Reading lines of a plain text file through the Wazuh agent


Abid Hussain

May 12, 2022, 10:56:39 AM
to Wazuh mailing list
Dear All,
I am new to Wazuh. I have a Wazuh server on CentOS and an agent on Windows. I want to read a log file from a given location on Windows:
C:\myLogs\defender.txt

2022/05/12 16:40:01 wazuh-agent: INFO: (1950): Analyzing file: 'c:\myLogs\audit.log'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1950): Analyzing file: 'C:\myLogs\defender.txt'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/05/12 16:40:01 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Windows Defender/Operational'.
2022/05/12 16:40:01 wazuh-agent: INFO: Started (pid: 15728).
2022/05/12 16:40:01 rootcheck: INFO: Starting rootcheck scan.
2022/05/12 16:40:01 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/12 16:40:01 wazuh-agent: INFO: (6000): Starting daemon...
2022/05/12 16:40:01 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 300 seconds

I want every line sent to the Wazuh server through the Wazuh agent.
My agent ossec.conf has:

  <localfile>
    <location>C:\myLogs\defender.txt</location>
    <log_format>syslog</log_format>
  </localfile>

The log shows "Analyzing file" but nothing is sent to the server.
Please advise.

Thanks in advance.



Luis Daniel Avendaño Larios

May 12, 2022, 12:36:35 PM
to Wazuh mailing list

Hi,

Thanks for using wazuh!

The ideal, in this case, would be to divide the agents by OS, since we will use groups to load this log collector configuration. That is, have a group only for Windows agents and add the configuration corresponding to that OS only to this group. This is to avoid any log reading error by the log collector.

From what I see your configuration looks correct, but you can try with the following configuration (This configuration will search among all the files in the myLogs folder for logs in syslog format):

  <localfile>
    <location>C:\myLogs\*</location>
    <log_format>syslog</log_format>
  </localfile>

In the attached image you can see how this configuration brings the logs from the logs.txt file that I have created.

It is important to note that you must have rules and decoders for these logs that you will be collecting in order for them to show up as alerts in the GUI.

Below you can find references in our documentation about the aforementioned:

Log data collection

Centralized configuration

Creating decoders and rules from scratch

Custom rules and decoders

Please note that for these logs to reach Wazuh/Elasticsearch, they must match a decoder and a rule with a level greater than or equal to 3 (the default).

I hope this helps; let me know if you need anything else.
Regards,
Luis Avendaño.


Attachment: Inkedscreencapture-192-168-0-8-app-wazuh-2022-05-12-10_01_31_LI.jpg

Abid Hussain

May 13, 2022, 3:34:02 AM
to Wazuh mailing list
Thanks, Luis Avendano, for your good response.
Dear,
I am following the same docs but getting no result. Can you advise me on some corrections to my following configuration?

agent: ossec.conf

<localfile>
  <location>C:\myLogs\Accounting_2022-04-25_1.log</location>
  <log_format>syslog</log_format>
</localfile>

The data in C:\myLogs\Accounting_2022-04-25_1.log is as follows.

<102> 2022-05-12 18:50:08 [172.17.100.215:27907] 05/12/2022 18:50:08 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1014 timezone=PK service=shell start_time=1652363408 priv-lvl=15 cmd=show running-config interface GigabitEthernet 2 0 17 <cr>
<102> 2022-05-12 18:50:20 [172.17.100.215:20280] 05/12/2022 18:50:20 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1015 timezone=PK service=shell start_time=1652363420 priv-lvl=15 cmd=clear port-security sticky interface GigabitEthernet 2 0 17 <cr>
<102> 2022-05-12 18:51:00 [172.17.100.215:39777] 05/12/2022 18:51:00 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1016 timezone=PK service=shell start_time=1652363460 priv-lvl=15 cmd=clear port-security sticky interface GigabitEthernet 2 0 17 <cr>
<102> 2022-05-12 18:51:08 [172.17.100.215:21492] 05/12/2022 18:51:08 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1017 timezone=PK service=shell start_time=1652363468 priv-lvl=15 cmd=show running-config interface GigabitEthernet 2 0 17 <cr>
<102> 2022-05-12 18:51:12 [172.17.100.215:34356] 05/12/2022 18:51:12 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1018 timezone=PK service=shell start_time=1652363472 priv-lvl=15 cmd=write <cr>
<102> 2022-05-12 18:56:33 [172.17.100.215:20589] 05/12/2022 18:56:33 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1013 timezone=PK service=shell start_time=1652363380 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=413 stop_time=1652363793
<102> 2022-05-12 19:34:45 [172.17.100.218:63603] 05/12/2022 19:34:45 NAS_IP=172.17.100.218 Port=tty1 rem_addr=EEM:hangcommands User= Flags=Stop task_id=41 timezone=PK service=shell start_time=1652366085 disc-cause=9 disc-cause-ext=2 pre-session-time=0 elapsed_time=0 stop_time=1652366085
<102> 2022-05-12 19:34:45 [172.17.100.218:18095] 05/12/2022 19:34:45 NAS_IP=172.17.100.218 Port=tty1 User= Flags=Stop task_id=4 unknown=BADFMT unknown=2.80.75.0 unknown=113 unknown=C422DB2
<102> 2022-05-13 07:34:46 [172.17.100.218:28225] 05/13/2022 07:34:46 NAS_IP=172.17.100.218 Port=tty1 rem_addr=EEM:hangcommands User= Flags=Stop task_id=42 timezone=PK service=shell start_time=1652409286 disc-cause=9 disc-cause-ext=2 pre-session-time=1 elapsed_time=0 stop_time=1652409286
<102> 2022-05-13 07:34:46 [172.17.100.218:65323] 05/13/2022 07:34:46 NAS_IP=172.17.100.218 Port=tty1 User= Flags=Stop task_id=5 unknown=BADFMT unknown=2.80.75.0 unknown=113 unknown=C422DB2


The agent log file is as follows.

2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/05/13 12:17:50 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/05/13 12:17:50 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/05/13 12:17:50 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/05/13 12:17:50 wazuh-agent: INFO: Started (pid: 14376).
2022/05/13 12:17:50 sca: INFO: Module started.
2022/05/13 12:17:50 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/05/13 12:17:50 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:17:50 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:17:50 sca: INFO: Starting Security Configuration Assessment scan.
2022/05/13 12:17:50 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/05/13 12:17:50 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/05/13 12:17:50 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 10 Pro [Ver: 10.0.18363] - Wazuh v4.3.0).
2022/05/13 12:17:50 wazuh-agent: INFO: (1950): Analyzing file: 'C:\myLogs\Accounting_2022-04-25_1.log'.
2022/05/13 12:17:50 wazuh-modulesd:syscollector: INFO: Module started.
2022/05/13 12:17:50 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/13 12:17:50 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/05/13 12:17:50 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/05/13 12:17:50 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/05/13 12:17:50 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/05/13 12:17:50 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Windows Defender/Operational'.
2022/05/13 12:17:50 rootcheck: INFO: Starting rootcheck scan.
2022/05/13 12:17:50 wazuh-agent: INFO: Started (pid: 14376).
2022/05/13 12:17:50 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:17:50 wazuh-agent: INFO: (6000): Starting daemon...
2022/05/13 12:17:50 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 300 seconds
2022/05/13 12:17:50 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2022/05/13 12:17:52 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/13 12:17:54 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:17:54 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:17:56 rootcheck: INFO: Ending rootcheck scan.
2022/05/13 12:17:57 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:17:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2022/05/13 12:27:28 wazuh-agent: INFO: Received exit signal. Starting exit process.
2022/05/13 12:27:28 wazuh-agent: INFO: Set pending exit signal.
2022/05/13 12:27:28 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/05/13 12:27:28 wazuh-modulesd:syscollector: INFO: Module finished.
2022/05/13 12:27:28 wazuh-agent: INFO: Exit completed successfully.
2022/05/13 12:27:28 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2022/05/13 12:27:29 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2022/05/13 12:27:29 wazuh-agent: INFO: (1410): Reading authentication keys file.
2022/05/13 12:27:29 wazuh-agent: INFO: Started (pid: 5756).
2022/05/13 12:27:29 wazuh-agent: INFO: Server IP Address: 192.168.99.104
2022/05/13 12:27:29 wazuh-agent: INFO: Using AES as encryption method.
2022/05/13 12:27:29 wazuh-agent: INFO: Trying to connect to server (192.168.99.104:1514/tcp).
2022/05/13 12:27:29 wazuh-agent: INFO: (4102): Connected to the server (192.168.99.104:1514/tcp).
2022/05/13 12:27:29 rootcheck: INFO: Started (pid: 5756).
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\apple', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | realtime'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\orange', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2022/05/13 12:27:29 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/05/13 12:27:29 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2022/05/13 12:27:29 sca: INFO: Module started.
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2022/05/13 12:27:29 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2022/05/13 12:27:29 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2022/05/13 12:27:29 sca: INFO: Starting Security Configuration Assessment scan.
2022/05/13 12:27:29 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/05/13 12:27:29 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2022/05/13 12:27:29 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2022/05/13 12:27:29 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2022/05/13 12:27:29 wazuh-agent: INFO: Started (pid: 5756).
2022/05/13 12:27:29 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 10 Pro [Ver: 10.0.18363] - Wazuh v4.3.0).
2022/05/13 12:27:29 wazuh-agent: INFO: (1950): Analyzing file: 'C:\myLogs\Accounting_2022-04-25_1.log'.
2022/05/13 12:27:29 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/05/13 12:27:29 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2022/05/13 12:27:29 wazuh-modulesd:syscollector: INFO: Module started.
2022/05/13 12:27:29 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/05/13 12:27:29 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2022/05/13 12:27:29 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2022/05/13 12:27:29 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Windows Defender/Operational'.
2022/05/13 12:27:30 wazuh-agent: INFO: Started (pid: 5756).
2022/05/13 12:27:30 rootcheck: INFO: Starting rootcheck scan.
2022/05/13 12:27:30 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:27:30 wazuh-agent: INFO: (6000): Starting daemon...
2022/05/13 12:27:30 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 300 seconds
2022/05/13 12:27:30 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2022/05/13 12:27:31 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/05/13 12:27:33 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2022/05/13 12:27:33 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:27:35 rootcheck: INFO: Ending rootcheck scan.
2022/05/13 12:27:36 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2022/05/13 12:27:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.


But nothing appears on the dashboard.

Attachments: DashBoard.png, ossec.conf

Luis Daniel Avendaño Larios

May 16, 2022, 12:06:18 PM
to Wazuh mailing list
Hello, 

Sorry for the late response. 

Your log collector configuration should be working without problems, but when doing tests with the data that you are collecting from the file I can see that it is not triggering any default Wazuh rules, so you should create custom rules and decoders for this class of logs. Below you can find documentation about this. It is also important to know the regex syntax supported by Wazuh and the classification of Wazuh rules, which I attach below:

Wazuh Regular Expression Syntax

Rules classification

I can also recommend the following page to test your regex:

You can test that your custom rules are triggering with our Wazuh ruleset test tool; you can find it at Wazuh > Tools > Ruleset test.

Hope this helps, let me know if you need anything else.
Regards,
Luis Avendano.
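The advice above is to write a custom decoder and rules for the TACACS+ accounting lines posted earlier in the thread. Wazuh decoders and rules are XML and use Wazuh's own regex dialect (linked above), so before writing them it helps to pin down exactly which fields the lines carry and which edge cases the decoder must survive: an empty `User=`, a `cmd=` value containing spaces and a trailing `<cr>`, and records with repeated `unknown=` attributes. The following Python is an added illustration, not Wazuh code or anything from the thread participants: it prototypes that field extraction over lines copied from the posted log excerpt and assigns rule-style levels (the levels, descriptions and the `CONFIG_CHANGE_PREFIXES` list are this example's own choices, chosen so that level 3 and above would alert as in Wazuh's default).

```python
"""Prototype of the field extraction and rule levels a Wazuh decoder/rule
pair would need for the TACACS+ accounting lines quoted in this thread.

Added illustration, not Wazuh code: Wazuh decoders and rules are XML and
use Wazuh's own regex dialect, so these regexes must be translated before
use in a decoder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the log excerpt posted in this thread.
SAMPLE_LINES = [
    "<102> 2022-05-12 18:50:08 [172.17.100.215:27907] 05/12/2022 18:50:08 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1014 timezone=PK service=shell start_time=1652363408 priv-lvl=15 cmd=show running-config interface GigabitEthernet 2 0 17 <cr>",
    "<102> 2022-05-12 18:51:12 [172.17.100.215:34356] 05/12/2022 18:51:12 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1018 timezone=PK service=shell start_time=1652363472 priv-lvl=15 cmd=write <cr>",
    "<102> 2022-05-12 18:56:33 [172.17.100.215:20589] 05/12/2022 18:56:33 NAS_IP=172.17.100.215 Port=tty1 rem_addr=192.168.39.125 User=jawwad.hussain Flags=Stop task_id=1013 timezone=PK service=shell start_time=1652363380 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=413 stop_time=1652363793",
    "<102> 2022-05-12 19:34:45 [172.17.100.218:63603] 05/12/2022 19:34:45 NAS_IP=172.17.100.218 Port=tty1 rem_addr=EEM:hangcommands User= Flags=Stop task_id=41 timezone=PK service=shell start_time=1652366085 disc-cause=9 disc-cause-ext=2 pre-session-time=0 elapsed_time=0 stop_time=1652366085",
    "<102> 2022-05-12 19:34:45 [172.17.100.218:18095] 05/12/2022 19:34:45 NAS_IP=172.17.100.218 Port=tty1 User= Flags=Stop task_id=4 unknown=BADFMT unknown=2.80.75.0 unknown=113 unknown=C422DB2",
]

# Fixed header: <PRI> collector-timestamp [src_ip:src_port] device-timestamp key=value ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)\]\s+"
    r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+"
    r"(?P<body>.*)$"
)

# key=value tokens. The value runs lazily up to the next " key=" or the end of
# the line, so an empty value (User=) and a value containing spaces
# (cmd=show running-config ...) are both handled.
FIELD_RE = re.compile(r"(?P<key>[\w-]+)=(?P<value>.*?)(?=\s+[\w-]+=|\s*$)")


@dataclass
class AccountingEvent:
    priority: int
    timestamp: str
    src_ip: str
    fields: Dict[str, List[str]]   # lists preserve repeated keys such as unknown=
    raw: str

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        values = self.fields.get(key)
        return values[0] if values else default


def parse_line(line: str) -> Optional[AccountingEvent]:
    """Decode one accounting line; return None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, List[str]] = {}
    for fm in FIELD_RE.finditer(m.group("body")):
        value = fm.group("value")
        if fm.group("key") == "cmd":
            value = re.sub(r"\s*<cr>\s*$", "", value)   # drop the trailing <cr> marker
        fields.setdefault(fm.group("key"), []).append(value)
    return AccountingEvent(
        priority=int(m.group("pri")),
        timestamp=m.group("timestamp"),
        src_ip=m.group("src_ip"),
        fields=fields,
        raw=line,
    )


# Levels and descriptions are this example's own choices, in the spirit of
# Wazuh rule levels (level 3 and above alert by default).
CONFIG_CHANGE_PREFIXES = ("write", "clear ", "configure", "copy ")


def classify(ev: AccountingEvent) -> Tuple[int, str]:
    """Assign a rule-style level and description to a decoded event."""
    if ev.get("unknown") == "BADFMT":
        return 5, "TACACS+ accounting record with malformed attributes (BADFMT)"
    cmd = ev.get("cmd")
    if cmd is not None:
        if ev.get("priv-lvl") == "15" and cmd.startswith(CONFIG_CHANGE_PREFIXES):
            return 7, "Privileged configuration-changing command on network device"
        return 3, "Command executed on network device"
    if "disc-cause" in ev.fields:
        return 3, "Network device shell session ended"
    return 1, "TACACS+ accounting record"


def alerts(lines, min_level: int = 3):
    """Decode every line and keep those whose level reaches min_level."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue          # a real decoder would leave this for another decoder
        level, description = classify(ev)
        if level >= min_level:
            out.append((level, description, ev))
    return out


if __name__ == "__main__":
    for level, description, ev in alerts(SAMPLE_LINES):
        print(f"level {level}: {description} "
              f"[nas={ev.get('NAS_IP')} user={ev.get('User')!r} cmd={ev.get('cmd')!r}]")
```

Once the field set is settled this way, the decoder's `<prematch>` corresponds to `HEADER_RE` and its `<order>` to the keys the rules actually match on (here `NAS_IP`, `User`, `priv-lvl`, `cmd`), and the ruleset test tool mentioned above can confirm that each sample line decodes and fires the intended rule.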


