Hello Jacky Qin,
it isn’t blocked. It is necessary to have rules which match the SEP logs to show alerts in Kibana.
You can follow our documentation to create rules and decoders for it: Custom rules and decoders
If you need help, you can provide us with information about which files (or Windows channel) SEP writes its logs to, and examples of SEP logs. We will help you.
Best regards,
Eva

Security Risk Found!PUA.Keygen.KMS in File: C:\Users\Administrator\Desktop\KMSAuto_Net_99down.com (1)\KMSAuto_Net_99down.com\KMSAuto Net.exe by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was quarantined successfully.

Hi!
Apologies for the late response.
There are two ways to monitor the Windows channel. You can use Eventlog or Eventchannel.
By default, Wazuh monitors the Application channel using Eventchannel. If you open the agent configuration (ossec.conf) you can see the following block in the file:
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>
The Windows agent processes these events and sends the logs to the manager, then the manager adds the logs to the Analysisd queue to check if they match rules.
I need you to activate the logall option to know which logs are added to the Analysisd queue.
Could you modify the logall option from no to yes (it’s in the manager’s ossec.conf) and restart the Wazuh manager?
It creates the /var/ossec/logs/archives/archives.log file. The Wazuh manager will write all the logs it receives there.
Then generate a SEP event in the agent connected to the manager and you can see in archives.log the SEP logs which are processed by Analysisd.
Could you send us these logs to create new rules?
Regards,
Eva
2019 Sep 29 09:05:30 (WIN-B8O4FUQ4SSA) 172.20.102.103->WinEvtLog 2019 Sep 29 17:05:30 WinEvtLog: Application: ERROR(51): Symantec AntiVirus: (no user): no domain: WIN-B8O4FUQ4SSA: Security Risk Found!Hacktool in File: C:\Users\Administrator\Desktop\ppxshell\ppxshell.gif2398662.asp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.

Hi Jacky,
Some rules and decoders for Symantec products already exist. They can be found in the ruleset/rules/0120-symantec-av_rules.xml, ruleset/rules/0125-symantec-ws_rules.xml and ruleset/decoders/0330-symantec_decoders.xml files. But you need to create new rules for the events you are interested in.
All SEP logs match one of the following rules:
<rule id="7300" level="0">
<decoded_as>symantec-av</decoded_as>
<description>Grouping of Symantec AV rules.</description>
</rule>
<rule id="7301" level="0">
<category>windows</category>
<extra_data>^Symantec AntiVirus</extra_data>
<description>Grouping of Symantec AV rules from eventlog.</description>
</rule>
I searched for information about SEP logs and I found the following page:
Symantec Endpoint Protection 12.1.x event log entries
You can create child rules of these with the help of the above link. An example could be the following:
<rule id="999775" level="3">
<if_sid>7300, 7301</if_sid>
<id>^7$</id>
<description>Definition file loaded</description>
</rule>
<rule id="999776" level="3">
<if_sid>7300, 7301</if_sid>
<id>^12$</id>
<description>Configuration changed</description>
</rule>
<rule id="999777" level="3">
<if_sid>7300, 7301</if_sid>
<id>^13$</id>
<description>Symantec AntiVirus Shutdown</description>
</rule>
<rule id="999778" level="3">
<if_sid>7300, 7301</if_sid>
<id>^14$</id>
<description>Symantec AntiVirus Startup</description>
</rule>
To test your rules you can use ossec-logtest. It’s a useful tool for testing and verifying rules.
For example, the logtest output when the input is the log you sent is:
root@lopezziur:/var/ossec# bin/ossec-logtest
2019/09/30 11:45:35 ossec-testrule: INFO: Started (pid: 6538).
ossec-testrule: Type one log per line.
2019 Sep 29 17:05:30 WinEvtLog: Application: ERROR(51): Symantec AntiVirus: (no user): no domain: WIN-B8O4FUQ4SSA: Security Risk Found!Hacktool in File: C:\Users\Administrator\Desktop\ppxshell\ppxshell.gif2398662.asp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.
**Phase 1: Completed pre-decoding.
full event: '2019 Sep 29 17:05:30 WinEvtLog: Application: ERROR(51): Symantec AntiVirus: (no user): no domain: WIN-B8O4FUQ4SSA: Security Risk Found!Hacktool in File: C:\Users\Administrator\Desktop\ppxshell\ppxshell.gif2398662.asp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.'
timestamp: '2019 Sep 29 17:05:30'
hostname: 'lopezziur'
program_name: 'WinEvtLog'
log: 'Application: ERROR(51): Symantec AntiVirus: (no user): no domain: WIN-B8O4FUQ4SSA: Security Risk Found!Hacktool in File: C:\Users\Administrator\Desktop\ppxshell\ppxshell.gif2398662.asp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.'
**Phase 2: Completed decoding.
decoder: 'windows'
type: 'Application'
status: 'ERROR'
id: '51'
extra_data: 'Symantec AntiVirus'
dstuser: '(no user)'
system_name: 'WIN-B8O4FUQ4SSA'
**Phase 3: Completed filtering (rules).
Rule id: '7301'
Level: '0'
Description: 'Grouping of Symantec AV rules from eventlog.'
You can note that the log processing has three phases:
I hope it helps you. You can find more information about the ruleset in our documentation.
Best regards,
Eva
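As an added illustration (this is not Wazuh’s code and not from the thread), here is a small Python model of the three logtest phases shown above, run over the WinEvtLog line Jacky posted: it decodes the Windows event fields that Phase 2 lists, splits SEP’s "Security Risk Found!" message into risk, file path and action, and walks a rule tree in which a child rule only fires after its parent. Rule 7301 and 999775 come from the thread; rule 100100 and its level are hypothetical, chosen to show how a child rule for the quoted event id 51 would fire.

```python
import re

# Constructed from the WinEvtLog line quoted in the thread (not a live capture).
SAMPLE = ("2019 Sep 29 17:05:30 WinEvtLog: Application: ERROR(51): Symantec AntiVirus: "
          "(no user): no domain: WIN-B8O4FUQ4SSA: Security Risk Found!Hacktool in File: "
          "C:\\Users\\Administrator\\Desktop\\ppxshell\\ppxshell.gif2398662.asp by: "
          "Auto-Protect scan. Action: Cleaned by Deletion. Action Description: "
          "The file was deleted successfully.")

# Phases 1-2: the fields logtest printed (timestamp, type, status, id, extra_data, ...).
EVT = re.compile(r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
                 r"(?P<type>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
                 r"(?P<dstuser>[^:]+): (?P<domain>[^:]+): (?P<system_name>[^:]+): "
                 r"(?P<message>.*)$")

# SEP's own message body, split into the parts an analyst wants in an alert.
RISK = re.compile(r"Security Risk Found!(?P<risk>.+?) in File: (?P<path>.+?) by: "
                  r"(?P<scan>.+?)\. Action: (?P<action>.+?)\. Action Description: "
                  r"(?P<detail>.+)$")

# (rule id, level, parent ids, {field: regex}, description). The <id> checks mirror
# the <id>^7$</id> style rules from the thread; 100100 is a hypothetical child rule.
RULES = [
    (7301, 0, (), {"extra_data": r"^Symantec AntiVirus"},
     "Grouping of Symantec AV rules from eventlog."),
    (999775, 3, (7300, 7301), {"id": r"^7$"}, "Definition file loaded"),
    (100100, 7, (7300, 7301), {"id": r"^51$", "message": r"Security Risk Found"},
     "SEP security risk found (hypothetical rule)"),
]


def decode(line):
    """Return the decoded fields for a WinEvtLog line, or None if it does not parse."""
    m = EVT.match(line)
    if not m:
        return None
    fields = m.groupdict()
    risk = RISK.match(fields["message"])
    if risk:                      # only SEP detections carry these extra fields
        fields.update(risk.groupdict())
    return fields


def match_rules(fields):
    """Phase 3, simplified: a child rule is evaluated only if one of its parents fired.
    Returns the ids that fired in order; the last one is what logtest would report."""
    fired = []
    for rule_id, _level, parents, checks, _desc in RULES:
        if parents and not any(p in fired for p in parents):
            continue
        if all(re.search(rx, fields.get(field, "")) for field, rx in checks.items()):
            fired.append(rule_id)
    return fired
```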