Windows Authentication failure don't show logged on security events on Wazuh


Jonathan Nuñez

Mar 16, 2020, 5:09:13 PM
to Wazuh mailing list
Hello Guys,

My WAZUH versions:
Version v3.11.3 Wazuh Manager and AGENT, this is my configuration on my AGENT:

<!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and EventID != 4625 and EventID != 4688 and EventID != 4611]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

My problem: I am attempting many credential failures on Windows to register the event, but these events don't show in the security events in the Wazuh dashboard.

Another config on the AGENT, same issue.

<!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

Thanks for your help.
Jonathan.

Antonio PV

Mar 17, 2020, 9:52:58 AM
to Wazuh mailing list
Hi Jonathan,

Just to make sure I understand, you mean there are no alerts when a remote connection is established or a physical connection logging?
Can you please send the EventID that you are seeing in those connections and the Windows version you are working with?
You can check the EventID in the Event-Viewer of Windows, `Windows Logs` -> `Security`.

I am working on this problem and I will get back to you as soon as possible.

Jonathan Nuñez

Mar 17, 2020, 5:40:21 PM
to Wazuh mailing list
Hello Antonio,

I detected the fault: the policies to record the events were not enabled.

Regards,
Jonathan.

Muhammad Noraiz

Nov 7, 2022, 3:14:04 PM
to Wazuh mailing list

Facing the same problem: the Wazuh agent running on Win10 is logging and sending all authentication_success attempts, but invalid_logins and failure_authentication attempts/events are not showing on the security events tab in the Wazuh dashboard.

Muhammad Noraiz

Nov 7, 2022, 3:17:26 PM
to Wazuh mailing list
@Jonathan Nuñez what solution have you found? Would you please share it? I am new to SIEM tech.

Mefisto Evil

May 2, 2023, 4:05:25 AM
to Wazuh mailing list
Hello, I have the same problem. Events with ID 4625 don't show up in security events, although in the Windows logs I can see them. What should I do? @Jonathan Nuñez said something about policies, but I don't get what I should enable.
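
Added example (not part of any post in this thread, and not Wazuh project code): the Security `<query>` posted in the first message lists `EventID != 4625`, so an agent using that filter does not collect the failed-logon events discussed here. This Python check parses a `<localfile>` fragment and reports which event IDs the query excludes; the function names and the `FIXED_CONF` variant are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Security <localfile> block as posted in the first message of this thread.
AGENT_CONF = """
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157 and EventID != 4625 and EventID != 4688 and EventID != 4611]</query>
</localfile>
"""

# Constructed variant: the same block with the 4625 exclusion taken out.
FIXED_CONF = AGENT_CONF.replace("EventID != 4625 and ", "")


def excluded_event_ids(conf_text, channel="Security"):
    """Return the EventIDs that eventchannel <query> filters exclude for a channel."""
    # Agent config may be a fragment with several top-level elements: wrap it.
    root = ET.fromstring(f"<root>{conf_text}</root>")
    dropped = set()
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip().lower()
        log_format = (lf.findtext("log_format") or "").strip().lower()
        if location != channel.lower() or log_format != "eventchannel":
            continue  # other channels, or blocks without an eventchannel query
        query = lf.findtext("query") or ""
        dropped.update(int(n) for n in re.findall(r"EventID\s*!=\s*(\d+)", query))
    return dropped


def filtered_out(conf_text, wanted=(4625,)):
    """Return the wanted EventIDs (default: 4625) that the agent query excludes."""
    return sorted(set(wanted) & excluded_event_ids(conf_text))


if __name__ == "__main__":
    for name, conf in (("posted", AGENT_CONF), ("fixed", FIXED_CONF)):
        hits = filtered_out(conf)
        print(f"{name}: " + (f"query excludes {hits}" if hits else "4625 is not excluded"))
```

Run it against the `<localfile>` section of the agent's own configuration to see whether the event ID you expect in the dashboard is being excluded before it leaves the host.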
