User Information Not Fetching by Wazuh Alerts


Prajapati Hitesh

Jan 31, 2023, 7:01:29 AM
to Wazuh mailing list
Hi,

I am not getting the user name if any software is installed or uninstalled on the server. I am getting the alert by email, but the user name is not displayed. The alert email below is for your reference. Also, I have attached my server log snip in which the user name is displayed.



@timestamp: Jan 31, 2023 @ 15:24:24.072
(field name missing in extract): 722
agent.ip: 10.1.1.122
(field name missing in extract): SQL162017
data.win.eventdata.binary: 7B34303532353244432D414446372D344243382D393546352D4638394445353133444436327D
data.win.eventdata.data: Product: Microsoft SQL Server 2017 Setup (English) -- Removal completed successfully.
data.win.system.channel: Application
data.win.system.computer:
data.win.system.eventID: 11724
data.win.system.eventRecordID: 51969
data.win.system.keywords: 0x80000000000000
data.win.system.level: 4
data.win.system.message: "Product: Microsoft SQL Server 2017 Setup (English) -- Removal completed successfully."
data.win.system.providerName: MsiInstaller
data.win.system.severityValue: INFORMATION
data.win.system.systemTime: 2023-01-31T09:54:24.000000000Z
data.win.system.task: 0
(field name missing in extract): windows_eventchannel
id: 1675158864.1294764985
input.type: log
location: EventChannel
(field name missing in extract): wazuh01
rule.description: Application Uninstalled Product: Microsoft SQL Server 2017 Setup (English) -- Removal completed successfully.
rule.firedtimes: 121
rule.groups: local, syslog, sshd
(field name missing in extract): 60611
rule.level: 11
rule.mail: true
timestamp: Jan 31, 2023 @ 15:24:24.072
SQLsrv.jpg

Carlos Dams

Jan 31, 2023, 8:28:03 AM
to Wazuh mailing list
Hi Prajapati,
Thanks for using Wazuh!

This information is not brought to Wazuh with that specific event ID; there is an issue created to address that bug: https://github.com/wazuh/wazuh/issues/4439

In the meantime, to find that same event quickly on the Windows host where the application was installed or uninstalled, you can copy the data.win.eventdata.binary value from the event that you see in the Wazuh Dashboard, go to the Application channel of the Event Viewer, under Actions on the right side click on "Find…" and enter the copied information. You will be able to quickly locate the events associated with the data.win.eventdata.binary value.
BinaryEventID.jpg

I hope you find this information useful.
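The data.win.eventdata.binary value Carlos points at is the hex-encoded ASCII of the MSI ProductCode GUID, which is what you paste into the Event Viewer Find dialog. As an added example (not Wazuh's code and not from this thread), the script below takes an alert document, constructed here from the fields quoted in the original post, and recovers that GUID, returning None whenever the field does not decode to a braced GUID so nothing acts on a half-decoded string.

```python
import json
import re
from typing import Optional

# Braced GUID as MsiInstaller writes the ProductCode: {8-4-4-4-12} hex digits.
_GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def decode_msi_binary(hex_blob: str) -> Optional[str]:
    """Decode the hex Binary field of an MsiInstaller event into its ProductCode."""
    try:
        text = bytes.fromhex(hex_blob.strip()).decode("ascii")
    except ValueError:  # odd length, non-hex digit, or non-ASCII byte
        return None
    text = text.rstrip("\x00")  # tolerate NUL padding on the payload
    return text if _GUID_RE.match(text) else None


def product_code_from_alert(alert: dict) -> Optional[str]:
    """Return the ProductCode from a Wazuh Windows event-channel alert, if any."""
    win = alert.get("data", {}).get("win", {})
    # Only MsiInstaller events carry a ProductCode in the Binary field.
    if win.get("system", {}).get("providerName") != "MsiInstaller":
        return None
    blob = win.get("eventdata", {}).get("binary")
    return decode_msi_binary(blob) if isinstance(blob, str) else None


# Constructed alert mirroring the fields quoted in the original post.
SAMPLE_ALERT = json.loads("""{
  "agent": {"ip": "10.1.1.122"},
  "data": {"win": {
    "system": {"channel": "Application", "eventID": "11724",
               "providerName": "MsiInstaller", "eventRecordID": "51969"},
    "eventdata": {
      "binary": "7B34303532353244432D414446372D344243382D393546352D4638394445353133444436327D",
      "data": "Product: Microsoft SQL Server 2017 Setup (English) -- Removal completed successfully."}
  }},
  "rule": {"level": 11, "description": "Application Uninstalled Product: Microsoft SQL Server 2017 Setup (English) -- Removal completed successfully."}
}""")

if __name__ == "__main__":
    # Prints the GUID to search for in the Application channel of Event Viewer.
    print(product_code_from_alert(SAMPLE_ALERT))
```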

Prajapati Hitesh

Jan 31, 2023, 11:21:52 AM
to Wazuh mailing list
Hi Carlos,

Yes, I am able to search the event on the server as you mentioned. Please help with how I can resolve the user ID not being found in the Wazuh mail alert, because from your reference link I am not able to find winevtchannel.c on my Wazuh server.

Carlos Dams

Feb 1, 2023, 3:11:30 PM
to Wazuh mailing list
Hi Prajapati,

The winevtchannel.c is the decoder used by the Wazuh manager for events coming from the Windows event channels; it is integrated in the source code of the decoders in Wazuh, so you won't be able to edit it as a normal file on the backend.

Prajapati Hitesh

Feb 4, 2023, 7:49:53 AM
to Wazuh mailing list
So, can you guide me how to resolve this issue?