Server Shutdown / Reboot event


chachab

Aug 26, 2022, 10:05:25 AM8/26/22
to Wazuh mailing list
Hello Team,

Help me with this question and a way to do it.

I want to get an event for any server when it is shut down or rebooted.

I know that on Windows it can be found under the System event log, with ID 1074.

But when I tried to check in Wazuh (Kibana), I couldn't find that event ID.

Roman Luna

Aug 26, 2022, 4:18:00 PM8/26/22
to Wazuh mailing list
Hi chachab,

What version of manager do you have installed?

With an agent installed on a Windows machine, the agent picks up events from the eventchannel. If you see the events in the Windows Event Viewer, and the agent is online and running, you should be able to see the event in Kibana.

Moreover, in the ossec.conf check that in the local file you don't have the event id ignored, here is an example of the default configuration in v4.3.5:

```
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>
```

The != means that that event ID is being ignored by the Wazuh agent.

Let me know so I can help further here,
Regards,
Roman Luna.
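A quick way to check the point Roman makes (whether a given channel/EventID pair would be forwarded under a set of `<localfile>` entries) is to parse the `<query>` expressions and evaluate them. The script below is an added example written for this thread, not code from the Wazuh project or from either poster. It assumes a constructed `ossec.conf` fragment: the Security entry reproduces the v4.3.5 default quoted above, and the System entry is an assumed addition whose query keeps only EventID 1074. The parser only handles the two query shapes shown (a chain of `EventID != N` exclusions, or a chain of `EventID = N` inclusions); that limitation is an assumption of the example, not a statement about what Wazuh's XPath support allows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for this example (not copied from any real install).
# Security: the v4.3.5 default quoted in the thread (a list of != exclusions).
# System: an assumed addition that admits only EventID 1074 (shutdown/reboot).
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=1074]</query>
  </localfile>
</ossec_config>
"""

# The two query shapes this example understands (an assumption, see lead-in):
#   exclusion list:  EventID != A and EventID != B ...
#   inclusion list:  EventID = A or EventID = B ...
# "EventID\s*=\s*" cannot match "EventID != N" because "!" sits where "=" is required.
NEQ_ID = re.compile(r"EventID\s*!=\s*(\d+)")
EQ_ID = re.compile(r"EventID\s*=\s*(\d+)")


def parse_eventchannel_rules(conf_xml):
    """Map each eventchannel <location> to (excluded_ids, included_ids) from its <query>."""
    rules = {}
    for lf in ET.fromstring(conf_xml).iter("localfile"):
        if (lf.findtext("log_format") or "").strip() != "eventchannel":
            continue  # plain file monitors have no EventID filter
        channel = (lf.findtext("location") or "").strip()
        query = lf.findtext("query") or ""  # no <query> means the whole channel is collected
        excluded = {int(n) for n in NEQ_ID.findall(query)}
        included = {int(n) for n in EQ_ID.findall(query)}
        rules[channel] = (excluded, included)
    return rules


def collection_status(rules, channel, event_id):
    """Return (collected, reason) for one event under the parsed configuration."""
    if channel not in rules:
        return False, f"no eventchannel <localfile> for {channel!r}"
    excluded, included = rules[channel]
    if event_id in excluded:
        return False, f"{channel} query excludes EventID {event_id} with !="
    if included and event_id not in included:
        return False, f"{channel} query only admits EventIDs {sorted(included)}"
    return True, f"{channel} EventID {event_id} is forwarded by the agent"


def is_collected(rules, channel, event_id):
    return collection_status(rules, channel, event_id)[0]


if __name__ == "__main__":
    rules = parse_eventchannel_rules(SAMPLE_CONF)
    checks = [("System", 1074), ("Security", 5145), ("Security", 4624), ("Application", 1000)]
    for channel, eid in checks:
        ok, why = collection_status(rules, channel, eid)
        print(f"{'COLLECTED' if ok else 'DROPPED'}  {channel}/{eid}: {why}")
```

Running it against the constructed fragment reports System/1074 as collected, Security/5145 as dropped by the `!=` exclusion, Security/4624 as collected, and Application/1000 as dropped because no eventchannel entry covers that channel. The last case is the one most often behind a "missing" event: the ID is not ignored, the channel simply is not configured.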