Strange event formatting being reported on windows agents (but not all the time)


Nathaniel

Feb 26, 2020, 11:15:45 PM
to Wazuh mailing list
Hi

Below is an alert I got from our file server running Wazuh 3.11. I get these from time to time. It's quite odd in that the Windows event it captured wasn't the correct Windows event source data:

Received From: (filesrv1) 10.10.10.4->WinEvtLog
Rule: 18154 fired (level 9) -> "Multiple Windows error events."
User: (no user)
Portion of the log(s):

2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: WDSTFTP 4
type: c:\program files\7-zip\7z.dll
2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: WDSServer 4
2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: WDSMC 4
2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: SMTPSVC 4
2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: Perf_TmcmPerfMon 4
2020 Feb 26 22:07:06 WinEvtLog: c:\program files\7-zip\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: NTFSDRV 4


Just using the first event in the alert (ending in WDSTFTP 4), you will note that the actual event as recorded by the Application event log doesn't have anything about 7-Zip in it:


Log Name:      Application
Source:        Microsoft-Windows-Perflib
Date:          2/26/2020 10:07:06 PM
Event ID:      1023
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      filesrv1.local
Description:
Windows cannot load the extensible counter DLL WDSServer. The first four bytes (DWORD) of the Data section contains the Windows error code.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Perflib" Guid="{13B197BD-7CEE-4B4E-8DD0-59314CE374CE}" EventSourceName="Perflib" />
    <EventID Qualifiers="49152">1023</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-02-27T03:07:06.000000000Z" />
    <EventRecordID>4587458</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>filesrv1.local</Computer>
    <Security />
  </System>
  <UserData>
    <EventXML xmlns="Perflib">
      <param1>WDSServer</param1>
      <binaryDataSize>4</binaryDataSize>
      <binaryData>7E000000</binaryData>
    </EventXML>
  </UserData>
</Event>


filesrv1's ossec.conf has the default options:


  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>


and its shared output is:


<!-- Source file: default/agent.conf -->
  <agent_config>
    <client_buffer>
      <!-- Agent buffer options -->
      <disable>no</disable>
      <queue_size>15000</queue_size>
      <events_per_second>750</events_per_second>
    </client_buffer>

    <sca>
      <enabled>yes</enabled>
      <scan_on_start>yes</scan_on_start>
      <interval>12h</interval>
      <skip_nfs>yes</skip_nfs>
    </sca>
  </agent_config>

<!-- Source file: windows-sql-servers/agent.conf -->
<agent_config>
  <!-- Shared agent configuration here -->
</agent_config>

<!-- Source file: windows-servers/agent.conf -->
  <agent_config>
    <active-response>
      <disabled>no</disabled>
    </active-response>

    <localfile>
      <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
      <log_format>eventchannel</log_format>
    </localfile>

    <localfile>
      <location>C:\Windows\System32\LogFiles\SMTPSVC1\ex%y%m%d.log</location>
      <log_format>iis</log_format>
    </localfile>

    <localfile>
      <location>C:\Windows\SoftwareDistribution\ReportingEvents.log</location>
      <log_format>syslog</log_format>
    </localfile>

    <localfile>
      <location>Microsoft-Windows-Sysmon/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>

    <localfile>
      <location>Microsoft-Windows-PrintService/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>

    <localfile>
      <location>File Replication Service</location>
      <log_format>eventlog</log_format>
    </localfile>

    <localfile>
      <location>Windows PowerShell</location>
      <log_format>eventlog</log_format>
    </localfile>

    <rootcheck>
      <system_audit>./shared/cis_win2012r2_memberL1_rcl.txt</system_audit>
      <system_audit>./shared/cis_win2016_memberL1_rcl.txt</system_audit>
    </rootcheck>

    <syscheck>
      <disabled>no</disabled>
      <frequency>86400</frequency>
      <scan_on_start>yes</scan_on_start>
      <auto_ignore>no</auto_ignore>
      <alert_new_files>yes</alert_new_files>
      <directories check_all="yes" recursion_level="3">C:\Program Files</directories>
      <directories check_all="yes" recursion_level="3">C:\Program Files (x86)</directories>
      <directories check_all="yes">C:\Windows\Temp</directories>
      <ignore type="sregex">.eml$|.log$|.tmp|.txt$|.log.|.upd|TEMP|cache|media|history|bdsettings.xml</ignore>
    </syscheck>
  </agent_config>


Is this a bug due to Wazuh agent/server grouping alerts? Kibana shows the data correctly:
{ "_index": "wazuh-alerts-3.x-2020.02.27", "_type": "_doc", "_id": "F5echHABrF5PPlLJuemR", "_version": 1, "_score": null, "_source": { "input": { "type": "log" }, "agent": { "ip": "10.10.10.4", "name": "filesrv1", "id": "038" }, "manager": { "name": "wazuh-server.local" }, "data": { "win": { "system": { "eventID": "1023", "eventSourceName": "Perflib", "keywords": "0x80000000000000", "providerGuid": "{13B197BD-7CEE-4B4E-8DD0-59314CE374CE}", "level": "2", "channel": "Application", "opcode": "0", "message": "\"Windows cannot load the extensible counter DLL NTFSDRV. The first four bytes (DWORD) of the Data section contains the Windows error code.\"", "version": "0", "systemTime": "2020-02-27T03:07:06.000000000Z", "eventRecordID": "4587454", "threadID": "0", "computer": "filesrv1.local", "task": "0", "processID": "0", "severityValue": "ERROR", "providerName": "Microsoft-Windows-Perflib" }, "eventXML": { "binaryData": "7E000000", "binaryDataSize": "4", "param1": "NTFSDRV" } } }, "rule": { "firedtimes": 1, "mail": false, "level": 1, "description": "Windows Application error event - Performance Monitors missing entry-point DllRegisterServer.", "groups": [ "system_error" ], "id": "100293", "gpg13": [ "4.3" ], "gdpr": [ "IV_35.7.d" ] }, "location": "EventChannel", "decoder": { "name": "windows_eventchannel" }, "id": "1582772826.1227466819", "timestamp": "2020-02-26T22:07:06.385-0500" }, "fields": { "timestamp": [ "2020-02-27T03:07:06.385Z" ] }, "highlight": { "manager.name": [ "@kibana-highl...@wazuh-server.local@/kibana-highlighted-field@" ], "agent.name": [ "@kibana-highlighted-field@filesrv1@/kibana-highlighted-field@" ] }, "sort": [ 1582772826385 ] }

However, some of the events right afterwards show data.type being the path to 7-Zip I outlined earlier:

{ "_index": "wazuh-alerts-3.x-2020.02.27", "_type": "_doc", "_id": "HpechHABrF5PPlLJuemR", "_version": 1, "_score": null, "_source": { "predecoder": { "program_name": "WinEvtLog", "timestamp": "2020 Feb 26 22:07:06" }, "input": { "type": "log" }, "agent": { "ip": "10.10.10.4", "name": "filesrv1", "id": "038" }, "data": { "extra_data": "Perflib", "dstuser": "(no user)", "system_name": "filesrv1.local", "id": "1023", "type": "c:\\program files\\7-zip\\7z.dll", <---- "status": "ERROR" }, "manager": { "name": "wazuh-server.local" }, "rule": { "firedtimes": 2, "mail": false, "level": 8, "description": "Windows error event.", "groups": [ "windows", "system_error" ], "id": "18103" }, "location": "WinEvtLog", "id": "1582772827.1227467909", "decoder": { "parent": "windows", "name": "windows" }, "full_log": "2020 Feb 26 22:07:06 WinEvtLog: c:\\program files\\7-zip\\7z.dll: ERROR(1023): Perflib: (no user): no domain: filesrv1.local: NTFSDRV 4 ", "timestamp": "2020-02-26T22:07:07.088-0500" }, "fields": { "timestamp": [ "2020-02-27T03:07:07.088Z" ] }, "highlight": { "manager.name": [ "@kibana-highl...@wazuh-server.local@/kibana-highlighted-field@" ], "agent.name": [ "@kibana-highlighted-field@filesrv1@/kibana-highlighted-field@" ] }, "sort": [ 1582772827088 ] }

I believe the syscheck started and, while checking, was processing other events and got messed up.

Is there anything in my configuration that could be misconfigured, so that I can resolve this?

Thanks!
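As an added example, not code from this thread or from Wazuh itself: a small Python check that parses the legacy WinEvtLog line layout shown in the alert above, flags a log-name ("type") field that holds a file path instead of an event log name, and lists events that produced an alert from both the windows and windows_eventchannel decoders. The alert dicts are constructed and cut down to the fields the check reads; their values mirror the two alerts pasted above.

```python
import re

# Field layout of a legacy "eventlog"-format line, taken from the full_log field above.
# The log-name field can itself contain a colon (a drive letter, as in the bad alerts),
# so it is matched non-greedily up to the "STATUS(id)" token.
WINEVTLOG_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<type>.+?): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$"
)

def parse_winevtlog(line):
    """Split a legacy WinEvtLog line into its fields; None if it does not match."""
    m = WINEVTLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def type_is_suspicious(fields):
    """'type' should name an event log (Application, System, ...), never a file path."""
    return bool(re.match(r"^[a-zA-Z]:\\", fields["type"]))

def event_key(alert):
    """(agent, event id, first word of the message) for either decoder's alert layout."""
    src = alert["_source"]
    agent, decoder = src["agent"]["name"], src["decoder"]["name"]
    if decoder == "windows_eventchannel":
        win = src["data"]["win"]
        return (agent, win["system"]["eventID"], win["eventXML"]["param1"])
    if decoder == "windows":
        fields = parse_winevtlog(src["full_log"])
        return (agent, fields["id"], fields["message"].split()[0]) if fields else None
    return None

def find_double_collected(alerts):
    """Event keys that produced an alert from both the eventchannel and the eventlog decoder."""
    seen = {}
    for alert in alerts:
        key = event_key(alert)
        if key:
            seen.setdefault(key, set()).add(alert["_source"]["decoder"]["name"])
    return sorted(k for k, d in seen.items() if {"windows", "windows_eventchannel"} <= d)

# Constructed sample alerts, reduced to the fields used above; values mirror the thread.
SAMPLE_ALERTS = [
    {"_source": {"agent": {"name": "filesrv1"}, "decoder": {"name": "windows_eventchannel"},
                 "data": {"win": {"system": {"eventID": "1023"}, "eventXML": {"param1": "NTFSDRV"}}}}},
    {"_source": {"agent": {"name": "filesrv1"}, "decoder": {"name": "windows"},
                 "full_log": "2020 Feb 26 22:07:06 WinEvtLog: c:\\program files\\7-zip\\7z.dll: "
                             "ERROR(1023): Perflib: (no user): no domain: filesrv1.local: NTFSDRV 4 "}},
]
```

Running `find_double_collected` over a day's alerts.json shows whether a given event is being picked up twice, which is the duplication the eventlog/eventchannel overlap would produce.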

Eva Lopez

Feb 27, 2020, 7:07:03 AM
to Wazuh mailing list

Hello Nathaniel,

I don't think there is an issue in the agent grouping subsystem. The bug seems to be in log collection in Eventlog format.

Maybe you are receiving duplicated alerts because Wazuh is processing the Windows event 1023 two times. This event is collected when monitoring the channels File Replication Service in Eventlog format and Application in Eventchannel format.

The event collected by the eventchannel format generates the correct alert.

I am going to open a GitHub issue to report the bug in Eventlog alerts. I recommend using Eventchannel if these alerts are annoying.

Also, I attach our documentation where you can read more about collecting Windows events.
How to collect Windows logs

I hope it helps you.

Best regards,
Eva
