Hi, I realize this is a slightly older discussion, but it's the closest I 
could find to anyone with experience collecting ForwardedEvents event 
channel logs with OSSEC when using Windows Event Collection. 

I have a server configured as an Event Collector "subscriber", gathering 
system/application/security logs from remote workstations out in the field, 
using the method basically described here: 
https://technet.microsoft.com/en-us/library/cc749183(v=ws.11).aspx. 

This creates an EventChannel source on the server called "ForwardedEvents", 
which I have an OSSEC agent installed on and configured to grab with the 
following config (via shared agent.conf):

<agent_config name="collectorservername">
   <localfile>
      <log_format>eventchannel</log_format>
      <location>ForwardedEvents</location>
   </localfile>
 </agent_config>

According to Ossec agent log on the "collector" server, the event channel 
can be opened, but when an event comes in from a remote system, I get an 
error:

2017/02/01 10:25:52 ossec-agent(1951): INFO: Analyzing event log: 'ForwardedEvents'.   <--- when agent is started
2017/02/01 13:42:07 ossec-agent: ERROR: Could not get message for (ForwardedEvents)   <--- when remote log comes in

My question is: has anyone successfully used OSSEC to grab these 
ForwardedEvents in this fashion, or does the error suggest some other 
(permissions) issue?

Thanks in advance!
Mike
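The following diagnostic is an added example for the collector setup Mike describes; it is not part of the original post and not OSSEC's own code. It is meant to be run in an elevated PowerShell session on the collector. The "Could not get message" line is what the OSSEC Windows agent logs when it cannot format an event's message text through the Windows event-rendering API, and that step depends on the event's publisher metadata being available on the machine doing the rendering. The script therefore checks three things: the WEC subscription state, the ForwardedEvents channel's access descriptor (the permissions side of the question), and, for the most recent forwarded events, whether the source provider is registered on the collector and whether Get-WinEvent (which uses the same rendering API) can produce a message for it. No subscription, host or provider names are assumed; everything is read from the system.

```powershell
# Added diagnostic for an OSSEC agent reading the ForwardedEvents channel on a
# Windows Event Collector. Not from the original post or from OSSEC.
# Assumes: run elevated on the collector; at least one WEC subscription exists.

# 1. Subscriptions known to the collector service and their key settings.
wecutil es | ForEach-Object {
    Write-Host "== Subscription: $_"
    wecutil gs $_ | Select-String -Pattern 'Enabled|ContentFormat|LogFile|SourceType'
}

# 2. The channel itself: enabled flag, log file path and access descriptor (SDDL).
#    The channelAccess line is where a read-permission problem for the account
#    the OSSEC agent runs under would show up.
wevtutil gl ForwardedEvents | Select-String -Pattern 'enabled|channelAccess|logFileName'

# 3. Pull the most recent forwarded events and try to render each message the
#    same way a reader calling the Windows formatting API would. Get-WinEvent
#    leaves .Message empty (and warns) when it cannot render an event.
$recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction Stop

$report = foreach ($ev in $recent) {
    # Is the event's publisher (provider) registered on this collector at all?
    $providerLocal = $null -ne (Get-WinEvent -ListProvider $ev.ProviderName -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Time            = $ev.TimeCreated
        Source          = $ev.MachineName      # forwarding workstation
        Provider        = $ev.ProviderName
        EventId         = $ev.Id
        ProviderOnColl  = $providerLocal       # provider manifest present locally?
        MessageRendered = -not [string]::IsNullOrEmpty($ev.Message)
    }
}

$report | Format-Table -AutoSize

# 4. Providers whose events could not be rendered here. If these are also
#    absent from the collector (ProviderOnColl = False), the rendering step,
#    not channel permissions, is the first thing to look at.
$report | Where-Object { -not $_.MessageRendered } |
    Group-Object Provider |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Read the two tables together: a non-empty channelAccess entry that denies the agent's account points at permissions, while events that render fine for providers present on the collector but fail for providers that exist only on the forwarding workstations point at message rendering. The subscription's ContentFormat (Events vs. RenderedText) is printed in step 1 so it can be compared against the rendering results.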



On Thursday, September 24, 2015 at 10:47:06 AM UTC-4, DefensiveDepth wrote:
>
> Greetings Wes,
>
> Yes, Dan is correct - the "collector" is a windows server that has the 
> OSSEC client installed on it and configured through <eventchannel> to 
> forward the logs onto the SO sensor.
>
> You don't have to use WEF for collecting the logs... You could use the 
> OSSEC client installed locally, nxlog, or something else like that. 
>
> -Josh
>
> On Thursday, September 24, 2015 at 9:37:23 AM UTC-4, Wes wrote:
>>
>>
>> Thanks for your help, Dan.
>>
>> Wes
>>
>>
>>
>>
>> On Thursday, September 24, 2015 at 9:28:04 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>>
>>> On Sep 24, 2015 9:15 AM, "Wes" <wlamb...@gmail.com> wrote:
>>> >
>>> > Please excuse me if this is not the proper place, but I was reading 
>>> Josh's paper (
>>> https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
>>> in regard to the use of Sysmon, Windows Event Collector Framework, and 
>>> OSSEC to forward logs from Windows workstations and servers to Security 
>>> Onion, but I wanted to be sure about a thing or two before I began such a 
>>> project.
>>> >
>>> > From the paper, I can see that the intention (for the Hybrid setup) is 
>>> that Sysmon will be running on all workstations (onsite/offsite), and all 
>>> workstations will be configured with Windows Event Forwarding to forward 
>>> logs to a log collector (OSSEC). From here the log collector will forward 
>>> information to Security Onion (sensor).
>>> >
>>> > --The log collector should be running the OSSEC agent, correct?  Or is 
>>> this to run the manager?  I guess my impression was that the agent only 
>>> collected logs locally, but what I have read gives me the impression 
>>> that the agent can be forwarded logs and forward those logs on as well? 
>>> >
>>>
>>> I've only skimmed the hybrid section of the paper, and I don't know a 
>>> lot about Windows Event Forwarding, but I would assume the log collector is 
>>> a Windows system. Because of that it can only run the OSSEC agent software. 
>>> It looks like the collector collects the logs via WEF, allowing the OSSEC 
>>> agent to pull them in, and forwards them on to the OSSEC server.
>>>
>>> Josh is on the list though, and I would expect him to reply when he gets 
>>> a chance. :-)
>>>
>>> > Again please excuse my ignorance--if anyone could clarify or could 
>>> point me towards some more information, I would greatly appreciate it.
>>> >
>>> > Thanks,
>>> >
>>> > Wes
>>> >
>>> >
>>> > -- 
>>> >
>>> > --- 
>>> > You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>
