Ignore specific Installed service events


Andrea Consadori

Apr 26, 2021, 5:11:44 AM
to Wazuh mailing list
Hello,
I've got a Veeam backup that every night installs the VeeamVssSupport service in order to allow granular recovery.
How can I lower the rule level for a specific service name?

I was thinking of something like this:

<group name="LowerAlarms">
  <rule id="61138" level="5" overwrite="yes">
    <if_sid>61100</if_sid>
    <field name="win.system.eventID">^7045$</field>
    <field name="serviceName">VeeamVssSupport</field>
    <description>Silence Veeam guest service</description>
  </rule>
</group>

Can this work, or will it also suppress all the other installed-service alarms?

Alfonso Ruiz-Bravo

Apr 26, 2021, 6:39:12 AM
to Wazuh mailing list
Hello Andrea,

If you add this rule you will overwrite this one: 


Therefore, rule 61138 will only be activated if the serviceName is VeeamVssSupport, and will not be valid for everything else, which is not desirable behavior. What you want is to make this rule trigger a lower level alert in case the alert refers to VeeamVssSupport, right?

If this is what you want, I propose the following solution. Create a rule that inherits from rule 61138 and that has a lower alert level in case the service is VeeamVssSupport. For example, you can add the following rule to your local rules:

  <rule id="100005" level="0">
    <if_sid>61138</if_sid>
    <field name="serviceName">VeeamVssSupport</field>
    <description>Silence Veeam guest service</description>
    <options>no_full_log</options>
    <options>no_email_alert</options>
  </rule>

In this way, any Windows event with the ID 7045 will trigger the rule 61138, but in addition, if this event also has the service name VeeamVssSupport, it will trigger the rule 100005 (rule 100005 would be a local rule that is a child of rule 61138), which, as it has alert level 0, will not generate an alert. If you wish, you can change the rule level to generate lower level alerts, you can change the rule ID (to avoid conflicts, give it a number starting from 100001), you can change the rule description, etc.

I hope this information will help you manage your problem. Do not hesitate to ask about any problem you may have.

Best regards,

Alfonso Ruiz - Bravo
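The same child-rule approach as a complete local_rules.xml fragment. This is an added illustration, not code from the thread or from the Wazuh ruleset: it wraps the rule in the `<group>` element local rules need, and anchors the service name so the suppression only matches that exact service and not any other service whose name merely contains the string. The field name `serviceName` is assumed from the thread; confirm it against the decoded fields of one of your own 7045 events before relying on it.

```xml
<!-- local_rules.xml: quieten the nightly VeeamVssSupport install (event ID 7045)
     without touching the parent rule 61138, which keeps firing at its normal
     level for every other installed service.
     Added example; the "serviceName" field name is assumed from the thread. -->
<group name="local,windows,service,">

  <!-- Child of 61138: matches the same 7045 event, but only when the service
       name is exactly VeeamVssSupport. The ^ and $ anchors stop the rule from
       also silencing any other service whose name contains that string. -->
  <rule id="100005" level="0">
    <if_sid>61138</if_sid>
    <field name="serviceName">^VeeamVssSupport$</field>
    <description>Silence expected nightly Veeam guest service install</description>
    <options>no_full_log</options>
    <options>no_email_alert</options>
  </rule>

</group>
```

After restarting the manager, paste a real 7045 event into `wazuh-logtest` (`ossec-logtest` on older releases) and check that the Veeam install ends on rule 100005 at level 0 while any other service install still ends on rule 61138.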
