Event log cleared alert


Alex Martin

Mar 12, 2017, 6:54:52 PM
to Wazuh mailing list
Hello,

Another small issue I'm struggling to get working.
I'm trying to get alerts generated whenever an event log is cleared.

The built-in rules seem to work for the Application and System logs, but apparently not for the Security log, despite the rule below being present.

/var/ossec/ruleset/rules/0220-msauth_rules.xml:
  <rule id="18118" level="9">
    <if_sid>18104</if_sid>
    <id>^517$|^1102$</id>
    <description>Windows audit log was cleared.</description>
    <group>logs_cleared,pci_dss_10.6.1,</group>
  </rule>

(I have tried commenting out if_sid, just in case.)


Both log_all options are set, and I can see the event in the archive log; it appears as below:

{"timestamp":"2017-03-12T22:35:17+0000","rule":{},"agent":{"id":"011","name":"Agent11","ip":"10.0.0.11"},"manager":{"name":"SysLog01.x.y.z"},"dstuser":"(no user)","full_log":"2017 Mar 12 22:35:17 WinEvtLog: Security: INFORMATION(1102): Microsoft-Windows-Eventlog: (no user): no domain: Agent11.x.y.z: The audit log was cleared.  Subject:   Security ID: S-1-5-21-123456789-123456789-123456789-1155   Account Name: TestUser   Domain Name: TestDomain   Logon ID: 0x3CEF5C2","program_name":"WinEvtLog","id":"1102","status":"INFORMATION","data":"Microsoft-Windows-Eventlog","system_name":"Agent11.x.y.z","account_name":"TestUser","logon_id":"","decoder":{"parent":"windows","name":"windows"},"location":"WinEvtLog"}


It just does not appear in the alert logs.
So surely this should work? I'm sure it's something simple; I just need a hint in the right direction.

Thanks again,
Alex

Pedro Sanchez

Mar 13, 2017, 7:54:55 AM
to Alex Martin, Wazuh mailing list
Hi Alex,

We typically use the "ossec-logtest" tool, located in the /var/ossec/bin folder. It will give you a good picture of what is happening in the decoding process. I pasted your raw log (full_log) into that tool:



2017 Mar 12 22:35:17 WinEvtLog: Security: INFORMATION(1102): Microsoft-Windows-Eventlog: (no user): no domain: Agent11.x.y.z: The audit log was cleared.  Subject:   Security ID: S-1-5-21-123456789-123456789-123456789-1155   Account Name: TestUser   Domain Name: TestDomain   Logon ID: 0x3CEF5C2

**Phase 1: Completed pre-decoding.
       full event: '2017 Mar 12 22:35:17 WinEvtLog: Security: INFORMATION(1102): Microsoft-Windows-Eventlog: (no user): no domain: Agent11.x.y.z: The audit log was cleared.  Subject:   Security ID: S-1-5-21-123456789-123456789-123456789-1155   Account Name: TestUser   Domain Name: TestDomain   Logon ID: 0x3CEF5C2'
       hostname: 'ubuntu5'
       program_name: 'WinEvtLog'
       log: 'Security: INFORMATION(1102): Microsoft-Windows-Eventlog: (no user): no domain: Agent11.x.y.z: The audit log was cleared.  Subject:   Security ID: S-1-5-21-123456789-123456789-123456789-1155   Account Name: TestUser   Domain Name: TestDomain   Logon ID: 0x3CEF5C2'
**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: '1102'
       extra_data: 'Microsoft-Windows-Eventlog'
       dstuser: '(no user)'
       system_name: 'Agent11.x.y.z'
       account_name: 'TestUser'
       logon_id: ''
**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'


As you can see, there is a decoder for that event (decoder: windows), and there is also a default rule grouping those events, ID 18101, but it has level 0 by default, meaning that no alert will be generated.
You could increase the rule level (not recommended, too noisy) or create another rule based on 18101 (using if_sid) with a higher rule level.


Best regards,
Pedro Sanchez.
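A local rule along the lines Pedro suggests, as an added example rather than code from either poster or from the Wazuh ruleset: a child of rule 18101 (where ossec-logtest showed this event landing) that fires at level 9 when the decoded id is 1102. The rule id 100100 and the file path /var/ossec/etc/local_rules.xml are assumptions; rule 18118 never matched because its parent is 18104, not because of its `<id>` pattern, which already covers 1102.

```xml
<!-- Added example, not from the thread or the Wazuh ruleset.
     Assumed file: /var/ossec/etc/local_rules.xml -->
<group name="windows,local,">
  <!-- 100100 is an assumed id in the custom-rule range (100000 and up). -->
  <rule id="100100" level="9">
    <!-- Parent is 18101 (Windows informational event), which is where
         ossec-logtest placed this Security log entry, not 18104 as the
         built-in rule 18118 expects. -->
    <if_sid>18101</if_sid>
    <!-- The windows decoder puts the Event ID into the "id" field;
         1102 is "The audit log was cleared". -->
    <id>^1102$</id>
    <description>Windows Security audit log was cleared.</description>
    <group>logs_cleared,pci_dss_10.6.1,</group>
  </rule>
</group>
```

After restarting the manager (/var/ossec/bin/ossec-control restart), paste the same full_log line into ossec-logtest again: Phase 3 should now report rule id 100100 at level 9 instead of 18101 at level 0, and the event will be written to the alert log.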

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2ec0d01d-5522-4b53-9e25-e99a0870535d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.