I am using the eventchannel format. Eventlog provides no useful information for logs other than the three basics: Application, Security and System.
If confirmed, this is a significant bug that impacts the integrity of all deployments of Windows agents, as far as I can determine at minimum on Windows 10; other versions are TBD. I unfortunately do not have at hand other versions of Windows to test with, in order to determine whether it is an issue related to the agent that therefore impacts all Windows deployments, or a less serious issue that is specific to Windows 10. IMHO the agent code needs to be thoroughly debugged, as: i) some events are forwarded correctly; ii) some have field names removed (which makes it very difficult to decode for any information other than what is in the OSSEC header); and iii) some have important security information completely chopped off the message, in addition to missing field labels.

On Windows 10, I can confirm (not an exhaustive list):
i) The integrity of event IDs 4624, 4625, 4634, 4656~4663, 4688, 4689 is preserved.
ii) Event IDs 5140 and 4703 are forwarded /without/ field labels (there are certainly others).
iii) Eventchannel logs other than the three standard event logs have no field labels, /and/ are emptied of important security content.

_Steps to reproduce on any recent flavor of Windows_:

1) From the Group Policy Editor turn on AppLocker in Audit mode, and temporarily turn on all auditing in Security.
2) Configure the agent to collect AppLocker logs (this is for Windows 10; the log names differ for Windows 7). In /var/ossec/etc/shared/agent.conf:

    <agent_config name="AgentName">
      <localfile>
        <log_format>eventchannel</log_format>
        <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
      </localfile>
      <localfile>
        <log_format>eventchannel</log_format>
        <location>Microsoft-Windows-AppLocker/MSI and Script</location>
      </localfile>
      <localfile>
        <log_format>eventchannel</log_format>
        <location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
      </localfile>
      <localfile>
        <log_format>eventchannel</log_format>
        <location>Microsoft-Windows-AppLocker/Packaged app-execution</location>
      </localfile>
    </agent_config>

3) Set the Windows agent to debug mode in internal_options.conf in the ossec-agent installation directory.

4) Restart the agent (net stop "OSSEC HIDS" then net start "OSSEC HIDS", or use the agent control GUI, or Services.msc to bounce the agent).

5) Examine events in the ossec.log file inside the OSSEC-agent installation directory.
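The following PowerShell script is an added example for carrying out the reproduction steps above and is not part of the original post or of the OSSEC project. It checks that the AppLocker rule collections are in audit mode and that the four channels named in the agent.conf exist and hold events, dumps the named fields of the newest event in each channel straight from the Windows event log (so there is a reference to compare against what the agent forwards), restarts the "OSSEC HIDS" service, and then pulls the ossec.log lines that mention each channel. Assumptions not in the post: the agent is installed in "C:\Program Files (x86)\ossec-agent" (set $OssecDir otherwise), debug logging has already been enabled in internal_options.conf, and the script runs in an elevated PowerShell session. One detail worth knowing when comparing: Security-log events such as 4624 carry their fields as <EventData><Data Name="...">, whereas AppLocker events carry them under <UserData><RuleAndFileData>, so the helper below reads both layouts.

```powershell
# Added example, not the poster's or OSSEC's own code.
# Assumption: default agent install dir; adjust if the agent lives elsewhere.
$OssecDir = 'C:\Program Files (x86)\ossec-agent'
$LogFile  = Join-Path $OssecDir 'ossec.log'
$Service  = 'OSSEC HIDS'     # service name as used in the post (net stop/start)

# Channel names exactly as in the agent.conf in the post (Windows 10 names).
$Channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-execution'
)

# Return the named fields of an event regardless of whether the provider
# put them in <EventData> (Security log) or <UserData> (AppLocker).
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $fields = [ordered]@{}
    if ($x.Event.EventData) {
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    } elseif ($x.Event.UserData) {
        foreach ($container in $x.Event.UserData.ChildNodes) {
            foreach ($d in $container.ChildNodes) { $fields[$d.Name] = $d.InnerText }
        }
    }
    return $fields
}

# Step 1 check: AppLocker collections should report AuditOnly, not Enabled.
Write-Host "== AppLocker enforcement mode =="
(Get-AppLockerPolicy -Effective).RuleCollections |
    ForEach-Object { '{0,-12} {1}' -f $_.RuleCollectionType, $_.EnforcementMode }

# Step 2 check: every subscribed channel exists, is enabled and has records.
Write-Host "`n== Channel status =="
foreach ($c in $Channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "channel '$c' not found"; continue }
    '{0,-55} enabled={1} records={2}' -f $c, $log.IsEnabled, $log.RecordCount
}

# Reference data: the newest event per channel, with its field labels intact.
Write-Host "`n== Newest event per channel (as stored by Windows) =="
foreach ($c in $Channels) {
    $ev = Get-WinEvent -LogName $c -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { continue }
    "--- $c : EventID $($ev.Id) ---"
    $f = Get-EventFields -Event $ev
    foreach ($k in $f.Keys) { '{0,-22} = {1}' -f $k, $f[$k] }
}

# Step 4: bounce the agent, then give it a moment to re-subscribe and log.
Restart-Service -Name $Service -ErrorAction Stop
Start-Sleep -Seconds 15

# Step 5: what the agent wrote. The post does not give the exact debug line
# layout, so this only matches lines containing the channel name; compare the
# field labels in these lines against the reference dump above.
Write-Host "`n== ossec.log lines per channel =="
if (-not (Test-Path $LogFile)) {
    Write-Warning "ossec.log not found at $LogFile; set `$OssecDir to the agent install directory"
} else {
    foreach ($c in $Channels) {
        "--- $c ---"
        Select-String -Path $LogFile -SimpleMatch -Pattern $c |
            Select-Object -Last 5 | ForEach-Object { $_.Line }
    }
}
```

Run it after generating some AppLocker activity (launching an executable or script that the audit rules cover), so that each channel has a fresh event to compare; the reference dump shows every field name Windows stored, which is the baseline the forwarded message is being measured against.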