Suppress Windows Logons with LogonType 3


Marco Kling

Oct 30, 2022, 6:09:17 AM
to Wazuh mailing list

Hello all,

I had my first contact with Wazuh and I'm really impressed by this piece of software... :-)

Now I have my first challenge:

Our print server is flooding Wazuh with Windows LogonType 3 alerts. Now I'd like to suppress these alerts on the agent side. I have created an agent.conf with a config to overwrite the ossec.conf on the agent side.

In agent.conf I have tested the following config:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and (EventID = 4624 and (EventData/Data[@Name='LogonType'] != 3))]</query>
  </localfile>


But this doesn't work. I tried some more variants, but I have had no luck...

Please give me a little hint... How must I create the config on the agent side so that I suppress LogonType 3...

Many thanks for any hints...


Greetings

Marco



Octavio Valle López

Oct 31, 2022, 12:10:14 AM
to Wazuh mailing list

Hi Marco, I hope you are well!

It's great to have you here, Wazuh is an amazing product.

In order to do what you need, apply the following configuration with these specific suppressions!


<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
        <Suppress Path="Security">*[System[(EventID=5145)]] or *[System[(EventID=5156)]] or *[System[(EventID=5447)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=4656)]] or *[System[(EventID=4658)]] or *[System[(EventID=4663)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=4660)]] or *[System[(EventID=4670)]] or *[System[(EventID=4690)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=4703)]] or *[System[(EventID=4907)]] or *[System[(EventID=5152)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=5157)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data='3')]]</Suppress>
      </Query>
    </QueryList>
  </query>
</localfile>
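Added here as an editor's example (not code from either post, and not Wazuh's own code): a Python script that renders the suppressing `<localfile>` block for agent.conf and mirrors its rules in a small local evaluator over constructed Security events, so the filter's intended effect can be checked before it is pushed to agents. On the agent the `<query>` is evaluated by the Windows event XPath engine; the evaluator only emulates those rules. The sample events, the `printuser` name and the helper names (`build_query`, `is_forwarded`, `sample_event`) are assumptions made for the example. It also illustrates why the first query in the thread matched nothing: inside `System[...]` the relative path `EventData/Data[...]` looks for `EventData` beneath `System`, where it does not exist, so that predicate is false for every event (and the ANDed `EventID = 4624` clause would in any case have limited the selection to 4624 events). The rendered query uses the tighter `Data[@Name='LogonType']='3'` comparison, which tests the LogonType field itself, rather than the Event Viewer style `Data[@Name='LogonType'] and (Data='3')`, which is true for any `Data` field equal to 3 as long as a LogonType field exists.

```python
"""Offline check of the Wazuh eventchannel suppression rules in this thread.
Added example, not Wazuh code: on the agent the <query> is evaluated by the
Windows event XPath engine; this only mirrors those rules in Python so the
intended behaviour can be checked against constructed sample events."""
from typing import Optional
import xml.etree.ElementTree as ET

# Default namespace of Windows event XML as rendered by Windows.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs the reply suppresses outright (taken from its <Suppress> elements).
SUPPRESSED_IDS = {5145, 5156, 5447, 4656, 4658, 4663, 4660, 4670, 4690,
                  4703, 4907, 5152, 5157}
# 4624 logons of this type are dropped (3 = network logon, the print-server noise).
SUPPRESSED_LOGON_TYPE = "3"


def build_query() -> str:
    """Render the <localfile> block for agent.conf with the same rules.

    Built with ElementTree so the nested XML is guaranteed well-formed.
    The LogonType predicate compares the LogonType field itself
    (Data[@Name='LogonType']='3') instead of matching any Data equal to 3.
    """
    localfile = ET.Element("localfile")
    ET.SubElement(localfile, "location").text = "Security"
    ET.SubElement(localfile, "log_format").text = "eventchannel"
    query = ET.SubElement(localfile, "query")
    qlist = ET.SubElement(query, "QueryList")
    q = ET.SubElement(qlist, "Query", Id="0", Path="Security")
    ET.SubElement(q, "Select", Path="Security").text = "*"
    ET.SubElement(q, "Suppress", Path="Security").text = " or ".join(
        f"*[System[(EventID={i})]]" for i in sorted(SUPPRESSED_IDS))
    ET.SubElement(q, "Suppress", Path="Security").text = (
        "*[System[(EventID=4624)]] and "
        f"*[EventData[Data[@Name='LogonType']='{SUPPRESSED_LOGON_TYPE}']]")
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(localfile)
    return ET.tostring(localfile, encoding="unicode")


def is_forwarded(event_xml: str) -> bool:
    """True if the agent would still read this event (nothing suppresses it)."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id in SUPPRESSED_IDS:
        return False
    if event_id == 4624:
        # The field lives under EventData, a sibling of System. A path such as
        # System[EventData/Data[...]] finds nothing, which is why the first
        # query in the thread never matched anything.
        logon_type = root.findtext("e:EventData/e:Data[@Name='LogonType']",
                                   namespaces=NS)
        if logon_type == SUPPRESSED_LOGON_TYPE:
            return False
    return True


def sample_event(event_id: int, logon_type: Optional[str] = None) -> str:
    """Constructed minimal Security event in Windows event XML shape (not a capture)."""
    logon = (f"<Data Name='LogonType'>{logon_type}</Data>"
             if logon_type is not None else "")
    return (f"<Event xmlns='{NS['e']}'>"
            "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
            f"<EventID>{event_id}</EventID><Channel>Security</Channel></System>"
            f"<EventData><Data Name='TargetUserName'>printuser</Data>{logon}"
            "</EventData></Event>")


if __name__ == "__main__":
    print(build_query())
    for eid, lt in [(4624, "3"), (4624, "2"), (4624, "10"), (4625, "3"), (5145, None)]:
        state = "forwarded" if is_forwarded(sample_event(eid, lt)) else "suppressed"
        print(eid, lt, state)
```

Running the script prints the ready-to-paste block and then one line per sample event; a network logon (4624, type 3) and the listed noisy IDs show as suppressed, while interactive (type 2) and RDP (type 10) logons and failed logons (4625) stay forwarded, which is the behaviour to confirm on one agent before the shared agent.conf is rolled out.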