Help me..configure event ID !

699 views

Huy Nguyễn

Jan 16, 2022, 9:55:29 PM1/16/22
to Wazuh mailing list
I want to add a Windows event ID; how do I configure it? (For example, adding ID 4656.)

Thanks so much!

Nicolas Oscar Lastra

Jan 17, 2022, 7:27:11 PM1/17/22
to Wazuh mailing list
Hi @ Buinhu...

If you need to go deeper into the options you have for generating rules for Windows events, I recommend the following section of the documentation.
On Windows agents, the configuration file is at C:\Program Files (x86)\ossec-agent\ossec.conf. It is recommended to back up this file before making changes to it; a configuration error may prevent the Wazuh services from starting up.
About your case, "configure event ID 4656": you can use the query inside the localfile block to choose which specific events are forwarded.

Below are few examples:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- XPath filter on the Security channel: forward only event ID 4656 -->
  <query>Event/System[EventID = 4656]</query>
</localfile>
I hope I have been helpful. Please do not hesitate to ask any questions you may have. 
Best regards,
Nikos
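As an added example (not part of the thread, and not Wazuh's own shipped configuration), here is a complete agent-side localfile block that forwards only a chosen set of Security event IDs. The three IDs are illustrative; the point is the operator: an event carries exactly one EventID, so an include list must be joined with `or`, while an exclude list of `EventID != ...` terms is joined with `and`.

```xml
<!-- Added example, not from the thread: Windows agent ossec.conf fragment that
     forwards only the listed Security event IDs. The ID list is illustrative. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Include list: joined with "or". Writing "EventID = 4656 and EventID = 4663"
         can never match, because a single event has a single EventID.
         To exclude IDs instead, use "EventID != 5145 and EventID != 5156 ..." -->
    <query>Event/System[EventID = 4656 or EventID = 4663 or EventID = 4688]</query>
  </localfile>
</ossec_config>
```

Two checks before deploying this: first, run the same XPath against the local log with PowerShell (`Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4656]]' -MaxEvents 5`) to confirm the filter is syntactically valid and that matching events actually exist; second, remember that 4656 (a handle to an object was requested) is only written when the relevant Object Access audit subcategories are enabled and the object has a SACL, and that it is a high-volume event, which is why Wazuh's default query filters it out. Back up ossec.conf first, as the reply above says, and restart the agent service after editing.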

Huy Nguyễn

Jan 18, 2022, 4:03:36 AM1/18/22
to Wazuh mailing list
Thank you for...
On the Wazuh server, do I need to configure a rule or a decoder?

On Tuesday, January 18, 2022 at 07:27:11 UTC+7, nicolas...@wazuh.com wrote:

Nicolas Oscar Lastra

Jan 18, 2022, 9:50:50 AM1/18/22
to Wazuh mailing list
Hi @ Buinhu...

Checking again, I want to correct the information I sent you about the change.

There is a previous configuration, already established by Wazuh as the default. That configuration cancels the reading of 4656 events.
Disregard the previous change I sent you, and modify the default configuration instead.

I attach the example with the change in the default configuration:


  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Default exclusion list with EventID != 4656 removed, so 4656 is now forwarded -->
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and
      EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and
      EventID != 5157]</query>
  </localfile>

I hope I have been helpful. Please do not hesitate to ask any questions you may have.
Best regards,
Nikos


Huy Nguyễn

Jan 19, 2022, 2:13:59 AM1/19/22
to Wazuh mailing list
Hi Nikos,
Thank you for supporting me.
I want to ask: when I add the ID, do I need to configure anything on the Wazuh server,
or just configure it in the ossec.conf file?
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Include list of event IDs: the terms must be joined with "or" (an event has
         a single EventID, so "EventID = 4624 and EventID = 4625" never matches) -->
    <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4608 or
      EventID = 4609 or EventID = 4720 or EventID = 4722 or EventID = 4732 or
      EventID = 4733 or EventID = 4735 or EventID = 4738 or EventID = 4648 or
      EventID = 4657 or EventID = 4698 or EventID = 4700 or EventID = 4726]</query>
  </localfile>
If I add ID 4656, will there be a warning on the Wazuh server?
(On the Wazuh server, I want to raise the level of ID 4656 to 7; how can I do that?)
Thanks very much!

On Tuesday, January 18, 2022 at 21:50:50 UTC+7, nicolas...@wazuh.com wrote:
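The last post asks two things the thread never answers: whether the server needs a new rule or decoder, and how to make event 4656 alert at level 7. No custom decoder is needed, because Wazuh's built-in windows_eventchannel decoder already parses the event into fields such as win.system.channel and win.system.eventID; only a rule is needed to change the level. As an added example (not from the thread and not one of Wazuh's shipped rules), here is a local rule that does that. It assumes the default Windows rules tag their matches with the group "windows" (so the rule attaches beneath them via if_group), and the rule ID 100100 is an arbitrary pick from the custom range 100000 to 120000.

```xml
<!-- Added example, not from the thread: /var/ossec/etc/rules/local_rules.xml on the
     Wazuh manager. Raises Security event 4656 to alert level 7.
     Assumptions: built-in Windows rules carry the "windows" group; rule ID 100100
     is free in the local range. -->
<group name="windows,local,">
  <rule id="100100" level="7">
    <!-- Attach under the built-in Windows rules; the windows_eventchannel decoder
         has already populated win.system.* so no custom decoder is required. -->
    <if_group>windows</if_group>
    <!-- Anchored regexes: match exactly this channel and exactly this event ID -->
    <field name="win.system.channel">^Security$</field>
    <field name="win.system.eventID">^4656$</field>
    <description>Windows Security: a handle to an object was requested (event 4656)</description>
  </rule>
</group>
```

After saving the file, restart wazuh-manager and verify with `/var/ossec/bin/wazuh-logtest` by pasting a 4656 event captured from the agent: the output should show rule 100100 at level 7. If a built-in rule is still reported instead, replace the if_group with an if_sid naming that rule's id (the rule.id shown in the alert), so the custom rule is evaluated as its child. Two caveats: the rule only fires if the agent actually forwards 4656, that is, `EventID != 4656` has been removed from the agent's default exclusion query; and level 7 is above the manager's default log_alert_level of 3, so every 4656 will be written to alerts.json, which on a busy file server can be a large volume. Consider narrowing the rule further, for example on win.eventdata.objectName, before enabling it fleet-wide.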