From what I can tell, I am doing this correctly. Here is the log for 
event ID 5145. I did run ./ossec-logtest, I pasted "
WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to rule 18100 and 
not 19000.
Below I have my log, rules and logtest.

Log:

2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 
14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 
User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538
%%1541
%%4416
%%4417
%%4418
%%4419
%%4420
%%4423
%%4424

2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 
14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 
User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects 
\??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
%%4416
%%4423
 %%1541: %%1801 D:(A;;0x1200a9;;;WD)
%%4416: %%1801 D:(A;;0x1200a9;;;WD)
%%4423: %%1801 D:(A;;0x1200a9;;;WD)



Rules:

<group name="windows,">

  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>

  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>

  <rule id="18102" level="0">
    <if_sid>18100</if_sid>
    <status>^WARNING</status>
    <description>Windows warning event.</description>
  </rule>

  <rule id="18103" level="5">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows error event.</description>
    <group>system_error,</group>
  </rule>

  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>

  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>



Logtest:

ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
ossec-testrule: Type one log per line.

WinEvtLog: Security: AUDIT_SUCCESS(5145)


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
       hostname: 'OSSECServer'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'

**Phase 2: Completed decoding.
       decoder: 'windows'

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'



On Monday, October 27, 2014 3:09:44 PM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 27, 2014 at 3:03 PM, Brian <[email protected]> wrote: 
> > I'm not sure if I am running it correctly. I get the following; it doesn't 
> > show anything... In the ossec.conf file, I placed <logall>yes</logall> in 
> > the global section and restarted. I got no errors when restarting. 
> > 
> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest /var/ossec/logs/archives/archives.log 
> > 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file. 
> > 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224). 
> > ossec-testrule: Type one log per line. 
> > 
>
> The archives.log file is just a text log file. You'll need to find the 
> entries you are interested in, copy them out of the file, and paste 
> them into the ossec-logtest program. 
>
> Windows is odd (why does it put so many spaces in odd places?), so 
> copying archives.log to another location, then deleting all of the 
> lines you are not interested in might be the best solution. 
>
>
> As a shortcut while testing, I frequently save the log message to a 
> file, then run: 
>
> cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest 
>
> > 
> > On Monday, October 27, 2014 2:05:27 PM UTC-4, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Oct 27, 2014 at 2:01 PM, Brian <[email protected]> wrote: 
> >> > Thank you for your reply. Looks like the & was a typo. I fixed that and 
> >> > it now looks like: <id>^5142$|^5143$|^5144$|^5145$</id> 
> >> > So, I turned on debugging on the client side, and I get the following 
> >> > shown below. When I run tail -f /var/ossec/logs/alerts/alerts.log on 
> >> > the server side, I don't see anything coming in. The Windows client is 
> >> > a Windows 2012 server. 
> >> > 
> >> > 
> >> > Debug: 
> >> > 
> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to 
> >> > server. 
> >> > 
> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: 
> '2014 
> >> > Oct 
> >> > 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): 
> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> > FileServer.Domain.Local: 
> S-1-5-21-3748380571-1685127485-3479259990-18013 
> >> > User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 
> %%1541 
> >> > 
> >> > %%4423 
> >> > 
> >> > - ' 
> >> > 
> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to 
> >> > server. 
> >> > 
> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: 
> '2014 
> >> > Oct 
> >> > 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): 
> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: 
> >> > FileServer.Domain.Local: 
> S-1-5-21-3748380571-1685127485-3479259990-18013 
> >> > User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files 
> >> > (x86)\ossec-agent 0x100081 %%1541 
> >> > 
> >> > %%4416 
> >> > 
> >> > %%4423 
> >> > 
> >> > 
> >> 
> >> Did you turn on the log all option on the manager? If you run the log 
> >> messages from the archives.log through ossec-logtest, what happens? 
> >> 
> >> > 
> >> > On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <[email protected]> wrote: 
> >> >> > Is the ampersand correctly used at the end of 5142? For the other IDs 
> >> >> > a $ sign is used. 
> >> >> > 
> >> >> 
> >> >> Nope, I'm not sure what they were attempting with that. 
> >> >> 
> >> >> > Ivars 
> >> >> > 
> >> >> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <[email protected]> wrote: 
> >> >> >> 
> >> >> >> Hello, I am hoping someone may be able to help. 
> >> >> >> I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I found 
> >> >> >> this discussion on how to add it to your ossec.conf file: 
> >> >> >> 
> >> >> >> 
> >> >> >> 
> >> >> >> 
> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
>  
> >> >> >> 
> >> >> >> However, the events aren't showing up in OSSEC. Would this be the 
> >> >> >> correct way to configure OSSEC to capture specific Windows Event IDs? 
> >> >> >> 
> >> >> >> I added the following to my ossec.conf file, above 18104 as the above 
> >> >> >> article suggested, and then restarted OSSEC. 
> >> >> >> 
> >> >> >> <rule id="19000" level="6"> 
> >> >> >>     <if_sid>18100</if_sid> 
> >> >> >>     <id>^5142&|^5143$|^5144$|^5145$</id> 
> >> >> >>     <status>^AUDIT_SUCCESS|^success</status> 
> >> >> >>     <description>Windows audit success event.</description> 
> >> >> >>   </rule> 
> >> >> >> 
> >> >> >> Thank you for your help. 
> >> >> >> 
> >> >> >> -- 
> >> >> >> 
> >> >> >> --- 
> >> >> >> You received this message because you are subscribed to the 
> Google 
> >> >> >> Groups 
> >> >> >> "ossec-list" group. 
> >> >> >> To unsubscribe from this group and stop receiving emails from it, 
> >> >> >> send 
> >> >> >> an 
> >> >> >> email to [email protected]. 
> >> >> >> For more options, visit https://groups.google.com/d/optout. 
> >> >> > 
> >> >> > 
> >> > 
> > 
>


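As an added example (not OSSEC's own decoder code and not from this thread), the script below approximates how the built-in windows decoder turns a WinEvtLog message into the id and status fields that rule 19000 tests, then runs the rule's two regexes against a line that stops at AUDIT_SUCCESS(5145), like the one typed into ossec-logtest above, and against a full event of the kind the agent debug output shows. The decoder regex and the sample events are assumptions constructed for the example; under them the truncated line yields no fields, so only the bare group rule 18100 can fire, while the full line decodes and matches 19000.

```python
import re

# Approximation, for illustration only, of how OSSEC's built-in "windows"
# decoder splits a WinEvtLog message into the fields a rule can test
# (this regex is an assumption, not OSSEC's own decoder.xml entry):
#   WinEvtLog: <log_tag>: <status>(<id>): <source>: <user>: <domain>: <system>: ...
PREMATCH = "WinEvtLog: "
FIELDS_RE = re.compile(
    r"^(?P<log_tag>[^:]+): (?P<status>\S+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<system_name>\S+): "
)

# Rule 19000 from the thread, reduced to the two field regexes it applies.
RULE_19000 = {
    "id": re.compile(r"^5142$|^5143$|^5144$|^5145$"),
    "status": re.compile(r"^AUDIT_SUCCESS|^success"),
}


def decode_windows(event: str) -> dict:
    """Return decoded fields, or {} when only the prematch (the bare group
    rule 18100) can apply because the event header is incomplete."""
    pos = event.find(PREMATCH)
    if pos < 0:
        return {}
    m = FIELDS_RE.match(event[pos + len(PREMATCH):])
    return m.groupdict() if m else {}


def rule_19000_matches(event: str) -> bool:
    """Every <field> in the rule must exist in the decoded event and match."""
    fields = decode_windows(event)
    return all(name in fields and rx.search(fields[name]) is not None
               for name, rx in RULE_19000.items())


# Constructed sample events modelled on the thread (SID shortened).
TRUNCATED = "WinEvtLog: Security: AUDIT_SUCCESS(5145)"   # what was typed into logtest
FULL_5145 = ("2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): "
             "Microsoft-Windows-Security-Auditing: (no user): no domain: "
             "FileServer.Domain.Local: S-1-5-21-0-0-0-1001 User01 Domain 0x9310e4 "
             "File ::1 50201 \\\\*\\C$ \\??\\C:\\ \\ 0x100080 %%1541")
OTHER_ID = FULL_5145.replace("AUDIT_SUCCESS(5145)", "AUDIT_SUCCESS(4624)")

if __name__ == "__main__":
    for label, ev in (("truncated", TRUNCATED), ("full 5145", FULL_5145),
                      ("full 4624", OTHER_ID)):
        f = decode_windows(ev)
        print(f"{label:10} id={f.get('id')} status={f.get('status')} "
              f"rule19000={rule_19000_matches(ev)}")
```

The practical check this models: paste the complete event line (as it appears in archives.log or the agent's "Sending message to server" debug output), not just its prefix, and confirm that Phase 2 of ossec-logtest lists the decoded fields before expecting a field-based rule such as 19000 to match.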