Monitoring SQL Server Activities (DB Operations) with Wazuh
susikanth T
I hope this message finds you well.
I am currently working on configuring Wazuh to monitor Microsoft SQL Server audit logs, and I need some assistance regarding how to capture specific SQL activities such as:
- Create Database
- Drop Database
- Create Table
- Delete Table
- Insert, Delete, and Modify Records
Here is the configuration I have on the Wazuh agent side for collecting relevant logs:
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG</location>
<log_format>mssql_log</log_format>
<ignore_binaries>yes</ignore_binaries>
</localfile>
<localfile>
<location>C:\Windows\System32\winevt\Logs\Application.evtx</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<log_format>json</log_format>
<location>Security</location>
</localfile>
Questions:
How can I enable SQL Server auditing to track the activities mentioned above and send these logs to Wazuh for analysis?
Which decoders are required in Wazuh to properly parse SQL Server audit logs that capture actions such as database creation, deletion, table operations, and record modifications?
What custom rule configurations in Wazuh would be needed to detect and alert on these SQL activities (e.g., creating or dropping databases, creating or deleting tables, modifying records)?
Additionally, I would appreciate if you could clarify how to enable auditing for application logs to ensure that the SQL Server activities are properly captured.
Thank you in advance for your support and guidance. I look forward to your advice
Thanks,
Susikanth
hasitha.u...@wazuh.com
You can follow this link to enable SQL Server auditing.
https://www.lepide.com/how-to/enable-sql-server-auditing-and-view-audit-logs.html
I will suggest you share some sample logs to assist you in creating decoders and rules.
This link will assist you in enabling the auditing for application logs.
https://www.manageengine.com/products/eventlog/help/get-started/ms-sql-audit-logs.html#:~:text=Enabling%20Audit%20Object&text=Click%20on%20Audits%20node%20in,to%20the%20EventLog%20Analyzer%20Server.
Once you collect logs from <localfile> tag. and you restart the agent logs will forwarded to the Wazuh-mamanager.
You can check the logs by enabling the log_all option as yes in Wazuh manager's ossec.conf file.
you can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
<global>
----
<logall>no</logall>
<logall_json>yes</logall_json>
-----
</global>
-----
</ossec_config>
Then restart the manager.
systemctl restart wazuh-manager
And then check if you receive any logs from to archive log
/var/ossec/logs/archives/archives.log
cat /var/ossec/logs/archives/archives.log | grep -i -E "<part of SQL log>"
Remember to disable the archive log, after the testing.
Then you can create decoders and rules based on your logs.
Ref:
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
If you need support in creating decoders and rules from the Wazuh side we can assist you.
Let me know the update on this.
Regards,
Hasitha Upekshitha
susikanth T
<global>
<log_level>3</log_level>
<jsonout_output>yes</jsonout_output>
<logall>yes</logall>
<logall_json>yes</logall_json>
</global>
Enabled audit action type:
Decoder:
<decoder name="mssql_audit">
<type>windows</type>
<program_name>^WinEvtLog</program_name>
<prematch>event_time</prematch>
<order>event_time</order>
<!-- Define regex for the fields based on the log content -->
<regex field_name="audit_schema_version">audit_schema_version\s*:\s*(\d+)</regex>
<regex field_name="event_time">event_time\s*:\s*([^\s]+)</regex>
<regex field_name="sequence_number">sequence_number\s*:\s*(\d+)</regex>
<regex field_name="action_id">action_id\s*:\s*(\w+)</regex>
</decoder>
Rule:
<group name="windows,">
<rule id="100103" level="6">
<if_sid>61070</if_sid>
<field name="win.system.eventid">^33205</field>
<description>MS SQL event</description>
</rule>
<rule id="85012" level="5">
<if_sid>85000</if_sid>
<match>CREATE TABLE</match>
<description>SQL Server CREATE TABLE query executed.</description>
<group>sqlserver_create_table,</group>
</rule>
<!-- Additional rules here -->
</group>
Despite the above configuration, no logs are appearing in the /var/ossec/logs/archives/archives.log on the Wazuh manager running in the Kubernetes cluster and unable to see any security events for MSSQL on the Wazuh dashboard. Please guide me on how to configure the decoder and rules for SQL events."
Susikanth
hasitha.u...@wazuh.com
I suggest you check first logs that are writing presently to the C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG file.
If yes, Please share some sample logs with me to replicate this issue in my end.
If the logs are writing that file and not sending logs to wazuh-manager.
Make sure to restart the wazuh-manager after enabling archives logs in ossec.conf.
systemctl restart wazuh-manager
Even after restart logs not receiving to archives logs, please share the agent's ossec.log.
C:\Program Files (x86)\ossec-agent\ossec.log
Here is my ossec.conf file global section.
You can find the available tags in the global config in this document.
By default there is no <log_level>3</log_level> tag.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wa...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global>
Let me know the update on this.
Regards,
Hasitha Upekshitha
susikanth T
Thanks for your response.
