I think I got it working; it may not be the correct way. I removed Rule ID 19000, added <id>^5142$|^5143$|^5144$|^5145$</id> to Rule 18104 and gave Rule 18104 Level 2, and it seems to work now. If it continues to work correctly, I thank you for your help.

Old Rules:

<rule id="19000" level="2">
  <if_sid>18100</if_sid>
  <id>^5142$|^5143$|^5144$|^5145$</id>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>

<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>

New Rule:

<rule id="18104" level="2">
  <if_sid>18100</if_sid>
  <id>^5142$|^5143$|^5144$|^5145$</id>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>

On Tuesday, October 28, 2014 9:34:59 AM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 27, 2014 at 8:34 PM, Brian <ke...@myschatz.net> wrote:
> > From what I can tell, I am doing this correctly. Here is the log for
> > event ID 5145. I did run ./ossec-logtest, I placed
> > "WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to Rule 18100 and
> > not 19000.
> > Below I have my log, rules and logtest.
> >
> > Log:
> >
> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
> > %%1541
> > %%4416
> > %%4417
> > %%4418
> > %%4419
> > %%4420
> > %%4423
> > %%4424
> >
>
> I don't know enough about the Windows stuff to know why all of these
> are being presented on their own lines and whatnot.
> Running everything up until the first newline through ossec-logtest
> gives me the following output (removing everything between the
> beginning of the line and 2014 because that should be an OSSEC header
> added to the archives.log entries):
>
> [root@localhost ddp]# cat /tmp/xxx
> 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538
> [root@localhost ddp]# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
> 2014/10/28 09:30:41 ossec-testrule: INFO: Reading local decoder file.
> 2014/10/28 09:30:41 ossec-testrule: INFO: Started (pid: 6981).
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'
>        hostname: 'localhost'
>        program_name: '(null)'
>        log: '2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$ srvsvc 0x12019f %%1538'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '5145'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'WinClient.Domain.Local'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18104'
>        Level: '0'
>        Description: 'Windows audit success event.'
>
> So the id is decoded. And this rule successfully captures that log
> message:
>
> <rule id="300001" level="6">
>   <if_sid>18104</if_sid>
>   <id>^5142$|^5143$|^5144$|^5145$</id>
>   <status>^AUDIT_SUCCESS|^success</status>
>   <description>Windows audit success event.</description>
> </rule>
>
> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects \??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
> > %%4416
> > %%4423
> > %%1541: %%1801 D:(A;;0x1200a9;;;WD)
> > %%4416: %%1801 D:(A;;0x1200a9;;;WD)
> > %%4423: %%1801 D:(A;;0x1200a9;;;WD)
> >
> > Rules:
> >
> > <group name="windows,">
> >
> > <rule id="18100" level="0">
> >   <category>windows</category>
> >   <description>Group of windows rules.</description>
> > </rule>
> >
> > <rule id="18101" level="0">
> >   <if_sid>18100</if_sid>
> >   <status>^INFORMATION</status>
> >   <description>Windows informational event.</description>
> > </rule>
> >
> > <rule id="18102" level="0">
> >   <if_sid>18100</if_sid>
> >   <status>^WARNING</status>
> >   <description>Windows warning event.</description>
> > </rule>
> >
> > <rule id="18103" level="5">
> >   <if_sid>18100</if_sid>
> >   <status>^ERROR</status>
> >   <description>Windows error event.</description>
> >   <group>system_error,</group>
> > </rule>
> >
> > <rule id="19000" level="6">
> >   <if_sid>18100</if_sid>
> >   <id>^5142$|^5143$|^5144$|^5145$</id>
> >   <status>^AUDIT_SUCCESS|^success</status>
> >   <description>Windows audit success event.</description>
> > </rule>
> >
> > <rule id="18104" level="0">
> >   <if_sid>18100</if_sid>
> >   <status>^AUDIT_SUCCESS|^success</status>
> >   <description>Windows audit success event.</description>
> > </rule>
> >
> > Logtest:
> >
> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
> > 2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
> > 2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
> > ossec-testrule: Type one log per line.
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(5145)
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
> >        hostname: 'OSSECServer'
> >        program_name: '(null)'
> >        log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18100'
> >        Level: '0'
> >        Description: 'Group of windows rules.'
> >
> >
> > On Monday, October 27, 2014 3:09:44 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Oct 27, 2014 at 3:03 PM, Brian <ke...@myschatz.net> wrote:
> >> > I'm not sure if I am running it correctly. I get the following; it
> >> > doesn't show anything. In the ossec.conf file, I placed
> >> > <logall>yes</logall> in the global section and restarted.
> >> > I got no errors when restarting.
> >> >
> >> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest /var/ossec/logs/archives/archives.log
> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
> >> > ossec-testrule: Type one log per line.
> >> >
> >>
> >> The archives.log file is just a text log file. You'll need to find the
> >> entries you are interested in, copy them out of the file, and paste
> >> them into the ossec-logtest program.
> >>
> >> Windows is odd (why does it put so many spaces in odd places?), so
> >> copying archives.log to another location, then deleting all of the
> >> lines you are not interested in might be the best solution.
> >>
> >> As a shortcut while testing, I frequently save the log message to a
> >> file, then run:
> >>
> >> cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest
> >>
> >> >
> >> > On Monday, October 27, 2014 2:05:27 PM UTC-4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Oct 27, 2014 at 2:01 PM, Brian <ke...@myschatz.net> wrote:
> >> >> > Thank you for your reply. Looks like the & was a typo. I fixed that
> >> >> > and now it looks like: <id>^5142$|^5143$|^5144$|^5145$</id>
> >> >> > So, I turned on debugging on the client side, and I get the following
> >> >> > shown below. When I run: tail -f /var/ossec/logs/alerts/alerts.log
> >> >> > on the server side, I don't see anything coming in. The Windows client
> >> >> > is a Windows 2012 server.
> >> >> >
> >> >> > Debug:
> >> >> >
> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
> >> >> >
> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541
> >> >> >
> >> >> > %%4423
> >> >> >
> >> >> > - '
> >> >> >
> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
> >> >> >
> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files (x86)\ossec-agent 0x100081 %%1541
> >> >> >
> >> >> > %%4416
> >> >> >
> >> >> > %%4423
> >> >> >
> >> >> >
> >> >>
> >> >> Did you turn on the log all option on the manager? If you run the log
> >> >> messages from the archives.log through ossec-logtest, what happens?
> >> >>
> >> >> >
> >> >> > On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <i.gri...@gmail.com> wrote:
> >> >> >> > Is the ampersand correctly used at the end of 5142? For the other IDs
> >> >> >> > a $ sign is used.
> >> >> >> >
> >> >> >>
> >> >> >> Nope, I'm not sure what they were attempting with that.
> >> >> >>
> >> >> >> > Ivars
> >> >> >> >
> >> >> >> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <ke...@myschatz.net> wrote:
> >> >> >> >>
> >> >> >> >> Hello, I am hoping someone may be able to help.
> >> >> >> >> I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I found
> >> >> >> >> this discussion on how to add it to your ossec.conf file.
> >> >> >> >>
> >> >> >> >> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
> >> >> >> >>
> >> >> >> >> However, the events aren't showing up in ossec. Would this be the
> >> >> >> >> correct way in configuring OSSEC to capture specific Windows Event IDs?
> >> >> >> >>
> >> >> >> >> I added the following to my ossec.conf file, above 18104 as the above
> >> >> >> >> article suggested, and then restarted ossec.
> >> >> >> >>
> >> >> >> >> <rule id="19000" level="6">
> >> >> >> >>   <if_sid>18100</if_sid>
> >> >> >> >>   <id>^5142&|^5143$|^5144$|^5145$</id>
> >> >> >> >>   <status>^AUDIT_SUCCESS|^success</status>
> >> >> >> >>   <description>Windows audit success event.</description>
> >> >> >> >> </rule>
> >> >> >> >>
> >> >> >> >> Thank you for your help.
> >> >> >> >>
> >> >> >> >> --
> >> >> >> >>
> >> >> >> >> ---
> >> >> >> >> You received this message because you are subscribed to the Google
> >> >> >> >> Groups "ossec-list" group.
> >> >> >> >> To unsubscribe from this group and stop receiving emails from it, send
> >> >> >> >> an email to ossec-list+...@googlegroups.com.
> >> >> >> >> For more options, visit https://groups.google.com/d/optout.
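The thread turns on two things that ossec-logtest shows but does not explain: a Windows event line cut off right after "AUDIT_SUCCESS(5145)" is recognised by the windows decoder but yields no id field, so only the category rule 18100 can match and any rule with an <id> test is dead; and a rule hung off 18104 with <if_sid> (dan's 300001) fires on the full line because the match walks 18100 -> 18104 -> child. The following is an added example, not OSSEC code and not anything posted in the thread: a small Python model of that decode-then-walk behaviour. The decoder regex is a simplified stand-in for the stock windows decoder, the sibling ordering (first matching child wins) is an assumption rather than analysisd's real ordering, and the 4624 and sshd lines are constructed for contrast; only FULL_5145 is the first line of the event quoted above.

```python
"""Model of how an OSSEC Windows event line is decoded and which rule in the
18100 tree ends up firing.  Added example for this thread, not OSSEC's own
code: the decoder regex and the rule walk are simplifications (assumptions)
that reproduce the ossec-logtest outcomes seen in the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input.  FULL_5145 is the first line of the event quoted
# in the thread; TRUNCATED_5145 is the fragment first pasted into
# ossec-logtest; FULL_4624 and NOT_WINDOWS are made up for contrast.
FULL_5145 = (
    "2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707 "
    "User01 Domain 0xbe810a File 10.5.5.8 51134 \\\\*\\IPC$ srvsvc 0x12019f %%1538"
)
TRUNCATED_5145 = "WinEvtLog: Security: AUDIT_SUCCESS(5145)"
FULL_4624 = (
    "2014 Oct 27 14:20:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WinClient.Domain.Local: An account was successfully logged on."
)
NOT_WINDOWS = "Oct 27 14:17:07 host sshd[4711]: Accepted password for user01 from 10.5.5.8"

# Modelled on the stock "windows" decoder (assumption: simplified pattern).
# Every field, including status and id, is only extracted if the header up
# to the host name is present, so a line cut off at the ")" is recognised
# as a Windows event but yields no fields at all.
WINDOWS_DECODER = re.compile(
    r"^(?:\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d )?"   # optional agent timestamp
    r"WinEvtLog: (?P<log_tag>\S+): (?P<status>\S+)\((?P<id>\d+)\): "
    r"(?P<extra_data>\S+): (?P<dstuser>.+?): (?P<domain>.+?): "
    r"(?P<system_name>\S+): "
)


def decode(line: str) -> dict:
    """Phase 2 of ossec-logtest in miniature: decoder name plus whatever
    fields the regex could extract (possibly none)."""
    if "WinEvtLog: " not in line:
        return {}
    m = WINDOWS_DECODER.search(line)
    return {"decoder": "windows", **(m.groupdict() if m else {})}


def id_pattern_matches(pattern: str, event_id: str) -> bool:
    """<id> matching: an empty id (nothing decoded) never matches, and a
    stray '&' instead of '$' makes that alternative require a literal '&'."""
    return bool(event_id) and re.search(pattern, event_id) is not None


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None      # parent rule; None means a root rule
    category: Optional[str] = None    # <category>, matched against the decoder type
    id_re: Optional[str] = None       # <id>
    status_re: Optional[str] = None   # <status>

    def matches(self, ev: dict) -> bool:
        if self.category and ev.get("decoder") != self.category:
            return False
        if self.id_re and not id_pattern_matches(self.id_re, ev.get("id", "")):
            return False
        if self.status_re and not re.search(self.status_re, ev.get("status", "")):
            return False
        return True


# The stock windows rules quoted in the thread, plus dan's 300001 chained
# off 18104 (its description here is my own wording).
RULES = [
    Rule(18100, 0, "Group of windows rules.", category="windows"),
    Rule(18101, 0, "Windows informational event.", 18100, status_re="^INFORMATION"),
    Rule(18102, 0, "Windows warning event.", 18100, status_re="^WARNING"),
    Rule(18103, 5, "Windows error event.", 18100, status_re="^ERROR"),
    Rule(18104, 0, "Windows audit success event.", 18100, status_re="^AUDIT_SUCCESS|^success"),
    Rule(300001, 6, "Windows share access (5142-5145).", 18104,
         id_re="^5142$|^5143$|^5144$|^5145$", status_re="^AUDIT_SUCCESS|^success"),
]


def evaluate(line: str) -> Optional[Rule]:
    """Phase 3 in miniature: start at the root rules, descend into the
    children of each matching rule, report the deepest match (assumption:
    first matching sibling wins; real analysisd also orders siblings)."""
    ev = decode(line)
    best, frontier = None, [r for r in RULES if r.if_sid is None]
    while frontier:
        hit = next((r for r in frontier if r.matches(ev)), None)
        if hit is None:
            break
        best = hit
        frontier = [r for r in RULES if r.if_sid == hit.id]
    return best


if __name__ == "__main__":
    for line in (TRUNCATED_5145, FULL_5145, FULL_4624, NOT_WINDOWS):
        ev, rule = decode(line), evaluate(line)
        print(f"id={ev.get('id')!r:>8}  rule={rule.id if rule else None}  "
              f"level={rule.level if rule else None}")
```

Running it shows the three outcomes from the thread side by side: the truncated line stops at 18100 (level 0), the full 5145 line reaches 300001 (level 6), and an ordinary 4624 logon stays at 18104 (level 0), which is why a level-0 rule never shows up in alerts.log. id_pattern_matches also shows that the original "^5142&" alternative cannot match 5142 at all, the point Ivars raised. When testing real rules, feed ossec-logtest the whole first line of the event as dan did, since a fragment without the header fields never exercises an <id> match.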