Only logon-logoff event


Luca Marchetti

Oct 6, 2023, 11:54:10 AM
to Wazuh | Mailing List
Hi everyone, I'm new to Wazuh.
I'm trying it for a simple functionality.
I only need to track logon and logoff event ids on a server, all other events don't interest me.
In the file ossec.conf I inserted this query:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 4634 and EventID != 4647 and EventID != 4624 and
      EventID != 4625 and EventID != 4626 and EventID != 4648 and EventID != 4675]</query>
  </localfile>

But I continue to see the other events; in fact, I don't see the logon and logoff events at all.
Thanks to those who will help me.

Leonardo Daniel Sancho

Oct 6, 2023, 1:28:42 PM
to Wazuh | Mailing List
Hello Luca Marchetti, thanks for choosing Wazuh!

By default, Wazuh does monitor logon and logoff events from Windows Agents (see attached screenshot), and these are included in the default ruleset for Windows Agents. You can learn more about the default Windows ruleset by going to Management > Rules; then, using the search bar, you can type either logon or logoff to see the existing ruleset.

Now, in regards to focusing only on specific events for an agent, first you need to know the type of EventID you want to receive alerts for. These can be found in the Microsoft documentation, as well as the Windows Event Viewer. Once you know the correct EventID and Event Channel, you can edit your agent's local ossec.conf file. Keep in mind that events that have an exclamation mark "!" will be ignored (see attached screenshots).

Should you have further questions, let us know!
Have a great day!

eventchannel.png

winlogon.png
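To make the "!" point concrete, here is the Security-channel localfile block rewritten so the query keeps only the event IDs from the original post instead of dropping them. This is an added example, not configuration from the thread or from the Wazuh project; the exclusion form in the comment is the one posted above, the inclusion form below it uses the same IDs.

```xml
<ossec_config>
  <!-- Original form from the question. "!=" joined with "and" is an EXCLUSION filter:
       every Security event is forwarded EXCEPT the listed IDs, which is why all other
       events kept arriving while the logon/logoff events never did.

       <query>Event/System[EventID != 4634 and EventID != 4647 and EventID != 4624 and
         EventID != 4625 and EventID != 4626 and EventID != 4648 and EventID != 4675]</query>
  -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Inclusion filter: "=" joined with "or" forwards ONLY these IDs.
         4624/4625 logon success/failure, 4634/4647 logoff, 4648 explicit-credential logon,
         4626/4675 kept because the original post listed them. -->
    <query>Event/System[(EventID=4624 or EventID=4625 or EventID=4626 or EventID=4634 or
      EventID=4647 or EventID=4648 or EventID=4675)]</query>
  </localfile>
</ossec_config>
```

The default Windows agent ossec.conf already ships a localfile entry for the Security channel, so edit that entry rather than adding a second one, and restart the Wazuh agent service for the change to take effect. Forwarded events still only produce alerts when a rule matches them, which the default Windows ruleset mentioned above covers for the logon/logoff IDs.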