I have checked the logs to the ERRORLOG file located at:
1) C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG
Here are some sample logs from the file:
2024-12-10 18:07:20.51 Logon Login succeeded for user 'NT SERVICE\SQLTELEMETRY'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2024-12-10 18:10:24.71 Logon Login succeeded for user 'NT Service\SQLIaaSExtensionQuery'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2024-12-10 18:11:00.53 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:12:42.07 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:12:43.03 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:14:44.47 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:16:16.36 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:16:16.42 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:17:20.81 Logon Login succeeded for user 'NT SERVICE\SQLTELEMETRY'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2024-12-10 18:18:20.52 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:20:50.13 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:23:46.39 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:25:40.53 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:27:20.92 Logon Login succeeded for user 'NT SERVICE\SQLTELEMETRY'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2024-12-10 18:28:39.38 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:30:16.09 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:30:55.35 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:31:50.25 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:32:38.94 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:33:00.54 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:33:56.13 Logon Login succeeded for user 'demo'. Connection made using SQL Server authentication. [CLIENT: 10.6.4.222]
2024-12-10 18:37:21.04 Logon Login succeeded for user 'NT SERVICE\SQLTELEMETRY'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2) As mentioned, I added the following global configuration in the ossec.conf file to enable archive logging:
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wa...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global>
After applying these changes, I also restarted the wazuh-manager service .However, even after the restart, the logs are not being received in the archive logs. Here are the sample logs from the agent’s ossec.log located at:
3) C:\Program Files (x86)\ossec-agent\ossec.log
2024/12/10 18:47:55 rootcheck: INFO: Started (pid: 4896).
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (4102): Connected to the server ([192.168.128.103]:1514/tcp).
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 sca: INFO: Module started.
2024/12/10 18:47:55 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2024/12/10 18:47:55 sca: INFO: Starting Security Configuration Assessment scan.
2024/12/10 18:47:55 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-modulesd:syscollector: INFO: Module started.
2024/12/10 18:47:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2024/12/10 18:47:55 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2024/12/10 18:47:55 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2024/12/10 18:47:55 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2024/12/10 18:47:55 wazuh-agent: INFO: Started (pid: 4896).
2024/12/10 18:47:55 rootcheck: INFO: Starting rootcheck scan.
2024/12/10 18:47:55 wazuh-agent: INFO: (6000): Starting daemon...
2024/12/10 18:47:55 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2024/12/10 18:47:55 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2024/12/10 18:47:55 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Datacenter [Ver: 10.0.17763.5696] - Wazuh v4.7.5).
2024/12/10 18:47:55 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2024/12/10 18:47:55 wazuh-agent: INFO: (1950): Analyzing file: 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'.
2024/12/10 18:47:55 wazuh-agent: INFO: (1951): Analyzing event log: 'C:\Windows\System32\winevt\Logs\Application.evtx'.
2024/12/10 18:47:56 wazuh-agent: WARNING: (1958): Log file 'Security' is duplicated.
2024/12/10 18:47:56 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2024/12/10 18:47:56 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2024/12/10 18:47:56 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2024/12/10 18:47:56 wazuh-agent: INFO: Started (pid: 4896).
2024/12/10 18:47:58 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2024/12/10 18:47:58 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2024/12/10 18:48:00 rootcheck: INFO: Ending rootcheck scan.
2024/12/10 18:48:06 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2024/12/10 18:48:06 wazuh-agent: INFO: FIM sync module started.
2024/12/10 18:48:06 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
I look forward to your advice
Thanks,
Susikanth
hasitha.u...@wazuh.com
Here are the default Windows logs monitoring config. It's already there after you install the agent. No need to add them again.
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
</localfile>
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
</localfile>
I have noticed this error Log file 'Security' is duplicated. Make sure to remove duplicate monitoring config.
Once you replace your log collection config with this restart the Wazuh manager to apply changes.
<location>C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG</location>
<ignore_binaries>yes</ignore_binaries>
</localfile>
You can restart the Wazuh service by running this command on Powershell.
Restart-Service -Name wazuh
I have tested that it's working fine from my end.
Let me know if this works for you.
Hasitha Upekshitha
susikanth T
I hope you're doing well.
I have removed the duplicate security configurations, and as a result, there are no longer any duplicate error messages in the ossec.logs.
I have a query regarding the capture of specific SQL security events on the Wazuh dashboard. Specifically, I would like to capture the following SQL activities:
- Create Database
- Drop Database
- Create Table
- Drop Table
- Insert, Delete, and Modify Records
We are currently capturing SQL login and failed activity, and we would like to capture the above SQL events in a similar manner.
Could you kindly guide me on how to configure any decoder or rule for SQL Activity?
Thank you for your assistance.
Thanks,
Susikanth
hasitha.u...@wazuh.com
Make sure that those logs are written to the ERRORLOG if yes, and not received to the Wazuh dashboard, Then Please share those logs.
Then I able to assist you in creating custom decoders and rules.
Before creating you can check those logs with wazuh-logtest in the Wazuh-manager.
/var/ossec/bin/wazuh-logtest
You need to copy your log and paste it there.
Let me know if any decoder and rules match those logs but not showing in the dashboard. If that case please share the screenshot as well.
If those logs do not take any decoder and rules you can create them by following these documents.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Regards,
Hasitha Upekshitha