wazuh agent logs setup
144 views
Skip to first unread message
Jeffrey
Jun 26, 2023, 5:36:54 AM6/26/23
to Wazuh mailing list
Hi everyone!
I am trying to restrict the logs that are sent to my wazuh server. What I did is to send only logs that are of severity 4 and below to my server by editing the config file of the wazuh agent.I do not see any errors in the wazuh agent logs however, I am unable to capture event log 6006 and 6005 for the start up and shutdown of the desktop that are installed with the agents.Is my config correct? Query Id is 0, 1, 2?
I am trying to restrict the logs that are sent to my wazuh server. What I did is to send only logs that are of severity 4 and below to my server by editing the config file of the wazuh agent.I do not see any errors in the wazuh agent logs however, I am unable to capture event log 6006 and 6005 for the start up and shutdown of the desktop that are installed with the agents.Is my config correct? Query Id is 0, 1, 2?
Selu López
Jun 26, 2023, 8:37:12 AM6/26/23
to Wazuh mailing list
Hello Jeffrey,
I have tried to get logs in the manager for Windows events 6005 and 6006 from the agent, with the default settings. However, I have not succeeded. I have asked the threat intel team if they can provide us with more information that I am not considering until now.
If this is not possible, we may need to open an issue to further investigate this use case and develop a fix if necessary. I will keep you posted with any news.
If this is not possible, we may need to open an issue to further investigate this use case and develop a fix if necessary. I will keep you posted with any news.
Regards!
Selu López
Jun 27, 2023, 4:21:04 AM6/27/23
to Wazuh mailing list
Hello again Jeffrey,
You should add the only-future-events option (value: no) inside the localfile of system in order to catch events 6005 and 6006. It would look like this:
<localfile> <location>System</location> <log_format>eventchannel</log_format> <only-future-events>no</only-future-events> <query> \<QueryList\> \<Query Id="0" Path="System"\> \<Select Path="System"\>*[System[(Level<=4)]]\</Select\> \</Query\> \</QueryList\> </query> </localfile>After saving the configuration and restarting the windows agent, you should start seeing events with those IDs in your manager’s archives.log every time the agent restarts.
Reply all
Reply to author
Forward
0 new messages