WEF Agent and forwarded Events

[Retro Is Best]

Good afternoon all,

I currently have WEF (Windows Event Forwarder) setup which collects events from clients, these are standard windows events but I also forward all sysmon events.

The wazuh agent on this WEF server forwards all the normal events  but none of the sysmon forwarded events.

In my agent log file im seeing lots of repeated

wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029)

Which im guessing is the agent not knowing how to handle the sysmon events that live in the forwardedevents channel?

my agent ossec.conf contains a local block 

  <localfile>
    <location>forwardedevents</location>
    <log_format>eventchannel</log_format>
  </localfile>

What do I need to do to parse these sysmon events that exist in my "Forwarded Events" channel?

Thanks for the help!

[Marcos Darío Buslaiman]

Hi 
Thanks for using Wazuh!,
I would like to get more information about your agent just to focus the where could be the root of this issue, could you please share the following:

• Which version of Wazuh manager and agent are you running?
• And the config file "ossec.conf2 of the agent (please, take into account removing all sensitive data)
• The agent log with the error "ossec.log" in order to identify more details about this error.
• And an example (Details --> XML view) of one of the sysmon event that you have but is not sending to your Wazuh Manager.

According to the error, as you mentioned, seems that is a problem with the log format or location of the events.
As is described in this blog the configuration to monitor sysmon events should be the following:

<localfile>

<location>Microsoft-Windows-Sysmon/Operational</location>

<log_format>eventchannel</log_format>

</localfile>

This document is described different ways to collect Windows logs. 

Regards
Marcos

[Retro Is Best]

Hi Marcos,

Thanks for the reply,

Wazuh Manager version = 4.4.3

Wazuh agent installed on Server 2019 version = 4.4.3

Thanks for the links unfortunatley as its a Channel called "Forwarded Events" which forwards both windows and sysmon events im unsure how to parse these correctly.

Thanks

[Marcos Darío Buslaiman]

According to your configuration file, you have configured the "Forwarded Events" format with "eventlog"
<localfile> <location>forwardedevents</location> <log_format>eventlog</log_format> </localfile> Try to change the log_format to:

<localfile> <location>forwardedevents</location> <log_format> eventchannel</log_format> </localfile>

And restart the agent.

Also I will try to replicate this scenario of Sysmon from  "Forwarded Events"

Regards.
Marcos

[Retro Is Best]

Apologies
I think I gave you an old config ... It is currently set as eventchannel (I tried eventlog out of desperation)

The event still does not show

Thanks

[Retro Is Best]

Good morning Marcos,

I believe I have found the issue to my problem when forwarding windows events containing sysmon monitored events.

My sysmon client was very old (9.1.0) 

Updated (14.16.0.0) and deployed to a few test machines - these test machines have now appeared in wazuh discover with the correct events!

I will monitor it further and deploy to the remaining clients - im guessing the format of the sysmon event had changed since the older version and the ossec rules did not like this old format.

Thanks

[Marcos Darío Buslaiman]

Hi Mrbristol,
I'm glad that you were able to solve it and that you shared the solution.
Do not hesitate to contact us again if you have any other questions.

Regards
Marcos