No Geo Location Data for Windows Event Channel

[Bradley King]

Hi everyone would really appreciate some pointers with this.

I've noticed that Windows events that match the EventChannel decoder don't seem to be passing Geo Location information, see an example log below:

 @timestamp         May 24th 2019, 13:21:01.580

t  _id       UUrJ6WoBM1zl5SgvnBW5

t  _index       wazuh-alerts-3.x-2019.05.24

#  _score     - 

t  _type       wazuh

t  agent.id         548

t  agent.ip         HIDDEN

t  agent.labels.is_group_default         true

t  agent.labels.threat_response_enabled         false

t  agent.name         HIDDEN

t  beat.hostname         HIDDEN

t  beat.name         HIDDEN

t  beat.version         5.6.8

t  data.EventChannel.EventData.AuthenticationPackageName         NTLM

?  data.EventChannel.EventData.FailureReason         %%2313

t  data.EventChannel.EventData.IpAddress         -

t  data.EventChannel.EventData.IpPort         -

t  data.EventChannel.EventData.KeyLength         0

t  data.EventChannel.EventData.LmPackageName         -

t  data.EventChannel.EventData.LogonProcessName         NtLmSsp

t  data.EventChannel.EventData.LogonType         3

t  data.EventChannel.EventData.ProcessId         0x0

t  data.EventChannel.EventData.ProcessName         -

?  data.EventChannel.EventData.Status         0xc000006d

?  data.EventChannel.EventData.SubStatus         0xc000006a

t  data.EventChannel.EventData.SubjectDomainName         -

t  data.EventChannel.EventData.SubjectLogonId         0x0

t  data.EventChannel.EventData.SubjectUserName         -

t  data.EventChannel.EventData.SubjectUserSid         S-1-0-0

t  data.EventChannel.EventData.TargetUserName         HIDDEN

t  data.EventChannel.EventData.TargetUserSid         S-1-0-0

t  data.EventChannel.EventData.TransmittedServices         -

t  data.EventChannel.System.Channel         Security

t  data.EventChannel.System.Computer         HIDDEN

t  data.EventChannel.System.EventID         4625

t  data.EventChannel.System.EventRecordID         113434359

t  data.EventChannel.System.Keywords         0x8010000000000000

t  data.EventChannel.System.Level         0

t  data.EventChannel.System.Message         An account failed to log on.

t  data.EventChannel.System.Opcode         0

t  data.EventChannel.System.ProcessID         648

t  data.EventChannel.System.ProviderGuid         {54849625-5478-4994-A5BA-3E3B0328C30D}

t  data.EventChannel.System.ProviderName         Microsoft-Windows-Security-Auditing

t  data.EventChannel.System.SeverityValue         AUDIT_FAILURE

t  data.EventChannel.System.SystemTime         2019-05-24T12:21:00.074272000Z

t  data.EventChannel.System.Task         12544

t  data.EventChannel.System.ThreadID         964

t  data.EventChannel.System.Version         0

t  decoder.name         windows_eventchannel

t  host         HIDDEN

t  id         1558700461.3720120225

t  location         EventChannel

t  manager.name         HIDDEN

t  rule.description         Windows: Logon Failure - UNKNOWN user  or bad password.

#  rule.firedtimes         9,467

t  rule.gdpr         IV_35.7.d, IV_32.2

t  rule.gpg13         7.1

t  rule.groups         windows

t  rule.id         20065

t  rule.info         http://www.ultimatewindowssecurity.com/events/com190.html

#  rule.level         5

 rule.mail         false

t  rule.pci_dss         10.2.4, 10.2.5

t  source         /var/ossec/logs/alerts/alerts.json

t  tags         ossec, THMON-RABMQ-01, beats_input_raw_event, _geoip_lookup_failure

I can see that the tag _geoip_lookup_failure has been added by wazuh?

Any ideas on where to troubleshoot this?

Thanks!

[Cristina Garrido López]

Hi Bradley,

On Windows, the geo location is obtained from a Logstash filter which uses the IP contained in the field win.eventdata.ipAddress of the event, if this field comes empty there is no possibility of geolocalizing it, that is why the tag _geoip_lookup_failure is being added.

Could you tell me which Wazuh version are you using on both manager and agent?

Kind regards,

Cristina