XPATH Filters Syntax.


InfoSec

Apr 22, 2018, 12:03:16 PM
to Wazuh mailing list
I am trying to implement filters such as the following in agent.conf:

  <localfile>
    <location>Microsoft-Windows-DNS-Client/Operational</location>
    <log_format>eventchannel</log_format>
    <query>
      <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
      <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="queryOptions"]="140737488355328"]]</Suppress>
      <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="queryResults"]=""]]</Suppress>
    </query>
  </localfile>

The Wazuh agent complains that agent.conf is corrupted, *without* giving any indication why.

Question 1:
What is wrong in the above XPATH query?

Question 2:
Are any practical examples of advanced XPATH queries published, or at least a reference that explains what is doable and what is not, and a guide as to how to construct advanced XPATH queries?

The Microsoft reference in the Wazuh documentation is useless and does not really explain anything.

Question 3:
It is more manageable to split queries for Security Log events into multiple localfile rules all pointing to the Security log.
Does this have a negative impact on performance versus specifying multiple XPATH queries in one localfile rule, assuming these queries can be expressed (a very iffy assumption)?
In other words, does joining XPATH queries from the same log file improve performance? Can someone explain why, or why not?

InfoSec

Apr 22, 2018, 4:17:07 PM
to Wazuh mailing list
Forget about question 2, I figured out the correct syntax.

Questions 1 and 3 remain.

InfoSec

Apr 22, 2018, 4:22:38 PM
to Wazuh mailing list
Forget about questions 1 & 2, I figured out the correct syntax.

Only question 3 remains.

miguel....@wazuh.com

Aug 16, 2018, 1:00:03 PM
to Wazuh mailing list
Hi InfoSec,

First of all, sorry for the very late response.

Regarding your Question 3, Wazuh reads the ossec.conf file, loads it in memory and applies the configuration, so there is no significant difference between specifying multiple XPATH queries or not, and this does not affect Wazuh's performance.

I hope this helps you and feel free to contact us if you need any further information.

Best regards,

Miguel Casares

InfoSec

Feb 28, 2019, 9:22:35 AM
to Wazuh mailing list
Multiple <location>security</location> entries with different filters result in a warning in the agent log file.

Is there any negative impact? I am not too clear as to how the agent behaves when presented with multiple localfile entries for the same log file with different filter expressions.

In other words is there any difference between:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4817 or EventID=4826)]]</Select>
          <Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]</Select>
        </Query>
      </QueryList>
    </query>
  </localfile>

and

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4817 or EventID=4826)]]</Select>
        </Query>
      </QueryList>
    </query>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]</Select>
        </Query>
      </QueryList>
    </query>
  </localfile>

Two 'localfile' directives pointing to the same location result in a warning of duplicate log files in the agent log:

2019/02/27 06:14:03 ossec-agent: WARNING: (1958): Log file 'Security' is duplicated.

cris...@wazuh.com

Mar 15, 2019, 7:08:15 AM
to Wazuh mailing list
Hello InfoSec and sorry for the late response,

At present, if you set multiple localfile blocks with the same location, only the last one you wrote is triggered; in your example it would only show events with IDs 4688 or 4689, ignoring the first localfile block and therefore events 4817 and 4826. So the best and only option is the first one you wrote, with both filtering sentences.

Kind regards,
Cristina
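The behaviour Cristina describes, where a repeated eventchannel <location> leaves only the last block active, can be caught before agent.conf is pushed to agents. The Python script below is an added example, not Wazuh's own code: it parses an agent.conf fragment, merges the Select/Suppress clauses of every duplicate eventchannel block into the first block's QueryList/Query (the single-block form recommended above), and assumes the queries use the QueryList/Query structure shown in this thread; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment: two eventchannel blocks for the same
# channel, the layout that triggers the 'Log file ... is duplicated' warning.
SAMPLE_CONF = """<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query><QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4817 or EventID=4826)]]</Select>
    </Query></QueryList></query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query><QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4688 or EventID=4689)]]</Select>
    </Query></QueryList></query>
  </localfile>
</agent_config>"""

def merge_duplicate_eventchannel(conf_xml: str) -> str:
    """Fold every <localfile> that repeats an eventchannel <location> into the
    first block for that location, moving its Select/Suppress clauses across,
    so no filter is silently dropped. Assumes the QueryList/Query form."""
    root = ET.fromstring(conf_xml)
    kept = {}  # location -> first <localfile> seen for it
    for lf in list(root.findall("localfile")):
        if (lf.findtext("log_format") or "").strip() != "eventchannel":
            continue
        loc = (lf.findtext("location") or "").strip()
        if loc not in kept:
            kept[loc] = lf
            continue
        target = kept[loc].find("query/QueryList/Query")
        if target is None:
            raise ValueError(f"block for {loc!r} has no QueryList/Query to merge into")
        for clause in list(lf.iterfind("query/QueryList/Query/*")):
            target.append(clause)
        root.remove(lf)  # drop the duplicate; on its own the agent keeps only the last block
    return ET.tostring(root, encoding="unicode")

def select_clauses(conf_xml: str) -> list:
    """Return [(location, [Select texts]), ...] for each <localfile> block."""
    root = ET.fromstring(conf_xml)
    return [((lf.findtext("location") or "").strip(),
             [s.text for s in lf.iterfind("query/QueryList/Query/Select")])
            for lf in root.findall("localfile")]
```

Running merge_duplicate_eventchannel over the sample yields one Security block carrying both Select clauses, which is the configuration the thread settles on.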