Documents printer log


Massimiliano De Falco

Aug 29, 2023, 11:11:23 AM
to Wazuh | Mailing List
Good morning to all,
I have installed the client/endpoint on Windows 10 Pro and the server in a Hyper-V virtual machine.

Can you help me write a local rule to log all documents printed? I need to know the document name and the printer name, please.

I await an answer. Thanks.

John Soliani

Aug 29, 2023, 12:04:13 PM
to Wazuh | Mailing List

Hello Massimiliano,

The Wazuh agent is able to monitor the Windows Event Channel, and all the activities in Windows pass through this channel, so we would need to know the event ID that is generated every time you send a document to be printed. With that, you will be able to see the details in the event and trigger the alert in the manager.
The good thing here is that you will not need a decoder: since the Windows Event Channel goes to the manager in JSON format, it will be decoded automatically on the manager with the stock settings.
I will need to replicate this in my lab to give the details of the configuration, but the general workflow would be the one explained above.
I will send you more details once I finish the lab test.

Regards,
John.-


John Soliani

Sep 1, 2023, 9:59:07 AM
to Wazuh | Mailing List

Hello Massimiliano,

Here are the guidelines on how to achieve what you need.

Firstly, I googled the event ID under which Microsoft logs the printing event. I found that the event ID is 307 and that it is located in the Microsoft-Windows-PrintService/Operational channel, so we need to add this configuration on the agent:

<!-- Logs from PrintService -->
<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Secondly, since Microsoft doesn’t log these events by default, I had to enable the logging on that channel:

  • On the affected Windows system (this could be either the client or server), open Event Viewer by pressing Windows key + R, then type eventvwr.msc and hit the enter key.
  • Expand Applications and Services..., then Microsoft, Windows, and finally, PrintService.
  • Right-click on the Operational log and select Enable log to start logging print jobs.
    This enables logging of printing activity on the Windows system.

Thirdly, I triggered a print event on the Windows machine and tracked it down in the Event Viewer to make sure it was generated. It was there! So far, so good!

Fourthly, I checked in the archives (logall_json) on the manager, to see if the event arrived properly. And I found it!

{"timestamp":"2023-08-26T17:13:12.960-0300","agent":{"id":"010","name":"Win10-1","ip":"192.168.11.210"},"manager":{"name":"C7-AIO-444_40"},"id":"1693080792.254161","cluster":{"name":"wazuh","node":"node01"},"full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-PrintService\",\"providerGuid\":\"{747ef6fd-e535-4d16-b510-42c90f6873a1}\",\"eventID\":\"307\",\"version\":\"0\",\"level\":\"4\",\"task\":\"26\",\"opcode\":\"11\",\"keywords\":\"0x4000000000000840\",\"systemTime\":\"2023-09-01T12:43:26.0289992Z\",\"eventRecordID\":\"10\",\"processID\":\"1984\",\"threadID\":\"3940\",\"channel\":\"Microsoft-Windows-PrintService/Operational\",\"computer\":\"Win10-1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"El documento 4, Imprimir documento propiedad de admin en \\\\\\\\WIN10-1 se imprimió en Microsoft Print to PDF mediante el puerto C:\\\\Users\\\\admin\\\\Desktop\\\\dsa.pdf. Tamaño en bytes: 38052. Páginas imprimidas: 1. No se requiere ninguna acción por parte del usuario.\\\"\"},\"documentPrinted\":{\"param1\":\"4\",\"param2\":\"Imprimir documento\",\"param3\":\"admin\",\"param4\":\"\\\\\\\\\\\\\\\\WIN10-1\",\"param5\":\"Microsoft Print to PDF\",\"param6\":\"C:\\\\\\\\Users\\\\\\\\admin\\\\\\\\Desktop\\\\\\\\dsa.pdf\",\"param7\":\"38052\",\"param8\":\"1\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2023-09-01T12:43:26.0289992Z","eventRecordID":"10","processID":"1984","threadID":"3940","channel":"Microsoft-Windows-PrintService/Operational","computer":"Win10-1","severityValue":"INFORMATION","message":"\"El documento 4, Imprimir documento propiedad de admin en \\\\WIN10-1 se imprimió en Microsoft Print to PDF mediante el puerto C:\\Users\\admin\\Desktop\\dsa.pdf. Tamaño en bytes: 38052. Páginas imprimidas: 1. No se requiere ninguna acción por parte del usuario.\""},"documentPrinted":{"param1":"4","param2":"Imprimir documento","param3":"admin","param4":"\\\\\\\\WIN10-1","param5":"Microsoft Print to PDF","param6":"C:\\\\Users\\\\admin\\\\Desktop\\\\dsa.pdf","param7":"38052","param8":"1"}}},"location":"EventChannel"}

We can see that it did not trigger any alert, so we will not see it in the GUI yet. Let's create a rule to track these actions. But first, let's see how the manager reacts to the event. I cleaned the full_log field to make it a valid JSON log; it turned out to be this log:

{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2023-09-01T12:43:26.0289992Z","eventRecordID":"10","processID":"1984","threadID":"3940","channel":"Microsoft-Windows-PrintService/Operational","computer":"Win10-1","severityValue":"INFORMATION","message":"El documento 4, Imprimir documento propiedad de admin en \\\\\\\\WIN10-1 se imprimió en Microsoft Print to PDF mediante el puerto C:\\\\Users\\\\admin\\\\Desktop\\\\dsa.pdf. Tamaño en bytes: 38052. Páginas imprimidas: 1. No se requiere ninguna acción por parte del usuario."},"documentPrinted":{"param1":"4","param2":"Imprimir documento","param3":"admin","param4":"\\\\\\\\\\\\\\\\WIN10-1","param5":"Microsoft Print to PDF","param6":"C:\\\\\\\\Users\\\\\\\\admin\\\\\\\\Desktop\\\\\\\\dsa.pdf","param7":"38052","param8":"1"}}}

The logtest tool showed this result when I tested it:

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
win.documentPrinted.param1: '4'
win.documentPrinted.param2: 'Imprimir documento'
win.documentPrinted.param3: 'admin'
win.documentPrinted.param4: '\\\\\\\\WIN10-1'
win.documentPrinted.param5: 'Microsoft Print to PDF'
win.documentPrinted.param6: 'C:\\\\Users\\\\admin\\\\Desktop\\\\dsa.pdf'
win.documentPrinted.param7: '38052'
win.documentPrinted.param8: '1'
win.system.channel: 'Microsoft-Windows-PrintService/Operational'
win.system.computer: 'Win10-1'
win.system.eventID: '307'
win.system.eventRecordID: '10'
win.system.keywords: '0x4000000000000840'
win.system.level: '4'
win.system.message: 'El documento 4, Imprimir documento propiedad de admin en \\\\WIN10-1 se imprimió en Microsoft Print to PDF mediante el puerto C:\\Users\\admin\\Desktop\\dsa.pdf. Tamaño en bytes: 38052. Páginas imprimidas: 1. No se requiere ninguna acción por parte del usuario.'
win.system.opcode: '11'
win.system.processID: '1984'
win.system.providerGuid: '{747ef6fd-e535-4d16-b510-42c90f6873a1}'
win.system.providerName: 'Microsoft-Windows-PrintService'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2023-09-01T12:43:26.0289992Z'
win.system.task: '26'
win.system.threadID: '3940'
win.system.version: '0'

**Phase 3: Completed filtering (rules).
id: '60009'
level: '0'
description: 'Windows informational event.'
groups: '['windows']'
firedtimes: '1'
mail: 'False'

No alert was triggered, as we saw in the archives: the parent rule is a level 0 rule, which makes sense! Now we can create our custom rule, chaining it from rule ID 60009!

Lastly, let’s add this rule in the local_rules.xml file on the manager and restart it to apply the change:

<group name="printing,">
  <rule id="160009" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.eventID">^307$</field>
    <options>no_full_log</options>
    <description>A document was printed.</description>
  </rule>
</group>

Now it's the moment of truth: let's print a document and see what happens! I will print any document to the PDF printer I have on my lab machine. (file attached: alert-listed)

There it is! Let's see its content! (file attached: alert-details)

We have:
1) agent name
2) Action
3) user name
4) printer name
5) printing destination
6) event-channel name
7) computer name
AND MORE!

You can now use those fields to track specific activities if you need to.

Hope this was helpful.
John.-

alert-listed.jpg
alert-details.jpg
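As an added example that is not part of the post above and is not Wazuh code: the event 307 payload carries the interesting values positionally (param1 to param8), and the message text shown above fixes their meaning (job id, document, owner, computer, printer, port, bytes, pages). The Python below parses the JSON the agent forwards and returns those values under readable names, which is the shape you would want before writing a rule that keys on a document or printer name. The sample event and the archives record are constructed from the values in this thread; `parse_print_event` and `parse_archive_line` are names chosen here, not Wazuh APIs.

```python
import json
from typing import Optional

# Constructed sample: the inner JSON the Wazuh agent forwards for a
# Microsoft-Windows-PrintService event 307 (values taken from the event
# shown in this thread, trimmed to the fields the parser uses).
SAMPLE_EVENT = json.dumps({
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-PrintService",
            "eventID": "307",
            "channel": "Microsoft-Windows-PrintService/Operational",
            "computer": "Win10-1",
            "systemTime": "2023-09-01T12:43:26.0289992Z",
            "severityValue": "INFORMATION",
        },
        "documentPrinted": {
            "param1": "4",
            "param2": "Imprimir documento",
            "param3": "admin",
            "param4": "\\\\WIN10-1",
            "param5": "Microsoft Print to PDF",
            "param6": "C:\\Users\\admin\\Desktop\\dsa.pdf",
            "param7": "38052",
            "param8": "1",
        },
    }
})

# Constructed sample of the same event as it lands in archives.json on the
# manager: the agent's JSON is kept verbatim as a string in full_log and
# also expanded under "data".
SAMPLE_ARCHIVE_LINE = json.dumps({
    "timestamp": "2023-08-26T17:13:12.960-0300",
    "agent": {"id": "010", "name": "Win10-1", "ip": "192.168.11.210"},
    "full_log": SAMPLE_EVENT,
    "decoder": {"name": "windows_eventchannel"},
    "data": json.loads(SAMPLE_EVENT),
    "location": "EventChannel",
})

# Positional parameters of event 307, in the order the message text uses:
# "Document <1>, <2> owned by <3> on <4> was printed on <5> through port <6>.
#  Size in bytes: <7>. Pages printed: <8>."
PARAM_NAMES = {
    "param1": "job_id",
    "param2": "document",
    "param3": "user",
    "param4": "computer",
    "param5": "printer",
    "param6": "port",
    "param7": "size_bytes",
    "param8": "pages",
}

PRINT_CHANNEL = "Microsoft-Windows-PrintService/Operational"


def parse_print_event(raw: str) -> Optional[dict]:
    """Return named fields for a PrintService 307 event, or None when the
    input is not valid JSON or not a 307 from the PrintService channel."""
    try:
        evt = json.loads(raw)
    except json.JSONDecodeError:
        return None
    win = evt.get("win") if isinstance(evt, dict) else None
    if not isinstance(win, dict):
        return None
    system = win.get("system", {})
    if system.get("eventID") != "307" or system.get("channel") != PRINT_CHANNEL:
        return None
    params = win.get("documentPrinted", {})
    out = {PARAM_NAMES[k]: v for k, v in params.items() if k in PARAM_NAMES}
    # Numeric fields arrive as strings; convert so thresholds can be compared.
    for key in ("size_bytes", "pages"):
        if key in out and str(out[key]).isdigit():
            out[key] = int(out[key])
    out["logged_by"] = system.get("computer")
    out["time"] = system.get("systemTime")
    return out


def parse_archive_line(line: str) -> Optional[dict]:
    """Hypothetical helper: read the agent's event back out of an
    archives.json record (its full_log field) and parse it."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    return parse_print_event(record.get("full_log", ""))


if __name__ == "__main__":
    for fields in (parse_print_event(SAMPLE_EVENT),
                   parse_archive_line(SAMPLE_ARCHIVE_LINE)):
        print(f"{fields['user']} printed '{fields['document']}' on "
              f"{fields['printer']} ({fields['pages']} page(s), "
              f"{fields['size_bytes']} bytes)")
```

The channel and event ID check at the top is the same filter the rule above applies with `<field name="win.system.eventID">^307$</field>`; anything else from the PrintService channel (other event IDs) is rejected rather than mis-parsed.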

Nugroho Adisaputra

Jan 9, 2024, 7:03:49 AM
to Wazuh | Mailing List
Hi, sorry to step in.
I have done the same thing except for creating the custom rule; the log is well received on the Wazuh server, both as a JSON log and as a non-JSON one. When I try the ruleset test, phase 3 doesn't show up.

Here is my log sample:
__________________________
{"timestamp":"2024-01-09T12:33:35.832+0700","agent":{"id":"013","name":"WS099054","ip":"192.168.99.54"},"manager":{"name":"SE100167"},"id":"1704778415.1530418597","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-PrintService\",\"providerGuid\":\"{747ef6fd-e535-4d16-b510-42c90f6873a1}\",\"eventID\":\"307\",\"version\":\"0\",\"level\":\"4\",\"task\":\"26\",\"opcode\":\"11\",\"keywords\":\"0x4000000000000840\",\"systemTime\":\"2024-01-09T05:32:25.4561683Z\",\"eventRecordID\":\"7364\",\"processID\":\"3768\",\"threadID\":\"9620\",\"channel\":\"Microsoft-Windows-PrintService/Operational\",\"computer\":\"WS099054.byl01-pbtgroup.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Document 13, penawaran001.pdf owned by goscan1 on \\\\\\\\WS099054 was printed on Microsoft Print to PDF through port D:\\\\Nugroho\\\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\\\"\"},\"documentPrinted\":{\"param1\":\"13\",\"param2\":\"penawaran001.pdf\",\"param3\":\"goscan1\",\"param4\":\"\\\\\\\\\\\\\\\\WS099054\",\"param5\":\"Microsoft Print to PDF\",\"param6\":\"D:\\\\\\\\Nugroho\\\\\\\\penawaran.pdf\",\"param7\":\"271651\",\"param8\":\"1\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2024-01-09T05:32:25.4561683Z","eventRecordID":"7364","processID":"3768","threadID":"9620","channel":"Microsoft-Windows-PrintService/Operational","computer":"WS099054.byl01-pbtgroup.com","severityValue":"INFORMATION","message":"\"Document 13, penawaran001.pdf owned by goscan1 on \\\\WS099054 was printed on Microsoft Print to PDF through port D:\\Nugroho\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\""},"documentPrinted":{"param1":"13","param2":"penawaran001.pdf","param3":"goscan1","param4":"\\\\\\\\WS099054","param5":"Microsoft Print to PDF","param6":"D:\\\\Nugroho\\\\penawaran.pdf","param7":"271651","param8":"1"}}},"location":"EventChannel"}
__________________________

Here is the output of the ruleset test:
__________________________
**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2024-01-09T12:33:35.832+0700","agent":{"id":"013","name":"WS099054","ip":"192.168.99.54"},"manager":{"name":"SE100167"},"id":"1704778415.1530418597","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-PrintService\",\"providerGuid\":\"{747ef6fd-e535-4d16-b510-42c90f6873a1}\",\"eventID\":\"307\",\"version\":\"0\",\"level\":\"4\",\"task\":\"26\",\"opcode\":\"11\",\"keywords\":\"0x4000000000000840\",\"systemTime\":\"2024-01-09T05:32:25.4561683Z\",\"eventRecordID\":\"7364\",\"processID\":\"3768\",\"threadID\":\"9620\",\"channel\":\"Microsoft-Windows-PrintService/Operational\",\"computer\":\"WS099054.byl01-pbtgroup.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Document 13, penawaran001.pdf owned by goscan1 on \\\\\\\\WS099054 was printed on Microsoft Print to PDF through port D:\\\\Nugroho\\\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\\\"\"},\"documentPrinted\":{\"param1\":\"13\",\"param2\":\"penawaran001.pdf\",\"param3\":\"goscan1\",\"param4\":\"\\\\\\\\\\\\\\\\WS099054\",\"param5\":\"Microsoft Print to PDF\",\"param6\":\"D:\\\\\\\\Nugroho\\\\\\\\penawaran.pdf\",\"param7\":\"271651\",\"param8\":\"1\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2024-01-09T05:32:25.4561683Z","eventRecordID":"7364","processID":"3768","threadID":"9620","channel":"Microsoft-Windows-PrintService/Operational","computer":"WS099054.byl01-pbtgroup.com","severityValue":"INFORMATION","message":"\"Document 13, penawaran001.pdf owned by goscan1 on \\\\WS099054 was printed on Microsoft Print to PDF through port D:\\Nugroho\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\""},"documentPrinted":{"param1":"13","param2":"penawaran001.pdf","param3":"goscan1","param4":"\\\\\\\\WS099054","param5":"Microsoft Print to PDF","param6":"D:\\\\Nugroho\\\\penawaran.pdf","param7":"271651","param8":"1"}}},"location":"EventChannel"}'


**Phase 2: Completed decoding.
name: 'json'
agent.id: '013'
agent.ip: '192.168.99.54'
agent.name: 'WS099054'
data.win.documentPrinted.param1: '13'
data.win.documentPrinted.param2: 'penawaran001.pdf'
data.win.documentPrinted.param3: 'goscan1'
data.win.documentPrinted.param4: '\\\\WS099054'
data.win.documentPrinted.param5: 'Microsoft Print to PDF'
data.win.documentPrinted.param6: 'D:\\Nugroho\\penawaran.pdf'
data.win.documentPrinted.param7: '271651'
data.win.documentPrinted.param8: '1'
data.win.system.channel: 'Microsoft-Windows-PrintService/Operational'
data.win.system.computer: 'WS099054.byl01-pbtgroup.com'
data.win.system.eventID: '307'
data.win.system.eventRecordID: '7364'
data.win.system.keywords: '0x4000000000000840'
data.win.system.level: '4'
data.win.system.message: '"Document 13, penawaran001.pdf owned by goscan1 on \\WS099054 was printed on Microsoft Print to PDF through port D:\Nugroho\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required."'
data.win.system.opcode: '11'
data.win.system.processID: '3768'
data.win.system.providerGuid: '{747ef6fd-e535-4d16-b510-42c90f6873a1}'
data.win.system.providerName: 'Microsoft-Windows-PrintService'
data.win.system.severityValue: 'INFORMATION'
data.win.system.systemTime: '2024-01-09T05:32:25.4561683Z'
data.win.system.task: '26'
data.win.system.threadID: '9620'
data.win.system.version: '0'
decoder.name: 'windows_eventchannel'
full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2024-01-09T05:32:25.4561683Z","eventRecordID":"7364","processID":"3768","threadID":"9620","channel":"Microsoft-Windows-PrintService/Operational","computer":"WS099054.byl01-pbtgroup.com","severityValue":"INFORMATION","message":"\"Document 13, penawaran001.pdf owned by goscan1 on \\\\WS099054 was printed on Microsoft Print to PDF through port D:\\Nugroho\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\""},"documentPrinted":{"param1":"13","param2":"penawaran001.pdf","param3":"goscan1","param4":"\\\\\\\\WS099054","param5":"Microsoft Print to PDF","param6":"D:\\\\Nugroho\\\\penawaran.pdf","param7":"271651","param8":"1"}}}'
id: '1704778415.1530418597'
location: 'EventChannel'
manager.name: 'SE100167'
timestamp: '2024-01-09T12:33:35.832+0700'
__________________________

Then I tried to create the custom rule. Here is my custom rule:
__________________________

<group name="windows, event logs">
    <rule id="100140" level="0">
        <decoded_as>json</decoded_as>
        <field name="data.win.system.channel">^Microsoft-Windows-PrintService/Operational$</field>
        <field name="data.win.system.eventID">^307$</field>
        <description>Windows printing log</description>
    </rule>
    <rule id="100141" level="10">
        <if_sid>100140</if_sid>
        <description>Windows printing log details</description>
    </rule>
</group>
_____________________________

Then I tested again on the ruleset test, and the result is as below:
_____________________________
**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2024-01-09T12:33:35.832+0700","agent":{"id":"013","name":"WS099054","ip":"192.168.99.54"},"manager":{"name":"SE100167"},"id":"1704778415.1530418597","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-PrintService\",\"providerGuid\":\"{747ef6fd-e535-4d16-b510-42c90f6873a1}\",\"eventID\":\"307\",\"version\":\"0\",\"level\":\"4\",\"task\":\"26\",\"opcode\":\"11\",\"keywords\":\"0x4000000000000840\",\"systemTime\":\"2024-01-09T05:32:25.4561683Z\",\"eventRecordID\":\"7364\",\"processID\":\"3768\",\"threadID\":\"9620\",\"channel\":\"Microsoft-Windows-PrintService/Operational\",\"computer\":\"WS099054.byl01-pbtgroup.com\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Document 13, penawaran001.pdf owned by goscan1 on \\\\\\\\WS099054 was printed on Microsoft Print to PDF through port D:\\\\Nugroho\\\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\\\"\"},\"documentPrinted\":{\"param1\":\"13\",\"param2\":\"penawaran001.pdf\",\"param3\":\"goscan1\",\"param4\":\"\\\\\\\\\\\\\\\\WS099054\",\"param5\":\"Microsoft Print to PDF\",\"param6\":\"D:\\\\\\\\Nugroho\\\\\\\\penawaran.pdf\",\"param7\":\"271651\",\"param8\":\"1\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2024-01-09T05:32:25.4561683Z","eventRecordID":"7364","processID":"3768","threadID":"9620","channel":"Microsoft-Windows-PrintService/Operational","computer":"WS099054.byl01-pbtgroup.com","severityValue":"INFORMATION","message":"\"Document 13, penawaran001.pdf owned by goscan1 on \\\\WS099054 was printed on Microsoft Print to PDF through port D:\\Nugroho\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\""},"documentPrinted":{"param1":"13","param2":"penawaran001.pdf","param3":"goscan1","param4":"\\\\\\\\WS099054","param5":"Microsoft Print to PDF","param6":"D:\\\\Nugroho\\\\penawaran.pdf","param7":"271651","param8":"1"}}},"location":"EventChannel"}'


**Phase 2: Completed decoding.
name: 'json'
agent.id: '013'
agent.ip: '192.168.99.54'
agent.name: 'WS099054'
data.win.documentPrinted.param1: '13'
data.win.documentPrinted.param2: 'penawaran001.pdf'
data.win.documentPrinted.param3: 'goscan1'
data.win.documentPrinted.param4: '\\\\WS099054'
data.win.documentPrinted.param5: 'Microsoft Print to PDF'
data.win.documentPrinted.param6: 'D:\\Nugroho\\penawaran.pdf'
data.win.documentPrinted.param7: '271651'
data.win.documentPrinted.param8: '1'
data.win.system.channel: 'Microsoft-Windows-PrintService/Operational'
data.win.system.computer: 'WS099054.byl01-pbtgroup.com'
data.win.system.eventID: '307'
data.win.system.eventRecordID: '7364'
data.win.system.keywords: '0x4000000000000840'
data.win.system.level: '4'
data.win.system.message: '"Document 13, penawaran001.pdf owned by goscan1 on \\WS099054 was printed on Microsoft Print to PDF through port D:\Nugroho\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required."'
data.win.system.opcode: '11'
data.win.system.processID: '3768'
data.win.system.providerGuid: '{747ef6fd-e535-4d16-b510-42c90f6873a1}'
data.win.system.providerName: 'Microsoft-Windows-PrintService'
data.win.system.severityValue: 'INFORMATION'
data.win.system.systemTime: '2024-01-09T05:32:25.4561683Z'
data.win.system.task: '26'
data.win.system.threadID: '9620'
data.win.system.version: '0'
decoder.name: 'windows_eventchannel'
full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-PrintService","providerGuid":"{747ef6fd-e535-4d16-b510-42c90f6873a1}","eventID":"307","version":"0","level":"4","task":"26","opcode":"11","keywords":"0x4000000000000840","systemTime":"2024-01-09T05:32:25.4561683Z","eventRecordID":"7364","processID":"3768","threadID":"9620","channel":"Microsoft-Windows-PrintService/Operational","computer":"WS099054.byl01-pbtgroup.com","severityValue":"INFORMATION","message":"\"Document 13, penawaran001.pdf owned by goscan1 on \\\\WS099054 was printed on Microsoft Print to PDF through port D:\\Nugroho\\penawaran.pdf.  Size in bytes: 271651. Pages printed: 1. No user action is required.\""},"documentPrinted":{"param1":"13","param2":"penawaran001.pdf","param3":"goscan1","param4":"\\\\\\\\WS099054","param5":"Microsoft Print to PDF","param6":"D:\\\\Nugroho\\\\penawaran.pdf","param7":"271651","param8":"1"}}}'
id: '1704778415.1530418597'
location: 'EventChannel'
manager.name: 'SE100167'
timestamp: '2024-01-09T12:33:35.832+0700'


**Phase 3: Completed filtering (rules).
id: '100141'
level: '10'
description: 'Windows printing log details'
groups: '["windows"," event logs"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.
___________________________

It seems that the rule is working well, but the event/alert didn't show up on the dashboard. What should I check?
Thanks
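As an added example that is not part of the post above and is not Wazuh code: the two logtest runs in this thread decode the same print event to different field paths. Fed the agent's own JSON (the earlier reply), logtest lists `win.system.eventID`; fed a line copied from archives.json, where the event has already been wrapped under `data`, it lists `data.win.system.eventID`. A rule whose `<field>` checks name `data.win.*` paths therefore matches in a logtest of the archives line but finds no such field on a live event, which is one thing to check before raising the level of a stock rule. The script below flattens each constructed sample the way Phase 2 does and evaluates a simplified version of both rules' `<field>` checks against both shapes; the sample records are constructed from values in this thread, and `flatten`, `rule_matches` and `check_rule_against` are names chosen here.

```python
import json
import re

# Constructed sample of the event exactly as the agent forwards it, which is
# the text the manager decodes for a live event (values from this thread).
LIVE_EVENT = json.dumps({
    "win": {
        "system": {
            "channel": "Microsoft-Windows-PrintService/Operational",
            "eventID": "307",
            "computer": "WS099054.byl01-pbtgroup.com",
        },
        "documentPrinted": {"param2": "penawaran001.pdf", "param3": "goscan1"},
    }
})

# Constructed sample of the same event copied out of archives.json: the live
# event now sits under "data" and, as a string, in "full_log".
ARCHIVE_LINE = json.dumps({
    "timestamp": "2024-01-09T12:33:35.832+0700",
    "agent": {"id": "013", "name": "WS099054"},
    "full_log": LIVE_EVENT,
    "decoder": {"name": "windows_eventchannel"},
    "data": json.loads(LIVE_EVENT),
    "location": "EventChannel",
})

# The two rule variants from this thread, reduced to their <field> checks.
RULE_LIVE_PATHS = {"win.system.eventID": r"^307$"}
RULE_ARCHIVE_PATHS = {
    "data.win.system.channel": r"^Microsoft-Windows-PrintService/Operational$",
    "data.win.system.eventID": r"^307$",
}


def flatten(obj, prefix=""):
    """Turn nested JSON into the dotted field paths wazuh-logtest prints
    in Phase 2 (win.system.eventID, data.win.system.eventID, ...)."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = str(value)
    return out


def rule_matches(fields, conditions):
    """Simplified stand-in for a rule's <field name="...">regex</field>
    checks: every named field must be present and match its pattern.
    (Wazuh's own regex dialect differs; anchored literals behave the same.)"""
    return all(
        name in fields and re.search(pattern, fields[name]) is not None
        for name, pattern in conditions.items()
    )


def check_rule_against(raw_json, conditions):
    """Decode one JSON log line and evaluate the field checks against it."""
    return rule_matches(flatten(json.loads(raw_json)), conditions)


if __name__ == "__main__":
    for label, raw in (("live event", LIVE_EVENT), ("archives line", ARCHIVE_LINE)):
        print(f"{label:14} win.* rule: {check_rule_against(raw, RULE_LIVE_PATHS)!s:5} "
              f"data.win.* rule: {check_rule_against(raw, RULE_ARCHIVE_PATHS)}")
```

Run as written it shows the `win.*` rule matching only the live event and the `data.win.*` rule matching only the archives line. The practical takeaway is to feed logtest the content of `full_log` (as the earlier reply did) rather than the whole archives record, so that the field paths you test are the ones a live event will carry.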

Nugroho Adisaputra

May 13, 2024, 8:07:45 AM
to Mustiff Martinez, Wazuh | Mailing List

Then what I did is a little bit risky: I modified the default rule file with rule id 60009 and changed the rule level to 10.

Thanks for the response.



On 10/05/24 21.03, Mustiff Martinez wrote:
I have the same problem as my colleague: when doing the test, phase 3 does not appear, that is, I don't know how I should continue to be able to create the rule. Thank you.