Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2017-03-31 Thread Taylor Duncan
I know this is old, but thank you SO much for posting the resolution. I ran into the exact same issue when writing a decoder for a Windows log file. I did not realize that the OSSEC logs in archive contained an added header and it caused me a HUGE headache when writing the decoder. I tested

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-16 Thread Phillipa Moorea
I didn't know how to get the rule to match the log id. I tried doing the ^500$ for example, but it didn't work for me. This used to be my rule when I was messing around with it: ^400$|^403$|^500$|^501$|^600$ Powershell Event. I also have the problem in which opening PowerShell and running

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-16 Thread Phillipa Moorea
Oh yeah, it probably didn't work because I didn't have if_sid maybe the first time I was doing this. On Wednesday, December 16, 2015 at 4:07:21 PM UTC-6, Phillipa Moorea wrote: > > I didn't know how to get the rule to match the log id. I tried doing the > ^500$ for example, but it didn't work

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-08 Thread Daniel
So basically what you're doing is looking for INFO logs and then matching the log content and not the actual log ID? Interesting. My general rule workflow is this: If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then create alert with LEVEL=y. Types can be referenced in

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-07 Thread Santiago Bassett
Thanks Phillipa for sharing. So good to see you actually integrated it with AlienVault OSSIM too. On Wed, Dec 2, 2015 at 1:02 PM, Phillipa Moorea wrote: > Thanks for all the help from you (Santiago), from dan, some other posts on > here, github repository issues, a book

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-02 Thread Santiago Bassett
Glad it finally worked Phillipa :-) On Tue, Dec 1, 2015 at 5:28 PM, Phillipa Moorea wrote: > Yeah, I finally got the alerts working. This post helped me out a lot: >

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-02 Thread Phillipa Moorea
Thanks for all the help from you (Santiago), from dan, some other posts on here, github repository issues, a book I bought on ossec for $10, and the work of the OSSEC developers that made the 2.8.3 update, and of course the people in the AlienVault Labs! I was now able to get the alerts

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Could the problem (of not creating alerts) be caused because PowerShell events are INFORMATIONAL? Informational Event Codes generated by PowerShell: 400, 403, 500, 501, 600 On Monday, November 30, 2015 at 1:05:35 PM UTC-6, Phillipa Moorea wrote: > > Here's another example of a log file in

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
I had before restarted only OSSEC, but now I tried restarting the server, but no fixes yet. Could the issue be caused by the use of OSSEC on an AlienVault OSSIM server? On Tuesday, December 1, 2015 at 5:40:19 PM UTC-6, Phillipa Moorea wrote: > > Could the problem (of not creating alerts) be

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Santiago Bassett
I haven't had time to go through the whole email thread, but I don't think using OSSEC in AlienVault OSSIM would cause this. The only modification AlienVault does to OSSEC is the format used for alerts output (at alerts.log), so it can easily be parsed by the AlienVault plugin. Regarding your

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Thanks Santiago for the information about OSSIM. I do not have conditions for "if_sid" in the rules. I'm not sure what I would even put there since this is the first rule for PowerShell events. I currently have set the alert level on the rule to 2. I tried other values, but nothing was

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Yeah, I finally got the alerts working. This post helped me out a lot: https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ It shows exactly a log inside of the archive.log, and what you should paste into the ossec-logtest. I

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Hi Dan! Here's a log from my archives.log file 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject: Security ID:

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Also, thanks for the information about the groups On Monday, November 30, 2015 at 10:15:26 AM UTC-6, Phillipa Moorea wrote: > > Hi Dan! Here's a log from my archives.log file > > 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 > WinEvtLog: Security: AUDIT_SUCCESS(4688):

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Here's another example of a log file that I'm actually interested in: 2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started. Details:

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
If anybody knows what I am doing wrong, any help would be great. Even just a documentation link or something or a question of clarification? I have posted this issue in the AlienVault forums as well. I've been keeping both forums updated. I think a lot of people will want to monitor any

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea wrote: > If anybody knows what I am doing wrong, any help would be great. Even just > a documentation link or something or a question of clarification? I have > posted this issue in the AlienVault forums as well. I've

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still no luck. The PowerShell logs in archive.log are still multi-line logs, and I am getting the same results. On Wednesday, November 25, 2015 at 8:45:18 AM UTC-6, Phillipa Moorea wrote: > > Ok, I think I know what's going on

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
A little further, I changed the logformat from eventlog to eventchannel, and now the archive.log has taken out all of the multiple lines. I still do not have a generated alert yet even though ossec-logtest says it generates an alert and it matches my custom rule. I set the level to level 6.

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-25 Thread Phillipa Moorea
Ok, I think I know what's going on now. I do not have the latest stable release of 2.8.3. I think I might have 2.8.2 or 2.8.1 or something. I found this issue which resembled my issue because the logs have multiple lines in powershell. https://github.com/ossec/ossec-hids/issues/224 Then I

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-09 Thread Phillipa Moorea
I have restarted OSSEC using the OSSEC Agent Manager on the ossec client computer. I have also restarted the OSSEC service on the OSSEC server. I'm not sure why I can't reply to your response, so I had to reply to mine @dan(ddpbsd) Also I am using OSSEC HIDS v2.8 on the client & server. --

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-09 Thread Phillipa Moorea
I have restarted OSSEC using the OSSEC Agent Manager on the ossec client computer. I have also restarted the OSSEC service on the OSSEC server. I'm not sure why I can't reply to your response, so I had to reply to mine @dan(ddpbsd) On Friday, November 6, 2015 at 11:00:00 AM UTC-6, Phillipa