Agent flooding because of rules 60107, 18108 and 18151


Esdras Nicolás Rodríguez Lantigua

May 10, 2023, 4:00:24 PM
to Wazuh mailing list
Greetings,

I'm facing an issue with my Wazuh manager and agents.

All my agents are alerting about "Failed attempt to perform privileged operation" when using apps like Chrome or the Rocket.Chat Desktop app.

The log I'm receiving says:

Service:  Server: Security  Service Name: -  Process:  Process ID: 0x2130  Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  Service Request Information:  Privileges:  SeProfileSingleProcessPrivilege

I'm wondering if there is a way to avoid agents sending alerts for the specific rules listed in the title of this conversation, since these alerts are causing all my agents to flood and loading my network.

Thanks in advance.

Emiliano Zorn

May 10, 2023, 6:09:24 PM
to Wazuh mailing list

Hello Esdras!

There are two ways to override or mute these alerts.
If you are working with Windows environments, you can do it from the agent configuration: first detect the event you want to cancel, and then include it in the agent configuration, in the ossec.conf.
For example, this section cancels the sending of alerts related to some EventID:

[image: Screenshot_2.png]

Find more in this link.

The other way is to lower the level of the alerts mentioned above.

You will have to modify them with the use of overwrite, here is documentation that explains how to do this: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

For rules 60107, 18108 and 18151, you should lower the rule level to 0, 1 or 2, since all rules above level 3 are displayed on the Wazuh Dashboard.

For example:

[image: Screenshot_1.png]

Let me know if you have any doubt.
Regards.
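Both options from the answer above, written out as configuration. This is an added example, not the screenshots or configuration from the original thread. It assumes the "Failed attempt to perform privileged operation" log in the question is Windows Security Event ID 4673 ("A privileged service was called"), which carries the "Service Request Information / Privileges" fields seen in the log; confirm the ID in the raw event before using it. The `<if_sid>` and `<field>` conditions inside the overwrite rule are an assumption about how the stock rule 60107 is written and must be copied from the ruleset file shipped with your Wazuh version.

```xml
<!-- Option 1: stop the agent from forwarding the event at all.
     Goes in the Windows agent's ossec.conf (or a centralized agent.conf
     group), in the existing Security channel <localfile>.
     Assumption: the noisy event is Security Event ID 4673; the default
     ossec.conf already has a <query> with exclusions, so append
     "and EventID != 4673" to that query instead of adding a second
     Security <localfile>. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- XPath-style filter: every Security event except ID 4673 is still collected -->
  <query>Event/System[EventID != 4673]</query>
</localfile>

<!-- Option 2: keep collecting the event on the manager but drop the alert
     level below the dashboard threshold. Goes in
     /var/ossec/etc/rules/local_rules.xml on the manager.
     overwrite="yes" replaces the whole stock rule, so its original match
     conditions must be reproduced here; the <if_sid> and <field> lines are
     assumed values and must be copied from the shipped ruleset. -->
<group name="local,windows,">
  <rule id="60107" level="2" overwrite="yes">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4673$</field>
    <description>Windows: failed attempt to perform a privileged operation (level lowered).</description>
  </rule>
  <!-- Repeat the same pattern for rules 18108 and 18151, copying each
       rule's original conditions before lowering its level. -->
</group>
```

Option 1 is the one that actually reduces the traffic the question complains about, because the agent never sends the event; option 2 only hides the alert on the dashboard while the manager still receives and processes every event. After changing local_rules.xml, feed one of the offending events through /var/ossec/bin/wazuh-logtest on the manager to confirm the overwritten rule still matches it and now fires at the lowered level, then restart the manager.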