How to ignore system log event ID 4658


Jacky Qin

Mar 19, 2020, 4:31:08 AM
to Wazuh mailing list
Hi,

Too many logs in the operating system result in flooding of the agent logs:

Rule: 204 fired (level 12) -> "Agent event queue is flooded. Check the agent configuration."

I log in to the server and see that the event IDs generated in the greatest numbers are: 4658, 4663, 5145, 5156.

I want to make the agent ignore these event IDs by modifying the /var/ossec/etc/shared/default/agent.conf file.

<agent_config os="Windows">
  <syscheck>
    <disabled>no</disabled>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes" realtime="yes" restrict=".aspx$|.exe$">D:\Program Files (x86)\ccc\ssd\DDSite</directories>
  </syscheck>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4658 and EventID != 4663]</query>
  </localfile>
</agent_config>


I confirm that the agent's installation directory file C:\Program Files (x86)\ossec-agent\shared\agent.conf has been synchronized. But the agent still has the warning of log flooding. Is this caused by a configuration error on my side, or by something else?

Best regards.
Jacky Qin


Jonathan Martín Valera

Mar 19, 2020, 1:09:05 PM
to Wazuh mailing list
Hello Jacky Qin,

There is indeed a recommended limit of 500 EPS per agent. You may increase it in ossec.conf:

<!-- Agent buffer options -->
<client_buffer>
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
</client_buffer>

but I'd recommend reviewing your configuration; maybe you are monitoring some noisy events.

For your use case, first of all you have to check whether this event filtering is actually being carried out.

To check this, follow the next steps:
  • In the manager ossec.conf, enable the option <logall>yes</logall>
  • Restart the manager.
  • Wait a few seconds for the manager to start receiving events from the Windows agent.
  • Run the following command (on the manager side) to see the number of events you receive for each eventID:

    cat /var/ossec/logs/archives/archives.log | egrep -io "eventID.*" | cut -d ":" -f2 | cut -d "," -f1 | sed 's/"//g' | sort | uniq -c | sort -n

    For instance:

    [root@centos7manager vagrant]# cat /var/ossec/logs/archives/archives.log | egrep -io "eventID.*" | cut -d ":" -f2 | cut -d "," -f1 | sed 's/"//g' | sort | uniq -c | sort -n
          4 4656
          7 7036
          8 4985

    Note: The first column indicates the number of occurrences and the second the eventID.

Then check whether you are receiving any event whose ID corresponds to the ignored ones; in that case, the configuration you have indicated is not being applied.

In the case that your configuration is being applied, you have to see which eventID is repeated most and decide whether to add it to the ignored list or not.

One aspect to take into account: in the ossec.conf file of the Windows agent, the following configuration is added by default:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>

You can check whether any of those EventIDs is causing the agent event queue flooding and add them to your ignore list.

I hope this helps you, and tell me the results :)

Best regards.

Jacky Qin

Mar 20, 2020, 2:38:30 AM
to Wazuh mailing list
Hi Jonathan Martín Valera,

When I run the following command (on the manager side) to see the number of events received for each eventID:

root@ip-10-129-3-46:/var/ossec/logs/archives# cat /var/ossec/logs/archives/archives.log | egrep -io "eventID.*" | cut -d ":" -f2 | cut -d "," -f1 |sed 's/"//g' | sort | uniq -c |sort -n
      2 EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>      </EventTrigger>    </Triggers>    <Principals>      <Principal id=NetworkService>        <UserId>S-1-5-20</UserId>      </Principal>    </Principals>    <Settings>      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>      <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>      <AllowHardTerminate>false</AllowHardTerminate>      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>      <AllowStartOnDemand>true</AllowStartOnDemand>      <Enabled>false</Enabled>      <Hidden>true</Hidden>      <RunOnlyIfIdle>false</RunOnlyIfIdle>      <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>      <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>      <WakeToRun>false</WakeToRun>      <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>      <Priority>7</Priority>      <RestartOnFailure>        <Interval>PT1M</Interval>   <Count>3</Count>      </RestartOnFailure>    </Settings>    <Actions Context=NetworkService>      <ComHandler>        <ClassId>{b1aebb5d-ead9-4476-b375-9c3ed9f32afc}</ClassId>        <Data><![CDATA[network]]></Data>      </ComHandler>    </Actions>  </Task>
      2 EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>      </EventTrigger>    </Triggers>    <Principals>      <Principal id=NetworkService>        <UserId>S-1-5-20</UserId>      </Principal>    </Principals>    <Settings>      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>      <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>      <AllowHardTerminate>false</AllowHardTerminate>      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>      <AllowStartOnDemand>true</AllowStartOnDemand>      <Enabled>true</Enabled>      <Hidden>true</Hidden>      <RunOnlyIfIdle>false</RunOnlyIfIdle>      <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>      <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>      <WakeToRun>false</WakeToRun>      <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>      <Priority>7</Priority>      <RestartOnFailure>        <Interval>PT1M</Interval>  <Count>3</Count>      </RestartOnFailure>    </Settings>    <Actions Context=NetworkService>      <ComHandler>        <ClassId>{b1aebb5d-ead9-4476-b375-9c3ed9f32afc}</ClassId>        <Data><![CDATA[network]]></Data>      </ComHandler>    </Actions>  </Task>

It looks a little different from your display. I can't see which event IDs have more occurrences. My version of wazuh is 3.2.1.

Best regards,
Jacky Qin

On Friday, March 20, 2020 at 1:09:05 AM UTC+8, Jonathan Martín Valera wrote:

Jonathan Martín Valera

Mar 20, 2020, 11:41:55 AM
to Wazuh mailing list

Hello Jacky Qin,

Wow, that wazuh version is a bit old. Could you share your file /var/ossec/logs/archives/archives.log, please? Let's see the format of the logs and analyze the number of events of the same ID you receive.

As a suggestion, I recommend that, if you can, you upgrade to the current version (3.11.4) and test whether the case you mentioned continues to occur.

You can take a look at this documentation section https://documentation.wazuh.com/3.11/user-manual/agents/remote-upgrading/upgrading-agent.html for the remote agent upgrade (if necessary).

If you have any questions about upgrading wazuh, you can ask without problem.

Looking forward to your reply :)

Jacky Qin

Mar 23, 2020, 5:43:18 AM
to Wazuh mailing list
Hi Jonathan Martín Valera,

My file /var/ossec/logs/archives/archives.log is too large. It's over 2GB. It's hard to share. If I upgrade, I won't be able to read the previous data. Is there any other way, such as counting the event ID types sent from the agent?

Best regards.
Jacky Qin

Jonathan Martín Valera

Mar 23, 2020, 11:23:16 AM
to Wazuh mailing list
Hello Jacky Qin,

Okay, let's then analyze a subset of events stored in the manager's archives.log file.

Can you pass me a fragment of the last 10000 events from the archives.log file? You can do this by sharing the file archives_fragment.log generated after executing the following command:

tail -n 10000 /var/ossec/logs/archives/archives.log > archives_fragment.log

Best regards.

Jacky Qin

Mar 23, 2020, 10:10:30 PM
to Wazuh mailing list
Hi Jonathan Martín Valera,

The archives_fragment.log file is attached. There are still logs with ID 4658 / 4663 uploaded to the manager.

Best regards.
Jacky Qin
Attachment: archives_fragment.zip

Jonathan Martín Valera

Mar 24, 2020, 5:43:25 AM
to Wazuh mailing list
Hello Jacky Qin,

The settings for ignoring your custom events are not being applied.

I have been analyzing the extract from archives.log that you shared with me and I have obtained the following result:

[root@centos7manager vagrant]# cat archives_fragment.log | egrep -io "AUDIT_SUCCESS.*" | cut -d ":" -f 1 | sed 's/AUDIT_SUCCESS//g; s/(//g; s/)//g' | sort | uniq -c |sort -n
2 4624
2 4634
2 4648
2 4656
2 4672
2 4690
2 4797
4 4611
8 4985
10 18454
15 5154
24 4703
30 4688
36 4660
36 4689
52 521
119 4793
137 4673
1789 5158
3418 4658
3523 4663

As you can see, you are receiving a lot of events whose IDs are 4663, 4658 and 5158. These events are the ones that are flooding the queue of the agent, so you have to decide whether you want to ignore them or not.

Next I refer you to the documentation about these events.


Once the problem is discovered, we have to debug the centralized configuration that you are applying to the windows agents.

Next I will show an example of the creation of groups, assignment to agents, and application of the centralized configuration:

- Create a group to apply a specific configuration

[root@centos7 vagrant]# /var/ossec/bin/agent_groups -a -g windows -q
Group 'windows' created.


- Check the newly created group

[root@centos7 vagrant]# /var/ossec/bin/agent_groups -l
Groups (2):
  default (1)
  windows (0)


- Add the necessary agents to the new group. In this case we will only add one.

First, let's get the id of the agent:

[root@centos7 vagrant]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: centos7 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: jmv74211-PC, IP: any, Never connected
   ID: 002, Name: windows_3.2.1, IP: any, Active

Add the windows agent to the windows group:

[root@centos7 vagrant]# /var/ossec/bin/agent_groups -a -i 002 -g windows -q
Group 'windows' set to agent '002'.

Check that the agent is in the new group.

[root@centos7 vagrant]# /var/ossec/bin/agent_groups -l -g windows
1 agent(s) in group 'windows':
  ID: 002  Name: windows_3.2.1.


- Edit the agent.conf file of the newly created group and apply the following settings:

[root@centos7 windows]# vi /var/ossec/etc/shared/windows/agent.conf

<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
  </localfile>
</agent_config>

- Once the file is saved, wait about 30 seconds for the configuration to be applied to the agent(s) and check the results (now such events must be ignored).

For more information on the centralized configuration, you can visit this section of the blog https://wazuh.com/blog/agent-groups-and-centralized-configuration/

I hope this information was helpful to you, and I look forward to your response.

Best regards
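The counting pipelines in the Mar 19 and Mar 24 replies, and the "are the ignored IDs still arriving?" check they feed, can be combined into one script. The following is an added example, not code from the thread or from Wazuh: it counts event IDs in archives.log lines that use the eventchannel JSON format quoted later in the thread, extracts the IDs excluded by the group's agent.conf <query>, and prints any excluded ID that still shows up. The sample log lines are constructed (trimmed to the fields that are parsed); the agent.conf is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh). Anchors the match on the
# JSON key "eventID" so text such as EventID=... inside an event's own message
# body (which is what garbled the egrep -io "eventID.*" output on 3.2.1) is
# not counted.

# Constructed archives.log sample in the eventchannel JSON layout.
SAMPLE_LOG='2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"5156","channel":"Security"}}}
2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4663","channel":"Security"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4663","channel":"Security"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4624","channel":"Security"}}}'

# The group agent.conf discussed in the thread.
SAMPLE_AGENT_CONF='<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
  </localfile>
</agent_config>'

# count_event_ids: archives.log lines on stdin -> "<count> <eventID>" lines,
# ascending by count (same shape as the thread's uniq -c | sort -n output).
count_event_ids() {
    grep -o '"eventID":"[0-9]*"' | cut -d '"' -f 4 | sort | uniq -c | sort -n \
        | awk '{ print $1, $2 }'
}

# excluded_ids: agent.conf on stdin -> the EventID values its <query> excludes.
excluded_ids() {
    grep -o 'EventID != [0-9]*' | awk '{ print $3 }' | sort -u
}

# leaked_ids LOG CONF: print "<count> <eventID>" for every excluded ID that is
# still present in LOG. Any output means the agent is not applying the filter.
leaked_ids() {
    excluded=$(printf '%s\n' "$2" | excluded_ids)
    printf '%s\n' "$1" | count_event_ids | while read -r n id; do
        if printf '%s\n' "$excluded" | grep -Fqx -- "$id"; then
            echo "$n $id"
        fi
    done
}

echo "Events per ID:"
printf '%s\n' "$SAMPLE_LOG" | count_event_ids
echo "Excluded IDs still received:"
leaked_ids "$SAMPLE_LOG" "$SAMPLE_AGENT_CONF"
```

On a real manager, replace the constructed variables with `$(cat /var/ossec/logs/archives/archives.log)` (or the archives_fragment.log produced by `tail -n 10000`) and `$(cat /var/ossec/etc/shared/windows/agent.conf)`; an empty "Excluded IDs still received" section is the result you want to see after the 30-60 second sync window.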

Jacky Qin

Mar 24, 2020, 10:16:32 PM
to Wazuh mailing list
Hi Jonathan Martín Valera,

Last night, I reconfigured and restarted the wazuh manager service. Today, I see that it still doesn't work.

root@ip-10-129-3-46:/home/ubuntu# cat /var/ossec/etc/shared/default/agent.conf
<agent_config  os="Windows">

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
  </localfile>

</agent_config>

Best regards.
Jacky Qin
Attachment: archives_fragment02 (1).zip

Jonathan Martín Valera

Mar 25, 2020, 12:40:12 PM
to Wazuh mailing list
Hi Jacky Qin,

Indeed, it seems that the configuration of the agent.conf is not correctly applied.

I've been testing it, and I've come to the conclusion that there may be a bug that is causing it to load this default configuration of ossec.conf:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>

The agent.conf should have priority, but it seems that in this case the agent is prioritizing this particular configuration of the ossec.conf

I suggest you do the following test.

Access the ossec.conf files of the windows agents, and remove the following:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>

Once deleted, apply the settings to agent.conf (in the windows group, if you followed the instructions in my comment above):

<agent_config os="windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
  </localfile>
</agent_config>

Wait about 30-60 seconds for the configuration to be applied to all the agents, and check if the events indicated in the new configuration are being ignored.

Comments
  • If you have followed my previous steps, and assigned the windows group to the windows agents, then you are not correctly configuring the agent.conf file. The correct path would be /var/ossec/etc/shared/windows/agent.conf (not default)
  • Wazuh version 3.2.1 is a bit old, my advice is to try to upgrade to the current version 3.12.0.

Please tell me about the test results :)

Best regards.

Jacky Qin

Mar 26, 2020, 1:53:30 AM
to Wazuh mailing list
Hi Jonathan Martín Valera,

I have hundreds of Windows agents here. It's a huge workload to log in and modify the configuration of ossec.conf. I have no way to test.

This may not be a version issue, because I can't ignore the alarms for these event IDs in the same test on wazuh v3.9.3.

The configuration of the local ossec.conf file of the agent is as follows. Centralized distribution of configuration will make the local ignore rule of the agent invalid.

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>C:\Program Files (x86)\ossec-agent\active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

If this is a bug as you said, you can add the currently only supported situation to your document https://documentation.wazuh.com/3.x/user-manual/reference/centralized-configuration.html: you cannot issue the <localfile> configuration, as it will not take effect. Let more people know about this defect, and consider avoiding this feature when you start to deploy wazuh.

Best regards.
Jacky Qin

Jonathan Martín Valera

Mar 26, 2020, 9:17:31 AM
to Wazuh mailing list
Hello Jacky Qin,

I have been doing an in-depth investigation and testing of this error.

First of all, I have tested the version that you have commented (3.9.3), and in this case it works correctly.

Specifically, the error was fixed as of version 3.3.0 with this pull request https://github.com/wazuh/wazuh/pull/402.

My recommendation is to upgrade manager and agents at least to version 3.3.0 to solve this bug (preferably to the current version 3.12.0).

As for the comment you have given me about version 3.9.3, it makes me think that you are not applying the centralized configuration correctly.

To quickly check if the agents are getting the configuration from the agent.conf file, you can do the following:

Option A

If you have access to the Windows agent hosts, you can compare whether the content of the agent's agent.conf is the same as the agent.conf of the group specified in the manager.

In Windows, the agent.conf file is located in the path "C:\Program Files (x86)\ossec-agent\shared\agent.conf"

Option B

In case you cannot access the agent.conf content, you can also check it by comparing the checksum of the merged.mg file. You can do it as follows:

- Get the checksum of the manager's merged.mg file

[root@centos7manager vagrant]# md5sum /var/ossec/etc/shared/windows/merged.mg
37a69d12f90b80e47c94263c233bad66  /var/ossec/etc/shared/windows/merged.mg

Note: In this case the windows group is being used, hence the shared/windows path.

- Get the checksum of one agent's merged.mg file


[root@centos7manager agent-info]# cat /var/ossec/queue/agent-info/windows330-any
xxxx
[Ver: 6.1.7601] - Wazuh v3.3.0 / c684ba77052d9c8ce210c84a7b9c7f1a
37a69d12f90b80e47c94263c233bad66 merged.mg

#"manager_hostname":centos7manager
#"node_name":node01

Note: In this example we have selected the agent registered with the name "windows330-any". You can see the checksum of the merged.mg file in this line:

37a69d12f90b80e47c94263c233bad66 merged.mg

As you can see, the checksums match, so you can say that the files are synchronized correctly.

I hope this information is helpful to you. I look forward to your response.

Best regards.
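Option B above compares one agent by hand. As an added example (not code from the thread or from Wazuh), the script below does the same comparison for every agent-info file in a directory: it takes the md5sum of the group's merged.mg and checks it against the "<md5> merged.mg" line each agent reports. Everything runs against constructed files in a temporary directory (the merged.mg content is a placeholder, and the stale agent's checksum is an obviously fake all-zero value); on a real manager the paths are /var/ossec/etc/shared/<group>/merged.mg and /var/ossec/queue/agent-info/<name>-<ip>.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): per-group merged.mg
# synchronisation check based on the agent-info checksum line shown above.

# reported_checksum AGENT_INFO_FILE
# Print the checksum from the "<md5> merged.mg" line of an agent-info file.
reported_checksum() {
    awk '$2 == "merged.mg" { print $1; exit }' "$1"
}

# check_merged_sync MERGED_FILE AGENT_INFO_FILE
# Return 0 when the agent reports the manager's current merged.mg checksum,
# 1 when it reports a different one or none at all.
check_merged_sync() {
    manager_sum=$(md5sum "$1" | awk '{ print $1 }')
    agent_sum=$(reported_checksum "$2")
    if [ -n "$agent_sum" ] && [ "$manager_sum" = "$agent_sum" ]; then
        return 0
    fi
    return 1
}

# report_group_sync MERGED_FILE AGENT_INFO_DIR
# Print one "SYNCED <agent>" or "STALE <agent>" line per agent-info file.
report_group_sync() {
    for info in "$2"/*; do
        [ -f "$info" ] || continue
        name=$(basename "$info")
        if check_merged_sync "$1" "$info"; then
            echo "SYNCED $name"
        else
            echo "STALE $name"
        fi
    done
}

# Constructed lab: one group merged.mg, one synced agent, one stale agent.
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/shared/windows" "$LAB/agent-info"
# Placeholder content; the real merged.mg is generated by the manager.
printf '#windows\n!0 agent.conf\n' > "$LAB/shared/windows/merged.mg"
CURRENT_SUM=$(md5sum "$LAB/shared/windows/merged.mg" | awk '{ print $1 }')
# Agent that has pulled the current merged.mg (same layout as the agent-info output above).
printf 'xxxx\n[Ver: 6.1.7601] - Wazuh v3.3.0 / c684ba77052d9c8ce210c84a7b9c7f1a\n%s merged.mg\n' \
    "$CURRENT_SUM" > "$LAB/agent-info/windows330-any"
# Agent still holding an older merged.mg; the checksum is a constructed placeholder.
printf 'xxxx\n[Ver: 6.1.7601] - Wazuh v3.2.1 / c684ba77052d9c8ce210c84a7b9c7f1a\n%s merged.mg\n' \
    "00000000000000000000000000000000" > "$LAB/agent-info/stale-any"

report_group_sync "$LAB/shared/windows/merged.mg" "$LAB/agent-info"
```

A STALE line for an agent that is Active means the group file has changed on the manager but the agent has not fetched it yet (or is still on a version affected by the bug mentioned in this thread); a STALE line with an empty checksum usually means the agent has never connected since the group was assigned.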

Jacky Qin

Mar 30, 2020, 12:07:20 AM
to Wazuh mailing list
Hi Jonathan Martín Valera,

I'm sorry for the late reply. I'm sure that the manager's centralized configuration has been distributed to the agent. Next, I will submit the evidence to you.

wazuh manager:
root@hids-001a:~# cat /var/ossec/etc/shared/default/agent.conf
<agent_config  os="Windows">

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
  </localfile>

</agent_config>


wazuh agent:

Attachment: agent-conf.png



Part of the configuration of the ossec.conf file on the agent:

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

Version of manager:

root@hids-001a:~# /var/ossec/bin/manage_agents
2020/03/30 10:46:30 manage_agents: WARNING: Detected a deprecated configuration for cluster. Interval option is not longer available.


****************************************
* Wazuh v3.9.3 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Version of agent:


Attachment: agent-V.png




5156 event uploaded by agent to manager:

root@hids-001a:~# grep 5156 /var/ossec/logs/archives/archives.log | grep 10.229.6.60
2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:17.356072900Z","eventRecordID":"24776777","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"13821","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:17.371706700Z","eventRecordID":"24776778","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"3241","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:17.637387800Z","eventRecordID":"24776779","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"3815","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:18 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.215666400Z","eventRecordID":"24776781","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"15537","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.356316800Z","eventRecordID":"24776782","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"36003","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.356316800Z","eventRecordID":"24776783","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"36029","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.356316800Z","eventRecordID":"24776784","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"36095","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.356316800Z","eventRecordID":"24776785","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"36179","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.356316800Z","eventRecordID":"24776786","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"36125","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:18.606376800Z","eventRecordID":"24776787","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"16315","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:19 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:19.262621200Z","eventRecordID":"24776789","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"17789","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:19.559418600Z","eventRecordID":"24776790","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"7773","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:19.856222100Z","eventRecordID":"24776792","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.22","destPort":"52765","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:19.918714400Z","eventRecordID":"24776793","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"19043","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:19.981192200Z","eventRecordID":"24776794","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"8503","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.028058200Z","eventRecordID":"24776795","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"19283","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.074923700Z","eventRecordID":"24776796","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.22","destPort":"53029","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.168655600Z","eventRecordID":"24776797","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"19569","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.184253500Z","eventRecordID":"24776798","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"8955","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.199893800Z","eventRecordID":"24776799","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"9009","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.278008300Z","eventRecordID":"24776800","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.32","destPort":"19785","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.387332500Z","eventRecordID":"24776801","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"37459","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.387332500Z","eventRecordID":"24776802","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.131","destPort":"37507","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.434214800Z","eventRecordID":"24776803","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"9495","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"5156","version":"1","level":"0","task":"12810","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-03-30T02:18:20.590404500Z","eventRecordID":"24776804","processID":"4","threadID":"7600","channel":"Security","computer":"HWN-APP-060A.k3c.local","severityValue":"AUDIT_SUCCESS","message":"Windows 筛选平台已允许连接。"},"eventdata":{"processID":"4","application":"System","direction":"%%14592","sourceAddress":"10.229.6.60","sourcePort":"80","destAddress":"10.229.8.31","destPort":"9805","protocol":"6","filterRTID":"0","layerName":"%%14610","layerRTID":"44","remoteUserID":"S-1-0-0","remoteMachineID":"S-1-0-0"}}}
............
...........
.........

The above information supports my opinion that Wazuh version 3.9.3 has the same bug as 3.2.1.

Best regards.
Jacky Qin

Jonathan Martín Valera

unread,
Mar 30, 2020, 6:45:40 AM3/30/20
to Wazuh mailing list
Hi Jacky Qin,

In this case, you are showing me that it does work. I explain:

In your ossec.conf file you have the following:


<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]
  </query>
</localfile>

(As you can see, event 5156 is ignored.)

In your agent.conf file you have the following:


<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
</localfile>

(As you can see, event 5156 is not ignored.)

As a final result, you are getting 5156 id alerts. The reason is that the configuration of the agent.conf file takes precedence over the ossec.conf, so the final result you would have is the following:


<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
</localfile>

In this resulting configuration, event 5156 is not being ignored, so events of this type WILL be generated.

In case you wanted to ignore event 5156, you would have to add it to the ignore list in the agent.conf file (on manager side).

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663 and EventID != 5156]</query>
</localfile>

The problem found in version 3.2.1 (and fixed in 3.3.0) is that the resulting configuration prioritized ossec.conf instead of agent.conf.

I hope this has resolved your doubts :)

Best regards.
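To make the precedence described above checkable, here is an added Python example; it is not Wazuh code and not from either poster. It parses a few constructed archive lines in the `<date> (<agent>) any->EventChannel <json>` layout Jacky pasted, ranks event IDs by frequency (the way you would find the noisy IDs behind rule 204), and then applies each `<query>` the way the agent does from 3.3.0 on: the agent.conf `<query>` replaces the ossec.conf one rather than merging with it, so 5156 is still forwarded. The query parser understands only the `EventID != N and ...` form used in this thread; the sample lines, the helper names and the field subset are constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample archive lines (not the thread's real data) in the
# "<date> (<agent>) any->EventChannel <json>" layout that archives.log shows
# when <logall> is enabled. Only the fields this example needs are kept.
SAMPLE_ARCHIVE = """\
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"eventID":"5156","channel":"Security"},"eventdata":{"destPort":"52765"}}}
2020 Mar 30 10:18:20 (HWN-APP-060A) any->EventChannel {"win":{"system":{"eventID":"5156","channel":"Security"},"eventdata":{"destPort":"19043"}}}
2020 Mar 30 10:18:21 (HWN-APP-060A) any->EventChannel {"win":{"system":{"eventID":"4663","channel":"Security"},"eventdata":{}}}
2020 Mar 30 10:18:21 (HWN-APP-060A) any->EventChannel {"win":{"system":{"eventID":"4624","channel":"Security"},"eventdata":{}}}
2020 Mar 30 10:18:22 (HWN-APP-060A) any->EventChannel {"win":{"system":{"eventID":"5158","channel":"Security"},"eventdata":{}}}
"""

# The two <query> values from the thread: ossec.conf excludes 5156, agent.conf does not.
OSSEC_CONF_QUERY = ("Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and "
                    "EventID != 4656 and EventID != 4658 and EventID != 4663]")
AGENT_CONF_QUERY = "Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) any->EventChannel (?P<json>\{.*\})$"
)


def parse_archive(text):
    """Turn archive lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        system = json.loads(m.group("json"))["win"]["system"]
        events.append({
            "timestamp": m.group("ts"),
            "agent": m.group("agent"),
            "channel": system.get("channel"),
            "event_id": int(system["eventID"]),
        })
    return events


def top_event_ids(events, n=5):
    """Most frequent event IDs first: the candidates to exclude when the agent queue floods."""
    return Counter(e["event_id"] for e in events).most_common(n)


def excluded_ids(query):
    """Event IDs a query drops. Only the 'EventID != N and ...' form from the thread is understood."""
    return {int(n) for n in re.findall(r"EventID\s*!=\s*(\d+)", query)}


def effective_query(ossec_query, agent_query):
    """<query> is a single value, so an agent.conf query replaces the ossec.conf one outright
    (the precedence the thread describes for Wazuh 3.3.0 and later)."""
    return agent_query if agent_query is not None else ossec_query


def surviving_ids(events, query):
    """Event IDs still forwarded after the query is applied, in archive order."""
    excl = excluded_ids(query)
    return [e["event_id"] for e in events if e["event_id"] not in excl]


if __name__ == "__main__":
    evs = parse_archive(SAMPLE_ARCHIVE)
    print("noisiest IDs:", top_event_ids(evs))
    print("ossec.conf query alone keeps:", surviving_ids(evs, OSSEC_CONF_QUERY))
    print("effective query (agent.conf wins) keeps:",
          surviving_ids(evs, effective_query(OSSEC_CONF_QUERY, AGENT_CONF_QUERY)))
```

Running it against a real archives.log shows directly whether the IDs you believe are excluded still appear; if they do, the query that actually applies is the one in agent.conf, not the union of both files.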

Jacky Qin

unread,
Mar 30, 2020, 11:58:05 PM3/30/20
to Wazuh mailing list
Hi Jonathan Martín Valera,

I changed the configuration of the agent.conf file to this:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]
  </query>
</localfile>

It works. 5156 events can be ignored.

When I look at the description document of the precedence configuration, my understanding is that it will match the configuration of ossec.conf + agent.conf together in the same place.

In the example: <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157]</query> + <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>

It turns out that your explanation is correct and my understanding is wrong.

In version 3.2.1, we plan to upgrade later to solve this bug. 

Thank you for your help.

Best regards.
Jacky Qin

Jonathan Martín Valera

unread,
Mar 31, 2020, 5:13:19 AM3/31/20
to Wazuh mailing list
Hello Jacky Qin,

Yes, I can understand that what you read in the documentation could confuse you, so I have opened an issue in wazuh-documentation https://github.com/wazuh/wazuh-documentation/issues/2350 to try to explain it better.

In the case mentioned in the documentation, the settings for agent.conf and ossec.conf are merged because it is a list and its elements can be mixed.

In this use case, the value of the <query> tag cannot be merged, so its value is directly overridden, an example of this:

ossec.conf

<sca>
  <enabled>yes</enabled>
</sca>

agent.conf

<sca>
  <enabled>no</enabled>
</sca>

Result

<sca>
  <enabled>no</enabled>
</sca>


However, there are cases in which the configuration can be added as:

ossec.conf

<sca>
  <policies>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>

agent.conf

<sca>
  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
  </policies>
</sca>

Result

<sca>
  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>

 I hope this helps you :)

 Best regards.
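The two merge behaviours in this reply (a single value such as <enabled> or <query> is replaced by the agent.conf value; a list such as <policies> is combined with the agent.conf entries first) can be modelled in a few lines. The following is an added Python example, written for this thread and not taken from Wazuh's source: it parses constructed copies of the ossec.conf and agent.conf fragments shown above with the standard library and produces the same results the reply lists. The rule it uses to tell a list from a single value (a container whose children all share one tag) is an assumption for the example, as are the helper names.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed snippets mirroring the thread's examples; not Wazuh's own files.
SCA_OSSEC = """\
<sca>
  <enabled>yes</enabled>
  <policies>
    <policy>system_audit_rcl.yml</policy>
    <policy>system_audit_ssh.yml</policy>
    <policy>system_audit_pw.yml</policy>
  </policies>
</sca>
"""
SCA_AGENT = """\
<sca>
  <enabled>no</enabled>
  <policies>
    <policy>cis_debian_linux_rcl.yml</policy>
  </policies>
</sca>
"""
LOCALFILE_OSSEC = """\
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 4663]</query>
</localfile>
"""
LOCALFILE_AGENT = """\
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5158 and EventID != 4658 and EventID != 4663]</query>
</localfile>
"""


def _text(elem):
    return (elem.text or "").strip()


def is_item_list(elem):
    """Assumed rule: a container whose children all share one tag (<policies> of <policy>) is a list."""
    return len(elem) > 0 and len({c.tag for c in elem}) == 1


def merge_section(base, override):
    """Apply `override` (agent.conf) on top of `base` (ossec.conf) and return a new element.

    Modelled on the behaviour described in the thread, not on Wazuh's implementation:
      * single values: the agent.conf value wins (<enabled>, <query>);
      * lists of same-tag items: agent.conf items first, then ossec.conf items not already present;
      * anything present only in ossec.conf is kept unchanged.
    """
    result = copy.deepcopy(override)
    for base_child in base:
        target = result.find(base_child.tag)
        if target is None:
            result.append(copy.deepcopy(base_child))
        elif len(base_child) == 0:
            continue  # single value: the override copy already holds the agent.conf value
        elif is_item_list(base_child) and is_item_list(target):
            present = {(c.tag, _text(c)) for c in target}
            for item in base_child:
                if (item.tag, _text(item)) not in present:
                    target.append(copy.deepcopy(item))
        else:
            idx = list(result).index(target)
            result[idx] = merge_section(base_child, target)  # nested block: recurse
    return result


def merge_xml(ossec_xml, agent_xml):
    return merge_section(ET.fromstring(ossec_xml), ET.fromstring(agent_xml))


def merged_leaf(ossec_xml, agent_xml, tag):
    """Value of a single-valued child (e.g. 'enabled', 'query') in the merged result."""
    return _text(merge_xml(ossec_xml, agent_xml).find(tag))


def merged_items(ossec_xml, agent_xml, container, item):
    """Ordered item texts of a merged list container (e.g. 'policies'/'policy')."""
    return [_text(e) for e in merge_xml(ossec_xml, agent_xml).find(container).findall(item)]


if __name__ == "__main__":
    print(ET.tostring(merge_xml(SCA_OSSEC, SCA_AGENT), encoding="unicode"))
    print(ET.tostring(merge_xml(LOCALFILE_OSSEC, LOCALFILE_AGENT), encoding="unicode"))
```

The <localfile> case is the one from earlier in the thread: every child of <localfile> is a single value, so the agent.conf <query> replaces the ossec.conf one in full, and any event ID you want excluded has to be listed in the agent.conf query itself.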

Jacky Qin

unread,
Apr 1, 2020, 9:32:27 PM4/1/20
to Wazuh mailing list
Hi Jonathan Martín Valera,

That's exactly what I want to say. Thank you very much for helping me.

Best regards.
Jacky Qin

On Tuesday, March 31, 2020 at 5:13:19 PM UTC+8, Jonathan Martín Valera wrote: