Event Log Service Shutdown(Event ID 1100) not present in Wazuh logs


Alen Mustafic

Sep 9, 2025, 8:03:45 AM
to Wazuh | Mailing List
As the subject says, I am testing on my workstation stopping the Event Log service, and although this event is present locally in the Security audit logs, I can't find the same log being forwarded to Wazuh. This should be a serious security concern.

Any suggestions?

Franco Giovanolli

Sep 9, 2025, 10:45:33 AM
to Wazuh | Mailing List
Hi Alen,

Thanks for bringing this up — you're right, stopping the Event Log service is definitely something worth keeping an eye on.

If you’re seeing the event locally and other audit logs are reaching the manager, one possibility is that the event is being collected but there’s no rule matching it — so no alert is generated.

To confirm that, you can temporarily enable the `archives.log` on the manager. That way, you can check if the raw log is arriving. If it’s there, then it’s just a matter of writing a custom rule to alert on it.

Let us know if this helps.

Cheers,
Franco
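The triage Franco describes, as an added example (not code from the thread or from the Wazuh project): scan `archives.json` lines for the raw Windows event, and print the kind of `local_rules.xml` fragment that would alert on Event ID 1100 once it does arrive. The sample log lines are constructed here; the record layout (`data.win.system.eventID`), the base rule id `60000` used in `if_sid`, and the custom rule id `100100` are assumptions to check against your manager version.

```python
import json

# Constructed sample archives.json lines (manager with <logall_json>yes</logall_json>).
# The key path data.win.system.* is assumed from the agent's eventchannel JSON
# output; adjust it if your manager version lays records out differently.
WITHOUT_1100 = [
    json.dumps({"timestamp": "2025-09-10T09:55:01.000+0000",
                "agent": {"id": "001", "name": "WS01"},
                "data": {"win": {"system": {"providerName": "Microsoft-Windows-Security-Auditing",
                                            "eventID": "4624", "channel": "Security"}}}}),
    # A non-Windows record (constructed) to show that the parser skips it.
    json.dumps({"timestamp": "2025-09-10T09:55:02.000+0000",
                "agent": {"id": "002", "name": "srv-lin"},
                "full_log": "Sep 10 09:55:02 srv-lin sshd[1234]: Accepted publickey for ops"}),
    "this line is not JSON at all",
]

# Same stream plus the event being looked for (constructed): Event ID 1100 is
# written by Microsoft-Windows-Eventlog when the Event Log service shuts down.
WITH_1100 = WITHOUT_1100 + [
    json.dumps({"timestamp": "2025-09-10T09:56:03.000+0000",
                "agent": {"id": "001", "name": "WS01"},
                "data": {"win": {"system": {"providerName": "Microsoft-Windows-Eventlog",
                                            "eventID": "1100", "channel": "Security"}}}}),
]


def parse_archive_line(line):
    """Return (agent_name, channel, event_id) for a Windows eventchannel record, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    system = rec.get("data", {}).get("win", {}).get("system")
    if not isinstance(system, dict):
        return None
    return (rec.get("agent", {}).get("name", "?"),
            system.get("channel", "?"),
            str(system.get("eventID", "")))


def find_event_ids(lines, wanted):
    """Map each wanted event ID to the (agent, channel) pairs that carried it."""
    hits = {eid: [] for eid in wanted}
    for line in lines:
        parsed = parse_archive_line(line)
        if parsed is None:
            continue
        agent, channel, eid = parsed
        if eid in hits:
            hits[eid].append((agent, channel))
    return hits


def report(lines, wanted=("1100",)):
    """Did the raw event reach the manager at all? eventID -> True/False."""
    return {eid: bool(v) for eid, v in find_event_ids(lines, wanted).items()}


def custom_rule_xml(event_id="1100", rule_id=100100, level=12):
    """local_rules.xml fragment that alerts on the event once it is collected.

    Assumes rule 60000 is the Windows base rule to chain from via if_sid and
    that rule_id is unused in the custom (100000+) range.
    """
    return f"""<group name="windows,eventlog,">
  <rule id="{rule_id}" level="{level}">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^{event_id}$</field>
    <description>Windows Event Log service shut down (Event ID {event_id})</description>
  </rule>
</group>"""


if __name__ == "__main__":
    for label, stream in (("without 1100", WITHOUT_1100), ("with 1100", WITH_1100)):
        print(label, report(stream))
    print(custom_rule_xml())
```

On a real manager, pass the open file instead of the constructed list, e.g. `report(open("/var/ossec/logs/archives/archives.json"))`; a `False` for `"1100"` reproduces what Alen reports next in the thread, whereas a `True` means the event is collected and only a rule is missing.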

Alen Mustafic

Sep 10, 2025, 10:01:09 AM
to Wazuh | Mailing List
Hi Franco,

Thanks for the response. I enabled archives.log and archives.json, but eventID 1100 is not present in the raw logs. It seems like the Wazuh agent is not able to forward this event because of the Event Log Service being down.

Franco Giovanolli

Sep 16, 2025, 5:56:57 AM
to Wazuh | Mailing List
Hi Alen,

Sorry for the delay in my response.

I’ll reach out to the team in charge of the agent to check on this case. As soon as I have an answer, I’ll get back to you.


Regards,
Franco.

Franco Giovanolli

Oct 15, 2025, 2:01:08 PM
to Wazuh | Mailing List
Hi Alen,

Sorry for the delay. The development team has reported the following:
This case may be related to the Windows Logging API (the one used by the Agent).
It’s quite possible that the fact the Logging service has stopped is preventing the log from being transmitted to the Agent.
The Agent doesn’t have any functionality to notify that it has been disconnected from the Logging service (Eventchannel); it simply attempts to reconnect.


Let me know if this helps.

Regards,
Franco