On Tue, Oct 28, 2014 at 10:39 AM, Brian <ke...@myschatz.net> wrote:
> I think I got it working; it may not be the correct way.
> I removed Rule ID 19000,
> added <id>^5142$|^5143$|^5144$|^5145$</id>
> to Rule 18104
> and gave Rule 18104 Level 2,
> and it seems to work now. If it continues to work correctly, I thank you
> for your help.
>
> Old Rules:
>  <rule id="19000" level="2">

Be careful using these ID ranges. New rules could always be added
using those IDs, and that would cause issues.

>     <if_sid>18100</if_sid>
>     <id>^5142$|^5143$|^5144$|^5145$</id>
>     <status>^AUDIT_SUCCESS|^success</status>
>     <description>Windows audit success event.</description>
>   </rule>
>
>   <rule id="18104" level="0">
>     <if_sid>18100</if_sid>
>     <status>^AUDIT_SUCCESS|^success</status>
>     <description>Windows audit success event.</description>
>   </rule>
>
> New Rule:
>
> <rule id="18104" level="2">
>     <if_sid>18100</if_sid>
>     <id>^5142$|^5143$|^5144$|^5145$</id>
>     <status>^AUDIT_SUCCESS|^success</status>
>     <description>Windows audit success event.</description>
>   </rule>
>
> On Tuesday, October 28, 2014 9:34:59 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 27, 2014 at 8:34 PM, Brian <ke...@myschatz.net> wrote:
>> > From what I can tell, I am doing this correctly. Here is the log for
>> > event ID 5145. I did run ./ossec-logtest; I placed
>> > "WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to Rule 18100
>> > and not 19000.
>> > Below I have my log, rules and logtest.
>> >
>> > Log:
>> >
>> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27
>> > 14:17:07
>> > WinEvtLog: Security: AUDIT_SUCCESS(5145):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain:
>> > WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
>> > User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f
>> > %%1538
>> > %%1541
>> > %%4416
>> > %%4417
>> > %%4418
>> > %%4419
>> > %%4420
>> > %%4423
>> > %%4424
>> >
>>
>> I don't know enough about the Windows stuff to know why all of these
>> are being presented on their own lines and whatnot.
>> Running everything up until the first newline through ossec-logtest
>> gives me the following output (Removing everything between the
>> beginning of the line and 2014 because that should be an OSSEC header
>> added to the archives.log entries):
>>
>> [root@localhost ddp]# cat /tmp/xxx
>> 2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145):
>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>> WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
>> User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f
>> %%1538
>> [root@localhost ddp]# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
>> 2014/10/28 09:30:41 ossec-testrule: INFO: Reading local decoder file.
>> 2014/10/28 09:30:41 ossec-testrule: INFO: Started (pid: 6981).
>> ossec-testrule: Type one log per line.
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2014 Oct 27 14:17:07 WinEvtLog: Security:
>> AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: WinClient.Domain.Local:
>> S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
>> File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'
>>        hostname: 'localhost'
>>        program_name: '(null)'
>>        log: '2014 Oct 27 14:17:07 WinEvtLog: Security:
>> AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
>> no domain: WinClient.Domain.Local:
>> S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
>> File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '5145'
>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>        dstuser: '(no user)'
>>        system_name: 'WinClient.Domain.Local'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18104'
>>        Level: '0'
>>        Description: 'Windows audit success event.'
>>
>> So the id is decoded. And this rule successfully captures that log
>> message:
>> <rule id="300001" level="6">
>>   <if_sid>18104</if_sid>
>>   <id>^5142$|^5143$|^5144$|^5145$</id>
>>   <status>^AUDIT_SUCCESS|^success</status>
>>   <description>Windows audit success event.</description>
>> </rule>
>>
>>
>> > 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27
>> > 14:17:07
>> > WinEvtLog: Security: AUDIT_SUCCESS(5145):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain:
>> > WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
>> > User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects
>> > \??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
>> > %%4416
>> > %%4423
>> > %%1541: %%1801 D:(A;;0x1200a9;;;WD)
>> > %%4416: %%1801 D:(A;;0x1200a9;;;WD)
>> > %%4423: %%1801 D:(A;;0x1200a9;;;WD)
>> >
>> > Rules:
>> >
>> > <group name="windows,">
>> >
>> >   <rule id="18100" level="0">
>> >     <category>windows</category>
>> >     <description>Group of windows rules.</description>
>> >   </rule>
>> >
>> >   <rule id="18101" level="0">
>> >     <if_sid>18100</if_sid>
>> >     <status>^INFORMATION</status>
>> >     <description>Windows informational event.</description>
>> >   </rule>
>> >
>> >   <rule id="18102" level="0">
>> >     <if_sid>18100</if_sid>
>> >     <status>^WARNING</status>
>> >     <description>Windows warning event.</description>
>> >   </rule>
>> >
>> >   <rule id="18103" level="5">
>> >     <if_sid>18100</if_sid>
>> >     <status>^ERROR</status>
>> >     <description>Windows error event.</description>
>> >     <group>system_error,</group>
>> >   </rule>
>> >
>> >  <rule id="19000" level="6">
>> >     <if_sid>18100</if_sid>
>> >     <id>^5142$|^5143$|^5144$|^5145$</id>
>> >     <status>^AUDIT_SUCCESS|^success</status>
>> >     <description>Windows audit success event.</description>
>> >   </rule>
>> >
>> >   <rule id="18104" level="0">
>> >     <if_sid>18100</if_sid>
>> >     <status>^AUDIT_SUCCESS|^success</status>
>> >     <description>Windows audit success event.</description>
>> >   </rule>
>> >
>> > Logtest:
>> >
>> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
>> > 2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
>> > 2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
>> > ossec-testrule: Type one log per line.
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(5145)
>> >
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
>> >        hostname: 'OSSECServer'
>> >        program_name: '(null)'
>> >        log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'windows'
>> >
>> > **Phase 3: Completed filtering (rules).
>> >        Rule id: '18100'
>> >        Level: '0'
>> >        Description: 'Group of windows rules.'
>> >
>> > On Monday, October 27, 2014 3:09:44 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Oct 27, 2014 at 3:03 PM, Brian <ke...@myschatz.net> wrote:
>> >> > I'm not sure if I am running it correctly. I get the following; it
>> >> > doesn't show anything. In the ossec.conf file, I placed
>> >> > <logall>yes</logall> in the global section and restarted.
>> >> > I got no errors when restarting.
>> >> >
>> >> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
>> >> > /var/ossec/logs/archives/archives.log
>> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
>> >> > ossec-testrule: Type one log per line.
>> >> >
>> >>
>> >> The archives.log file is just a text log file. You'll need to find the
>> >> entries you are interested in, copy them out of the file, and paste
>> >> them into the ossec-logtest program.
>> >>
>> >> Windows is odd (why does it put so many spaces in odd places?), so
>> >> copying archives.log to another location, then deleting all of the
>> >> lines you are not interested in might be the best solution.
>> >>
>> >>
>> >> As a shortcut while testing, I frequently save the log message to a
>> >> file, then run:
>> >>
>> >> cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest
>> >>
>> >> >
>> >> > On Monday, October 27, 2014 2:05:27 PM UTC-4, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Oct 27, 2014 at 2:01 PM, Brian <ke...@myschatz.net> wrote:
>> >> >> > Thank you for your reply. Looks like the & was a typo. I fixed that
>> >> >> > and it now looks like: <id>^5142$|^5143$|^5144$|^5145$</id>
>> >> >> > So, I turned on debugging on the client side, and I get the
>> >> >> > following shown below. When I run tail -f /var/ossec/logs/alerts/alerts.log
>> >> >> > on the server side, I don't see anything coming in. The Windows
>> >> >> > client is a Windows 2012 server.
>> >> >> >
>> >> >> > Debug:
>> >> >> >
>> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
>> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541
>> >> >> > %%4423
>> >> >> > - '
>> >> >> >
>> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
>> >> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files (x86)\ossec-agent 0x100081 %%1541
>> >> >> > %%4416
>> >> >> > %%4423
>> >> >> >
>> >> >>
>> >> >> Did you turn on the log all option on the manager? If you run the log
>> >> >> messages from the archives.log through ossec-logtest, what happens?
>> >> >>
>> >> >> >
>> >> >> > On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <i.gri...@gmail.com> wrote:
>> >> >> >> > Is the ampersand correctly used at the end of 5142? For the other
>> >> >> >> > IDs a $ sign is used.
>> >> >> >> >
>> >> >> >>
>> >> >> >> Nope, I'm not sure what they were attempting with that.
>> >> >> >>
>> >> >> >> > Ivars
>> >> >> >> >
>> >> >> >> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <ke...@myschatz.net> wrote:
>> >> >> >> >>
>> >> >> >> >> Hello, I am hoping someone may be able to help.
>> >> >> >> >> I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I found
>> >> >> >> >> this discussion on how to add it to your ossec.conf file:
>> >> >> >> >>
>> >> >> >> >> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
>> >> >> >> >>
>> >> >> >> >> However, the events aren't showing up in OSSEC. Would this be the
>> >> >> >> >> correct way to configure OSSEC to capture specific Windows Event IDs?
>> >> >> >> >>
>> >> >> >> >> I added the following to my ossec.conf file, above 18104 as the
>> >> >> >> >> above article suggested, and then restarted OSSEC.
>> >> >> >> >>
>> >> >> >> >> <rule id="19000" level="6">
>> >> >> >> >>     <if_sid>18100</if_sid>
>> >> >> >> >>     <id>^5142&|^5143$|^5144$|^5145$</id>
>> >> >> >> >>     <status>^AUDIT_SUCCESS|^success</status>
>> >> >> >> >>     <description>Windows audit success event.</description>
>> >> >> >> >>   </rule>
>> >> >> >> >>
>> >> >> >> >> Thank you for your help.
>> >> >> >> >>
>> >> >> >> >> --
>> >> >> >> >>
>> >> >> >> >> ---
>> >> >> >> >> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> >> >> >> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> >> >> >> >> For more options, visit https://groups.google.com/d/optout.

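As an added example (not code from this thread or from the OSSEC project), a small pre-flight check for a local rules snippet covering the two problems the thread ran into: an `<id>` pattern with `&` where the `$` end anchor belongs, and custom rules placed in an ID range the shipped rule set may later claim. It assumes Python's `re` approximates OSSEC's os_regex for these simple `^`/`$`/`|` patterns, and that 100000-119999 is the range meant for user-defined rules; both rules in the snippet are constructed for the example.

```python
"""Lint an OSSEC local-rules snippet before loading it (added example).

Python's `re` stands in for OSSEC's os_regex: for these simple patterns
'^', '$' and '|' behave the same, which is an assumption of this example."""
import re
import xml.etree.ElementTree as ET

# Assumption: user-defined OSSEC rules belong in the 100000-119999 range.
LOCAL_RULE_RANGE = range(100000, 120000)

# Constructed snippet: the thread's typo'd rule beside a corrected one that
# chains off 18104. The raw '&' is not valid XML, so it is written as &amp;.
RULES_XML = """<group name="windows,">
  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142&amp;|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>
  <rule id="100100" level="6">
    <if_sid>18104</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows file share (5142-5145) audit success.</description>
  </rule>
</group>"""

WANTED_IDS = ["5142", "5143", "5144", "5145"]  # decoded 'id' values to catch
UNWANTED_IDS = ["514", "51450", "4624"]        # must never match


def lint_rules(xml_text, wanted=WANTED_IDS, unwanted=UNWANTED_IDS):
    """Return {rule_id: [problem, ...]} for every <rule> in the snippet."""
    findings = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = int(rule.get("id"))
        problems = []
        if rid not in LOCAL_RULE_RANGE:
            problems.append("id outside local range 100000-119999")
        id_el = rule.find("id")
        if id_el is not None:
            pat = re.compile(id_el.text)
            missed = [i for i in wanted if not pat.search(i)]
            leaked = [i for i in unwanted if pat.search(i)]
            if missed:
                problems.append("pattern misses event id(s) " + ",".join(missed))
            if leaked:
                problems.append("pattern also matches " + ",".join(leaked))
        findings[rid] = problems
    return findings
```

Running `lint_rules(RULES_XML)` flags rule 19000 twice (ID outside the local range, pattern never matches 5142) and passes 100100; the same check with a pattern such as `^5145` (no `$`) reports that it also matches an event ID like 51450.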
