On Nov 6, 2015 12:00 PM, "Phillipa Moorea" <[email protected]> wrote:
>
> I'm having issues trying to set up logging for PowerShell.
>
> I started out creating a PowerShell profile file ("C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1") with the following lines of code:
>
> $LogCommandHealth = $true
> $LogCommandLifecycleEvent = $true
>
> This allowed me to get Windows Event Logs for PowerShell commands.
> This is the Windows Event log path: %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx
>
> On the OSSEC client I enabled logging for the PowerShell event log by adding this to ossec.conf:
>
> <localfile>
>   <location>Windows PowerShell</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> To get the logs on the OSSEC server at /var/ossec/logs/archives/archives.log, I added this to the /var/ossec/etc/ossec.conf file under the "<global>" section:
>
> <logall>yes</logall>
>
> I need to get the logs to show up in the alert log at /var/ossec/logs/alerts/alerts.log, though. They do not show up.
>
> The log inside archives.log looks like this:
>
> 2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started NewCommandState=Started
> SequenceNumber=127
>
> HostName=ConsoleHost
> HostVersion=2.0
> HostId=2ff69cc2-302d-4d7c-baef-f57106d8c4b3
> EngineVersion=2.0
> RunspaceId=261b4763-f866-4b2a-a472-eae41e3c0d72
> PipelineId=9
> CommandName=Get-Host
> CommandType=Cmdlet
> ScriptName=
> CommandPath=
> CommandLine=Get-Host
>
> I tried to run /var/ossec/bin/ossec-logtest and paste in the log, but it doesn't work because of all the newlines. So then I tried just pasting in the first line to the command and got this output:
>
> **Phase 1: Completed pre-decoding.
> full event: '2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started'
> hostname: 'alien'
> program_name: '(null)'
> log: '2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100212'
> Level: '5'
> Description: 'Powershell Command.'
> **Alert to be generated.
>
> So it says "Alert to be generated", but I never get an alert. Also it shows "No decoder matched". Do I have to have a decoder in order to get an alert? How do I write a decoder for this? But my main question is: how do I get an alert?
>
> Any help would be greatly appreciated!!! Because I am now lost.

You do not need a decoder. Did you restart the ossec processes on the manager after adding the rule?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
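As an added example, not code from the thread or from OSSEC itself, here is a small Python parser for archives.log records in the shape quoted above: it groups the multi-line WinEvtLog entries (which is what trips up ossec-logtest) and pulls out which PowerShell command lines actually reached the manager, so an analyst can confirm the agent side is working before chasing the rule. The regex, the function names and the second record in the sample are assumptions constructed for this example.

```python
import re

# Header of one archives.log record: manager prefix, then the agent's WinEvtLog line.
HEADER_RE = re.compile(
    r"^(?P<archive_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->(?P<location>\S+) "
    r"(?P<event_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<source>[^:]+): (?P<level>[A-Z]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): \((?P<user>[^)]*)\): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)

# Constructed sample: the record from the thread (fields trimmed) plus a made-up second record.
SAMPLE = """\
2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started NewCommandState=Started
SequenceNumber=127

HostName=ConsoleHost
CommandName=Get-Host
CommandLine=Get-Host
2015 Nov 06 10:25:00 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:24:57 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Process Started NewCommandState=Started
CommandName=Get-Process
CommandLine=Get-Process -Name explorer
"""

def parse_archive(text):
    """A header line opens a record; following key=value lines are its fields; blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append({**m.groupdict(), "fields": {}})
        elif records and "=" in line:
            key, _, value = line.partition("=")
            records[-1]["fields"][key.strip()] = value.strip()
    return records

def powershell_commands(text):
    """(agent, host, user, command line) for each PowerShell event 500, the lifecycle event enabled in the thread."""
    return [
        (r["agent"], r["host"], r["user"], r["fields"].get("CommandLine", ""))
        for r in parse_archive(text)
        if r["source"] == "Windows PowerShell" and r["event_id"] == "500"
    ]
```

Feed it the real archives.log (`powershell_commands(open("/var/ossec/logs/archives/archives.log").read())`) and the list it returns is exactly the set of commands a rule on the manager could have alerted on.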
