Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-24 Thread InfoSec
After upgrading Windows 10 to the latest version:

- Event ID 6417 is missing the event description and the field names.

2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 0x38a0 C:\Windows\System32\wbem\WmiPrvSE.exe

The event description is: "The FIPS module crypto selftests succeeded.", 
"0x38a0" is the process ID, and "C:\Windows\System32\wbem\WmiPrvSE.exe" the 
process name.

I would probably filter these events (but that is no excuse to have 
description and field name chopped off), logging failures only -- which 
would qualify as suspicious.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
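As an added example (not code from the post or from the OSSEC project), the following Python parser splits the header OSSEC prepends to Windows events into its fixed fields and flags any event whose body carries no "Label: value" pairs, which is exactly what the quoted 6417 line looks like once the description and field names have been dropped. The header layout is taken from the quoted line; the second sample line is constructed to show what the same event should carry, and its "Process ID" / "Process name" label wording is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header layout OSSEC uses for Windows events (taken from the quoted line):
#   <timestamp> WinEvtLog: <channel>: <status>(<event id>): <source>: <user>: <domain>: <host>: <message>
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)

# A complete Windows message body carries "Label: value" pairs; a body with
# none of them is the symptom reported in this thread (labels chopped off).
FIELD_LABEL_RE = re.compile(r"([A-Z][A-Za-z ]+): ")


@dataclass
class WinEvent:
    timestamp: str
    channel: str
    status: str
    event_id: int
    source: str
    user: str
    domain: str
    host: str
    message: str

    def field_labels(self) -> list[str]:
        """Field labels found in the body, e.g. ['Process ID', 'Process name']."""
        return FIELD_LABEL_RE.findall(self.message)

    def is_stripped(self) -> bool:
        """True when the body carries no 'Label: value' pairs at all."""
        return not self.field_labels()


def parse_winevtlog(line: str) -> Optional[WinEvent]:
    """Parse one OSSEC WinEvtLog line; None when the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return WinEvent(**fields)


def find_stripped_events(lines) -> list[tuple[int, str]]:
    """Return (event_id, body) for every line whose description lost its labels."""
    hits = []
    for line in lines:
        ev = parse_winevtlog(line)
        if ev is not None and ev.is_stripped():
            hits.append((ev.event_id, ev.message))
    return hits


# First line: the 6417 event quoted in the post, re-joined onto one line.
# Second line: constructed; the label wording is an assumption about what a
# complete 6417 event carries.
SAMPLE_LINES = [
    r"2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): "
    r"Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: "
    r"0x38a0 C:\Windows\System32\wbem\WmiPrvSE.exe",
    r"2017 Feb 24 12:20:01 WinEvtLog: Security: AUDIT_SUCCESS(6417): "
    r"Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: "
    r"The FIPS module crypto selftests succeeded. Process ID: 0x38a0 "
    r"Process name: C:\Windows\System32\wbem\WmiPrvSE.exe",
]

if __name__ == "__main__":
    for event_id, body in find_stripped_events(SAMPLE_LINES):
        print(f"event {event_id} arrived without field labels: {body}")
```

Running it reports only the first sample line. The same check, run over an agent's ossec.log in debug mode, gives a quick inventory of which event IDs arrive with their labels intact and which do not, which is the list a bug report on this behaviour needs.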


[ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Grant Leonard

How can we get the ossec agent to read a localfile that overwrites itself?

The CIS CAT benchmarks write a .txt file which we are reading with 
"syslog" as the local file.

However when the benchmark tests run, ossec does not appear to re-read the 
log; it's as if it never gets read again.

As it turns out, there is no date/time in the log.

We have a decoder and rules that work, just need this last piece.

Anyone run into this before?



Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-24 Thread dan (ddp)
Any Windows users want to take a look at this?

On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. wrote:
> I am using the eventchannel format. Eventlog provides no useful information
> for logs other than the three basics: Application, Security and System.
>
> If confirmed, this is a significant bug that impacts the integrity of all
> deployments of Windows agents, as far as I can determine at minimum on
> Windows 10; other versions are TBD.
>
> I unfortunately do not have at hand other versions of Windows to test with,
> in order to determine whether it is an issue related to the agent that
> therefore impacts all Windows deployments, or a less serious issue that is
> specific to Windows 10.
>
> IMHO the agent code needs to be thoroughly debugged, as:
>   i) some events are forwarded correctly;
>  ii) some have field names removed (which makes it very difficult to decode
> for any information other than what is in the OSSEC header); and
> iii) some have important security information completely chopped off the
> message, that is in addition to missing field labels.
>
> On Windows 10, I can confirm (not an exhaustive list):
>   i) The integrity of event IDs 4624, 4625, 4634, 4656~4663, 4688, 4689 is
> preserved.
>  ii) Event IDs 5140 and 4703 are forwarded without field labels (there are
> certainly others).
> iii) Eventchannel logs other than the three standard event logs have no
> field labels, and are emptied of important security content.
>
> Steps to reproduce on any recent flavor of Windows:
>
> 1) From the Group Policy Editor turn on AppLocker in Audit mode, and
> temporarily turn on all auditing in Security.
>
> 2) Configure the agent to collect AppLocker logs (This is for Windows 10,
> the log names differ for Windows 7):
>
> In /var/ossec/etc/shared/agent.conf
>
> <agent_config>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/MSI and Script</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/Packaged app-execution</location>
>   </localfile>
> </agent_config>
>
> 3) Set the Windows agent to debug mode in internal_options.conf in the
> ossec-agent installation directory.
>
> 4) Restart the agent (net stop "OSSEC HIDS" then net start "OSSEC HIDS", or
> use the agent control GUI, or Services.msc to bounce the agent).
>
> 5) Examine events in the ossec.log file inside the OSSEC-agent installation
> directory.



Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Victor Fernandez
Hi Grant,

How is that file overwritten? I mean, is it truncated and re-written, or is
it replaced by another?

OSSEC follows local files and never reads them again from the beginning;
there is no mechanism to detect that a previous file segment has been
changed. But OSSEC does detect that a file itself has been replaced by
checking the file inode.

So if the file is replaced (it is first removed and then re-created, or
your benchmark writes on another log file that then is moved onto the
monitored file) OSSEC should detect it and read it again entirely.

I hope that it helps.

On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard wrote:

>
> How can we get the ossec agent to read a localfile that overwrites itself?
>
> The CIS CAT benchmarks write a .txt file which we are reading with
> "syslog" as the local file.
>
> However when the benchmark tests run, ossec does not appear to re-read the
> log; it's as if it never gets read again.
>
> As it turns out, there is no date/time in the log.
>
> We have a decoder and rules that work, just need this last piece.
>
> Anyone run into this before?
>

-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
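An added example, not Victor's or OSSEC's code, that models the follower behaviour described in this reply so Grant's overwrite problem can be reproduced offline: the follower remembers a byte offset and the inode it belongs to and starts over from byte 0 only when the inode changes. It is then run against a constructed report file that is overwritten in place (same inode) versus replaced by rename (new inode). The reset_on_shrink option is an assumption about what a stricter follower could do, not something the reply attributes to OSSEC, and the report format is invented.

```python
import os
import tempfile


class LogFollower:
    """Model of the localfile follower as described in the reply: a read
    offset plus the inode it belongs to. The offset is reset only when the
    inode changes (file replaced). reset_on_shrink is an added option, not
    OSSEC behaviour: it also resets when the file is shorter than the offset."""

    def __init__(self, path: str, reset_on_shrink: bool = False):
        self.path = path
        self.reset_on_shrink = reset_on_shrink
        self.inode = None
        self.offset = 0

    def poll(self) -> list[str]:
        """Return the lines that appeared since the previous poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            self.inode = st.st_ino      # a new file sits under the same name
            self.offset = 0
        elif self.reset_on_shrink and st.st_size < self.offset:
            self.offset = 0             # truncated in place to a smaller size
        with open(self.path, "rb") as f:
            f.seek(self.offset)         # seeking past EOF simply reads nothing
            data = f.read()
            self.offset = f.tell()
        return data.decode("utf-8", errors="replace").splitlines()


def truncate_in_place(path: str, text: str) -> None:
    """Overwrite through the existing inode, as open(path, 'w') does."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def replace_by_rename(path: str, text: str) -> None:
    """Write a sibling temp file and rename it over the path: new inode."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".report-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(text)
    os.replace(tmp, path)


# Constructed stand-ins for the daily benchmark .txt report (format invented).
REPORT_DAY1 = "Benchmark: example-benchmark v1\nRule 1.1.1 PASS\nRule 1.1.2 FAIL\n"
REPORT_DAY2 = "Benchmark: example-benchmark v1\nRule 1.1.1 PASS\nRule 1.1.2 PASS\n"  # same size as day 1
REPORT_DAY3 = "Benchmark: example-benchmark v1\nRule 1.1.1 FAIL\n"                   # smaller


def run_scenarios(reset_on_shrink: bool = False) -> dict[str, int]:
    """Count the lines the follower picks up after each kind of overwrite."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "benchmark-results.txt")
        truncate_in_place(path, REPORT_DAY1)          # creates the file
        follower = LogFollower(path, reset_on_shrink)
        seen = {"initial": len(follower.poll())}
        truncate_in_place(path, REPORT_DAY2)          # same inode, same size
        seen["rewrite_same_size"] = len(follower.poll())
        truncate_in_place(path, REPORT_DAY3)          # same inode, smaller
        seen["rewrite_smaller"] = len(follower.poll())
        replace_by_rename(path, REPORT_DAY2)          # new inode
        seen["replace_by_rename"] = len(follower.poll())
        return seen


if __name__ == "__main__":
    print("inode check only     :", run_scenarios())
    print("plus shrink detection:", run_scenarios(reset_on_shrink=True))
```

With the inode-only follower the two in-place rewrites yield no new lines at all, while the rename-based replacement is read in full; even the shrink-aware variant still misses a same-size rewrite. That is why, when the benchmark cannot be changed, a wrapper that copies its output to a temporary file and renames it over the monitored path is the reliable fix: it hands the agent the inode change it is looking for.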
