Duplicated Security Events (win logon/logoff)


trent wall

Nov 16, 2022, 1:49:01 PM
to Wazuh mailing list
Hello,

After installing a fresh copy of Wazuh I'm running into some strange things (not really issues), but I have two agents added right now. One is my PC and one is my VM. It looks like under each one of them they are showing thousands of events... There are over 2k Windows logon events, and it's been online for 2 days. I've signed in maybe 5 times? Either way, it appears the events are being duplicated, but I don't want to suppress these events as it's nice to have records of when users sign in/out.

Any help is appreciated!

Thanks,

Julia Magán Rodríguez

Nov 17, 2022, 5:36:43 AM
to Wazuh mailing list

Hello,

These events are not being duplicated by Wazuh, because if you check the events in Event Viewer, you can see that Windows actually logs all these events. For example, in the attached image, you can see all the events generated with a simple logoff and logon:

[Attached image: logoff-logon.png]

If you want to continue receiving these alerts, but less frequently, you can create a custom rule using <if_matched_sid>, so that you receive an alert when a previous one has been repeated more times. You can see more information here.

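A sketch of the kind of <if_matched_sid> rule the reply describes, as an added example that is not part of the original thread or of the Wazuh ruleset. It assumes the stock Windows logon-success rule is ID 60106 (confirm against the rule.id shown on your own alerts); the custom ID 100100, the thresholds and the description are illustrative.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the manager.
     Assumption: 60106 is the stock "Windows logon success" rule; check the
     rule.id field of the alerts you are actually seeing before using it. -->
<group name="windows,authentication_success,local,">

  <!-- Fires once the parent rule has matched `frequency` times within
       `timeframe` seconds for the same target account. The individual
       logon events are still recorded by the parent rule, so no sign-in
       history is lost; this rule only adds one summary alert.
       `ignore` keeps it quiet for 10 minutes after it fires. -->
  <rule id="100100" level="5" frequency="20" timeframe="300" ignore="600">
    <if_matched_sid>60106</if_matched_sid>
    <!-- Assumed field name, as decoded from the Windows eventchannel JSON. -->
    <same_field>win.eventdata.targetUserName</same_field>
    <description>High volume of Windows logon success events for $(win.eventdata.targetUserName)</description>
  </rule>

</group>
```

Restart the manager after editing the file so the rule is loaded, and tune frequency and timeframe against the event volume seen in Event Viewer.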