wazuh-agent error 15022
65 views
Skip to first unread message
Christopher Hunt
Sep 27, 2023, 2:02:13 PMSep 27
to Wazuh | Mailing List
Can anyone help me figure out:
2023/09/27 10:11:37 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Analytical'.
2023/09/27 10:11:37 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Analytical) which returned (15022)
2023/09/27 10:11:37 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Analytical) which returned (15022)
Other event channels are working. Config is like:
<localfile>
<location>Microsoft-Windows-DNSServer/Analytical</location>
<log_format>eventchannel</log_format>
</localfile>
<location>Microsoft-Windows-DNSServer/Analytical</location>
<log_format>eventchannel</log_format>
</localfile>
TIA
Chris
Sebastian Falcone
Sep 27, 2023, 2:16:33 PMSep 27
to Wazuh | Mailing List
Hello Chris, how are you doing?
Let me investigate a bit, I will be back with an update
Let me investigate a bit, I will be back with an update
Sebastian Falcone
Sep 27, 2023, 2:21:26 PMSep 27
to Wazuh | Mailing List
Let's be sure that Microsoft-Windows-DNSServer/Analytical is an available channel. For that execute:
> Get-WinEvent -ListLog *
We should see something like this:
LogMode MaximumSizeInBytes RecordCount LogName ------- ------------------ ----------- ------- Circular 20971520 59847 Application Circular 20000000 29339 Microsoft-Windows-Store/Operational Circular 20971520 21903 Security Circular 4194304 10098 Microsoft-Windows-GroupPolicy/Operational Circular 5242880 9568 Microsoft-Windows-StateRepository/Operational Circular 15728640 7066 Windows PowerShell Circular 5242880 4644 Microsoft-Windows-AppXDeploymentServer/Operational Circular 8388608 4114 Microsoft-Windows-SmbClient/Connectivity Circular 1052672 2843 Microsoft-Windows-EapHost/Operational Circular 1052672 2496 Microsoft-Client-Licensing-Platform/Admin
> Get-WinEvent -ListLog *
We should see something like this:
LogMode MaximumSizeInBytes RecordCount LogName ------- ------------------ ----------- ------- Circular 20971520 59847 Application Circular 20000000 29339 Microsoft-Windows-Store/Operational Circular 20971520 21903 Security Circular 4194304 10098 Microsoft-Windows-GroupPolicy/Operational Circular 5242880 9568 Microsoft-Windows-StateRepository/Operational Circular 15728640 7066 Windows PowerShell Circular 5242880 4644 Microsoft-Windows-AppXDeploymentServer/Operational Circular 8388608 4114 Microsoft-Windows-SmbClient/Connectivity Circular 1052672 2843 Microsoft-Windows-EapHost/Operational Circular 1052672 2496 Microsoft-Client-Licensing-Platform/Admin
Christopher Hunt
Sep 27, 2023, 2:48:32 PMSep 27
to Wazuh | Mailing List
NOTE: it requires the "-force" switch to show Debug and Analytical logs.
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
PS C:\Windows\system32> Get-WinEvent -ListLog *DNS* -force
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 104857600 89106 DNS Server
Circular 1052672 Microsoft-Windows-DNS-Client/Operational
Circular 1073741824 Microsoft-Windows-DNSServer/Analytical
Circular 104857600 136080 Microsoft-Windows-DNSServer/Audit
Circular 1052672 Microsoft-Windows-DNS-Client/Operational
Circular 1073741824 Microsoft-Windows-DNSServer/Analytical
Circular 104857600 136080 Microsoft-Windows-DNSServer/Audit
Christopher Hunt
Sep 27, 2023, 2:57:55 PMSep 27
to Wazuh | Mailing List
If i disable the Analytic log i can see events in the event viewer and fetch data with Get-WinEvent:
Get-WinEvent -logname Microsoft-Windows-DNSServer/Analytical -Oldest
9/27/2023 11:35:40 AM 261 Information RECURSE_RESPONSE_IN: TCP=0; Source=x.x.x.x; InterfaceIP=0.0.0...
9/27/2023 11:35:40 AM 257 Information RESPONSE_SUCCESS: TCP=0; InterfaceIP=x.x.x.x; Destination=...
9/27/2023 11:35:40 AM 257 Information RESPONSE_SUCCESS: TCP=0; InterfaceIP=x.x.x.x; Destination=...
9/27/2023 11:35:40 AM 257 Information RESPONSE_SUCCESS: TCP=0; InterfaceIP=x.x.x.x; Destination=...
9/27/2023 11:35:40 AM 257 Information RESPONSE_SUCCESS: TCP=0; InterfaceIP=x.x.x.x; Destination=...
Also, i am using a centralized config FWIW. ossec.log:
2023/09/27 11:39:08 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Standard [Ver: ...] - Wazuh v4.5.0).
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2023/09/27 11:39:08 wazuh-agent: WARNING: (1958): Log file 'C:\LOGS\dnslog.txt' is duplicated.
2023/09/27 11:39:08 wazuh-agent: WARNING: (1958): Log file 'Security' is duplicated.
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Operational'.
2023/09/27 11:39:08 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Operational) which returned (15007)
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2023/09/27 11:39:08 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'C:\LOGS\dnslog.txt'.
2023/09/27 11:39:09 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2023/09/27 11:39:09 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Analytical'.
2023/09/27 11:39:09 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Analytical) which returned (15022)
2023/09/27 11:39:09 wazuh-agent: INFO: Started (pid: 488).
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2023/09/27 11:39:08 wazuh-agent: WARNING: (1958): Log file 'C:\LOGS\dnslog.txt' is duplicated.
2023/09/27 11:39:08 wazuh-agent: WARNING: (1958): Log file 'Security' is duplicated.
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Operational'.
2023/09/27 11:39:08 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Operational) which returned (15007)
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2023/09/27 11:39:08 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2023/09/27 11:39:08 wazuh-agent: INFO: (1951): Analyzing event log: 'C:\LOGS\dnslog.txt'.
2023/09/27 11:39:09 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2023/09/27 11:39:09 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Analytical'.
2023/09/27 11:39:09 wazuh-agent: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Analytical) which returned (15022)
2023/09/27 11:39:09 wazuh-agent: INFO: Started (pid: 488).
On Wednesday, September 27, 2023 at 11:21:26 AM UTC-7 Sebastian Falcone wrote:
Christopher Hunt
Sep 29, 2023, 10:16:56 AMSep 29
to Wazuh | Mailing List
so
Microsoft-Windows-DNSServer/Analytical does appear to be an available channel, but I'm still getting error
15022. I have rebooted the server. Any ideas what that error message means or where it comes from?
Sebastian Falcone
Oct 3, 2023, 2:00:22 PMOct 3
to Wazuh | Mailing List
Hello Christopher, really sorry for the delay
The error 15022 means there is something wrong with one of your subscriptions in the log forwarder, this causes the Log Forwarder Service to not start
I've found a blog that seems to achieve a solution to this problem
The error 15022 means there is something wrong with one of your subscriptions in the log forwarder, this causes the Log Forwarder Service to not start
I've found a blog that seems to achieve a solution to this problem
Reply all
Reply to author
Forward
0 new messages