Rule id 18130 stopped working suddenly instead of 60122
103 views
Skip to first unread message
riiky devils
Sep 8, 2021, 11:50:12 PM9/8/21
to Wazuh mailing list
Hello Team,
I'm currently faced the issue rule id 18130 for secuity log failed logon stopped working and not generating alert from 3 days ago.
but after I checked there was a failed logon log with rule id 60122 which same function of rule id 18130 and generated the alert in last 24 hours
There is ossec.conf that included eventlog from localfile
The main reason i need eventlog because I need an active response rule to block the attempt srcip which can't be done with an eventchannel that doesn't have a srcip field
How can i trace this issue?
Thank You,
I'm currently faced the issue rule id 18130 for secuity log failed logon stopped working and not generating alert from 3 days ago.
but after I checked there was a failed logon log with rule id 60122 which same function of rule id 18130 and generated the alert in last 24 hours
There is ossec.conf that included eventlog from localfile
The main reason i need eventlog because I need an active response rule to block the attempt srcip which can't be done with an eventchannel that doesn't have a srcip field
How can i trace this issue?
Thank You,
riiky devils
Sep 9, 2021, 12:00:25 AM9/9/21
to Wazuh mailing list
Currenly i'm using wazuh manager 4.2.0 and agent version various from 4.1.0 to 4.2.0
Thank You,
Thank You,
Julia Magan Rodriguez
Sep 9, 2021, 4:11:21 AM9/9/21
to Wazuh mailing list
Hello,
This problem is because you have defined both, eventchannel and eventlog. When you have defined both, eventlog would be ignored and rules will be fired with the events from eventchannel.
riiky devils
Sep 9, 2021, 7:38:33 AM9/9/21
to Wazuh mailing list
Hi Julia,
Thanks for your response. But this is strange issue for me because previously i'm already using defined both eventchannel and eventlog together and no issue until 3 days ago.
then the question is how to make the active response route-null.exe and netsh.exe on windows work while the srcip field is not available on the eventchannel (data source ip is in the data.win.eventdata.ipAddress field)?
Thank You,
Thanks for your response. But this is strange issue for me because previously i'm already using defined both eventchannel and eventlog together and no issue until 3 days ago.
then the question is how to make the active response route-null.exe and netsh.exe on windows work while the srcip field is not available on the eventchannel (data source ip is in the data.win.eventdata.ipAddress field)?
Thank You,
Julia Magan Rodriguez
Sep 10, 2021, 5:35:54 AM9/10/21
to Wazuh mailing list
Hello,
netsh.exe and route-null.exe keep expecting srcip information, but they aren’t able to read it from events coming from eventchannel. There is an issue opened to solve this, you can track it here. Until it is solved, you’ll need to use eventlog if you want to trigger those active responses.
Reply all
Reply to author
Forward
0 new messages