Agent ossec.conf file question


Ivan Rios

Mar 28, 2023, 5:38:01 PM3/28/23
to Wazuh mailing list
Hello,

I recently noticed that in my current configuration ossec.conf file, the event IDs below are being ignored.

<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>

In the local ossec.config article on the Wazuh site, only two event IDs are being ignored:

    <!-- For monitoring Windows eventchannel -->
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <only-future-events>yes</only-future-events>
      <query>Event/System[EventID != 5145 and EventID != 5156]</query>
      <reconnect_time>10s</reconnect_time>
    </localfile>


Why is there a difference between my current configuration and the configuration in the documentation? I made no changes to the file. Should I be ignoring the event IDs in my current configuration? Is that the default install? Or is that the default install that I need to modify?

What, if anything, do you recommend I should ignore?

Mauricio Ruben Santillan

Mar 28, 2023, 5:51:18 PM3/28/23
to Wazuh mailing list
Hello Ivan,

Thanks for reaching out to the Wazuh community!

And it is only showing configuration examples:
These are not "default configurations".

By default, the agent will filter some innocuous Windows events from the channel Security.
The default Windows event log settings are the following:
    <localfile>
      <location>Application</location>
      <log_format>eventchannel</log_format>
    </localfile>


    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157]</query>
    </localfile>

    <localfile>
      <location>System</location>
      <log_format>eventchannel</log_format>
    </localfile>


Please let me know if you have further doubts.
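To make the difference between the two blocks concrete, here is an added example (not Wazuh code and not part of this thread) that parses a `<localfile>` block, extracts the Event IDs that an `and`-chained `EventID != N` query drops, and compares the default Security block with the shorter documentation example. It assumes that simple query form only; the real filtering is done by the Windows Event Log XPath engine, so this is a model of the semantics, not the implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the default Security <localfile> block quoted in the
# answer above, and the shorter example from the documentation.
DEFAULT_SECURITY_BLOCK = """
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>
"""

DOC_EXAMPLE_BLOCK = """
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156]</query>
</localfile>
"""

# Matches one "EventID != N" clause; assumption: the query only chains these with "and".
_CLAUSE = re.compile(r"EventID\s*!=\s*(\d+)")

def excluded_event_ids(localfile_xml):
    """Return the set of Event IDs that the block's <query> drops."""
    root = ET.fromstring(localfile_xml.strip())
    if root.findtext("log_format") != "eventchannel":
        raise ValueError("not an eventchannel <localfile> block")
    query = root.findtext("query") or ""
    return {int(n) for n in _CLAUSE.findall(query)}

def is_forwarded(event_id, localfile_xml):
    """True if an event with this ID would pass the block's filter."""
    return event_id not in excluded_event_ids(localfile_xml)

def filter_difference(block_a, block_b):
    """Event IDs dropped by block_a but still forwarded by block_b."""
    return excluded_event_ids(block_a) - excluded_event_ids(block_b)

if __name__ == "__main__":
    print("extra IDs dropped by the default block:",
          sorted(filter_difference(DEFAULT_SECURITY_BLOCK, DOC_EXAMPLE_BLOCK)))
```

Running the module lists the eleven IDs (object access and filtering-platform events) that the agent default drops but the documentation example keeps, which is exactly the gap the question is about.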