Hi Jesus!
Long time - and dated conversation :) Ran into this again today as I wanted to query for multiple events on another host.

First off, seems like I'm not able to use Eventchannel on this particular 2012r2 host (2019/06/27 15:30:57 ossec-logcollector: ERROR: Could not EvtSubscribe() for (Security) which returned (15001)). Switched back to Eventlog and used the query below. It works, kind of ;) but also includes other EventIDs (4798 being one example).

- Any ideas as to why I see other EventIDs than the ones listed below?
- I'm guessing I will have to write custom decoders for the eventIDs (below) that are sent from the agent as they seem different from, for example, a Snare agent?

Anyway, mostly wanted to contribute to an old post if anyone ends up reading it :)

Best regards,
Fredrik

<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
<query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
</localfile>

On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> according to the documentation you can use the Microsoft event schema
> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>
> If you want to add multiple event IDs:
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=5140 or EventID=5144]</query>
> </localfile>
>
> Also, I think you can use other operators in the query (=, !=, <, >), so
> it could be useful for you to define an interval:
> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>
> I've never used the "Level" query. Is it not working?
>
> Regards.
>
> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>
>> Hi Santiago and others,
>>
>> Interesting thread (even if dated). I did something similar today and got
>> an OSSEC agent to forward Windows Server Events according to below to the
>> OSSEC server.
>> I have some experience writing decoders for syslog events (but
>> limited as you can see in this forum :)). How would I go about writing
>> rules on the OSSEC server to handle the forwarded events?
>>
>> - Say I would like to group all Level 1 events and send them in a daily
>> email?
>> - How would I add multiple eventIDs to the below query? OSSEC and
>> operand? Could you please provide an example?
>>
>> ossec.conf
>>
>> <ossec_config>
>>
>> <!-- One entry for each file/Event log to monitor.
>> <localfile>
>> <location>Application</location>
>> <log_format>eventchannel</log_format>
>> </localfile>
>>
>> -->
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=4740]</query>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[Level=2]</query>
>> </localfile>
>>
>> The query for Level=2 generates the alert below on the OSSEC server when a test
>> event was created using the command below.
>>
>> eventcreate /t error /id 100 /l system /d "Create event in application
>> log"
>>
>> alerts.log
>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN:
>> contoso: win-testdc.contoso.com: (no message)
>>
>>
>> Best regards,
>> Fredrik
>>
>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>
>>> I guess you want to remove these sections from the ossec.conf file in
>>> the agent. Those are used to get all application, security and system
>>> events.
>>>
>>> <localfile>
>>> <location>Application</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> <localfile>
>>> <location>Security</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> <localfile>
>>> <location>System</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>
>>>> The shared agent is as previously shared, copied below for reference:
>>>>
>>>> <agent_config>
>>>> <!-- Generic Agent configurations. -->
>>>>
>>>> <localfile>
>>>> <location>Security</location>
>>>> <log_format>eventchannel</log_format>
>>>> <query>Event/System[EventID=4624]</query>
>>>> </localfile>
>>>>
>>>> </agent_config>
>>>>
>>>> *The Windows OSSEC after the comments starts with* (middle portion
>>>> removed, and has no localfile entries.)
>>>>
>>>>
>>>> <ossec_config>
>>>>
>>>> <!-- One entry for each file/Event log to monitor. -->
>>>> <localfile>
>>>> <location>Application</location>
>>>> <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>> <location>Security</location>
>>>> <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>> <location>System</location>
>>>> <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>>
>>>> <!-- Rootcheck - Policy monitor config -->
>>>> . . . SNIP . . .
>>>>
>>>>
>>>> </ossec_config>
>>>>
>>>>
>>>> <!-- END of Default Configuration. -->
>>>>
>>>>
>>>> <ossec_config>
>>>> <client>
>>>> <server-hostname>xxx-ossec-srv1</server-hostname>
>>>> </client>
>>>> </ossec_config>
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>
>>>> Could you share your ossec.conf settings (from the agent) and also the
>>>> shared/agent.conf ones.
>>>> Those are probably located in C:\Program
>>>> Files/ossec-agent
>>>>
>>>> I am guessing, but I think you probably are reading all Security events
>>>> in some other place of the configuration (look for the different
>>>> locations).
>>>>
>>>> Regards
>>>>
>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <ossec...@rd1.net>
>>>> wrote:
>>>>
>>>>> Tried stopping and starting the agent service on the windows system.
>>>>> Still getting other security events from that system such as 4672 and 4634
>>>>> in addition to the 4624. Any other suggestions?
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>>
>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>
>>>>> I've restarted ossec on the server several times. Are you referring to
>>>>> the Windows agent?
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>>
>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>
>>>>> Try restarting it manually and see if that works.
>>>>>
>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <ossec...@rd1.net>
>>>>> wrote:
>>>>>
>>>>>> I'm trying to filter Windows events based on strings such as the
>>>>>> login type and workstation name, but as a starting point I tried the
>>>>>> configuration below to filter on EventID 4624. The
>>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>>
>>>>>> <agent_config>
>>>>>> <!-- Generic Agent configurations. -->
>>>>>>
>>>>>> <localfile>
>>>>>> <location>Security</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/System[EventID=4624]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> </agent_config>
>>>>>>
>>>>>> However I continue receiving all security events including Security
>>>>>> EventID 4624 and others.
>>>>>> I restarted the windows system agent via agent_control -R and also
>>>>>> restarted the OSSEC manager.
>>>>>> I don't have any errors in ossec.log with regard to the
>>>>>> shared/agent.conf file.
>>>>>>
>>>>>> Any suggestions on getting this working?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> try using this configuration:
>>>>>>
>>>>>> <localfile>
>>>>>> <location>Security</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/System[EventID=4624]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <swat...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a windows
>>>>>>> ossec client. I would like to filter Windows event logs
>>>>>>> (Applications/Security/System/Application and Services Log) based on the
>>>>>>> event ids at ossec client (in order to reduce the logs forwarded to OSSEC
>>>>>>> manager).
>>>>>>>
>>>>>>> I have amended the client ossec.conf with the example from the OSSEC
>>>>>>> documentation.
>>>>>>>
>>>>>>> <localfile>
>>>>>>> <location>System</location>
>>>>>>> <log_format>eventchannel</log_format>
>>>>>>> <query>Event/System[EventID=7001]</query>
>>>>>>> </localfile>
>>>>>>> * This WORKS *
>>>>>>>
>>>>>>> <localfile>
>>>>>>> <location>Security</location>
>>>>>>> <log_format>eventchannel</log_format>
>>>>>>> <query>Event/Security[EventID=4624]</query>
>>>>>>> </localfile>
>>>>>>> * THIS DOESN'T WORK. *
>>>>>>>
>>>>>>> If I remove the query field it does work but
>>>>>>> then it forwards all the logs coming out from the Windows Security event
>>>>>>> log. I am getting a similar issue when I try to filter based on "Applications
>>>>>>> and Services Logs". If I try to give the whole path name in the
>>>>>>> location, the ossec client does not start and I get an error "Could not
>>>>>>> create bookmark".
>>>>>>>
>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>
>>>>>>> Kind Regards
>>>>>>> Swati
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/3817ca35-bb2e-4524-bc74-424aedf34ab1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
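The pitfalls this thread runs into can be caught before an agent is restarted: a <query> on a localfile whose log_format is eventlog rather than eventchannel (the 2019 post, which still saw EventIDs outside its list), a query path starting with Event/Security instead of Event/System (Swati's post), and a common variation, two EventID equalities joined by `and`, which no single event can satisfy. The lint below is an added example, not OSSEC code or anything posted in the thread; its sample ossec.conf fragment is constructed from the thread's snippets, and the rule that <query> is only honoured for eventchannel is taken from the OSSEC localfile documentation.

```python
"""Lint <localfile> blocks for the Windows event-query pitfalls in this thread (added example, not OSSEC code)."""
import re

LOCALFILE_RE = re.compile(r"<localfile>(.*?)</localfile>", re.S)
FIELD_RES = {n: re.compile(rf"<{n}>(.*?)</{n}>", re.S) for n in ("location", "log_format", "query")}

# Constructed sample built from the snippets in the thread; regex parsing because ossec.conf is often not strict XML.
SAMPLE_CONF = """<ossec_config>
<localfile><location>Security</location><log_format>eventlog</log_format>
<query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query></localfile>
<localfile><location>Security</location><log_format>eventchannel</log_format>
<query>Event/Security[EventID=4624]</query></localfile>
<localfile><location>Security</location><log_format>eventchannel</log_format>
<query>Event/System[EventID=5140 and EventID=5144]</query></localfile>
<localfile><location>System</location><log_format>eventchannel</log_format>
<query>Event/System[Level=2]</query></localfile>
</ossec_config>"""

def parse_localfile(block: str) -> dict:
    """Extract location, log_format and query (None when absent) from one <localfile> body."""
    return {n: (m.group(1).strip() if (m := rx.search(block)) else None) for n, rx in FIELD_RES.items()}

def lint_localfile(fields: dict) -> list:
    """Return findings for one block; an empty list means the filter looks sane."""
    query = fields["query"]
    if query is None:
        return []  # no <query>: the whole channel is forwarded, which may be intended
    findings = []
    # Only the eventchannel reader evaluates <query> (OSSEC localfile docs); with eventlog it is
    # ignored, which matches the 2019 post seeing EventIDs outside its list.
    if fields["log_format"] != "eventchannel":
        findings.append("query ignored: <query> only filters with <log_format>eventchannel")
    # The XPath is relative to <Event>; the channel name is not a path step (Swati's case).
    if not re.match(r"Event/System\b", query):
        findings.append("query must start with Event/System")
    # One event carries one EventID, so two equalities joined by 'and' can never match.
    if (len(re.findall(r"EventID\s*=\s*\d+", query)) > 1 and re.search(r"\band\b", query)
            and not re.search(r"\bor\b", query)):
        findings.append("several EventID equalities joined by 'and'; use 'or'")
    return findings

def lint_config(text: str) -> list:
    """Lint every <localfile> in a config; returns (location, log_format, findings) per block."""
    return [(f["location"], f["log_format"], lint_localfile(f))
            for f in (parse_localfile(m.group(1)) for m in LOCALFILE_RE.finditer(text))]

if __name__ == "__main__":
    for loc, fmt, findings in lint_config(SAMPLE_CONF):
        print(f"{loc} ({fmt}): {findings or 'ok'}")
```

Run it against a real ossec.conf or shared/agent.conf by passing the file contents to lint_config; a block with an empty findings list still forwards everything its query matches, so the lint only catches filters that cannot work as written.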