Windows event log filtering: data.win.eventdata.objectName


Ethan Thompson

Mar 30, 2023, 4:39:13 AM
to Wazuh mailing list
Hi Team

I tried filtering by the objectName value of the "data.win.eventdata.objectName" field in the Windows event log, but it is not applied.

1. The approximate log is as follows.
data.win.eventdata.objectServer: SC Manager
data.win.eventdata.objectType: SERVICE OBJECT
data.win.eventdata.objectName: LSM
data.win.system.channel: Security
data.win.system.eventID: 4656

2. agent.conf settings: EventID works normally, but objectName doesn't work.
   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
       EventID != 5157 and EventID != 5031 and EventID != 1001]</query>
   </localfile>

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/EventData/Data[@Name="objectName"] != LSM</query>
   </localfile>

Gastón Palomeque

Mar 30, 2023, 2:20:22 PM
to Wazuh mailing list
Hello Ethan,

Thanks for using Wazuh!

When filtering string logs, the value being compared to must be enclosed in single or double quotes. In this case, LSM should be "LSM".

Please let us know if you need any further assistance.

Best regards,

Gastón Palomeque

Ethan Thompson

Mar 31, 2023, 12:59:07 AM
to Wazuh mailing list
Hello Gastón,

Thank you so much for your help.
However, the test results do not work as expected.

Best regards,
Ethan Thompson

## test 1 ##
1. Only "system", "application" channel names are detected.
  - data.win.system.channel: System, data.win.system.channel: Application
2. The entire "security" channel is not detected.

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
       EventID != 5157 and EventID != 5031 and EventID != 1001]</query>
   </localfile>

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/EventData/Data[@Name="objectName"] != "LSM"</query>
   </localfile>

## test 2 ##
1. Same as the result of "test 1"

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
      EventID != 5157 and EventID != 5031] and
      Event/EventData/Data[@Name="ObjectName"] != "LSM"</query>
  </localfile>

## test 3 ##
1. In addition to "System" and "Application", some logs in the "Security" channel are also detected.
2. However, common event IDs of "secure" channels such as 4724 and 4734 are not being detected.

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
       EventID != 5157 and EventID != 5031 and EventID != 1001]</query>
   </localfile>

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/EventData/Data[@Name="objectServer"] != "SC Manager"</query>
   </localfile>

On Friday, March 31, 2023 at 3:20:22 AM UTC+9, Gastón Palomeque wrote:

Gastón Palomeque

Mar 31, 2023, 8:53:46 AM
to Wazuh mailing list
Hello Ethan,

Windows event logs default settings capture "system" and "application" channels, that is why they are detected.

Regarding the "security" channel, could you try the following body and see if it captures the logs?

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
       EventID != 5157 and EventID != 5031 and EventID != 1001]</query>
   </localfile>

I look forward to hearing about the result so we can proceed with the solution.

Best regards,

Gastón Palomeque

Ethan Thompson

Mar 31, 2023, 9:39:31 AM
to Wazuh mailing list
Hello Gastón,

Thank you for your interest.

Originally, I used it with exception handling set to "Event ID" only, as shown below.
So, in the situation where I configured only "event id" tag in agent.conf file, it is ok.

That is, in the case where only the "event id" tag is set alone,
Event id 5158, 4957, 5152, 5157, 5031, 1001 are normally exceptions.

Best regards,
Ethan Thompson
On Friday, March 31, 2023 at 9:53:46 PM UTC+9, Gastón Palomeque wrote:

Ethan Thompson

Apr 2, 2023, 9:37:21 PM
to Wazuh mailing list
Hello Gastón,

This is normal in the situations below.
1001 is the application channel.

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4957 and EventID != 5152 and
      EventID != 5157 and EventID != 5031]</query>
  </localfile>

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 1001]</query>
  </localfile>

Best regards,
Ethan Thompson
On Friday, March 31, 2023 at 10:39:31 PM UTC+9, Ethan Thompson wrote:

Gastón Palomeque

Apr 3, 2023, 8:25:01 AM
to Ethan Thompson, Wazuh mailing list
Hello Ethan,

According to what you showed me, it seems that the issue lies in the fact that you were using more than one <localfile> for a single channel.

In order to solve this, build a query for both event IDs and "data.win.eventdata.objectName" in the same body. For example:

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>
       <QueryList>
         <Query Id="0" Path="Security">
           <Select Path="Security">*</Select>
           <Suppress Path="Security">*[System[(EventID != 5158 and EventID != 4957)]] and *[EventData[Data[@Name='objectName'] and (Data != 'LSM')]]</Suppress>
         </Query>
       </QueryList>
     </query>
   </localfile>
Here is a guide that builds a query for a similar scenario https://medium.com/@karkoubelwali/filter-windows-events-with-xpath-queries-in-wazuh-6a05dbccbca6.

Please let me know if this solved your issue.

Best regards,

Gastón Palomeque
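As an added example (not part of the thread or of Wazuh itself), a small Python linter that catches the two agent.conf mistakes discussed above before the agent is restarted: an unquoted string literal in an eventchannel XPath query, and more than one `<localfile>` block collecting the same channel. The sample `agent_config` fragment is constructed for the demo, and the unquoted-literal regex is a heuristic, not Wazuh's own parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment reproducing the two mistakes from the thread:
# an unquoted string literal in the XPath and two <localfile> blocks for one channel.
SAMPLE_AGENT_CONF = """<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4957]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/EventData/Data[@Name="objectName"] != LSM</query>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 1001]</query>
  </localfile>
</agent_config>"""

# Heuristic: a comparison whose right-hand side starts with a letter rather than
# a quote or a digit (e.g.  != LSM ). Quoted values and numeric EventIDs do not match.
_UNQUOTED = re.compile(r"(!=|=)\s*[A-Za-z]")


def lint_eventchannel(agent_conf: str) -> list[str]:
    """Return human-readable findings for eventchannel <localfile> blocks."""
    findings = []
    seen = {}  # channel name -> index of the first <localfile> collecting it
    root = ET.fromstring(agent_conf)
    for idx, lf in enumerate(root.iter("localfile"), start=1):
        if lf.findtext("log_format", "").strip() != "eventchannel":
            continue
        location = lf.findtext("location", "").strip()
        query = lf.findtext("query", "") or ""
        if location in seen:
            findings.append(f"localfile #{idx}: channel '{location}' is already collected "
                            f"by localfile #{seen[location]}; merge both filters into one <query>")
        else:
            seen[location] = idx
        for m in _UNQUOTED.finditer(query):
            findings.append(f"localfile #{idx}: unquoted string literal after '{m.group(1)}' "
                            f"in query; quote the value, e.g. != \"LSM\"")
    return findings


if __name__ == "__main__":
    for finding in lint_eventchannel(SAMPLE_AGENT_CONF):
        print(finding)
```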
