Forwarded Windows Event log monitoring


Jake Peltz

Oct 18, 2022, 3:56:07 PM
to Wazuh mailing list
We're using log forwarding subscriptions that send the forwarded logs to an internal syslog server, and then send that output to Wazuh, because we would like to avoid installing agents on all servers. Are there any decoders that will work with Windows event logs in syslog format? I can see the syslog data in archives.log when I enable logall in ossec.conf, but Wazuh doesn't recognize it as a Windows event log, so it doesn't know what to do with it. I've started building my own custom decoders, but it seems like I'd need a child decoder for pretty much every event ID I'm interested in, which is not ideal.

Using the agent on the server with the log forwarding subscriptions seems like a better option, so I added a local file section in the client ossec.conf:

  <localfile>
    <location>Forwarded Events</location>
    <log_format>eventchannel</log_format>
  </localfile>

to try and capture the 'Forwarded Events' log, but I'm getting the following error in the client ossec.log:

wazuh-agent: ERROR: Could not EvtSubscribe() for (Forwarded Events) which returned (15007)

Any advice would be appreciated.

Thanks

Mauricio Ruben Santillan

Oct 18, 2022, 5:19:15 PM
to Wazuh mailing list
Hello!

For starters, thanks for using Wazuh!

Now, about your doubts here. Unfortunately, the ruleset included in Wazuh for Windows events will only work if the events are collected by the Wazuh Agent. You would need to change the entire Windows ruleset for it to work, and it will be easier to just install an agent on such a Windows endpoint or to create [custom decoders and rules](https://documentation.wazuh.com/current/user-manual/ruleset/custom.html) for your syslog events.

Now, if you were to use a Wazuh Agent to collect these events, you would need to set the correct `location` in your `localfile` module.
To get the correct location, you need to go to the Windows Event Viewer, search for the event you're attempting to ingest, open it and check its `Details` in `XML view`. There, the field `channel` contains the location you need to set.
For example, in order to fetch events with eventID = 4798, I would need to set a `localfile` module with "Security" as location:
[screenshot omitted: Event Viewer XML view showing the Channel field for event ID 4798]
This is just an example (the "Security" channel is monitored by default by the Wazuh Agent with a query, along with the "Application" and "System" channels).

You can check the Windows channels and providers that Wazuh currently has rules for here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#available-channels-and-providers

If you add a channel not listed there, you will surely need to create some custom rules for your events.


I hope this helps! Let me know how it goes!
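The "check the Channel field, then put it in <location>" procedure from the reply above can be scripted on the collector itself. The following PowerShell is an added example written for this page, not code from the thread or from the Wazuh project. It assumes it is run on the Windows host that holds the forwarding subscription, with rights to read the channels involved; `Get-WazuhChannelName`, `Get-ChannelFromEvent` and `New-WazuhLocalfile` are names chosen here, not Wazuh or Windows commands. One fact it relies on: the channel that the Event Viewer tree labels "Forwarded Events" is registered as `ForwardedEvents`, and Windows error 15007 is ERROR_EVT_CHANNEL_NOT_FOUND, so a `<location>` that does not match a registered channel name is exactly what produces the EvtSubscribe() error quoted in the question.

```powershell
# Added example for this thread, not Wazuh's own tooling. Run on the collector host.

function Get-WazuhChannelName {
    # Resolve a user-typed channel label to the registered channel name that
    # <location> must contain. The Event Viewer shows "Forwarded Events" in its
    # tree, but the channel itself is registered as "ForwardedEvents".
    param([Parameter(Mandatory)][string]$Name)

    foreach ($candidate in @($Name, ($Name -replace '\s', ''))) {
        # -ListLog takes a channel name; a non-existent name yields nothing here.
        $log = Get-WinEvent -ListLog $candidate -ErrorAction SilentlyContinue
        if ($log) { return $log.LogName }
    }
    throw "No registered event channel matches '$Name'; EvtSubscribe() on it fails with 15007 (ERROR_EVT_CHANNEL_NOT_FOUND)."
}

function Get-ChannelFromEvent {
    # The scripted form of "open the event, Details, XML view, read <Channel>":
    # pull one event (optionally a specific event ID) and return its Channel field.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$EventId
    )
    $filter = @{ LogName = $LogName }
    if ($EventId) { $filter.Id = $EventId }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
    return ([xml]$evt.ToXml()).Event.System.Channel
}

function New-WazuhLocalfile {
    # Emit the <localfile> block for ossec.conf. An optional XPath <query> lets
    # you restrict the subscription, as the agent already does for Security.
    param(
        [Parameter(Mandatory)][string]$Channel,
        [string]$Query
    )
    $queryLine = if ($Query) { "`n    <query>$Query</query>" } else { '' }
    return @"
  <localfile>
    <location>$Channel</location>
    <log_format>eventchannel</log_format>$queryLine
  </localfile>
"@
}

# Usage on the collector: resolves "Forwarded Events" to ForwardedEvents and
# prints the block to paste into the agent's ossec.conf. The query shown is a
# constructed example that keeps only forwarded Security events with ID 4798.
$channel = Get-WazuhChannelName -Name 'Forwarded Events'
New-WazuhLocalfile -Channel $channel -Query 'Event/System[EventID=4798]'

# Same check for a local event: for ID 4798 this returns "Security",
# matching the reply's screenshot.
Get-ChannelFromEvent -LogName 'Security' -EventId 4798
```

Two caveats a practitioner will hit: reading the Security channel (and, depending on the collector's ACLs, ForwardedEvents) requires membership in Event Log Readers or an elevated shell, and events that arrive through a subscription keep the Channel of their origin (for example `Security`) in their XML while being stored in `ForwardedEvents`, so the `<location>` must be the channel the events are stored in on the collector, not the one named inside each event.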