Hi Jesus! Got around to giving this a shot today :) In fact still at it as I write this.

Figured out that the aforementioned event will trigger the built-in 18103 rule (below):

<rule id="18103" level="5">
  <if_sid>18100</if_sid>
  <status>^ERROR</status>
  <description>Windows error event.</description>
  <group>system_error,</group>
</rule>

So I figured I could just test the granular e-mail options using the below criteria, just to see if it fires. So far, I haven't had any luck, so perhaps someone can point out the mistakes I have made? :) I will update the thread if I get it to work. For testing purposes, I write events to the event log on the monitored hosts (as mentioned in the previous post) and I can see those events be passed on to the OSSEC server (triggering the 18103 rule).

<email_alerts>
  <email_to>os...@example.com</email_to>
  <rule_id>18103</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>

On Thursday, November 10, 2016 at 10:19:09 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> create a rule for your "level 2 events". Then, use the rule ID and the tag
> *rule_id* of granular email options:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.email_alerts.html
>
> I hope it helps.
> Regards.
>
> On Wednesday, November 9, 2016 at 8:29:02 PM UTC+1, Fredrik wrote:
>>
>> Thanks Jesus!!
>>
>> Operators seem to be working just fine as you suggested!
>>
>> The "level" query is doing its job - I tested with the command in my
>> post. However, do you know of a way to trigger an email where all Level 2
>> events within a certain timeframe (e.g. 24h) are grouped together and
>> included in the email? I realize this might involve multiple parts and
>> configuration, but perhaps you can give a few pointers without spending too
>> much of your time?
>>
>> Best regards,
>> Fredrik
>>
>> On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>>>
>>> Hi Fredrik,
>>>
>>> according to the documentation you can use the Microsoft event schema
>>> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>>>
>>> If you want to add multiple event IDs:
>>>
>>> <localfile>
>>>   <location>Security</location>
>>>   <log_format>eventchannel</log_format>
>>>   <!-- one event carries one EventID, so alternatives are joined with "or" -->
>>>   <query>Event/System[EventID=5140 or EventID=5144]</query>
>>> </localfile>
>>>
>>> Also, I think you can use other operators in the query (=, !=, <, >), so
>>> it could be useful for you to define an interval:
>>>
>>> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>>>
>>> I've never used the "Level" query. Is it not working?
>>>
>>> Regards.
>>>
>>> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>>>
>>>> Hi Santiago and others,
>>>>
>>>> Interesting thread (even if dated). I did something similar today and
>>>> got an OSSEC agent to forward Windows Server Events according to below to
>>>> the OSSEC server. I have some experience writing decoders for syslog events
>>>> (but limited, as you can see in this forum :)). How would I go about writing
>>>> rules on the OSSEC server to handle the forwarded events?
>>>>
>>>> - Say I would like to group all Level 1 events and send them in a daily
>>>>   email?
>>>> - How would I add multiple event IDs to the below query? OSSEC "and"
>>>>   operand? Could you please provide an example?
>>>>
>>>> ossec.conf
>>>>
>>>> <ossec_config>
>>>>
>>>>   <!-- One entry for each file/Event log to monitor.
>>>>   <localfile>
>>>>     <location>Application</location>
>>>>     <log_format>eventchannel</log_format>
>>>>   </localfile>
>>>>   -->
>>>>
>>>>   <localfile>
>>>>     <location>Security</location>
>>>>     <log_format>eventchannel</log_format>
>>>>     <query>Event/System[EventID=4740]</query>
>>>>   </localfile>
>>>>
>>>>   <localfile>
>>>>     <location>System</location>
>>>>     <log_format>eventchannel</log_format>
>>>>     <query>Event/System[Level=2]</query>
>>>>   </localfile>
>>>>
>>>> </ossec_config>
>>>>
>>>> The query for Level=2 generates the alert below on the OSSEC server when a
>>>> test event is created using the command below.
>>>>
>>>> eventcreate /t error /id 100 /l system /d "Create event in application log"
>>>>
>>>> alerts.log
>>>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>>>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)
>>>>
>>>> Best regards,
>>>> Fredrik
>>>>
>>>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>>>
>>>>> I guess you want to remove these sections from the ossec.conf file in
>>>>> the agent. Those are used to get all application, security and system
>>>>> events.
>>>>>
>>>>> <localfile>
>>>>>   <location>Application</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <location>Security</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <location>System</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>>>
>>>>>> The shared agent.conf is as previously shared, copied below for reference:
>>>>>>
>>>>>> <agent_config>
>>>>>>   <!-- Generic Agent configurations. -->
>>>>>>
>>>>>>   <localfile>
>>>>>>     <location>Security</location>
>>>>>>     <log_format>eventchannel</log_format>
>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>>   </localfile>
>>>>>>
>>>>>> </agent_config>
>>>>>>
>>>>>> *The Windows OSSEC after the comments starts with* (middle portion
>>>>>> removed, and has no localfile entries.)
>>>>>>
>>>>>> <ossec_config>
>>>>>>
>>>>>>   <!-- One entry for each file/Event log to monitor. -->
>>>>>>   <localfile>
>>>>>>     <location>Application</location>
>>>>>>     <log_format>eventlog</log_format>
>>>>>>   </localfile>
>>>>>>
>>>>>>   <localfile>
>>>>>>     <location>Security</location>
>>>>>>     <log_format>eventlog</log_format>
>>>>>>   </localfile>
>>>>>>
>>>>>>   <localfile>
>>>>>>     <location>System</location>
>>>>>>     <log_format>eventlog</log_format>
>>>>>>   </localfile>
>>>>>>
>>>>>>   <!-- Rootcheck - Policy monitor config -->
>>>>>>   . . . SNIP . . .
>>>>>>
>>>>>> </ossec_config>
>>>>>>
>>>>>> <!-- END of Default Configuration. -->
>>>>>>
>>>>>> <ossec_config>
>>>>>>   <client>
>>>>>>     <server-hostname>xxx-ossec-srv1</server-hostname>
>>>>>>   </client>
>>>>>> </ossec_config>
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>>>
>>>>>> Could you share your ossec.conf settings (from the agent) and also
>>>>>> the shared/agent.conf ones? Those are probably located in C:\Program
>>>>>> Files/ossec-agent
>>>>>>
>>>>>> I am guessing, but I think you probably are reading all Security
>>>>>> events in some other place of the configuration (look for the different
>>>>>> locations).
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>>>>
>>>>>>> Tried stopping and starting the agent service on the Windows system.
>>>>>>> Still getting other security events from that system such as 4672 and 4634
>>>>>>> in addition to the 4624. Any other suggestions?
>>>>>>>
>>>>>>> -- Ralph Durkee
>>>>>>>
>>>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>>>
>>>>>>> I've restarted ossec on the server several times. Are you referring
>>>>>>> to the Windows agent?
>>>>>>>
>>>>>>> -- Ralph Durkee
>>>>>>>
>>>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>>>
>>>>>>> Try restarting it manually and see if that works.
>>>>>>>
>>>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>>>>>
>>>>>>>> I'm trying to filter Windows events based on strings such as the
>>>>>>>> logon type and workstation name, but as a starting point I tried the
>>>>>>>> configuration below to filter on EventID 4624. The
>>>>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>>>>
>>>>>>>> <agent_config>
>>>>>>>>   <!-- Generic Agent configurations. -->
>>>>>>>>
>>>>>>>>   <localfile>
>>>>>>>>     <location>Security</location>
>>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>>>>   </localfile>
>>>>>>>>
>>>>>>>> </agent_config>
>>>>>>>>
>>>>>>>> However, I continue receiving all security events, including Security
>>>>>>>> EventID 4624 and others.
>>>>>>>> I restarted the Windows system agent via agent_control -R and also
>>>>>>>> restarted the OSSEC manager.
>>>>>>>> I don't have any errors in ossec.log with regard to the
>>>>>>>> shared/agent.conf file.
>>>>>>>>
>>>>>>>> Any suggestions on getting this working?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> -- Ralph Durkee
>>>>>>>>
>>>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> try using this configuration:
>>>>>>>>
>>>>>>>> <localfile>
>>>>>>>>   <location>Security</location>
>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>   <query>Event/System[EventID=4624]</query>
>>>>>>>> </localfile>
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <swat...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows
>>>>>>>>> OSSEC client. I would like to filter Windows event logs
>>>>>>>>> (Application/Security/System/Application and Services Logs) based on the
>>>>>>>>> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
>>>>>>>>> OSSEC manager).
>>>>>>>>>
>>>>>>>>> I have amended the client ossec.conf with the example from the
>>>>>>>>> OSSEC documentation.
>>>>>>>>>
>>>>>>>>> <localfile>
>>>>>>>>>   <location>System</location>
>>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>>   <query>Event/System[EventID=7001]</query>
>>>>>>>>> </localfile>
>>>>>>>>> * This WORKS *
>>>>>>>>>
>>>>>>>>> <localfile>
>>>>>>>>>   <location>Security</location>
>>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>>   <query>Event/Security[EventID=4624]</query>
>>>>>>>>> </localfile>
>>>>>>>>> * THIS DOESN'T WORK. If I remove the query field it does work, but
>>>>>>>>> then it forwards all the logs coming out of the Windows Security event
>>>>>>>>> log. I am getting a similar issue when I try to filter based on "Applications
>>>>>>>>> and Services Logs". * If I try to give the whole path name in the
>>>>>>>>> location, the OSSEC client does not start and I get an error "Could not
>>>>>>>>> create bookmark".
>>>>>>>>>
>>>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>>>
>>>>>>>>> Kind Regards
>>>>>>>>> Swati
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> ---
>>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>>> Groups "ossec-list" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>> send an email to ossec-list+unsubscr...@googlegroups.com.
>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
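On the manager side, Fredrik's granular `<email_alerts>` block keyed on rule 18103 has a second condition to clear: analysisd only hands an alert to maild when the rule's level reaches `email_alert_level` (7 by default) or the rule carries the `alert_by_email` option, and 18103 is level 5. The fragment below is an added example, not configuration from the thread or from the OSSEC project, following Jesus's advice to create a dedicated rule and point `rule_id` at it. The rule id 100100, the recipient address and the `<match>` string (taken from the alerts.log line quoted above) are placeholders; the `<reports>` block uses OSSEC's built-in daily report, which is the closest the stock configuration gets to Fredrik's "all Level 2 events in one 24h email" and is assumed to be available in the 2.x release in use.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; rule id is a placeholder).
     Child of the built-in 18103, so it only sees Windows ERROR events, and
     narrowed to the System channel the agent's Level=2 query forwards.
     alert_by_email lets this alert reach maild regardless of email_alert_level. -->
<group name="windows,system_error,">
  <rule id="100100" level="5">
    <if_sid>18103</if_sid>
    <match>System: ERROR</match>
    <options>alert_by_email</options>
    <description>Windows System log error (Level 2) forwarded by eventchannel query.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager (added example; address is a placeholder). -->
<ossec_config>
  <!-- Immediate mail per event: rule_id must name the local rule, not 18103,
       because 18103 (level 5) never reaches maild at the default level 7. -->
  <email_alerts>
    <email_to>you@example.com</email_to>
    <rule_id>100100</rule_id>
    <do_not_delay />
  </email_alerts>

  <!-- Daily digest of the same rule: generated once a day by the built-in
       report facility, with the matching log lines included. -->
  <reports>
    <rule>100100</rule>
    <title>Daily Windows System error events</title>
    <email_to>you@example.com</email_to>
    <showlogs>yes</showlogs>
  </reports>
</ossec_config>
```

Note that `<do_not_group />` works against a digest: it forces one mail per alert instead of letting maild bundle alerts that arrive together, so leave it out when the goal is fewer, larger mails. After editing, `ossec-logtest` on the manager accepts a pasted `WinEvtLog: System: ERROR(100): ...` line and prints the rule chain (18100, 18103, 100100) it fires, which confirms the rule before any test event is written on the Windows host.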
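The thread turns on what an eventchannel `<query>` actually selects: Swati's `Event/Security[EventID=4624]` forwards nothing because in the Windows event schema EventID, Level and Channel all sit under `Event/System` whatever the channel, and a predicate that requires two different EventIDs on one event can never match. The following is an added example, written for this page and not taken from the thread or the OSSEC project: an evaluator for the XPath subset the posts use (`Event/<Section>[field op value]` joined by `and`/`or`, no parentheses), run over constructed sample events, plus a helper that emits the matching `<localfile>` block. The sample events, the function names and the `Channel` field standing in for `<location>` are all assumptions of the example.

```python
"""
Added example, not code from the ossec-list thread or from the OSSEC project.

An evaluator for the small XPath subset that OSSEC's eventchannel <query>
uses (Event/<Section>[field op value ... and/or ...]), run over constructed
Windows events, plus a helper that emits the matching <localfile> block.
The sample events are made up for the example and are not captured logs.
"""
import operator
import re

# Constructed sample events, reduced to the <System> fields a query can
# reference.  Channel stands in for the <location> the block is attached to.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Level": 0},
    {"Channel": "Security", "EventID": 4634, "Level": 0},
    {"Channel": "Security", "EventID": 4672, "Level": 0},
    {"Channel": "Security", "EventID": 5140, "Level": 0},
    {"Channel": "Security", "EventID": 5144, "Level": 0},
    {"Channel": "System", "EventID": 7001, "Level": 4},
    {"Channel": "System", "EventID": 7036, "Level": 4},
    # What `eventcreate /t error /id 100 /l system` produces: Level 2 = Error.
    {"Channel": "System", "EventID": 100, "Level": 2},
]

_PATH = re.compile(r"^Event/(\w+)\[(.+)\]$")
_TERM = re.compile(r"^\s*(\w+)\s*(!=|<=|>=|=|<|>)\s*(\d+)\s*$")
_OPS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}


def parse_query(query):
    """Return (section, disjuncts): disjuncts is a list of 'or' clauses, each
    a list of (field, op, int) terms joined by 'and'.  As in XPath, 'and'
    binds tighter than 'or'; parentheses are not supported by this subset."""
    m = _PATH.match(query.strip())
    if not m:
        raise ValueError("expected Event/<Section>[predicate], got %r" % query)
    section, predicate = m.groups()
    disjuncts = []
    for clause in re.split(r"\s+or\s+", predicate):
        conjuncts = []
        for term in re.split(r"\s+and\s+", clause):
            t = _TERM.match(term)
            if not t:
                raise ValueError("unsupported term %r" % term)
            field, op, value = t.groups()
            conjuncts.append((field, op, int(value)))
        disjuncts.append(conjuncts)
    return section, disjuncts


def _term_holds(event, field, op, value):
    # A field the event does not carry can never satisfy a comparison.
    return field in event and _OPS[op](event[field], value)


def event_matches(section, disjuncts, event):
    # EventID, Level, Channel and friends live under Event/System for every
    # channel, so a path such as Event/Security[...] selects nothing.
    if section != "System":
        return False
    return any(all(_term_holds(event, *term) for term in clause)
               for clause in disjuncts)


def select_events(location, query, events=SAMPLE_EVENTS):
    """Event IDs the agent would forward for a <localfile> with this
    <location> and <query>."""
    section, disjuncts = parse_query(query)
    return [e["EventID"] for e in events
            if e["Channel"] == location and event_matches(section, disjuncts, e)]


def query_for_ids(event_ids):
    """Predicate matching any of several IDs: one event has one EventID, so
    the terms must be joined with 'or' ('and' can never be satisfied)."""
    return "Event/System[%s]" % " or ".join("EventID=%d" % i for i in event_ids)


def build_localfile(location, query):
    """Emit the <localfile> block, refusing queries the evaluator rejects."""
    parse_query(query)
    return ("<localfile>\n"
            "  <location>%s</location>\n"
            "  <log_format>eventchannel</log_format>\n"
            "  <query>%s</query>\n"
            "</localfile>" % (location, query))


if __name__ == "__main__":
    for loc, q in [("Security", "Event/System[EventID=5140 and EventID=5144]"),
                   ("Security", query_for_ids([5140, 5144])),
                   ("Security", "Event/System[EventID>4623 and EventID<4673]"),
                   ("System", "Event/System[Level=2]"),
                   ("Security", "Event/Security[EventID=4624]")]:
        print("%-9s %-48s -> %s" % (loc, q, select_events(loc, q)))
    print(build_localfile("Security", query_for_ids([5140, 5144])))
```

Before committing a query to ossec.conf, the same predicate can be checked against the live log on the Windows host with `Get-WinEvent -LogName System -FilterXPath '*[System[EventID=7001]]'`, which evaluates the standard event XPath and reports an error for a malformed filter instead of silently forwarding nothing.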