-substatus":"0","customFields":"X-Forwarded-For -"}}},"location":"EventChannel"}
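An added dry-run checker for rule 100401 from this thread, written here and not part of the thread or of Wazuh itself: it runs the rule's decoded_as and <field> conditions against a trimmed, constructed copy of the Aug 1 archives.json record above and reports which condition fails. When everything matches it also flags that a level-2 rule sits below the log_alert_level of 3 shipped in Wazuh's default ossec.conf, so its matches are never written to alerts.json and cannot appear in the dashboard; Python's re stands in for Wazuh's OS_Regex, and every function name is an assumption.

```python
import json
import re

# Constructed sample: a trimmed archives.json record carrying only the fields
# that rule 100401 inspects (values taken from the Aug 1 sample in this thread).
SAMPLE_ARCHIVE_LINE = json.dumps({
    "timestamp": "2023-08-01T11:54:03.769+0000", "location": "EventChannel",
    "decoder": {"name": "windows_eventchannel"},
    "data": {"win": {"system": {"providerName": "Microsoft-Windows-IIS-Logging",
                                "channel": "Microsoft-IIS-Logging/Logs",
                                "eventID": "6200"}}}})

# Rule 100401 from the thread, reduced to the parts the matcher needs.
RULE_100401 = {
    "id": 100401, "level": 2, "decoded_as": "windows_eventchannel",
    "fields": {"win.system.providerName": r"^Microsoft-Windows-IIS-Logging$",
               "win.system.channel": r"^Microsoft-IIS-Configuration/Operational$"
                                     r"|^Microsoft-IIS-Logging/Logs$"}}

DEFAULT_LOG_ALERT_LEVEL = 3  # <log_alert_level> in Wazuh's shipped ossec.conf


def get_path(obj, dotted):
    """Resolve a dotted <field name="..."> path inside the decoded data."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def evaluate_rule(rule, archive_line):
    """Dry-run one rule against one archives.json record (re approximates
    OS_Regex; the anchored alternations here behave the same). -> (matched, notes)"""
    event = json.loads(archive_line)
    notes = []
    decoder = event.get("decoder", {}).get("name")
    if decoder != rule["decoded_as"]:
        notes.append("decoder.name %r != %r" % (decoder, rule["decoded_as"]))
    for name, pattern in rule["fields"].items():
        value = get_path(event.get("data", {}), name)
        if value is None:
            notes.append("field %s missing from data" % name)
        elif not re.search(pattern, value):
            notes.append("field %s=%r fails %r" % (name, value, pattern))
    matched = not notes
    if matched and rule["level"] < DEFAULT_LOG_ALERT_LEVEL:
        notes.append("matched, but level %d < log_alert_level %d: no alerts.json entry, "
                     "so nothing reaches the dashboard" % (rule["level"], DEFAULT_LOG_ALERT_LEVEL))
    return matched, notes
```

Run evaluate_rule(RULE_100401, line) over real archives.json lines to see, per record, whether the failure is a field mismatch or only the alert level threshold.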

Harshal Paliwal

Aug 4, 2023, 6:41:25 AM
to Wazuh mailing list
Hi Team,
Can you please remove this custom rule and restart your Wazuh manager once?
Please share the archive.json after that.

Regards,

chris

Aug 8, 2023, 7:59:51 AM
to Wazuh mailing list
Dear Harshal,

Please find below log as requested.

As advised, we have removed the custom rule and restarted the service.
We received below log after restart.


{"timestamp":"2023-08-08T10:49:24.679+0000","agent":{"id":"011","name":"XDR-DC1","ip":"172.16.24.62"},"manager":{"name":"xdr-wm1"},"id":"1691491764.1414015614","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-IIS-Logging\",\"providerGuid\":\"{7e8ad27f-b271-4ea2-a783-a47bde29143b}\",\"eventID\":\"6200\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2023-08-08T10:49:22.890020600Z\",\"eventRecordID\":\"86\",\"processID\":\"2800\",\"threadID\":\"3952\",\"channel\":\"Microsoft-IIS-Logging/Logs\",\"computer\":\"XDR-DC1.xdr.lab\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"date 2023-08-08 time 10:49:19 s-sitename W3SVC1 s-computername XDR-DC1 s-ip 172.16.24.62 cs-method GET cs-uri-stem /favicon.ico cs-uri-query - s-port 80 cs-username - c-ip 10.81.234.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/115.0.0.0+Safari/537.36 cs(Cookie) - cs(Referer) http://172.16.24.62/ cs-host - sc-status 404 sc-substatus 0 sc-win32-status 2 sc-bytes 1383 cs-bytes 380 time-taken 1451 X-Forwarded-For -\\\"\"},\"eventdata\":{\"enabledFieldsFlags\":\"2149961727\",\"date\":\"2023-08-08\",\"time\":\"10:49:19\",\"c-ip\":\"10.81.234.2\",\"s-sitename\":\"W3SVC1\",\"s-computername\":\"XDR-DC1\",\"s-ip\":\"172.16.24.62\",\"cs-method\":\"GET\",\"cs-uri-stem\":\"/favicon.ico\",\"sc-status\":\"404\",\"sc-win32-status\":\"2\",\"sc-bytes\":\"1383\",\"cs-bytes\":\"380\",\"time-taken\":\"1451\",\"s-port\":\"80\",\"csUser-Agent\":\"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/115.0.0.0+Safari/537.36\",\"csReferer\":\"http://172.16.24.62/\",\"sc-substatus\":\"0\",\"customFields\":\"X-Forwarded-For 
-\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-IIS-Logging","providerGuid":"{7e8ad27f-b271-4ea2-a783-a47bde29143b}","eventID":"6200","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-08-08T10:49:22.890020600Z","eventRecordID":"86","processID":"2800","threadID":"3952","channel":"Microsoft-IIS-Logging/Logs","computer":"XDR-DC1.xdr.lab","severityValue":"INFORMATION","message":"\"date 2023-08-08 time 10:49:19 s-sitename W3SVC1 s-computername XDR-DC1 s-ip 172.16.24.62 cs-method GET cs-uri-stem /favicon.ico cs-uri-query - s-port 80 cs-username - c-ip 10.81.234.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/115.0.0.0+Safari/537.36 cs(Cookie) - cs(Referer) http://172.16.24.62/ cs-host - sc-status 404 sc-substatus 0 sc-win32-status 2 sc-bytes 1383 cs-bytes 380 time-taken 1451 X-Forwarded-For -\""},"eventdata":{"enabledFieldsFlags":"2149961727","date":"2023-08-08","time":"10:49:19","c-ip":"10.81.234.2","s-sitename":"W3SVC1","s-computername":"XDR-DC1","s-ip":"172.16.24.62","cs-method":"GET","cs-uri-stem":"/favicon.ico","sc-status":"404","sc-win32-status":"2","sc-bytes":"1383","cs-bytes":"380","time-taken":"1451","s-port":"80","csUser-Agent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/115.0.0.0+Safari/537.36","csReferer":"http://172.16.24.62/","sc-substatus":"0","customFields":"X-Forwarded-For -"}}},"location":"EventChannel"}

chris

Aug 12, 2023, 4:07:52 AM
to Wazuh mailing list

Hi Harshal,

Please help us to sort this out.