Rule for Windows event 26212


Secure moi

Sep 13, 2023, 9:24:57 AM
to Wazuh | Mailing List
Hi all, I'm trying to use Wazuh to test against various Windows events (I have an Ubuntu Wazuh server, primarily Windows clients/agents). I'm trying to get what I thought would be a simple test case to work with "check disk", event ID 26212. I've tried a range of things, and suspect there is some sort of rule sequencing issue going on involving default rule 1002 in /var/ossec/ruleset/rules/0020-syslog_rules.xml (my understanding is default rules fire before custom ones, and maybe this is a factor).

Q: do I need to use Sysmon? I'm hoping not, as this would seem to involve more setup on the client's end.

Some detail:

1) When I run a wazuh-logtest using a test string (included in output below) with no custom rules, it finishes, showing (I think) 1002 getting fired, but I get no alerts. If I change the default rule's level to 12 (as a temporary test), that change shows in the wazuh-logtest output and I get some emails, but I think they are only from my Ubuntu Wazuh server's events. E.g.,

Rule: 1002 fired (level 12) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Sep 12 17:52:34 server gnome-shell[101117]: (../clutter/clutter/clutter-actor.c:12457):clutter_actor_event: runtime check failed: (retval == CLUTTER_EVENT_PROPAGATE)

2) If I copy the default rule into local_rules.xml and use overwrite="yes" (I've tried various things; below are my current test rules), use a local file statement on a Windows client, and an <if_sid> as a child rule, my wazuh-logtest does not finish phase 3.

NOTE: I'm getting the desired event data in archives.log but not alerts.log or alerts.json. I'm getting emails and the desired log entries for other default rules and one test rule.

More detail:

LOCAL FILE ON WINDOWS CLIENT
<localfile>
  <location>Microsoft-Windows-Chkdsk/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=26212]</query>
</localfile>


CUSTOM RULES (I suspect I may be overcomplicating my rules here... I don't need a parent and child, but maybe so? I'm cranking the "level" in these tests)
<rule id="1002" level="12" overwrite="yes">
  <match>$BAD_WORDS</match>
  <description>Unknown problem somewhere in the system.</description>
  <group>gpg13_4.3,</group>
</rule>

<rule id="100002" level="12">
  <if_sid>1002</if_sid>
  <decoded_as>windows_eventchannel</decoded_as>
  <field name="win.system.eventID">^26212$</field>
  <options>alert_by_email</options>
  <options>no_full_log</options>
  <description>Chkdsk event 26212 detected</description>
</rule>

WAZUH-LOGTEST (sample output)
Starting wazuh-logtest v4.5.1
Type one log per line


**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Chkdsk","eventID":"26212","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2023-09-10T21:14:37.9799898Z","eventRecordID":"225196","processID":"0","threadID":"0","channel":"Application","computer":"My-PC","severityValue":"INFORMATION","message":"\"Chkdsk was executed in read-only mode on a volume snapshot. \r\n\r\nChecking file system on C:\r\nThe type of the file system is NTFS.\r\nVolume label is OS.\r\n\r\nWARNING! /F parameter not specified.\r\nRunning CHKDSK in read-only mode.\r\n\r\nStage 1: Examining basic file system structure ...\r\n 891904 file records processed. \r\r\nFile verification completed.\r\n Phase duration (File record verification): 45.24 seconds.\r\n 30061 large file records processed. \r\r\n Phase duration (Orphan file record recovery): 0.00 milliseconds.\r\n 0 bad file records processed. \r\r\n Phase duration (Bad file record checking): 0.15 milliseconds.\r\n\r\nStage 2: Examining file name linkage ...\r\n 67145 reparse records processed. \r\r\n 1304598 index entries processed. \r\r\nIndex verification completed.\r\n Phase duration (Index verification): 2.85 minutes.\r\n 0 unindexed files scanned. \r\r\n Phase duration (Orphan reconnection): 10.43 seconds.\r\n 0 unindexed files recovered to lost and found. \r\r\n Phase duration (Orphan recovery to lost and found): 0.23 milliseconds.\r\n 67145 reparse records processed. \r\r\n Phase duration (Reparse point and Object ID verification): 154.00 milliseconds.\r\n\r\nStage 3: Examining security descriptors ...\r\nSecurity descriptor verification completed.\r\n Phase duration (Security descriptor verification): 133.09 milliseconds.\r\n 206348 data files processed. \r\r\n Phase duration (Data attribute verification): 1.53 milliseconds.\r\nCHKDSK is verifying Usn Journal...\r\n 34571576 USN bytes processed. 
\r\r\nUsn Journal verification completed.\r\n Phase duration (USN journal verification): 1.28 seconds.\r\n\r\nWindows has scanned the file system and found no problems.\r\nNo further action is required.\r\n\r\n 477651967 KB total disk space.\r\n 116020404 KB in 481484 files.\r\n 413544 KB in 206349 indexes.\r\n 4 KB in bad sectors.\r\n 1023271 KB in use by the system.\r\n 65536 KB occupied by the log file.\r\n 360194744 KB available on disk.\r\n\r\n 4096 bytes in each allocation unit.\r\n 119412991 total allocation units on disk.\r\n 90048686 allocation units available on disk.\r\nTotal duration: 3.80 minutes (228368 ms).\r\n\""},"eventdata":{"binary":"009C0D00E47E0A00425B12000000000075020000D40301000000000000000000","data":" Checking file system on C: The type of the file system is NTFS. Volume label is OS. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... 891904 file records processed. File verification completed. Phase duration (File record verification): 45.24 seconds. 30061 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.15 milliseconds. Stage 2: Examining file name linkage ... 67145 reparse records processed. 1304598 index entries processed. Index verification completed. Phase duration (Index verification): 2.85 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 10.43 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.23 milliseconds. 67145 reparse records processed. Phase duration (Reparse point and Object ID verification): 154.00 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 133.09 milliseconds. 206348 data files processed. 
Phase duration (Data attribute verification): 1.53 milliseconds. CHKDSK is verifying Usn Journal... 34571576 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 1.28 seconds. Windows has scanned the file system and found no problems. No further action is required. 477651967 KB total disk space. 116020404 KB in 481484 files. 413544 KB in 206349 indexes. 4 KB in bad sectors. 1023271 KB in use by the system. 65536 KB occupied by the log file. 360194744 KB available on disk. 4096 bytes in each allocation unit. 119412991 total allocation units on disk. 90048686 allocation units available on disk. Total duration: 3.80 minutes (228368 ms)."}}}'

**Phase 2: Completed decoding.
name: 'json'
win.eventdata.binary: '009C0D00E47E0A00425B12000000000075020000D40301000000000000000000'
win.eventdata.data: ' Checking file system on C: The type of the file system is NTFS. Volume label is OS. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... 891904 file records processed. File verification completed. Phase duration (File record verification): 45.24 seconds. 30061 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.15 milliseconds. Stage 2: Examining file name linkage ... 67145 reparse records processed. 1304598 index entries processed. Index verification completed. Phase duration (Index verification): 2.85 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 10.43 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.23 milliseconds. 67145 reparse records processed. Phase duration (Reparse point and Object ID verification): 154.00 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 133.09 milliseconds. 206348 data files processed. Phase duration (Data attribute verification): 1.53 milliseconds. CHKDSK is verifying Usn Journal... 34571576 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 1.28 seconds. Windows has scanned the file system and found no problems. No further action is required. 477651967 KB total disk space. 116020404 KB in 481484 files. 413544 KB in 206349 indexes. 4 KB in bad sectors. 1023271 KB in use by the system. 65536 KB occupied by the log file. 360194744 KB available on disk. 4096 bytes in each allocation unit. 119412991 total allocation units on disk. 90048686 allocation units available on disk. Total duration: 3.80 minutes (228368 ms).'
win.system.channel: 'Application'
win.system.computer: 'My-PC'
win.system.eventID: '26212'
win.system.eventRecordID: '225196'
win.system.keywords: '0x80000000000000'
win.system.level: '4'
win.system.message: '"Chkdsk was executed in read-only mode on a volume snapshot.

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

WARNING! /F parameter not specified.
Running CHKDSK in read-only mode.

Stage 1: Examining basic file system structure ...
 891904 file records processed.
File verification completed.
 Phase duration (File record verification): 45.24 seconds.
 30061 large file records processed.
 Phase duration (Orphan file record recovery): 0.00 milliseconds.
 0 bad file records processed.
 Phase duration (Bad file record checking): 0.15 milliseconds.

Stage 2: Examining file name linkage ...
 67145 reparse records processed.
 1304598 index entries processed.
Index verification completed.
 Phase duration (Index verification): 2.85 minutes.
 0 unindexed files scanned.
 Phase duration (Orphan reconnection): 10.43 seconds.
 0 unindexed files recovered to lost and found.
 Phase duration (Orphan recovery to lost and found): 0.23 milliseconds.
 67145 reparse records processed.
 Phase duration (Reparse point and Object ID verification): 154.00 milliseconds.

Stage 3: Examining security descriptors ...
Security descriptor verification completed.
 Phase duration (Security descriptor verification): 133.09 milliseconds.
 206348 data files processed.
 Phase duration (Data attribute verification): 1.53 milliseconds.
CHKDSK is verifying Usn Journal...
 34571576 USN bytes processed.
Usn Journal verification completed.
 Phase duration (USN journal verification): 1.28 seconds.

Windows has scanned the file system and found no problems.
No further action is required.

 477651967 KB total disk space.
 116020404 KB in 481484 files.
 413544 KB in 206349 indexes.
 4 KB in bad sectors.
 1023271 KB in use by the system.
 65536 KB occupied by the log file.
 360194744 KB available on disk.

 4096 bytes in each allocation unit.
 119412991 total allocation units on disk.
 90048686 allocation units available on disk.
Total duration: 3.80 minutes (228368 ms).
"'
win.system.opcode: '0'
win.system.processID: '0'
win.system.providerName: 'Chkdsk'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-09-10T21:14:37.9799898Z'
win.system.task: '0'
win.system.threadID: '0'
win.system.version: '0'

Lastly, when I run the same wazuh-logtest with no custom rule attempt, it finishes all 3 phases, ending with
Total duration: 3.80 minutes (228368 ms).
"'
win.system.opcode: '0'
win.system.processID: '0'
win.system.providerName: 'Chkdsk'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-09-10T21:14:37.9799898Z'
win.system.task: '0'
win.system.threadID: '0'
win.system.version: '0'

**Phase 3: Completed filtering (rules).
id: '1002'
level: '2'
description: 'Unknown problem somewhere in the system.'
groups: '['syslog', 'errors']'
firedtimes: '1'
gpg13: '['4.3']'
mail: 'False'
**Alert to be generated.

Suggestions welcomed - thx

Kevin Ledesma

Sep 13, 2023, 12:46:25 PM
to Wazuh | Mailing List
Hi! How are you doing?

Well, so, just to know if I'm getting the idea: you only need your custom rule 100002 to raise an alert, right? If that is the case, you don't need to overwrite rule 1002; by using the <if_sid> you are good to go (Wazuh doesn't care about the level of the previous matching rules; the only level that defines whether it will raise an alert or not is the one of the last matching rule, the more specific rule). Another thing to note is that the rules always need to be inside a group; if you are creating a rule outside of a group, it will not work correctly. So, your rule 100002 should be working correctly this way:

<group name="local,syslog,sshd,">

  <rule id="100002" level="12">
    <if_sid>1002</if_sid>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^26212$</field>
    <options>alert_by_email</options>
    <options>no_full_log</options>
    <description>Chkdsk event 26212 detected</description>
  </rule>

</group>

Also, the log that you shared matches 1002 but has some info missing, so it won't match 100002. If you want, share the complete log so we can help you in a better way.

Have a great day! Regards, Kevin
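The two points in this reply (a rule written outside a <group> is not loaded correctly, and the alert level is that of the last matching rule rather than of its <if_sid> parent) can be checked mechanically before the file is loaded into the manager. What follows is an added example, not code from this thread or from the Wazuh project: a Python script that parses a rules fragment, flags rules sitting outside any <group> and <if_sid> references that resolve to nothing, and then runs a constructed event through a deliberately simplified model of Wazuh's matching. The event carries the decoded fields from the logtest output in the first post. That output reports the decoder name as 'json', and a <decoded_as>windows_eventchannel</decoded_as> condition only holds when the decoder name matches, so the model is run once with decoder 'json' (rule 1002, level 2 wins, as in the thread's Phase 3 output) and once with 'windows_eventchannel' (rule 100002, level 12 wins). Assumptions: only <match>, <if_sid>, <decoded_as> and <field> are modelled, rules are evaluated parent-first, patterns are Python regexes rather than OSSEC regexes, the $BAD_WORDS list is a constructed subset of the real one, and the event text is shortened.

```python
# Added example, not code from the thread or from the Wazuh project: a simplified model of
# Wazuh rule matching (only <match>, <if_sid>, <decoded_as>, <field>; Python regexes).
import re
import xml.etree.ElementTree as ET

# Constructed subset of Wazuh's $BAD_WORDS variable (the real list is longer).
VARIABLES = {"$BAD_WORDS": r"core_dumped|failure|error|attack| bad |illegal |denied|refused|fatal|failed"}

# Default rule 1002 as the thread's logtest reports it (level 2, groups syslog,errors).
DEFAULT_RULES_XML = """
<group name="syslog,errors,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
  </rule>
</group>
"""

# The corrected child rule from the reply above, inside a <group>.
LOCAL_RULES_XML = """
<group name="local,syslog,sshd,">
  <rule id="100002" level="12">
    <if_sid>1002</if_sid>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^26212$</field>
    <description>Chkdsk event 26212 detected</description>
  </rule>
</group>
"""

# The first post's rules, written without an enclosing <group>.
UNGROUPED_RULES_XML = """
<rule id="1002" level="12" overwrite="yes">
  <match>$BAD_WORDS</match>
</rule>
<rule id="100002" level="12">
  <if_sid>1002</if_sid>
  <field name="win.system.eventID">^26212$</field>
</rule>
"""

def _rule_dict(node):
    """Flatten one <rule> element, expanding $VARIABLES inside <match>."""
    match = node.findtext("match") or ""
    for var, pattern in VARIABLES.items():
        match = match.replace(var, pattern)
    return {"id": node.get("id"), "level": int(node.get("level", "0")), "match": match,
            "if_sid": [s.strip() for s in (node.findtext("if_sid") or "").split(",") if s.strip()],
            "decoded_as": node.findtext("decoded_as"),
            "fields": {f.get("name"): f.text or "" for f in node.findall("field")}}

def parse_rules(xml_text, known_ids=frozenset()):
    """Return (rules, problems). A rules file has no single root, so the fragment is
    wrapped; a <rule> that is a direct child of the wrapper sits outside any <group>."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules, problems = [], []
    for node in root:
        if node.tag == "rule":
            problems.append(f"rule {node.get('id')} is not inside a <group>")
            rules.append(_rule_dict(node))
        elif node.tag == "group":
            rules.extend(_rule_dict(r) for r in node.findall("rule"))
    ids = {r["id"] for r in rules} | set(known_ids)
    for r in rules:
        for sid in r["if_sid"]:
            if sid not in ids:
                problems.append(f"rule {r['id']}: <if_sid>{sid}</if_sid> refers to an unknown rule")
    return rules, problems

def evaluate(rules, event):
    """A rule with <if_sid> is only tried once a listed parent matched; the last rule to
    match wins, and its level alone decides the alert level (rules listed parent-first)."""
    matched, winner = [], None
    for r in rules:
        if r["if_sid"] and not any(sid in matched for sid in r["if_sid"]):
            continue
        if r["decoded_as"] and r["decoded_as"] != event["decoder"]:
            continue
        if r["match"] and not re.search(r["match"], event["full_log"]):
            continue
        if any(not re.search(p, event["fields"].get(n, "")) for n, p in r["fields"].items()):
            continue
        matched.append(r["id"])
        winner = r
    return winner

def make_event(decoder):
    """Constructed event with fields from the thread's logtest output; the message is
    shortened but keeps the 'bad sectors' line that rule 1002's $BAD_WORDS keys on."""
    return {"decoder": decoder,
            "full_log": "Chkdsk was executed in read-only mode on a volume snapshot. "
                        "Checking file system on C: 4 KB in bad sectors. No further action is required.",
            "fields": {"win.system.eventID": "26212", "win.system.providerName": "Chkdsk"}}

def effective_alert(local_xml, event):
    """Load default + local rules, run one event through them and report what fires."""
    rules, problems = parse_rules(DEFAULT_RULES_XML + local_xml)
    winner = evaluate(rules, event)
    return {"problems": problems, "rule": winner["id"] if winner else None,
            "level": winner["level"] if winner else None}
```

Calling parse_rules(UNGROUPED_RULES_XML) reports both rules from the first post as "not inside a <group>"; effective_alert(LOCAL_RULES_XML, make_event("json")) ends on rule 1002 at level 2, and the same call with "windows_eventchannel" ends on rule 100002 at level 12, with the parent's level playing no part. wazuh-logtest remains the authoritative check; the script only makes the structural and ordering rules visible without touching the manager.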

Secure moi

Sep 14, 2023, 12:01:37 PM
to Wazuh | Mailing List
Thx Kevin! Awesome... am giving it a try (the wazuh-logtest completes all phases). I have some Windows machines set up to run chkdsk as a scheduled task, so will be back once I've had a chance to see if I get email alerts and if stuff shows up in alerts.log and alerts.json.

Thx again, you guyz are the best!

Secure moi

Sep 16, 2023, 7:50:13 AM
to Wazuh | Mailing List
Hi Kevin, hoping to provide an update (thx again so much for the help). I'm trying the suggested rule, though I don't think I have things right yet. I am getting entries in archives.log that reflect check disk running on Windows clients (I have it running as a scheduled task), though not in alerts.log (or alerts.json), nor am I getting email alerts yet. If in my ossec.conf I throttle back the level, I get email alerts, so I think that part is working (at present the level is set to 10, and the rule level to 12). I've tried a couple of local rule statements on one of the clients, though I'm not sure this is necessary, and as best I can tell it doesn't seem to change things.

The wazuh-logtests complete the 3 phases. I think the test shows the custom rule is being detected, but rule 1002 is the one that ends up being fired (i.e., towards the end of the logtest results below, there is an entry of "Trying rule: 100002 - Chkdsk event 26212 detected" and **Phase 3: Completed filtering (rules).
id: '1002'

I'm not sure what I'm doing wrong; hoping the following will help with diagnosing what to change? Thx!

1) RULE 

<group name="local,syslog,sshd,">
  <rule id="100002" level="12">
    <if_sid>1002</if_sid>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^26212$</field>
    <options>alert_by_email</options>
    <options>no_full_log</options>
    <description>Chkdsk event 26212 detected</description>
  </rule>
</group>

2) ossec.conf (I've masked some of the data)
<!--
  Wazuh - Manager - Default configuration for ubuntu 22.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>em...@email.net</email_from>
    <email_to> em...@email.net  </email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>



3) Wazuh-LogTest
Starting wazuh-logtest v4.5.2

Type one log per line


**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Chkdsk","eventID":"26212","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2023-09-15T20:20:16.5744189Z","eventRecordID":"974627","processID":"0","threadID":"0","channel":"Application","computer":"MY-PC","severityValue":"INFORMATION","message":"\"Chkdsk was executed in read-only mode on a volume snapshot. \r\n\r\nChecking file system on C:\r\nThe type of the file system is NTFS.\r\nVolume label is OSDisk.\r\n\r\nWARNING! /F parameter not specified.\r\nRunning CHKDSK in read-only mode.\r\n\r\nStage 1: Examining basic file system structure ...\r\nCleaning up instance tags for file 0x19953.\r\n 836096 file records processed. \r\r\nFile verification completed.\r\n Phase duration (File record verification): 51.94 seconds.\r\n 30480 large file records processed. \r\r\n Phase duration (Orphan file record recovery): 0.00 milliseconds.\r\n 0 bad file records processed. \r\r\n Phase duration (Bad file record checking): 0.10 milliseconds.\r\n\r\nStage 2: Examining file name linkage ...\r\n 77918 reparse records processed. \r\r\n 1181398 index entries processed. \r\r\nIndex verification completed.\r\n Phase duration (Index verification): 3.17 minutes.\r\n 0 unindexed files scanned. \r\r\n Phase duration (Orphan reconnection): 7.44 seconds.\r\n 0 unindexed files recovered to lost and found. \r\r\n Phase duration (Orphan recovery to lost and found): 0.05 milliseconds.\r\n 77918 reparse records processed. \r\r\n Phase duration (Reparse point and Object ID verification): 355.36 milliseconds.\r\n\r\nStage 3: Examining security descriptors ...\r\nSecurity descriptor verification completed.\r\n Phase duration (Security descriptor verification): 167.57 milliseconds.\r\n 172652 data files processed. \r\r\n Phase duration (Data attribute verification): 0.07 milliseconds.\r\nCHKDSK is verifying Usn Journal...\r\n 35106392 USN bytes processed. 
\r\r\nUsn Journal verification completed.\r\n Phase duration (USN journal verification): 445.86 milliseconds.\r\n\r\nWindows has scanned the file system and found no problems.\r\nNo further action is required.\r\n\r\n 311459395 KB total disk space.\r\n 42802152 KB in 417959 files.\r\n 319752 KB in 172653 indexes.\r\n 0 KB in bad sectors.\r\n 958499 KB in use by the system.\r\n 65536 KB occupied by the log file.\r\n 267378992 KB available on disk.\r\n\r\n 4096 bytes in each allocation unit.\r\n 77864848 total allocation units on disk.\r\n 66844748 allocation units available on disk.\r\nTotal duration: 4.17 minutes (250635 ms).\r\n\""},"eventdata":{"binary":"00C20C001F030900381A1000000000002C020000322E01000000000000000000","data":" Checking file system on C: The type of the file system is NTFS. Volume label is OSDisk. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... Cleaning up instance tags for file 0x19953. 836096 file records processed. File verification completed. Phase duration (File record verification): 51.94 seconds. 30480 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.10 milliseconds. Stage 2: Examining file name linkage ... 77918 reparse records processed. 1181398 index entries processed. Index verification completed. Phase duration (Index verification): 3.17 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 7.44 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.05 milliseconds. 77918 reparse records processed. Phase duration (Reparse point and Object ID verification): 355.36 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 167.57 milliseconds. 172652 data files processed. 
Phase duration (Data attribute verification): 0.07 milliseconds. CHKDSK is verifying Usn Journal... 35106392 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 445.86 milliseconds. Windows has scanned the file system and found no problems. No further action is required. 311459395 KB total disk space. 42802152 KB in 417959 files. 319752 KB in 172653 indexes. 0 KB in bad sectors. 958499 KB in use by the system. 65536 KB occupied by the log file. 267378992 KB available on disk. 4096 bytes in each allocation unit. 77864848 total allocation units on disk. 66844748 allocation units available on disk. Total duration: 4.17 minutes (250635 ms)."}}}'


**Phase 2: Completed decoding.
name: 'json'
win.eventdata.binary: '00C20C001F030900381A1000000000002C020000322E01000000000000000000'
win.eventdata.data: ' Checking file system on C: The type of the file system is NTFS. Volume label is OSDisk. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... Cleaning up instance tags for file 0x19953. 836096 file records processed. File verification completed. Phase duration (File record verification): 51.94 seconds. 30480 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.10 milliseconds. Stage 2: Examining file name linkage ... 77918 reparse records processed. 1181398 index entries processed. Index verification completed. Phase duration (Index verification): 3.17 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 7.44 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.05 milliseconds. 77918 reparse records processed. Phase duration (Reparse point and Object ID verification): 355.36 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 167.57 milliseconds. 172652 data files processed. Phase duration (Data attribute verification): 0.07 milliseconds. CHKDSK is verifying Usn Journal... 35106392 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 445.86 milliseconds. Windows has scanned the file system and found no problems. No further action is required. 311459395 KB total disk space. 42802152 KB in 417959 files. 319752 KB in 172653 indexes. 0 KB in bad sectors. 958499 KB in use by the system. 65536 KB occupied by the log file. 267378992 KB available on disk. 4096 bytes in each allocation unit. 77864848 total allocation units on disk. 66844748 allocation units available on disk. Total duration: 4.17 minutes (250635 ms).'
win.system.channel: 'Application'
win.system.computer: 'MY-PC'
win.system.eventID: '26212'
win.system.eventRecordID: '974627'

win.system.keywords: '0x80000000000000'
win.system.level: '4'
win.system.message: '"Chkdsk was executed in read-only mode on a volume snapshot.

Checking file system on C:
The type of the file system is NTFS.
Volume label is OSDisk.


WARNING! /F parameter not specified.
Running CHKDSK in read-only mode.

Stage 1: Examining basic file system structure ...
Cleaning up instance tags for file 0x19953.
 836096 file records processed.
File verification completed.
 Phase duration (File record verification): 51.94 seconds.
 30480 large file records processed.
 Phase duration (Orphan file record recovery): 0.00 milliseconds.
 0 bad file records processed.
 Phase duration (Bad file record checking): 0.10 milliseconds.


Stage 2: Examining file name linkage ...
 77918 reparse records processed.
 1181398 index entries processed.
Index verification completed.
 Phase duration (Index verification): 3.17 minutes.
 0 unindexed files scanned.
 Phase duration (Orphan reconnection): 7.44 seconds.

 0 unindexed files recovered to lost and found.
 Phase duration (Orphan recovery to lost and found): 0.05 milliseconds.
 77918 reparse records processed.
 Phase duration (Reparse point and Object ID verification): 355.36 milliseconds.


Stage 3: Examining security descriptors ...
Security descriptor verification completed.
 Phase duration (Security descriptor verification): 167.57 milliseconds.
 172652 data files processed.
 Phase duration (Data attribute verification): 0.07 milliseconds.

CHKDSK is verifying Usn Journal...
 35106392 USN bytes processed.
Usn Journal verification completed.
 Phase duration (USN journal verification): 445.86 milliseconds.


Windows has scanned the file system and found no problems.
No further action is required.

 311459395 KB total disk space.
 42802152 KB in 417959 files.
 319752 KB in 172653 indexes.
 0 KB in bad sectors.
 958499 KB in use by the system.

 65536 KB occupied by the log file.
 267378992 KB available on disk.


 4096 bytes in each allocation unit.
 77864848 total allocation units on disk.
 66844748 allocation units available on disk.
Total duration: 4.17 minutes (250635 ms).

"'
win.system.opcode: '0'
win.system.processID: '0'
win.system.providerName: 'Chkdsk'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-09-15T20:20:16.5744189Z'

win.system.task: '0'
win.system.threadID: '0'
win.system.version: '0'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched
*Trying child rules
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 650 - Active Response JSON Messages Grouped
Trying rule: 200 - Grouping of wazuh rules.
Trying rule: 400 - Rules for Wazuh API events.
Trying rule: 420 - Rules for Wazuh API events.
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages.
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5905 - useradd failed.
Trying rule: 5400 - Initial group for sudo messages.
Trying rule: 9100 - PPTPD messages grouped.
Trying rule: 9200 - Squid syslog messages grouped.
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 2940 - NetworkManager grouping.
Trying rule: 2943 - nouveau driver grouping.
Trying rule: 2962 - Perdition custom app group.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3395 - Grouping of the postfix warning rules.
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4700 - Grouping of Cisco IOS rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5556 - unix_chkpwd grouping.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
Trying rule: 7200 - Arpwatch messages grouped.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages grouped.
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 9770 - dovecot-info grouping.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11310 - Rule grouping for pure ftpd transfers.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - Grouping for the nmbd rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 30100 - Apache: Messages grouped.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 40700 - Systemd rules
Trying rule: 40900 - firewalld grouping
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 51525 - ftp-proxy cannot connect to a server.
Trying rule: 51526 - Hard drive is dying.
Trying rule: 51527 - CARP master to backup.
Trying rule: 51528 - Duplicate IPv6 address.
Trying rule: 51529 - Could not load a firmware.
Trying rule: 51530 - hotplugd could not open a file.
Trying rule: 51532 - Bad ntp peer.
Trying rule: 51550 - doas grouping
Trying rule: 52500 - Clamd messages grouped.
Trying rule: 52501 - ClamAV: database update
Trying rule: 53500 - OpenSMTPd grouping.
Trying rule: 500000 - Unbound grouping.
Trying rule: 80000 - Puppet Master messages grouped.
Trying rule: 80001 - Puppet Agent messages grouped.
Trying rule: 80100 - Netscaler messages grouped.
Trying rule: 80200 - AWS alert.
Trying rule: 80500 - Serv-u messages grouped.
Trying rule: 80700 - Audit: Messages grouped.
Trying rule: 81100 - USB messages grouped.
Trying rule: 81300 - Redis messages grouped.
Trying rule: 81400 - OpenSCAP messages grouped.
Trying rule: 44400 - FortiNet Rules.
Trying rule: 81600 - Fortigate v3 messages grouped.
Trying rule: 81601 - Fortigate v4 messages grouped.
Trying rule: 81602 - Fortigate v5 messages grouped.
Trying rule: 81641 - Fortigate v6 messages grouped.
Trying rule: 44640 - FortiMail Rules.
Trying rule: 44698 - FortiMail: System Event System log messages.
Trying rule: 44730 - Alert from Forti Authenticator.
Trying rule: 81700 - HP 5500 EI messages grouped.
Trying rule: 81800 - OpenVPN messages grouped.
Trying rule: 81900 - RSA Authentication Manager messages grouped.
Trying rule: 82000 - Imperva messages grouped.
Trying rule: 82100 - Sophos alerts.
Trying rule: 64270 - savscan category
Trying rule: 64274 - Update category
Trying rule: 82200 - FreeIPA syslog.
Trying rule: 82400 - Cisco eStreamer messages grouped.
Trying rule: 85000 - SQL Server messages.
Trying rule: 85500 - Identity Guard Log.
Trying rule: 85750 - MongoDB messages
Trying rule: 86000 - Docker messages
Trying rule: 86250 - Jenkins messages
Trying rule: 86800 - VShell message grouped.
Trying rule: 86600 - Suricata messages.
Trying rule: 86900 - Qualysguard messages grouped.
Trying rule: 87000 - Cylance events messages grouped.
Trying rule: 87050 - Cylance threats messages grouped.
Trying rule: 87100 - VirusTotal integration messages.
Trying rule: 87200 - pvedaemon messages grouped.
Trying rule: 87300 - ownCloud messages grouped.
Trying rule: 87310 - ownCloud messages grouped.
Trying rule: 22401 - Vuls integration event.
Trying rule: 87402 - CIS-CAT events.
Trying rule: 87403 - Old CIS-CAT events.
Trying rule: 87500 - Exim: SMTP Messages Grouped.
Trying rule: 87501 - dovecot messages grouped.
Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
Trying rule: 87600 - OpenVAS (gsad) messages grouped.
Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
Trying rule: 88000 - Percona Server audit events grouped.
Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
Trying rule: 88100 - MariaDB group messages.
Trying rule: 87700 - pfSense firewall rules grouped.
Trying rule: 87900 - Docker alerts: $(docker.Type)
Trying rule: 64000 - Grouping of cisco-ASA rules
Trying rule: 65500 - Mcafee EPO2
Trying rule: 88200 - NextCloud messages grouped.
Trying rule: 88201 - NextCloud messages grouped.
Trying rule: 67100 - Junos IDS
Trying rule: 67102 - Junos RT Flow
Trying rule: 64200 - PANDA Antivirus event.
Trying rule: 64220 - Checkpoint events.
Trying rule: 65000 - GCP alert.
Trying rule: 65260 - F5 Networks BigIP events
Trying rule: 65293 - F5 BigIP CEF decoded grouped alerts
Trying rule: 64500 - Palo Alto $(type) event.
Trying rule: 70020 - Sophos XG210 Firewall event
Trying rule: 70000 -  FreePBX parent
Trying rule: 91100 - GitHub alert.
Trying rule: 91531 - Office 365: $(office365.Workload) $(office365.Operation) operation.
Trying rule: 88800 - Arbor
Trying rule: 150100 - FireEye
Trying rule: 89200 - Grouping of Huawei USG rules.
Trying rule: 91500 - cisco-ftd rules
Trying rule: 42001 - ESET console logs.
Trying rule: 92501 - Cloudflare WAF rules
Trying rule: 99000 - Amazon Security Lake rules grouped.
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
*Rule 1003 matched
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
Trying rule: 91002 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-26855).
Trying rule: 91003 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-27065).
Trying rule: 2301 - xinetd: Excessive number connections to a service.
Trying rule: 2502 - syslog: User missed the password more than one time
Trying rule: 2504 - syslog: Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking.
Trying rule: 5901 - New group added to the system.
Trying rule: 5902 - New user added to the system.
Trying rule: 5904 - Information from the user was changed.
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 18128 - Windows: Group account added/changed/deleted.
Trying rule: 1007 - File system full.
Trying rule: 5134 - RNGD failure
Trying rule: 89101 - Oracle DB alerts.
Trying rule: 30200 - Modsecurity alert.
Trying rule: 87508 - Exim: RCPT rejected. Error: $(error_message).
Trying rule: 1004 - Syslogd exiting (logging stopped).
Trying rule: 1005 - Syslogd restarted.
Trying rule: 1006 - Syslogd restarted.
Trying rule: 1008 - Process exiting (killed).
Trying rule: 1010 - Process segfaulted.
Trying rule: 2501 - syslog: User authentication failure.
Trying rule: 2503 - syslog: Connection blocked by Tcp Wrappers.
Trying rule: 5604 - telnetd: Reverse lookup error (bad hostname config).
Trying rule: 14101 - racoon: VPN authentication failed.
Trying rule: 66001 - Zeek: SSH Connection
Trying rule: 66002 - Zeek: SSL Connection
Trying rule: 66003 - Zeek: DNS Query
Trying rule: 66004 - Zeek: Connection detail
Trying rule: 65601 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65602 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 65607 - (Gitlab) $(message).
Trying rule: 65609 - (Gitlab) $(severity):$(message).
Trying rule: 65611 - (Gitlab) $(severity):$(message).
Trying rule: 65617 - (Gitlab) $(severity): $(message).
Trying rule: 65619 - (Gitlab) $(severity): $(message).
Trying rule: 65622 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65623 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 89600 - $(application) has been granted permission to $(service) at $(time).
Trying rule: 89601 - $(application) has been denied permission to $(service) at $(time).
Trying rule: 89606 - Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) failed.
Trying rule: 2103 - Unable to mount the NFS directory.
Trying rule: 2945 - rsyslog may be dropping messages due to rate-limiting.
Trying rule: 5553 - PAM misconfiguration.
Trying rule: 5554 - PAM misconfiguration.
Trying rule: 12112 - Zone transfer error.
Trying rule: 51524 - System was rebooted.
Trying rule: 2505 - syslog: Physical root login.
Trying rule: 2506 - syslog: Pop3 Authentication passed.
Trying rule: 5903 - Group (or user) deleted from the system.
Trying rule: 5555 - PAM: User changed password.
Trying rule: 13112 - Samba: Segfault in gvfs-smb.
Trying rule: 51531 - User account deleted.
Trying rule: 52000 - Apparmor messages grouped.
Trying rule: 44691 - FortiMail: DNS query event.
Trying rule: 44707 - FortiMail: IMAP-related events.
Trying rule: 44708 - FortiMail: POP3-related events.
Trying rule: 44717 - FortiMail: Event Webmail log messages.
Trying rule: 24000 - osquery message
Trying rule: 17000 - Kaspersky Endpoint Security - Task $(TaskName) changed to state $(TaskState)
Trying rule: 87801 - Azure: Log analytics
Trying rule: 87802 - Azure: AD $(activity)
Trying rule: 87803 - Azure: Storage
Trying rule: 87804 - Azure: Storage
Trying rule: 61053 - Event created in the application log.
Trying rule: 65600 - (Gitlab) $(method) request completed succesfully.
Trying rule: 65603 - (Gitlab) User $(new_user) was created.
Trying rule: 65604 - (Gitlab) $(project_autor) created a new project.
Trying rule: 65605 - (Gitlab) User $(removed_user) was removed.
Trying rule: 65606 - (Gitlab) Project $(project_removed) was removed.
Trying rule: 65608 - (Gitlab) $(message).
Trying rule: 65610 - (Gitlab) $(severity):$(message).
Trying rule: 65612 - (Gitlab) $(severity):changed $(change) from $(from) to $(to).
Trying rule: 65613 - Group of gitlab_sidekiq.
Trying rule: 65616 - (Gitlab) $(severity): $(message).
Trying rule: 65618 - (Gitlab) $(severity): $(message).
Trying rule: 65620 - (Gitlab) graphql_query_string: $(query_string).
Trying rule: 65621 - (Gitlab) $(method) request completed succesfully.
Trying rule: 150150 - FireEye NX: Silverfish
Trying rule: 89100 - OracleDB transaction.
Trying rule: 89602 - Screen unlocked with userID:$(userID).
Trying rule: 89603 - Screen locked with userID:$(userID).
Trying rule: 89604 - User logoff.
Trying rule: 89605 - User login.
Trying rule: 89607 - Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) succeeded.
Trying rule: 89608 - Session $(sessionId) has been created.
Trying rule: 89609 - Session $(sessionId) has been destroyed.
Trying rule: 1001 - File missing. Root access unrestricted.
Trying rule: 1002 - Unknown problem somewhere in the system.
*Rule 1002 matched
*Trying child rules
Trying rule: 1009 - Ignoring known false positives on rule 1002.
Trying rule: 2942 - Uninteresting gnome error.
Trying rule: 3752 - ignore
Trying rule: 100002 - Chkdsk event 26212 detected
Trying rule: 51533 - dhclient receive_packet failed.
Trying rule: 51535 - SIOCDIFADDR failed


**Phase 3: Completed filtering (rules).
id: '1002'
level: '2'
description: 'Unknown problem somewhere in the system.'
groups: '['syslog', 'errors']'
firedtimes: '1'
gpg13: '['4.3']'
mail: 'False'
**Alert to be generated.
SCHEDULED TASKS
Two machines running check disk every hour

RULE (only one)


<group name="local,syslog,sshd,">
  <rule id="100002" level="12">
    <if_sid>1002</if_sid>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^26212$</field>
    <options>alert_by_email</options>
    <options>no_full_log</options>
    <description>Chkdsk event 26212 detected</description>
  </rule>
</group>


ossec.conf
<!--
  Wazuh - Manager - Default configuration for ubuntu 22.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from> em...@email.net  </email_from>
    <email_to> em...@email.net  </email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>


3) Wazuh-LogTest
Starting wazuh-logtest v4.5.2

Type one log per line


**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Chkdsk","eventID":"26212","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2023-09-15T20:20:16.5744189Z","eventRecordID":"974627","processID":"0","threadID":"0","channel":"Application","computer":"MY-PC","severityValue":"INFORMATION","message":"\"Chkdsk was executed in read-only mode on a volume snapshot. \r\n\r\nChecking file system on C:\r\nThe type of the file system is NTFS.\r\nVolume label is OSDisk.\r\n\r\nWARNING! /F parameter not specified.\r\nRunning CHKDSK in read-only mode.\r\n\r\nStage 1: Examining basic file system structure ...\r\nCleaning up instance tags for file 0x19953.\r\n 836096 file records processed. \r\r\nFile verification completed.\r\n Phase duration (File record verification): 51.94 seconds.\r\n 30480 large file records processed. \r\r\n Phase duration (Orphan file record recovery): 0.00 milliseconds.\r\n 0 bad file records processed. \r\r\n Phase duration (Bad file record checking): 0.10 milliseconds.\r\n\r\nStage 2: Examining file name linkage ...\r\n 77918 reparse records processed. \r\r\n 1181398 index entries processed. \r\r\nIndex verification completed.\r\n Phase duration (Index verification): 3.17 minutes.\r\n 0 unindexed files scanned. \r\r\n Phase duration (Orphan reconnection): 7.44 seconds.\r\n 0 unindexed files recovered to lost and found. \r\r\n Phase duration (Orphan recovery to lost and found): 0.05 milliseconds.\r\n 77918 reparse records processed. \r\r\n Phase duration (Reparse point and Object ID verification): 355.36 milliseconds.\r\n\r\nStage 3: Examining security descriptors ...\r\nSecurity descriptor verification completed.\r\n Phase duration (Security descriptor verification): 167.57 milliseconds.\r\n 172652 data files processed. \r\r\n Phase duration (Data attribute verification): 0.07 milliseconds.\r\nCHKDSK is verifying Usn Journal...\r\n 35106392 USN bytes processed. 
\r\r\nUsn Journal verification completed.\r\n Phase duration (USN journal verification): 445.86 milliseconds.\r\n\r\nWindows has scanned the file system and found no problems.\r\nNo further action is required.\r\n\r\n 311459395 KB total disk space.\r\n 42802152 KB in 417959 files.\r\n 319752 KB in 172653 indexes.\r\n 0 KB in bad sectors.\r\n 958499 KB in use by the system.\r\n 65536 KB occupied by the log file.\r\n 267378992 KB available on disk.\r\n\r\n 4096 bytes in each allocation unit.\r\n 77864848 total allocation units on disk.\r\n 66844748 allocation units available on disk.\r\nTotal duration: 4.17 minutes (250635 ms).\r\n\""},"eventdata":{"binary":"00C20C001F030900381A1000000000002C020000322E01000000000000000000","data":" Checking file system on C: The type of the file system is NTFS. Volume label is OSDisk. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... Cleaning up instance tags for file 0x19953. 836096 file records processed. File verification completed. Phase duration (File record verification): 51.94 seconds. 30480 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.10 milliseconds. Stage 2: Examining file name linkage ... 77918 reparse records processed. 1181398 index entries processed. Index verification completed. Phase duration (Index verification): 3.17 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 7.44 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.05 milliseconds. 77918 reparse records processed. Phase duration (Reparse point and Object ID verification): 355.36 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 167.57 milliseconds. 172652 data files processed. 
Phase duration (Data attribute verification): 0.07 milliseconds. CHKDSK is verifying Usn Journal... 35106392 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 445.86 milliseconds. Windows has scanned the file system and found no problems. No further action is required. 311459395 KB total disk space. 42802152 KB in 417959 files. 319752 KB in 172653 indexes. 0 KB in bad sectors. 958499 KB in use by the system. 65536 KB occupied by the log file. 267378992 KB available on disk. 4096 bytes in each allocation unit. 77864848 total allocation units on disk. 66844748 allocation units available on disk. Total duration: 4.17 minutes (250635 ms)."}}}'


**Phase 2: Completed decoding.
name: 'json'
win.eventdata.binary: '00C20C001F030900381A1000000000002C020000322E01000000000000000000'
win.eventdata.data: ' Checking file system on C: The type of the file system is NTFS. Volume label is OSDisk. WARNING! /F parameter not specified. Running CHKDSK in read-only mode. Stage 1: Examining basic file system structure ... Cleaning up instance tags for file 0x19953. 836096 file records processed. File verification completed. Phase duration (File record verification): 51.94 seconds. 30480 large file records processed. Phase duration (Orphan file record recovery): 0.00 milliseconds. 0 bad file records processed. Phase duration (Bad file record checking): 0.10 milliseconds. Stage 2: Examining file name linkage ... 77918 reparse records processed. 1181398 index entries processed. Index verification completed. Phase duration (Index verification): 3.17 minutes. 0 unindexed files scanned. Phase duration (Orphan reconnection): 7.44 seconds. 0 unindexed files recovered to lost and found. Phase duration (Orphan recovery to lost and found): 0.05 milliseconds. 77918 reparse records processed. Phase duration (Reparse point and Object ID verification): 355.36 milliseconds. Stage 3: Examining security descriptors ... Security descriptor verification completed. Phase duration (Security descriptor verification): 167.57 milliseconds. 172652 data files processed. Phase duration (Data attribute verification): 0.07 milliseconds. CHKDSK is verifying Usn Journal... 35106392 USN bytes processed. Usn Journal verification completed. Phase duration (USN journal verification): 445.86 milliseconds. Windows has scanned the file system and found no problems. No further action is required. 311459395 KB total disk space. 42802152 KB in 417959 files. 319752 KB in 172653 indexes. 0 KB in bad sectors. 958499 KB in use by the system. 65536 KB occupied by the log file. 267378992 KB available on disk. 4096 bytes in each allocation unit. 77864848 total allocation units on disk. 66844748 allocation units available on disk. Total duration: 4.17 minutes (250635 ms).'
win.system.channel: 'Application'
win.system.computer: 'MY-PC'
win.system.eventID: '26212'
win.system.eventRecordID: '974627'

win.system.keywords: '0x80000000000000'
win.system.level: '4'
win.system.message: '"Chkdsk was executed in read-only mode on a volume snapshot.

Checking file system on C:
The type of the file system is NTFS.
Volume label is OSDisk.


WARNING! /F parameter not specified.
Running CHKDSK in read-only mode.

Stage 1: Examining basic file system structure ...
Cleaning up instance tags for file 0x19953.
 836096 file records processed.
File verification completed.
 Phase duration (File record verification): 51.94 seconds.
 30480 large file records processed.
 Phase duration (Orphan file record recovery): 0.00 milliseconds.
 0 bad file records processed.
 Phase duration (Bad file record checking): 0.10 milliseconds.


Stage 2: Examining file name linkage ...
 77918 reparse records processed.
 1181398 index entries processed.
Index verification completed.
 Phase duration (Index verification): 3.17 minutes.
 0 unindexed files scanned.
 Phase duration (Orphan reconnection): 7.44 seconds.

 0 unindexed files recovered to lost and found.
 Phase duration (Orphan recovery to lost and found): 0.05 milliseconds.
 77918 reparse records processed.
 Phase duration (Reparse point and Object ID verification): 355.36 milliseconds.


Stage 3: Examining security descriptors ...
Security descriptor verification completed.
 Phase duration (Security descriptor verification): 167.57 milliseconds.
 172652 data files processed.
 Phase duration (Data attribute verification): 0.07 milliseconds.

CHKDSK is verifying Usn Journal...
 35106392 USN bytes processed.
Usn Journal verification completed.
 Phase duration (USN journal verification): 445.86 milliseconds.


Windows has scanned the file system and found no problems.
No further action is required.

 311459395 KB total disk space.
 42802152 KB in 417959 files.
 319752 KB in 172653 indexes.
 0 KB in bad sectors.
 958499 KB in use by the system.

 65536 KB occupied by the log file.
 267378992 KB available on disk.


 4096 bytes in each allocation unit.
 77864848 total allocation units on disk.
 66844748 allocation units available on disk.
Total duration: 4.17 minutes (250635 ms).

"'
win.system.opcode: '0'
win.system.processID: '0'
win.system.providerName: 'Chkdsk'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-09-15T20:20:16.5744189Z'

win.system.task: '0'
win.system.threadID: '0'
win.system.version: '0'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched
*Trying child rules
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 650 - Active Response JSON Messages Grouped
Trying rule: 200 - Grouping of wazuh rules.
Trying rule: 400 - Rules for Wazuh API events.
Trying rule: 420 - Rules for Wazuh API events.
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages.
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5905 - useradd failed.
Trying rule: 5400 - Initial group for sudo messages.
Trying rule: 9100 - PPTPD messages grouped.
Trying rule: 9200 - Squid syslog messages grouped.
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 2940 - NetworkManager grouping.
Trying rule: 2943 - nouveau driver grouping.
Trying rule: 2962 - Perdition custom app group.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3395 - Grouping of the postfix warning rules.
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4700 - Grouping of Cisco IOS rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5556 - unix_chkpwd grouping.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP ipv4 rules.
Trying rule: 6350 - Grouping for the MS-DHCP ipv6 rules.
Trying rule: 7200 - Arpwatch messages grouped.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages grouped.
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 9770 - dovecot-info grouping.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11310 - Rule grouping for pure ftpd transfers.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - Grouping for the nmbd rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 30100 - Apache: Messages grouped.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 40700 - Systemd rules
Trying rule: 40900 - firewalld grouping
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 51525 - ftp-proxy cannot connect to a server.
Trying rule: 51526 - Hard drive is dying.
Trying rule: 51527 - CARP master to backup.
Trying rule: 51528 - Duplicate IPv6 address.
Trying rule: 51529 - Could not load a firmware.
Trying rule: 51530 - hotplugd could not open a file.
Trying rule: 51532 - Bad ntp peer.
Trying rule: 51550 - doas grouping
Trying rule: 52500 - Clamd messages grouped.
Trying rule: 52501 - ClamAV: database update
Trying rule: 53500 - OpenSMTPd grouping.
Trying rule: 500000 - Unbound grouping.
Trying rule: 80000 - Puppet Master messages grouped.
Trying rule: 80001 - Puppet Agent messages grouped.
Trying rule: 80100 - Netscaler messages grouped.
Trying rule: 80200 - AWS alert.
Trying rule: 80500 - Serv-u messages grouped.
Trying rule: 80700 - Audit: Messages grouped.
Trying rule: 81100 - USB messages grouped.
Trying rule: 81300 - Redis messages grouped.
Trying rule: 81400 - OpenSCAP messages grouped.
Trying rule: 44400 - FortiNet Rules.
Trying rule: 81600 - Fortigate v3 messages grouped.
Trying rule: 81601 - Fortigate v4 messages grouped.
Trying rule: 81602 - Fortigate v5 messages grouped.
Trying rule: 81641 - Fortigate v6 messages grouped.
Trying rule: 44640 - FortiMail Rules.
Trying rule: 44698 - FortiMail: System Event System log messages.
Trying rule: 44730 - Alert from Forti Authenticator.
Trying rule: 81700 - HP 5500 EI messages grouped.
Trying rule: 81800 - OpenVPN messages grouped.
Trying rule: 81900 - RSA Authentication Manager messages grouped.
Trying rule: 82000 - Imperva messages grouped.
Trying rule: 82100 - Sophos alerts.
Trying rule: 64270 - savscan category
Trying rule: 64274 - Update category
Trying rule: 82200 - FreeIPA syslog.
Trying rule: 82400 - Cisco eStreamer messages grouped.
Trying rule: 85000 - SQL Server messages.
Trying rule: 85500 - Identity Guard Log.
Trying rule: 85750 - MongoDB messages
Trying rule: 86000 - Docker messages
Trying rule: 86250 - Jenkins messages
Trying rule: 86800 - VShell message grouped.
Trying rule: 86600 - Suricata messages.
Trying rule: 86900 - Qualysguard messages grouped.
Trying rule: 87000 - Cylance events messages grouped.
Trying rule: 87050 - Cylance threats messages grouped.
Trying rule: 87100 - VirusTotal integration messages.
Trying rule: 87200 - pvedaemon messages grouped.
Trying rule: 87300 - ownCloud messages grouped.
Trying rule: 87310 - ownCloud messages grouped.
Trying rule: 22401 - Vuls integration event.
Trying rule: 87402 - CIS-CAT events.
Trying rule: 87403 - Old CIS-CAT events.
Trying rule: 87500 - Exim: SMTP Messages Grouped.
Trying rule: 87501 - dovecot messages grouped.
Trying rule: 23501 - $(vulnerability.cve) affects $(vulnerability.package.name)
Trying rule: 87600 - OpenVAS (gsad) messages grouped.
Trying rule: 87608 - OpenVAS (openvasmd) messages grouped.
Trying rule: 88000 - Percona Server audit events grouped.
Trying rule: 89050 - McAfee AUDIT Plugin for MySQL events grouped.
Trying rule: 88100 - MariaDB group messages.
Trying rule: 87700 - pfSense firewall rules grouped.
Trying rule: 87900 - Docker alerts: $(docker.Type)
Trying rule: 64000 - Grouping of cisco-ASA rules
Trying rule: 65500 - Mcafee EPO2
Trying rule: 88200 - NextCloud messages grouped.
Trying rule: 88201 - NextCloud messages grouped.
Trying rule: 67100 - Junos IDS
Trying rule: 67102 - Junos RT Flow
Trying rule: 64200 - PANDA Antivirus event.
Trying rule: 64220 - Checkpoint events.
Trying rule: 65000 - GCP alert.
Trying rule: 65260 - F5 Networks BigIP events
Trying rule: 65293 - F5 BigIP CEF decoded grouped alerts
Trying rule: 64500 - Palo Alto $(type) event.
Trying rule: 70020 - Sophos XG210 Firewall event
Trying rule: 70000 -  FreePBX parent
Trying rule: 91100 - GitHub alert.
Trying rule: 91531 - Office 365: $(office365.Workload) $(office365.Operation) operation.
Trying rule: 88800 - Arbor
Trying rule: 150100 - FireEye
Trying rule: 89200 - Grouping of Huawei USG rules.
Trying rule: 91500 - cisco-ftd rules
Trying rule: 42001 - ESET console logs.
Trying rule: 92501 - Cloudflare WAF rules
Trying rule: 99000 - Amazon Security Lake rules grouped.
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
*Rule 1003 matched
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
Trying rule: 91002 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-26855).
Trying rule: 91003 - MS Exchange - Possible ProxyLogon vulnerability exploitation (CVE-2021-27065).
Trying rule: 2301 - xinetd: Excessive number connections to a service.
Trying rule: 2502 - syslog: User missed the password more than one time
Trying rule: 2504 - syslog: Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking.
Trying rule: 5901 - New group added to the system.
Trying rule: 5902 - New user added to the system.
Trying rule: 5904 - Information from the user was changed.
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 18128 - Windows: Group account added/changed/deleted.
Trying rule: 1007 - File system full.
Trying rule: 5134 - RNGD failure
Trying rule: 89101 - Oracle DB alerts.
Trying rule: 30200 - Modsecurity alert.
Trying rule: 87508 - Exim: RCPT rejected. Error: $(error_message).
Trying rule: 1004 - Syslogd exiting (logging stopped).
Trying rule: 1005 - Syslogd restarted.
Trying rule: 1006 - Syslogd restarted.
Trying rule: 1008 - Process exiting (killed).
Trying rule: 1010 - Process segfaulted.
Trying rule: 2501 - syslog: User authentication failure.
Trying rule: 2503 - syslog: Connection blocked by Tcp Wrappers.
Trying rule: 5604 - telnetd: Reverse lookup error (bad hostname config).
Trying rule: 14101 - racoon: VPN authentication failed.
Trying rule: 66001 - Zeek: SSH Connection
Trying rule: 66002 - Zeek: SSL Connection
Trying rule: 66003 - Zeek: DNS Query
Trying rule: 66004 - Zeek: Connection detail
Trying rule: 65601 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65602 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 65607 - (Gitlab) $(message).
Trying rule: 65609 - (Gitlab) $(severity):$(message).
Trying rule: 65611 - (Gitlab) $(severity):$(message).
Trying rule: 65617 - (Gitlab) $(severity): $(message).
Trying rule: 65619 - (Gitlab) $(severity): $(message).
Trying rule: 65622 - (Gitlab) ERROR: couldn't complete $(method) request.
Trying rule: 65623 - (Gitlab) REDIRECTION: The $(method) request has more than one possible response.
Trying rule: 89600 - $(application) has been granted permission to $(service) at $(time).
Trying rule: 89601 - $(application) has been denied permission to $(service) at $(time).
Trying rule: 89606 - Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) failed.
Trying rule: 2103 - Unable to mount the NFS directory.
Trying rule: 2945 - rsyslog may be dropping messages due to rate-limiting.
Trying rule: 5553 - PAM misconfiguration.
Trying rule: 5554 - PAM misconfiguration.
Trying rule: 12112 - Zone transfer error.
Trying rule: 51524 - System was rebooted.
Trying rule: 2505 - syslog: Physical root login.
Trying rule: 2506 - syslog: Pop3 Authentication passed.
Trying rule: 5903 - Group (or user) deleted from the system.
Trying rule: 5555 - PAM: User changed password.
Trying rule: 13112 - Samba: Segfault in gvfs-smb.
Trying rule: 51531 - User account deleted.
Trying rule: 52000 - Apparmor messages grouped.
Trying rule: 44691 - FortiMail: DNS query event.
Trying rule: 44707 - FortiMail: IMAP-related events.
Trying rule: 44708 - FortiMail: POP3-related events.
Trying rule: 44717 - FortiMail: Event Webmail log messages.
Trying rule: 24000 - osquery message
Trying rule: 17000 - Kaspersky Endpoint Security - Task $(TaskName) changed to state $(TaskState)
Trying rule: 87801 - Azure: Log analytics
Trying rule: 87802 - Azure: AD $(activity)
Trying rule: 87803 - Azure: Storage
Trying rule: 87804 - Azure: Storage
Trying rule: 61053 - Event created in the application log.
Trying rule: 65600 - (Gitlab) $(method) request completed succesfully.
Trying rule: 65603 - (Gitlab) User $(new_user) was created.
Trying rule: 65604 - (Gitlab) $(project_autor) created a new project.
Trying rule: 65605 - (Gitlab) User $(removed_user) was removed.
Trying rule: 65606 - (Gitlab) Project $(project_removed) was removed.
Trying rule: 65608 - (Gitlab) $(message).
Trying rule: 65610 - (Gitlab) $(severity):$(message).
Trying rule: 65612 - (Gitlab) $(severity):changed $(change) from $(from) to $(to).
Trying rule: 65613 - Group of gitlab_sidekiq.
Trying rule: 65616 - (Gitlab) $(severity): $(message).
Trying rule: 65618 - (Gitlab) $(severity): $(message).
Trying rule: 65620 - (Gitlab) graphql_query_string: $(query_string).
Trying rule: 65621 - (Gitlab) $(method) request completed succesfully.
Trying rule: 150150 - FireEye NX: Silverfish
Trying rule: 89100 - OracleDB transaction.
Trying rule: 89602 - Screen unlocked with userID:$(userID).
Trying rule: 89603 - Screen locked with userID:$(userID).
Trying rule: 89604 - User logoff.
Trying rule: 89605 - User login.
Trying rule: 89607 - Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) succeeded.
Trying rule: 89608 - Session $(sessionId) has been created.
Trying rule: 89609 - Session $(sessionId) has been destroyed.
Trying rule: 1001 - File missing. Root access unrestricted.
Trying rule: 1002 - Unknown problem somewhere in the system.
*Rule 1002 matched
*Trying child rules
Trying rule: 1009 - Ignoring known false positives on rule 1002.
Trying rule: 2942 - Uninteresting gnome error.
Trying rule: 3752 - ignore
Trying rule: 100002 - Chkdsk event 26212 detected
Trying rule: 51533 - dhclient receive_packet failed.
Trying rule: 51535 - SIOCDIFADDR failed


**Phase 3: Completed filtering (rules).
id: '1002'
level: '2'
description: 'Unknown problem somewhere in the system.'
groups: '['syslog', 'errors']'
firedtimes: '1'
gpg13: '['4.3']'
mail: 'False'
**Alert to be generated.

Secure moi

Sep 24, 2023, 7:22:37 AM
to Wazuh | Mailing List
Still stuck on this...

As best I can tell, there is a default rule "1002" in /var/ossec/ruleset/rules/0020-syslog_rules.xml that gets triggered by the checkdisk log data. The default 1002 rule is

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
    <group>gpg13_4.3,</group>
  </rule>

When I run a wazuh-logtest against a check disk log (example sent in an earlier post), it passes all three phases.  If I try the overwrite="yes" option, pasting the default 1002 rule into local_rules.xml, the same rule test fails and does not get through phase 2 or phase 3.

So I'm back to trying to trigger my custom rule off of rule 1002.  My current attempt is (including what I think is setting up an "OR" condition):

<group name="local,syslog,errors,">
  <rule id="100009" level="12">
    <if_sid>1002</if_sid>
    <!-- eventID is one of the fields the JSON decoder extracts (see the logtest output) -->
    <field name="win.system.eventID">^26212$</field>
    <options>no_full_log</options>
    <options>alert_by_email</options>
    <description>chkdskmach1.</description>
  </rule>

  <rule id="100010" level="12">
    <if_sid>1002</if_sid>
    <!-- plain substring match against the raw log; it does not check the number in front of "KB" -->
    <match>KB in bad sectors.</match>
    <options>alert_by_email</options>
    <!-- one <description> per rule; the two given originally are merged here -->
    <description>chkdskmach2: "KB in bad sectors" matched.</description>
  </rule>
</group>

I'm getting checkdisk log data in my archives.log but not in alerts.log or alerts.json.  Is this a bug? I would guess not, but I am stumped as to what I'm doing wrong.
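An added example, not from the original poster or from the Wazuh ruleset, of attaching the same two checks to the Windows event chain instead of syslog rule 1002. The logtest run earlier in the thread shows the pasted event going through the generic 'json' decoder (name: 'json'), which is why 1002 matched there; an event forwarded by an agent with log_format eventchannel is handled on the manager by the windows_eventchannel decoder and the Windows rule group, so a custom rule whose parent is 1002 is not tried for it. The example assumes the stock parent rule 60000 ("Group of windows rules") from the default ruleset, a Wazuh 4.x manager with pcre2 support on <field>, and placeholder rule IDs 100020/100021:

```xml
<!-- Added example, not the poster's rules. Assumes parent rule 60000 from the
     default Windows eventchannel ruleset; IDs 100020/100021 are placeholders. -->
<group name="local,windows,chkdsk,">

  <!-- Every Chkdsk 26212 summary: provider and event ID are decoded fields of
       the eventchannel JSON, so match them as fields rather than with <match>
       against the raw log. Level 3 is the default log_alert_level, so this
       still lands in alerts.log/alerts.json. -->
  <rule id="100020" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^Chkdsk$</field>
    <field name="win.system.eventID">^26212$</field>
    <options>no_full_log</options>
    <description>Chkdsk: event 26212 on $(win.system.computer) (volume scan summary).</description>
  </rule>

  <!-- Escalate only when the summary reports a non-zero number of KB in bad
       sectors. The sample event carries " 0 KB in bad sectors." which this
       pcre2 pattern deliberately does not match; "KB in bad sectors" alone
       would fire on every healthy scan. -->
  <rule id="100021" level="12">
    <if_sid>100020</if_sid>
    <field name="win.system.message" type="pcre2">\s[1-9]\d* KB in bad sectors</field>
    <options>alert_by_email</options>
    <description>Chkdsk on $(win.system.computer) reported bad sectors on the scanned volume.</description>
  </rule>

</group>
```

Rule 100020 records every 26212 summary at level 3; when 100021 also matches, only the child (level 12, mailed) is emitted, which is the distinction rule 100010's plain <match> cannot make. Test the chain by feeding a 26212 entry copied from archives.log into wazuh-logtest and confirming that the decoder shown in phase 2 and the rule shown in phase 3 are the ones you expect; if phase 2 still reports 'json' rather than 'windows_eventchannel', the logtest run is not reproducing the agent path and the result says nothing about whether these rules fire in production.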
