Wazuh email from agent


Neil Govender

Feb 21, 2019, 3:46:25 AM
to Wazuh mailing list
Good day

OK. I am new to Wazuh. Recently installed and configured.

The default configuration seems to be working fine. I receive alerts.

As a test I tried to initiate the following:

To get an alert for Windows logon from my Domain controller.

The event ID is 4624.

1) Firstly I tried adding a rule to local_rules.xml as below:

 <rule id="18107" level="10" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
  </rule>

2) Secondly I modified the ossec.conf as below:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID = 4624]</query>
</localfile>
 
<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/Security[EventID = 4624]</query>
</localfile>


3) I also tried editing the ossec.conf on the agent by adding the above rule.


I can't seem to get custom rules to work.

Please assist.


Thanks





Juan Carlos Rodríguez

Feb 21, 2019, 7:03:14 AM
to Wazuh mailing list

Hi Neil,

I don’t think you need to create a custom rule for this since Wazuh implements it natively. In your case, you are looking for rules 18107 or 20007, which are found in /var/ossec/ruleset/rules/0220-msauth_rules.xml and are as follows.

  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
  </rule>
  <rule id="20007" level="3">
    <if_sid>20004</if_sid>
    <field name="EventChannel.System.EventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success</description>
    <options>no_full_log</options>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
  </rule>

If in spite of this you still want a custom rule to change, for example, the level of the alert, I'll briefly explain the process to create and test them:

Copy the original rule and paste the code into /var/ossec/etc/rules/local_rules.xml, modify the level value, and add overwrite="yes" to indicate that this rule is overwriting an already defined rule, e.g.:

  <rule id="18107" level="10" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
  </rule>

Then, to test it, run the tool /var/ossec/bin/ossec-logtest and paste a proper Windows event log.

In our documentation, you can find more information: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html and https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

On the other hand, I see that you have tried to edit the configuration of the manager, but that is not where this is configured. To collect, for example, Windows events from an agent, you need to edit the ossec.conf of the Windows agent. In addition, the default configuration of a Windows agent is already configured to collect these events. You can find this code in the ossec.conf:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]</query>
  </localfile>

Therefore, everything is natively configured to generate these alerts. Here is an alert generated by this rule:

{"timestamp":"2019-02-21T11:33:42.456+0000","rule":{"level":3,"description":"Windows Logon Success","id":"20007","firedtimes":10,"mail":false,"groups":["windows","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"]},"agent":{"id":"002","name":"windows"},"manager":{"name":"master"},"id":"1550748822.16228431","cluster":{"name":"wazuh","node":"node01"},"decoder":{"name":"windows_eventchannel"},"data":{"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","EventID":"4624","Version":"2","Level":"0","Task":"12544","Opcode":"0","Keywords":"0x8020000000000000","SystemTime":"2019-02-21T11:33:41.705610500Z","EventRecordID":"35382","ProcessID":"764","ThreadID":"3804","Channel":"Security","Computer":"DESKTOP-GDPBOU6","SeverityValue":"AUDIT_SUCCESS","Message":"Se inició sesión correctamente en una cuenta."},"EventData":{"SubjectUserSid":"S-1-5-18","SubjectUserName":"DESKTOP-GDPBOU6$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-18","TargetUserName":"SYSTEM","TargetDomainName":"NT AUTHORITY","TargetLogonId":"0x3e7","LogonType":"5","LogonProcessName":"Advapi","AuthenticationPackageName":"Negotiate","LogonGuid":"{00000000-0000-0000-0000-000000000000}","KeyLength":"0","ProcessId":"0x2ec","ProcessName":"C:\\Windows\\System32\\services.exe","ImpersonationLevel":"%%1833","VirtualAccount":"%%1843","TargetLinkedLogonId":"0x0","ElevatedToken":"%%1842"}}},"location":"EventChannel"}

Check your settings again and let us know the results.

Regards,
Juan Carlos

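The procedure above (copy the stock rule into local_rules.xml, change the level, add overwrite="yes", then test) is easy to get subtly wrong: a repeated id without overwrite="yes" is not a valid redefinition, and an overwrite of 18107 only touches the older eventlog format, whereas the alert quoted in the reply was raised by rule 20007 through the windows_eventchannel decoder. The following is an added example, not code from the thread or from the Wazuh project: a small Python linter that merges a local_rules.xml over the stock rules the way the manager does and reports these mistakes before you restart anything. The base rules are the two quoted in the reply; the local rules, the `<group name="...">` wrappers and the rule id 1000 are constructed for the example. The custom-rule id range 100000-119999 is the range Wazuh reserves for user rules.

```python
"""Added example: simulate how Wazuh merges local_rules.xml over the stock
ruleset so the effect of overwrite="yes" can be checked offline.
Not the manager's own code; base/local XML below are constructed for the example."""
import xml.etree.ElementTree as ET

# Constructed from the reply: the two stock rules from 0220-msauth_rules.xml.
# The <group name="..."> wrapper is required by the rule file format; its name is
# an assumption for this example.
BASE_RULES_XML = """<group name="windows,">
  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
  </rule>
  <rule id="20007" level="3">
    <if_sid>20004</if_sid>
    <field name="EventChannel.System.EventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success</description>
    <options>no_full_log</options>
  </rule>
</group>"""

# Constructed local_rules.xml. The alert in the reply fired rule 20007
# (decoder windows_eventchannel), so for an agent using log_format eventchannel
# that is the rule to overwrite. Rule 18107 is repeated here WITHOUT overwrite,
# and rule 1000 uses an id outside the custom range, to show both being flagged.
LOCAL_RULES_XML = """<group name="local,">
  <rule id="20007" level="10" overwrite="yes">
    <if_sid>20004</if_sid>
    <field name="EventChannel.System.EventID">^528$|^540$|^673$|^4624$|^4769$</field>
    <description>Windows Logon Success</description>
    <options>no_full_log</options>
  </rule>
  <rule id="18107" level="10">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
  </rule>
  <rule id="1000" level="5">
    <if_sid>20004</if_sid>
    <description>Custom rule with an id outside the reserved range</description>
  </rule>
</group>"""

# Id range Wazuh reserves for user-defined rules.
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 119999


def parse_rules(xml_text):
    """Return {rule_id: {'level': int, 'overwrite': bool, 'if_sid': str|None}}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        rules[rid] = {
            "level": int(rule.get("level")),
            "overwrite": (rule.get("overwrite") or "no").lower() == "yes",
            "if_sid": (rule.findtext("if_sid") or "").strip() or None,
        }
    return rules


def merge_rules(base_xml, local_xml):
    """Apply local rules on top of the base set: overwrite="yes" replaces an
    existing id, anything else must be a new id in the custom range.
    Returns (merged_rules, problems)."""
    base = parse_rules(base_xml)
    merged = dict(base)
    problems = []
    for rid, rule in parse_rules(local_xml).items():
        if rule["overwrite"]:
            if rid not in base:
                problems.append(f'rule {rid}: overwrite="yes" but no stock rule has that id')
                continue
            merged[rid] = rule
        elif rid in base:
            # A repeated id without overwrite is reported, not silently applied.
            problems.append(f'rule {rid}: duplicates a stock rule id without overwrite="yes"')
        else:
            if not CUSTOM_ID_MIN <= rid <= CUSTOM_ID_MAX:
                problems.append(f'rule {rid}: custom rule ids should be {CUSTOM_ID_MIN}-{CUSTOM_ID_MAX}')
            merged[rid] = rule
    return merged, problems


def effective_level(merged, rule_id):
    """Alert level the manager would use for rule_id after the merge."""
    return merged[rule_id]["level"]


if __name__ == "__main__":
    merged, problems = merge_rules(BASE_RULES_XML, LOCAL_RULES_XML)
    print("rule 20007 level:", effective_level(merged, 20007))
    print("rule 18107 level:", effective_level(merged, 18107))
    for problem in problems:
        print("problem:", problem)
```

Run it on your own files by replacing the two inline strings with the contents of 0220-msauth_rules.xml and local_rules.xml; an empty problem list and the expected levels are the signal to restart the manager and confirm with ossec-logtest.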

Juan Carlos Rodríguez

Apr 5, 2019, 4:12:43 AM
to Wazuh mailing list
Hi Neil,

I guess your problem's finally solved. If you have any other questions, do not hesitate to contact us.

Kind regards.
Juan Carlos.