Multiple Windows error application events
155 views
Skip to first unread message
Mehmet Özdaman
Nov 8, 2024, 3:39:27 AM11/8/24
to Wazuh | Mailing List
Hello everyone
Unfortunately, I could not solve the following problems. (Multiple Windows error application events). This problem occurs when two users conflict at the same time, and since it is level 10, it causes concern every time. What kind of configuration should be done to overcome this problem? I would be happy if you help. Kind regards.
rule.description
Multiple Windows error application events.
data.win.system.message
"SQL Server cannot accept new connections, because it is shutting down. The connection has been closed. [CLIENT:xxxxxxxxxx)
Data.win.system.message
"There was a memory allocation failure during connection establishment. Reduce nonessential memory load, or increase system memory. The connection has been closed. [CLIENT:xxxxxxx)
data.win.system.message
"Error: 17300, Severity: 16, State: 1. (Params:). The error is printed in terse mode because there was error during formatting. Tracing, ETW, notifications etc are skipped."
data.win.system.message
"SQL Server failed with error code 0xc0000000 to spawn a thread to process a new login or connection. Check the SQL Server error log and the Windows event logs for information about possible related problems. [CLIENT: xxxxxxxxxx]"
data.win.system.message
"An account failed to log on.
rule.description
Multiple Windows error application events.
rule.firedtimes
50
rule.frequency
8
rule.groups
windows, windows_application
rule.id
61061
rule.level
10
decoder.name
windows_eventchannel
location
EventChannel
Unfortunately, I could not solve the following problems. (Multiple Windows error application events). This problem occurs when two users conflict at the same time, and since it is level 10, it causes concern every time. What kind of configuration should be done to overcome this problem? I would be happy if you help. Kind regards.
rule.description
Multiple Windows error application events.
data.win.system.message
"SQL Server cannot accept new connections, because it is shutting down. The connection has been closed. [CLIENT:xxxxxxxxxx)
Data.win.system.message
"There was a memory allocation failure during connection establishment. Reduce nonessential memory load, or increase system memory. The connection has been closed. [CLIENT:xxxxxxx)
data.win.system.message
"Error: 17300, Severity: 16, State: 1. (Params:). The error is printed in terse mode because there was error during formatting. Tracing, ETW, notifications etc are skipped."
data.win.system.message
"SQL Server failed with error code 0xc0000000 to spawn a thread to process a new login or connection. Check the SQL Server error log and the Windows event logs for information about possible related problems. [CLIENT: xxxxxxxxxx]"
data.win.system.message
"An account failed to log on.
rule.description
Multiple Windows error application events.
rule.firedtimes
50
rule.frequency
8
rule.groups
windows, windows_application
rule.id
61061
rule.level
10
decoder.name
windows_eventchannel
location
EventChannel
hasitha.u...@wazuh.com
Nov 8, 2024, 4:30:53 AM11/8/24
to Wazuh | Mailing List
Hi Mehmet,
By default, the Wazuh Manager ignores alerts below level 3, as these are considered basic rules. Therefore, if you have a known issue and want to prevent it from appearing on the dashboard, you can set its alert level to 0. This will ensure it is ignored by Wazuh and not displayed on the dashboard.
Here is how you can do it.
First copy the existing rule and paste it into the local_rules.xml file to customized existing rule and add the overwrite option.
For example:
nano /var/ossec/etc/rules/local_rules.xml
<group name="windows,windows_application,">
<rule id="61061" level="0" frequency="$MS_FREQ" timeframe="240" overwrite="yes">
<if_matched_sid>60602</if_matched_sid>
<options>no_full_log</options>
<description>Multiple Windows error application events.</description>
</rule>
</group>
Make sure to restart the Wazuh manager to apply changes.
systemctl restart wazuh-manager
Regards,
Hasitha Upekshitha
To ignore this alert, set its rule level to 0. However, since it's an existing rule, you’ll need to copy it to a custom rules file before making modifications.
Here is how you can do it.
First copy the existing rule and paste it into the local_rules.xml file to customized existing rule and add the overwrite option.
For example:
nano /var/ossec/etc/rules/local_rules.xml
<group name="windows,windows_application,">
<rule id="61061" level="0" frequency="$MS_FREQ" timeframe="240" overwrite="yes">
<if_matched_sid>60602</if_matched_sid>
<options>no_full_log</options>
<description>Multiple Windows error application events.</description>
</rule>
</group>
Make sure to restart the Wazuh manager to apply changes.
systemctl restart wazuh-manager
Let me know if this helps.
Hasitha Upekshitha
Reply all
Reply to author
Forward
0 new messages