Alert on Specific Event ID


James Camacho

Mar 30, 2022, 5:43:35 PM
to Wazuh mailing list
Hello, I am trying to get alerts logged to Kibana for Event ID 4801 and 4800. I have created a custom rule in Wazuh management -> rules, and tested it, but it is not generating alerts / logging them into Kibana.

```xml
<group name="windows,windows_security,ipsec,authentication_success">
  <!-- Neither rule carries a condition (no <field>, <match> or <if_sid>),
       so nothing ties them to events 4800/4801. -->
  <rule id="60226" level="3">
    <description>workstation locked.</description>
  </rule>
  <rule id="60227" level="3">
    <description>workstation unlocked</description>
  </rule>
</group>
```

Am I missing something?

Openime Oniagbi

Mar 31, 2022, 3:19:00 AM
to Wazuh mailing list
Hi,

Looking at your rules, you have not specified the event ID in any of the rules. You would need to specify the event ID so that Wazuh can match that event ID to your description. Please see an example here.

You could also achieve the above using a regular expression that looks out for specific strings contained in that log.

Please take a look at our documentation on rules and implement them using my suggestions above.

Let me know if you need more help.

Regards,
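The following is an added example of what the reply describes; it is not part of this thread and not taken from the Wazuh ruleset. It assumes a Wazuh 4.x manager where the built-in base Windows rule 60000 (the JSON-decoded eventchannel parent) exists, that the agent forwards the Security channel, and it uses the custom rule IDs 100100-100102 chosen here (custom rules must use IDs from 100000 upwards so they do not collide with the shipped ruleset; 60226/60227 fall inside the built-in range). The first two rules match the event ID exactly; the third shows the alternative the reply mentions, matching on the rendered message text. Enable one approach or the other for the same event, since Wazuh emits a single alert per event.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the manager (added example). -->
<group name="windows,windows_security,">

  <!-- Security event 4800: the workstation was locked. -->
  <rule id="100100" level="3">
    <if_sid>60000</if_sid>                           <!-- child of the base Windows rule -->
    <field name="win.system.eventID">^4800$</field>  <!-- anchored: 14800 or 48001 must not match -->
    <description>Windows: workstation locked by $(win.eventdata.targetUserName)</description>
    <group>session_lock,</group>
  </rule>

  <!-- Security event 4801: the workstation was unlocked. -->
  <rule id="100101" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^4801$</field>
    <description>Windows: workstation unlocked by $(win.eventdata.targetUserName)</description>
    <group>session_unlock,</group>
  </rule>

  <!-- Alternative (string-based) approach: match the rendered message instead of the ID.
       Less precise than the ID match; keep it only if the ID-based rules above are removed. -->
  <rule id="100102" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.message">workstation was (locked|unlocked)</field>
    <description>Windows: workstation lock state changed (message match)</description>
    <group>session_lock,</group>
  </rule>

</group>
```

After saving the file, restart the manager and feed a captured 4800 event through `/var/ossec/bin/wazuh-logtest` to confirm which rule fires before looking in Kibana. Two things outside the ruleset also decide whether anything shows up: the Windows audit policy must have the "Audit Other Logon/Logoff Events" subcategory enabled, otherwise 4800/4801 are never written to the Security log, and the rule level must be at or above the manager's alert threshold (level 3 by default), otherwise the match is logged but no alert is produced.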
