Wazuh cannot log Event ID 4688


Emar Flix

Mar 14, 2026, 4:24:10 PM
to wa...@googlegroups.com
Hello, 

In my agent's Event Viewer there is 4688, and my ossec.conf and agent.conf are configured normally, but neither the Wazuh alerts nor the archives log is logging 4688. But I can get any other IDs from the endpoints. Only 4688 can't be obtained from any computer.

Thanks.

Emar Flix

Mar 16, 2026, 3:08:42 AM
to Wazuh | Mailing List
Hi, Hasitha.

Also, there is no archives log about 4688. Do I need any rule to get an archive log, or is the agent.conf file enough to get the log?
Because in the group agent config file I wrote EventID=4688, but there is no log in the archive logs either.

hasitha.u...@wazuh.com wrote on Monday, 16 March 2026, at 08:46:43 UTC+4:
Hi Emar,

I have noticed that eventID 4688 is matched with rule ID 60100, which is level 0. So that's why it won't show in the dashboard. Therefore, I have created a custom rule that you can place in the custom rule creation path /var/ossec/etc/rules/local_rules.xml.

  <group name="custom_windows,">

    <rule id="400100" level="3">
      <if_sid>60100</if_sid>
      <field name="win.system.eventID">^4688$</field>
      <description>New process has been created.</description>
    </rule>

  </group>

Make sure to restart the manager after adding the custom rule: systemctl restart wazuh-manager

By default, Wazuh collects and forwards event ID 4688 from the Security event channel to the manager without needing any additional configuration. Other event IDs that are not excluded from the default config will forward to the Wazuh manager.


  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID !5145 and EventID !5156 and EventID !5447 and
      EventID !4656 and EventID !4658 and EventID !4663 and EventID !4660 and
      EventID !4670 and EventID !4690 and EventID !4703 and EventID !4907 and
      EventID !5152 and EventID !5157]</query>
  </localfile>

Please verify whether 4688 is configured to be excluded from the Security log collection. If it is, remove it from the Security log collection query and restart the agent to apply the changes. Then you can simulate 4688 events and check again after applying the custom rule.

Let me know the update on this.

Ref: 
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
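The verification step above can be done offline against the agent's configuration files. The script below is an added example for this thread, not Wazuh code: it pulls every Security eventchannel <localfile> block out of the supplied configuration texts (an ossec.conf and a shared agent.conf, both constructed samples here) and evaluates the <query> filter for a given event ID. It assumes a filter is either the default exclusion chain ("EventID !N and EventID !N ...", with "!=" also accepted) or an inclusion list ("EventID=N or EventID=N ..."); any other XPath is reported as unsupported. Each block is judged on its own, and how Wazuh reconciles duplicate Security blocks between ossec.conf and agent.conf is deliberately not modelled.

```python
"""Check which Windows Security event IDs a Wazuh agent's eventchannel
filters would forward (added example for this thread, not Wazuh code).

Assumption: each <query> is the default exclusion chain ("EventID !N and
EventID !N ...", "!=" accepted too) or an inclusion list ("EventID=N or
EventID=N ..."); other XPath is reported as unsupported.  Blocks are judged
independently; duplicate-block resolution between ossec.conf and agent.conf
is not modelled.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the default Security block quoted in this thread.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID !5145 and EventID !5156 and EventID !5447 and
      EventID !4656 and EventID !4658 and EventID !4663 and EventID !4660 and
      EventID !4670 and EventID !4690 and EventID !4703 and EventID !4907 and
      EventID !5152 and EventID !5157]</query>
  </localfile>
</ossec_config>"""

# Constructed sample: a shared agent.conf that asks for two IDs only.
SAMPLE_AGENT_CONF = """<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4725 or EventID=4726]</query>
  </localfile>
</agent_config>"""

QUERY_RE = re.compile(r"^\s*Event/System\[(.*)\]\s*$", re.S)
TERM_RE = re.compile(r"EventID\s*(!=|!|=)\s*(\d+)")
CONNECTOR_RE = re.compile(r"\b(and|or)\b")


def parse_query(query):
    """Return ("exclude", ids) or ("include", ids); an empty <query> forwards all.

    Raises ValueError for XPath this helper does not model.
    """
    if query is None or not query.strip():
        return ("exclude", set())
    match = QUERY_RE.match(query)
    if not match:
        raise ValueError("query is not of the form Event/System[...]")
    predicate = match.group(1)
    terms = TERM_RE.findall(predicate)
    connectors = CONNECTOR_RE.findall(predicate)
    leftover = CONNECTOR_RE.sub("", TERM_RE.sub("", predicate)).strip()
    if not terms or leftover:
        raise ValueError("predicate has terms other than EventID comparisons")
    ops = {op for op, _ in terms}
    ids = {int(num) for _, num in terms}
    if ops <= {"!", "!="} and "or" not in connectors:
        return ("exclude", ids)
    if ops == {"="} and "and" not in connectors:
        return ("include", ids)
    raise ValueError("mixed or self-defeating include/exclude terms")


def security_queries(conf_texts):
    """Yield (config index, query text) for each Security eventchannel block."""
    for index, text in enumerate(conf_texts):
        # ossec.conf may carry several top-level <ossec_config> elements,
        # so parse inside a synthetic root.
        root = ET.fromstring("<root>" + text + "</root>")
        for localfile in root.iter("localfile"):
            location = (localfile.findtext("location") or "").strip()
            log_format = (localfile.findtext("log_format") or "").strip()
            if location.lower() == "security" and log_format == "eventchannel":
                yield index, localfile.findtext("query")


def check_event_id(event_id, conf_texts):
    """Return (forwarded by at least one block, list of per-block verdicts)."""
    forwarded, verdicts = False, []
    for index, query in security_queries(conf_texts):
        try:
            mode, ids = parse_query(query)
        except ValueError as err:
            verdicts.append(f"config #{index}: unsupported filter ({err})")
            continue
        passes = event_id not in ids if mode == "exclude" else event_id in ids
        forwarded = forwarded or passes
        verdicts.append(f"config #{index}: {mode} list of {len(ids)} IDs -> "
                        f"{'forwards' if passes else 'drops'} {event_id}")
    if not verdicts:
        verdicts.append("no Security eventchannel block found")
    return forwarded, verdicts


if __name__ == "__main__":
    for eid in (4688, 4726, 5145):
        ok, why = check_event_id(eid, [SAMPLE_OSSEC_CONF, SAMPLE_AGENT_CONF])
        print(f"EventID {eid}: {'collected' if ok else 'NOT collected'}", *why, sep="\n  ")
```

Run it with the real files read from disk in place of the two sample strings; a verdict of "drops 4688" on any Security block, or an "unsupported filter" verdict, points at the log collection layer rather than at the ruleset.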

hasitha.u...@wazuh.com

Mar 16, 2026, 3:52:05 AM
to Wazuh | Mailing List
Hi Emar,

Could you please share the agent group config to identify any other issues?

Basically, by default, archive logs are disabled. Let me know if you have enabled them.
Steps to enable:
Edit /var/ossec/etc/ossec.conf on the Wazuh server and set the <logall_json> option to yes. This enables logging of all events to archives.json.
<logall_json>yes</logall_json>

Restart the Wazuh manager to make the change effective.
systemctl restart wazuh-manager

Warning: Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you're done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager: systemctl restart wazuh-manager

According to the Microsoft documentation, event ID 4688 comes from the Security channel logs.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688

However, Wazuh ignores only these event IDs from the Security channel; all other event IDs are forwarded to the manager.

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID !5145 and EventID !5156 and EventID !5447 and
      EventID !4656 and EventID !4658 and EventID !4663 and EventID !4660 and
      EventID !4670 and EventID !4690 and EventID !4703 and EventID !4907 and
      EventID !5152 and EventID !5157]</query>
  </localfile>

From the default log collection, it should send the 4688 events to the Wazuh manager.

To review further, could you please share the agent.conf file so I can understand how you have configured it?

Additionally, please share the ossec.log from one of the agents you have configured to the agent group so I can check any issues in log collection.

Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log
Windows 32-bit: C:\Program Files\ossec-agent\ossec.log

Let me know the update on this, and I can check further.

Emar Flix

Mar 17, 2026, 10:58:21 AM
to Wazuh | Mailing List
Hi, Hasitha.

Yes, I get archive logs from other sources, but event ID 4688 is not logging (neither alerts nor archives). In ossec.conf there is no ignore like EventID != 4688, and in the shared agent conf (agent.conf) I wrote EventID=4688. And now I see the default rules of Wazuh say Level=0 for Windows security logs, which are informational logs. In this situation I can understand why alerts are not generated, but what about archives? And my question is this: do archives have any relation with Wazuh rules, or do they log everything that is written in agent.conf (or ossec.conf)?

thank you.

hasitha.u...@wazuh.com wrote on Monday, 16 March 2026, at 11:52:05 UTC+4:

hasitha.u...@wazuh.com

Mar 18, 2026, 2:48:28 AM
to Wazuh | Mailing List
Hi Emar,

It’s important to note that archived events and alert rules are independent. Enabling archiving (logall_json) ensures all events (including 4688) are saved, regardless of what rules say.
Conversely, rules only affect alert generation. That is, archives will contain the raw 4688 event if archiving is on, even if you never create a rule for it.

Verify it's available in the Event Viewer.

Screenshot 2026-03-18 at 11.57.05.png

Therefore, I have tested that Wazuh has a default rule to match 4688 with rule ID 67027 (A process was created), and this is level 3. So it should arrive in the dashboard, and I have successfully.

Screenshot 2026-03-18 at 12.02.13.png

Could you share the configuration files with me so I can review them further?

If the logs aren't being received by the archives, the issue is likely at the log collection level. Also, you don't need to explicitly configure Event ID 4688 in either agent.conf or ossec.conf. Wazuh can collect that type of log out of the box with its default configuration, so there's no need to add it.
What I'd really like to look at is the actual config to see if anything else might be affecting the log collection. So, could you please share the following files from the agent side?

  • agent.conf
  • ossec.conf
  • ossec.log

That way, I can spot if anything in the configuration is interfering with the logs coming through! 
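The distinction made above, that archives hold every decoded event while rules only decide which events become alerts, can be checked directly on the manager. The script below is an added example for this thread, not Wazuh code: it reads archives.json lines (a few constructed and trimmed sample lines are embedded; real lines carry many more fields) and reports, per Windows event ID, how many entries arrived and which rule each one matched, then lists the IDs that are archived but never matched a rule at or above the alert threshold. It assumes the event ID is stored at data.win.system.eventID as a string and a matched rule, when present, at rule.id and rule.level.

```python
"""Summarise which Windows event IDs reached the manager's archives.json and
what rule, if any, each one matched (added example for this thread, not
Wazuh code).  Assumptions: the event ID sits at data.win.system.eventID as a
string and a matched rule, when present, at rule.id / rule.level.
"""
import json
from collections import defaultdict

# Constructed archives.json lines: two 4688 events matched only by the level-0
# rule 60100, one 4726 event that matched no rule, and one malformed line.
SAMPLE_ARCHIVE_LINES = [
    '{"timestamp":"2026-03-18T09:00:01.000+0000","agent":{"id":"001","name":"WIN01"},'
    '"rule":{"id":"60100","level":0},"data":{"win":{"system":{"eventID":"4688"}}}}',
    '{"timestamp":"2026-03-18T09:00:07.000+0000","agent":{"id":"001","name":"WIN01"},'
    '"rule":{"id":"60100","level":0},"data":{"win":{"system":{"eventID":"4688"}}}}',
    '{"timestamp":"2026-03-18T09:01:12.000+0000","agent":{"id":"001","name":"WIN01"},'
    '"data":{"win":{"system":{"eventID":"4726"}}}}',
    'this line is not JSON and must be skipped',
]


def summarise(lines):
    """Return {eventID: {"count": n, "rules": {(rule_id, level), ...}}}.

    Non-JSON lines and entries without a Windows event ID are skipped;
    an entry with no "rule" object is recorded as ("none", None).
    """
    summary = defaultdict(lambda: {"count": 0, "rules": set()})
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        event_id = entry.get("data", {}).get("win", {}).get("system", {}).get("eventID")
        if event_id is None:
            continue
        rule = entry.get("rule") or {}
        summary[event_id]["count"] += 1
        summary[event_id]["rules"].add((rule.get("id", "none"), rule.get("level")))
    return dict(summary)


def archived_without_alert(summary, alert_level=3):
    """Event IDs present in the archives that never matched a rule at or above
    alert_level (Wazuh's default <log_alert_level> is 3): archived, but no alert."""
    silent = []
    for event_id, info in summary.items():
        if not any(level is not None and level >= alert_level
                   for _, level in info["rules"]):
            silent.append(event_id)
    return sorted(silent)


if __name__ == "__main__":
    totals = summarise(SAMPLE_ARCHIVE_LINES)
    for event_id in sorted(totals):
        print(event_id, totals[event_id])
    print("archived but never alerted:", archived_without_alert(totals))
```

Feed it the real file with something like `summarise(open("/var/ossec/logs/archives/archives.json"))`: if 4688 shows up only with rule 60100 at level 0, collection is working and the gap is purely in alerting; if 4688 is absent from the archives altogether, the problem sits in log collection on the agent.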

Emar Flix

Apr 7, 2026, 4:30:09 AM
to Wazuh | Mailing List
Hello, Hasitha.

Yes, I have attached the files.

I identified an issue during testing: when I configure only EventID=4725 in the shared agent.conf, the logs appear correctly in the Wazuh dashboard. Even when I include 4–5 EventIDs with OR operator, all corresponding logs are still collected as expected.

However, when I add many EventIDs using the OR operator, some events (for example, 4726) are missing from the logs.

I hope this observation helps in identifying the root cause of the problem.


hasitha.u...@wazuh.com wrote on Wednesday, 18 March 2026, at 10:48:28 UTC+4:
ossec.conf (1).txt
ossec.conf.txt
ossec (1).log.txt