Hi Jesus!

Long time - and dated conversation :) 

Ran into this again today as I wanted to query for multiple events on 
another host. First off, seems like I'm not able to use Eventchannel on 
this particular 2012r2 host (2019/06/27 15:30:57 ossec-logcollector: ERROR: 
Could not EvtSubscribe() for (Security) which returned (15001)). Switched 
back to Eventlog and used the query below. It works, kind of ;) but it also 
includes other EventIDs (4798 being one example).


   - Any ideas as to why I see other EventIDs from the ones listed below?
   - I'm guessing I will have to write custom decoders for the eventID 
   (below) that are sent from the agent as they seem different from for 
   example a Snare agent?


Anyway, mostly wanted to contribute to an old post in case anyone ends up reading 
it :) 

Best regards,
Fredrik 

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
  </localfile>

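The queries in this thread (the multi-ID `or` list above, the `and` form further down, `Level=2`, and the `Event/Security[...]` form that did not work) can be sanity-checked offline before they go into ossec.conf. The evaluator below is an added example, not OSSEC code: it implements only the predicate subset this thread uses, and the sample events are constructed. Keep in mind that OSSEC applies `<query>` only to the `eventchannel` format; the legacy `eventlog` reader has no filter, which is consistent with the extra EventIDs seen above.

```python
"""Evaluate OSSEC-style <query> predicates, Event/System[...], against
Windows event XML offline.  Supports only what this thread uses:
EventID / Level compared with =, !=, <, >, joined by 'and' / 'or'."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real captures) in the schema that
# EvtSubscribe delivers; only the System block matters for the query.
SAMPLE_EVENTS = [
    f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
    f"<Level>{lvl}</Level><Channel>{ch}</Channel></System></Event>"
    for eid, lvl, ch in [(4624, 0, "Security"), (4625, 0, "Security"),
                         (4798, 0, "Security"), (1102, 4, "Security"),
                         (100, 2, "System"), (7001, 4, "System")]
]

_TERM = re.compile(r"\s*(EventID|Level)\s*(!=|=|<|>)\s*(\d+)\s*")
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def system_fields(event_xml):
    """Return {'EventID': int, 'Level': int} read from Event/System."""
    sysel = ET.fromstring(event_xml).find("e:System", NS)
    return {t: int(sysel.find("e:" + t, NS).text) for t in ("EventID", "Level")}

def matches(query, event_xml):
    """True if the query selects this event.  As in XPath, 'and' binds tighter
    than 'or'.  Only Event/System[...] is accepted; Event/Security[...] raises."""
    m = re.fullmatch(r"\s*Event/System\[(.*)\]\s*", query)
    if not m:
        raise ValueError("query must have the form Event/System[...]")
    fields = system_fields(event_xml)

    def term(text):
        tm = _TERM.fullmatch(text)
        if not tm:
            raise ValueError("unsupported term: %r" % text)
        return _OPS[tm.group(2)](fields[tm.group(1)], int(tm.group(3)))

    # 'and' groups are evaluated first, then any group matching satisfies 'or'.
    return any(all(term(t) for t in re.split(r"\band\b", conj))
               for conj in re.split(r"\bor\b", m.group(1)))

def selected_ids(query, events=SAMPLE_EVENTS):
    """EventIDs of the sample events the query would let through."""
    return [system_fields(e)["EventID"] for e in events if matches(query, e)]
```

Running `selected_ids("Event/System[EventID=5140 and EventID=5144]")` returns nothing for any input, because one event carries a single EventID; the `or` form is what a multi-ID filter needs.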


On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> According to the documentation you can use the Microsoft event schema 
> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>  
> If you want to add multiple event IDs:
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format> 
>   <!-- 'or', not 'and': a single event carries one EventID -->
>   <query>Event/System[EventID=5140 or EventID=5144]</query>
> </localfile>
>
> Also, I think you can use other operators in the query (=, !=, <, >), so 
> it could be useful for you to define an interval:
> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>
> I've never used the "Level" query. Is it not working?
>
> Regards.
>
> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>
>> Hi Santiago and others,
>>
>>
>> Interesting thread (even if dated). I did something similar today and got 
>> an OSSEC agent to forward Windows Server Events according to below to the 
>> OSSEC server. I have some experience writing decoders for syslog events (but 
>> limited as you can see in this forum :)). How would I go about writing 
>> rules on the OSSEC server to handle the forwarded events? 
>>
>> - Say I would like to group all Level 1 events and send them in a daily 
>> email?
>> - How would I add multiple eventIDs to the below query? OSSEC and 
>> operand? Could you please provide example?
>>
>> ossec.conf
>>
>> <ossec_config>
>>
>>   <!-- One entry for each file/Event log to monitor. 
>>   <localfile>
>>     <location>Application</location>
>>     <log_format>eventchannel</log_format>
>>   </localfile>
>>
>> -->
>>
>>   <localfile>
>>     <location>Security</location>
>>     <log_format>eventchannel</log_format>
>>     <query>Event/System[EventID=4740]</query>
>>   </localfile>
>>
>>   <localfile>
>>     <location>System</location>
>>     <log_format>eventchannel</log_format>
>>     <query>Event/System[Level=2]</query>
>>   </localfile>
>>
>> The query for Level=2 generates alert below on OSSEC server when a test 
>> event was created using command below.
>>
>> eventcreate /t error /id 100 /l system /d "Create event in application 
>> log" 
>>
>> alerts.log
>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: 
>> contoso: win-testdc.contoso.com: (no message)
>>
>>
>> Best regards,
>> Fredrik 
>>
>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>
>>> I guess you want to remove these sections from the ossec.conf file in 
>>> the agent. Those are used to get all application, security and system 
>>> events.
>>>
>>>   <localfile> 
>>>     <location>Application</location> 
>>>     <log_format>eventlog</log_format> 
>>>   </localfile> 
>>>  
>>>   <localfile> 
>>>     <location>Security</location> 
>>>     <log_format>eventlog</log_format> 
>>>   </localfile> 
>>>  
>>>   <localfile> 
>>>     <location>System</location> 
>>>     <log_format>eventlog</log_format> 
>>>   </localfile> 
>>>
>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>
>>>> The shared agent is as previously shared, copied below for reference:
>>>>
>>>> <agent_config>
>>>>     <!-- Generic Agent configurations. -->
>>>>
>>>>     <localfile>
>>>>       <location>Security</location>
>>>>       <log_format>eventchannel</log_format>
>>>>       <query>Event/System[EventID=4624]</query>
>>>>     </localfile>
>>>>
>>>> </agent_config>
>>>>
>>>> The Windows OSSEC after the comments starts with (middle portion 
>>>> removed, and has no localfile entries):
>>>>
>>>>  
>>>> <ossec_config> 
>>>>  
>>>>   <!-- One entry for each file/Event log to monitor. --> 
>>>>   <localfile> 
>>>>     <location>Application</location> 
>>>>     <log_format>eventlog</log_format> 
>>>>   </localfile> 
>>>>  
>>>>   <localfile> 
>>>>     <location>Security</location> 
>>>>     <log_format>eventlog</log_format> 
>>>>   </localfile> 
>>>>  
>>>>   <localfile> 
>>>>     <location>System</location> 
>>>>     <log_format>eventlog</log_format> 
>>>>   </localfile> 
>>>>  
>>>>  
>>>>   <!-- Rootcheck - Policy monitor config -->
>>>> . . . SNIP . . .
>>>>
>>>>  
>>>> </ossec_config> 
>>>>  
>>>>  
>>>> <!-- END of Default Configuration. --> 
>>>>  
>>>>  
>>>>  <ossec_config> 
>>>>    <client> 
>>>>       <server-hostname>xxx-ossec-srv1</server-hostname> 
>>>>    </client> 
>>>>  </ossec_config>
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>
>>>> Could you share your ossec.conf settings (from the agent) and also the 
>>>> shared/agent.conf ones. Those are probably located in C:\Program 
>>>> Files/ossec-agent 
>>>>
>>>> I am guessing, but I think you probably are reading all Security events 
>>>> in some other place of the configuration (look for the different 
>>>> locations).
>>>>
>>>> Regards
>>>>
>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <ossec...@rd1.net> 
>>>> wrote:
>>>>
>>>>> Tried stopping and starting the agent service on the windows system. 
>>>>> Still getting other security events from that system such as 4672 and 
>>>>> 4634 
>>>>> in addition to the 4624.  Any other suggestions? 
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>>
>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>
>>>>> I've restarted ossec on the server several times.  Are you referring to 
>>>>> the Windows agent? 
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>>
>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>
>>>>> Try restarting it manually and see if that works.
>>>>>
>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <ossec...@rd1.net> 
>>>>> wrote:
>>>>>
>>>>>> I'm trying to filter Windows events based on strings such as the 
>>>>>> login type and workstation name, but as a starting point I tried the 
>>>>>> configuration below to filter on EventID 4624. The 
>>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>>
>>>>>> <agent_config>
>>>>>>     <!-- Generic Agent configurations. -->
>>>>>>
>>>>>>     <localfile>
>>>>>>       <location>Security</location>
>>>>>>       <log_format>eventchannel</log_format>
>>>>>>       <query>Event/System[EventID=4624]</query>
>>>>>>     </localfile>
>>>>>>
>>>>>> </agent_config>
>>>>>>
>>>>>> However I continue receiving all security events including Security 
>>>>>> EventID 4624 and others.
>>>>>> I restarted the windows system agent via agent_control -R  and also 
>>>>>> restarted the OSSEC manager.
>>>>>> I don't have any errors in ossec.log with regard to the 
>>>>>> shared/agent.conf file. 
>>>>>>
>>>>>> Any suggestions on getting this working? 
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>
>>>>>> Hi, 
>>>>>>
>>>>>> try using this configuration:
>>>>>>
>>>>>> <localfile>
>>>>>>     <location>Security</location>
>>>>>>     <log_format>eventchannel</log_format>
>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>> </localfile> 
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <swat...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a windows 
>>>>>>> ossec client. I would like to filter Windows event logs 
>>>>>>> (Applications/Security/System/Application and Services Log) based on 
>>>>>>> the 
>>>>>>> event ids at ossec client (in order to reduce the logs forwarded to 
>>>>>>> OSSEC 
>>>>>>> manager).
>>>>>>>
>>>>>>> I have amended the client ossec.conf with the example from the OSSEC 
>>>>>>> documentation. 
>>>>>>>
>>>>>>> <localfile>
>>>>>>>     <location>System</location>
>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>     <query>Event/System[EventID=7001]</query>
>>>>>>> </localfile>                                    
>>>>>>> This WORKS
>>>>>>>  <localfile>
>>>>>>>     <location>Security</location>
>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>     <query>Event/Security[EventID=4624]</query>
>>>>>>> </localfile>    
>>>>>>>
>>>>>>>
>>>>>>> THIS DOESN'T WORK. If I remove the query field it does work but 
>>>>>>> then it forwards all the logs coming out from Windows Security event 
>>>>>>> log. I 
>>>>>>> am getting a similar issue when I try to filter based on "Applications 
>>>>>>> and 
>>>>>>> Services Logs". If I try to give the whole path name in the 
>>>>>>> location, the ossec client does not start and I get an error "Could not 
>>>>>>> create bookmark".
>>>>>>>
>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>
>>>>>>> Kind Regards
>>>>>>> Swati
>>>>>>> -- 
>>>>>>>
>>>>>>> --- 
>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
>>>>>>
>>>
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/3817ca35-bb2e-4524-bc74-424aedf34ab1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
