Filtering Windows events in the logcollector of a Wazuh agent.


Karl Napf

Jan 16, 2025, 4:23:33 AM
to Wazuh | Mailing List
Hello,

I have a few questions regarding filtering Windows events in the logcollector of a Wazuh agent.
According to the official Wazuh documentation (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query) you can use queries in XPATH format and there is an example where a query with logical operators is used.
In the Wazuh GitHub repository (https://github.com/wazuh/wazuh-agent/blob/master/src/modules/logcollector/README.md) you will find the following note for the log collector under Windows: “query: Query string to filter logs. XPATH and QueryLists supported.”
There does not seem to be any more information from the official side.

Question 1:
Which subset of the XPATH syntax is used/supported by Wazuh?


Question 2:
The example in the documentation uses a query that appears to use a “whitelisting” mechanism, i.e. the events that should NOT be filtered out are included in the query. Given the number of existing Windows events, this would (in most cases) result in very large queries. Is this really what you want?


Question 3:
When using common XPATH validators, there are differences when evaluating file/process paths.

The following query works in the common XPATH validators. The character "\" does not need to be escaped.
<query>
Event[EventData/Data[@Name='CallerProcessName'] != "C:\Windows\System32\net1.exe"]
</query>

The previous example does not work in our Wazuh productive systems but must be adapted as follows.
<query>
Event[EventData/Data[@Name='CallerProcessName'] != "C:\\Windows\\System32\\net1.exe"]
</query>

Is this desired behavior or could it be the (or one of the) causes of the following problem (question 4)?


Question 4:
<query>
Event[
System/EventID != 5145 and
System/EventID != 5156 and
System/EventID != 5447 and
System/EventID != 4656 and
System/EventID != 4658 and
System/EventID != 4663 and
System/EventID != 4660 and
System/EventID != 4670 and
System/EventID != 4690 and
System/EventID != 4703 and
System/EventID != 4907 and
System/EventID != 5152 and
System/EventID != 5157 and
System/EventID != 4768 and
(System/EventID != 4634 or (System/EventID = 4634 and EventData[Data[@Name='LogonType'] != 3])) and
System/EventID != 4627 and
(System/EventID != 4798 or (System/EventID = 4798 and EventData/Data[@Name='CallerProcessName'] != 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe')) and
(System/EventID != 4799 or (System/EventID = 4799 and EventData/Data[@Name='CallerProcessName'] != 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe')) and
(System/EventID != 192 or (System/EventID = 192 and System/Provider[@Name != 'DriveLock'])) and
(System/EventID != 286 or (System/EventID = 286 and System/Provider[@Name != 'DriveLock']))
]
</query>

This query should filter out the listed events. Unfortunately, it does not work as desired. No event is filtered at all, i.e. all events are collected by the log collector.
If you remove the last line "(System/EventID != 286 or (System/EventID = 286 and System/Provider[@Name != 'DriveLock']))" or change the order of the events as follows, the query works as desired and filters the listed events.

<query>
Event[
(System/EventID != 4634 or (System/EventID = 4634 and EventData[Data[@Name='LogonType'] != 3])) and
System/EventID != 4627 and
(System/EventID != 4798 or (System/EventID = 4798 and EventData/Data[@Name='CallerProcessName'] != 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe')) and
(System/EventID != 4799 or (System/EventID = 4799 and EventData/Data[@Name='CallerProcessName'] != 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa.exe')) and
(System/EventID != 192 or (System/EventID = 192 and System/Provider[@Name != 'DriveLock'])) and
(System/EventID != 286 or (System/EventID = 286 and System/Provider[@Name != 'DriveLock'])) and
System/EventID != 5145 and
System/EventID != 5156 and
System/EventID != 5447 and
System/EventID != 4656 and
System/EventID != 4658 and
System/EventID != 4663 and
System/EventID != 4660 and
System/EventID != 4670 and
System/EventID != 4690 and
System/EventID != 4703 and
System/EventID != 4907 and
System/EventID != 5152 and
System/EventID != 5157 and
System/EventID != 4768
]
</query>

Can anyone explain this behavior?
Thank You!

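The first diagnostic I would run for Questions 3 and 4 is to hand each candidate query to Windows itself, since the agent subscribes through the same Event Log API that Get-WinEvent uses. The script below is an added example and is not code from the poster or from the Wazuh project. It assumes an elevated PowerShell session on the Windows host, the Security log as in the thread, and it reproduces the Question 4 predicate from its parts (the `Event[...]` root form is kept as posted) so both orderings from the post can be compared. The comparison counter is a heuristic of mine; the expression cap it refers to is Windows' limit on the supported XPath subset as I recall it from Microsoft's documentation (32), which should be confirmed against that documentation.

```powershell
# Added example; not code from the thread or from the Wazuh project.
# Checks an eventchannel XPath filter against the live Security log through the
# same Event Log API the agent uses, and tells a query Windows REJECTS apart from
# one it ACCEPTS but that simply matches nothing. Run elevated on the Windows host.

function Test-EventXPath {
    param(
        [Parameter(Mandatory)] [string] $XPath,
        [string] $LogName   = 'Security',
        [int]    $MaxEvents = 5
    )
    try {
        $hits = @(Get-WinEvent -LogName $LogName -FilterXPath $XPath `
                               -MaxEvents $MaxEvents -ErrorAction Stop)
        [pscustomobject]@{ Accepted = $true;  Matched = $hits.Count; Error = $null }
    }
    catch {
        # An accepted query with no matches also throws under -ErrorAction Stop.
        if ($_.Exception.Message -like '*No events were found*') {
            [pscustomobject]@{ Accepted = $true;  Matched = 0; Error = $null }
        }
        else {
            [pscustomobject]@{ Accepted = $false; Matched = 0; Error = $_.Exception.Message }
        }
    }
}

# Heuristic: count comparison expressions (every '=' or '!=') in a predicate.
# Windows caps the number of expressions one event-log XPath query may contain
# (32, as I recall Microsoft's notes on the supported XPath subset; verify), so a
# long filter that is silently ineffective should be checked against that first.
function Get-ComparisonCount { param([string] $XPath) [regex]::Matches($XPath, '!?=').Count }

# Question 3 as XPath proper: one backslash per path separator. The doubled form
# belongs only inside ossec.conf, where the agent's config parser consumes one level.
$q3 = "Event[EventData/Data[@Name='CallerProcessName'] != 'C:\Windows\System32\net1.exe']"

# Question 4, rebuilt from its parts so the two orderings can be compared directly.
$plainIds = 5145, 5156, 5447, 4656, 4658, 4663, 4660, 4670, 4690, 4703, 4907, 5152, 5157, 4768
$plain    = ($plainIds | ForEach-Object { "System/EventID != $_" }) -join ' and '
$dsa      = 'C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe'
$condParts = @(
    "(System/EventID != 4634 or (System/EventID = 4634 and EventData[Data[@Name='LogonType'] != 3]))",
    "System/EventID != 4627",
    "(System/EventID != 4798 or (System/EventID = 4798 and EventData/Data[@Name='CallerProcessName'] != '$dsa'))",
    "(System/EventID != 4799 or (System/EventID = 4799 and EventData/Data[@Name='CallerProcessName'] != '$dsa'))",
    "(System/EventID != 192 or (System/EventID = 192 and System/Provider[@Name != 'DriveLock']))",
    "(System/EventID != 286 or (System/EventID = 286 and System/Provider[@Name != 'DriveLock']))"
)
$conditional = $condParts -join ' and '

$candidates = [ordered]@{
    'Q3 single backslash' = $q3
    'Q4 original order'   = "Event[$plain and $conditional]"
    'Q4 reordered'        = "Event[$conditional and $plain]"
    'Q4 without 286 line' = "Event[$plain and $($condParts[0..4] -join ' and ')]"
}

foreach ($name in $candidates.Keys) {
    $r = Test-EventXPath -XPath $candidates[$name]
    '{0,-20} comparisons={1,2} accepted={2,-5} matched={3} {4}' -f $name,
        (Get-ComparisonCount $candidates[$name]), $r.Accepted, $r.Matched, $r.Error
}
```

If Windows reports a query as not accepted, the agent cannot apply it either, and the error text from Get-WinEvent is far more specific than anything the collector logs. Whether a rejected query makes the agent fall back to collecting everything is not something this check establishes; it only separates "syntax Windows rejects" from "syntax Windows accepts but that matches differently than intended".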
Bony V John

Jan 16, 2025, 6:02:23 AM
to Wazuh | Mailing List
Hello Karl,

Answer: 1
Windows Eventchannel XPATH query format follows the event schema.

Answer: 2
Filtering events using queries is essential to avoid unnecessary data ingestion and excessive data growth. Based on the use cases and requirements, the query might become large to fine-tune Wazuh log ingestion effectively.

Answer: 3 
This is expected behavior because the query is passed in XML format. For XML format, you need to escape the \ character using another \.
  
Answer: 4
Based on your requirements, I have written a sample query. You can use it as a reference to create a complete query:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>
    \<QueryList\>
      \<Query Id="0" Path="Security"\>
        \<Select Path="Security"\>*\</Select\>
        \<Suppress Path="Security"\>
          *[System[
            EventID = 5145 or EventID = 5156 or EventID = 5447 or
            EventID = 4656 or EventID = 4658 or EventID = 4663 or
            EventID = 4660 or EventID = 4670 or EventID = 4690 or
            EventID = 4703 or EventID = 4907 or EventID = 5152 or
            EventID = 5157
          ]]
        \</Suppress\>
        \<Suppress Path="Security"\>
          *[System[(EventID = 4634)]] and
          *[EventData[Data[@Name='LogonType'] = '3']]
        \</Suppress\>
      \</Query\>
    \</QueryList\>
  </query>
</localfile>


In the above example, we have used <QueryList> and <Suppress> tags to suppress specific events. For instance, the suppression query filters out events with ID 4634 where LogonType is 3.

For more details, you can refer to the Wazuh documentation on configuring log collection for different operating systems.

I hope this helps you!

Regards,

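The `<QueryList>` / `<Suppress>` form in the answer above, carried through for the whole rule set of the original Question 4 and checked against the live log before it goes into ossec.conf. This is an added example, not code from the thread or from the Wazuh project. Assumptions, beyond what the thread states: that a `<Query>` may carry several `<Suppress>` elements (standard Windows event query XML); that the backslash doubling the thread found for XPath text applies to the whole `<query>` body, QueryList form included (the `\<` escaping suggests the same config parser handles both, but confirm on a test agent); a chunk size of 10 IDs per `<Suppress>`, chosen arbitrarily to stay well under Windows' per-query expression cap; and an elevated PowerShell session on the Windows host.

```powershell
# Added example; not code from the thread or from the Wazuh project.
# Builds the <query> body for a Wazuh eventchannel <localfile> from a list of
# suppression rules, validates the XML and runs it through Get-WinEvent -FilterXml,
# then prints it in the backslash-escaped form ossec.conf expects.
# The rule set mirrors the thread's Question 4; everything else is constructed.

# Suppress outright: every event with one of these IDs.
$DropIds = 5145, 5156, 5447, 4656, 4658, 4663, 4660, 4670, 4690, 4703, 4907, 5152, 5157, 4768

# Suppress only when a further condition holds; each entry becomes its own <Suppress>.
$Dsa = 'C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe'
$ConditionalDrops = @(
    "*[System[(EventID=4634)]] and *[EventData[Data[@Name='LogonType']='3']]",
    "*[System[(EventID=4798)]] and *[EventData[Data[@Name='CallerProcessName']='$Dsa']]",
    "*[System[(EventID=4799)]] and *[EventData[Data[@Name='CallerProcessName']='$Dsa']]",
    "*[System[(EventID=192 or EventID=286) and Provider[@Name='DriveLock']]]"
)

# Assumed chunk size: Windows limits the expressions in one XPath query, so a long
# ID list is split over several <Suppress> elements rather than one huge predicate.
$ChunkSize = 10

function New-SuppressChunks {
    param([int[]] $Ids, [int] $Size)
    for ($i = 0; $i -lt $Ids.Count; $i += $Size) {
        $slice = $Ids[$i..([Math]::Min($i + $Size, $Ids.Count) - 1)]
        $terms = ($slice | ForEach-Object { "EventID=$_" }) -join ' or '
        "*[System[($terms)]]"
    }
}

function New-QueryListXml {
    param([string] $Path, [string[]] $Suppressions)
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<QueryList>')
    [void]$sb.AppendLine("  <Query Id=`"0`" Path=`"$Path`">")
    [void]$sb.AppendLine("    <Select Path=`"$Path`">*</Select>")
    foreach ($s in $Suppressions) {
        [void]$sb.AppendLine("    <Suppress Path=`"$Path`">$s</Suppress>")
    }
    [void]$sb.AppendLine('  </Query>')
    [void]$sb.AppendLine('</QueryList>')
    $sb.ToString()
}

function ConvertTo-WazuhQuery {
    # ossec.conf is itself XML, so literal angle brackets go in as '\<' and '\>';
    # the thread shows the same parser also wants '\\' for a literal backslash.
    # Backslashes are doubled first so the ones added for '\<' stay single.
    param([string] $Xml)
    $Xml.Replace('\', '\\').Replace('<', '\<').Replace('>', '\>')
}

$suppress = @(New-SuppressChunks -Ids $DropIds -Size $ChunkSize) + $ConditionalDrops
$xml      = New-QueryListXml -Path 'Security' -Suppressions $suppress

[xml]$doc = $xml                           # throws if the generated XML is not well-formed
try {
    $hits = @(Get-WinEvent -FilterXml $doc -MaxEvents 5 -ErrorAction Stop)
    "Query accepted; sample of surviving event IDs: " + (($hits.Id | Sort-Object -Unique) -join ',')
}
catch {
    if ($_.Exception.Message -like '*No events were found*') { "Query accepted; nothing survives the filter" }
    else { throw "Windows rejected the query: $($_.Exception.Message)" }
}

"`n<localfile>`n  <location>Security</location>`n  <log_format>eventchannel</log_format>`n  <query>"
ConvertTo-WazuhQuery $xml
"  </query>`n</localfile>"
```

The printed `<localfile>` block is what goes into ossec.conf; the unescaped `$xml` is what Windows actually evaluates, which is why the validation step runs on that and not on the escaped text. Keep the conditional suppressions as separate `<Suppress>` elements rather than folding them into the ID list: each is evaluated on its own, so one malformed predicate shows up as a rejected query instead of silently widening or narrowing the whole filter.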
Karl Napf

Jan 17, 2025, 2:51:04 AM
to Wazuh | Mailing List
Hi,

thanks for the answer and your input!

Regarding answer 4:
I tried your code snippet in a test system, but unfortunately it didn't work. Due to lack of time I could not test the query further using QueryList, but I will try again.

Nevertheless, the question arises as to why my original query does not work correctly and why does it seem to work correctly when the order in the query is swapped or the query is reduced?

What is wrong with my original query?

When should I use QueryList?


Many thanks for your support!

Bony V John

Jan 21, 2025, 11:30:06 PM
to Wazuh | Mailing List
Hi,

I apologize for the late response. Regarding your 4th question, you have used some complex queries that combine OR and AND conditions. This can lead to breaking the filtering, and your first syntax shows that you have placed the complex queries at the beginning and normal queries at the end of the syntax. As a result, the first syntax will break at the beginning due to the complexity and syntax errors.

In the second syntax, it worked because you have placed the simple queries at the beginning and complex queries at the end. This allows the system to check the simple queries without issues, and it only fails when it reaches the end.

In the case of the <QueryList> tag, you can refer to the Microsoft Event Suppression documentation to understand the use of each tag that I have mentioned above.

Regards,
