Wazuh cannot loging Event ID 4688
25 views
Skip to first unread message
Emar Flix
Mar 14, 2026, 4:24:10 PM (2 days ago) Mar 14
to wa...@googlegroups.com
Hello,
In my agent event viewer there is 4688, in my ossec.conf and agent.conf configured normally but neither wazuh alerts and archives log not logging 4688. But I can get any other ID's from endpoints. Only can't get 4688 from any computer.
Thanks.
In my agent event viewer there is 4688, in my ossec.conf and agent.conf configured normally but neither wazuh alerts and archives log not logging 4688. But I can get any other ID's from endpoints. Only can't get 4688 from any computer.
Thanks.
Message has been deleted
hasitha.u...@wazuh.com
12:46 AM (7 hours ago) 12:46 AM
to Wazuh | Mailing List
Hi Emar,
I have noticed that eventID 4688 is matched with rule ID 60100, which is level 0. So that's why it won't show in the dashboard. Therefore, I have created a custom rule that you can place in the custom rule creation path /var/ossec/etc/rules/local_rules.xml.
Please verify that 4688 is configured to be excluded from the Security log collection. If yes, remove 4688 from the Security log collection and restart the agent to apply changes. Then you can simulate 4688 events and check again after applying the custom rule.
Let me know the update on this.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
I have noticed that eventID 4688 is matched with rule ID 60100, which is level 0. So that's why it won't show in the dashboard. Therefore, I have created a custom rule that you can place in the custom rule creation path /var/ossec/etc/rules/local_rules.xml.
- <group name="custom_windows,">
- <rule id="400100" level="3">
- <if_sid>60100</if_sid>
- <field name="win.system.eventID">^4688$</field>
- <description>New process has been created.</description>
- </rule>
- </group>
Make sure to restart the manager after adding the custom rule: systemctl restart wazuh-manager
By default, Wazuh collects and forwards event ID 4688 from the Security event channel to the manager without needing any additional configuration. Other event IDs that are not excluded from the default config will forward to the Wazuh manager.
- <localfile>
- <location>Security</location>
- <log_format>eventchannel</log_format>
- <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
- EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
- EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
- EventID != 5152 and EventID != 5157]</query>
- </localfile>
Please verify that 4688 is configured to be excluded from the Security log collection. If yes, remove 4688 from the Security log collection and restart the agent to apply changes. Then you can simulate 4688 events and check again after applying the custom rule.
Let me know the update on this.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
Emar Flix
3:08 AM (4 hours ago) 3:08 AM
to Wazuh | Mailing List
Hi, Hasitha.
Also there is no archives log about 4688. Do I need any rule to get archive log or agent.config file is enough to get log?
because in group agent config file I wrote EventID=4688 but there is no log in archive logs also.
Also there is no archives log about 4688. Do I need any rule to get archive log or agent.config file is enough to get log?
because in group agent config file I wrote EventID=4688 but there is no log in archive logs also.
hasitha.u...@wazuh.com yazdı, 16 mart 2026, bazar ertəsi, 08:46:43 UTC+4:
hasitha.u...@wazuh.com
3:52 AM (4 hours ago) 3:52 AM
to Wazuh | Mailing List
Hi Emar,
Could you please share the agent group config to identify any other issues?
Basically, by default, archive logs are disabled. Let me know if you have enabled it.
Steps to enable:
Edit /var/ossec/etc/ossec.conf on the Wazuh server and set the <logall_json> line to yes. This enables logging to archives.json of all events.
<logall_json>yes</logall_json>
Restart the Wazuh manager to make the change effective.
systemctl restart wazuh-manager
Warning Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager: systemctl restart wazuh-manager
According to the Microsoft document, it mentioned that 4688 eventID is from the security channel logs.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688
However, Wazuh ignores eventIDs from the security channel, only these IDs. Other event IDs are forwarded to the manager.
From the default log collection, it should send the 4688 events to the Wazuh manager.
To review further, could you please share the agent.conf file config to understand how you config.
Additionally, please share the ossec.log from one of the agents you have configured to the agent group so I can check any issues in log collection.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Let me know the update on this, and I can check further.
Could you please share the agent group config to identify any other issues?
Basically, by default, archive logs are disabled. Let me know if you have enabled it.
Steps to enable:
Edit /var/ossec/etc/ossec.conf on the Wazuh server and set the <logall_json> line to yes. This enables logging to archives.json of all events.
<logall_json>yes</logall_json>
Restart the Wazuh manager to make the change effective.
systemctl restart wazuh-manager
Warning Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager: systemctl restart wazuh-manager
According to the Microsoft document, it mentioned that 4688 eventID is from the security channel logs.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688
However, Wazuh ignores eventIDs from the security channel, only these IDs. Other event IDs are forwarded to the manager.
- <localfile>
- <location>Security</location>
- <log_format>eventchannel</log_format>
- <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
- EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
- EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
- EventID != 5152 and EventID != 5157]</query>
- </localfile>
To review further, could you please share the agent.conf file config to understand how you config.
Additionally, please share the ossec.log from one of the agents you have configured to the agent group so I can check any issues in log collection.
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log
Let me know the update on this, and I can check further.
Reply all
Reply to author
Forward
0 new messages