[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread alberto . rodriguez
Hello Irshad, you have configured your manager to record all events in archives.log. In this file you have all the events, and there is the event you want to see on the GUI. But an event may or may not be an alert, and if you want to see it on the GUI it must be an alert. This is the

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux
The logs are being pushed to archives.log and not ossec.log On Thursday, June 15, 2017 at 11:09:01 AM UTC+4, Irshad Rahimbux wrote: > > > Hi, > > I have done the following changes in my configuration files as follows: > > > OAlerts > eventchannel > > > Logs are being pushed to

[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux
Hi, I have done the following changes in my configuration files as follows: OAlerts eventchannel Logs are being pushed to ossec.log on server as follows: 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300):

[ossec-list] Re: OSSEC - windows event

2017-06-01 Thread Jesus Linares
Hi Irshad, sorry, I thought it was the same problem as Akash's. "I would like to be able to retrieve logs from windows machine to my OSSIM" Do you mean OSSEC, right? Review the ossec.log of your agent. Maybe the location is wrong or there are no events. I hope it helps. Regards. On Thursday,

[ossec-list] Re: OSSEC - windows event

2017-05-31 Thread Irshad Rahimbux
Anyone can provide some help? @Jesus Linares... the link you provided is not helping much. It's for another issue. On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote: > > https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo > > On Tuesday, May 30, 2017 at 4:34:46 PM

[ossec-list] Re: OSSEC - windows event

2017-05-31 Thread Jesus Linares
https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote: > > > Hi All, > > I am also facing the same problem.I am not getting alert of > creation/deletion of file from windows agent > to my manager(linux). Agent show

[ossec-list] Re: OSSEC - windows event

2017-05-30 Thread Akash Munjal
Hi All, I am also facing the same problem. I am not getting alerts of creation/deletion of files from the windows agent to my manager (linux). The agent shows connected and active; the only alerts I get from the agent (win) are agent start/restart/change in ossec.conf (agent). To monitor the D:\ drive, I have done the

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2017-03-31 Thread Taylor Duncan
I know this is old, but thank you SO much for posting the resolution. I ran into the exact same issue when writing a decoder for a Windows log file. I did not realize that the OSSEC logs in archive contained an added header and it caused me a HUGE headache when writing the decoder. I tested

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-16 Thread Phillipa Moorea
I didn't know how to get the rule to match the log id. I tried doing the ^500$ for example, but it didn't work for me. This used to be my rule when I was messing around with it: ^400$|^403$|^500$|^501$|^600$ Powershell Event. I also have the problem in which opening PowerShell and running

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-16 Thread Phillipa Moorea
Oh yeah, it probably didn't work because I didn't have if_sid maybe the first time I was doing this. On Wednesday, December 16, 2015 at 4:07:21 PM UTC-6, Phillipa Moorea wrote: > > I didn't know how to get the rule to match the log id. I tried doing the > ^500$ for example, but it didn't work

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-08 Thread Daniel
So basically what you're doing is looking for INFO logs and then matching the log content and not the actual log ID? Interesting. My general rule workflow is this: If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then create alert with LEVEL=y. Types can be referenced in

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-07 Thread Santiago Bassett
Thanks Phillipa for sharing. So good to see you actually integrated it with AlienVault OSSIM too. On Wed, Dec 2, 2015 at 1:02 PM, Phillipa Moorea wrote: > Thanks for all the help from you (Santiago), from dan, some other posts on > here, github repository issues, a book

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-02 Thread Santiago Bassett
Glad it finally worked Phillipa :-) On Tue, Dec 1, 2015 at 5:28 PM, Phillipa Moorea wrote: > Yeah, I finally got the alerts working. This post helped me out alot: >

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-02 Thread Phillipa Moorea
Thanks for all the help from you (Santiago), from dan, some other posts on here, github repository issues, a book I bought on ossec for $10, and the work of the OSSEC developers that made the 2.8.3 update, and of course the people in the AlienVault Labs! I was now able to get the alerts

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Could the problem (of not creating alerts) be caused because PowerShell events are INFORMATIONAL? Informational Event Codes generated by PowerShell: 400, 403, 500, 501, 600 On Monday, November 30, 2015 at 1:05:35 PM UTC-6, Phillipa Moorea wrote: > > Here's another example of a log file in

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
I had before restarted only OSSEC, but now I tried restarting the server, but no fixes yet. Could the issue be caused by the use of OSSEC on an AlienVault OSSIM server? On Tuesday, December 1, 2015 at 5:40:19 PM UTC-6, Phillipa Moorea wrote: > > Could the problem (of not creating alerts) be

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Santiago Bassett
I haven't had time to go through the whole email thread, but I don't think using OSSEC in AlienVault OSSIM would cause this. The only modification AlienVault does to OSSEC is the format used for alerts output (at alerts.log), so it can easily be parsed by the AlienVault plugin. Regarding your

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Thanks Santiago for the information about OSSIM. I do not have conditions for "if_sid" in the rules. I'm not sure what I would even put there since this is the first rule for PowerShell events. I currently have set the alert level on the rule to 2. I tried other values, but nothing was

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-01 Thread Phillipa Moorea
Yeah, I finally got the alerts working. This post helped me out a lot: https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ It shows exactly a log inside of the archive.log, and what you should paste into the ossec-logtest. I

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Hi Dan! Here's a log from my archives.log file 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject: Security ID:

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Also, thanks for the information about the groups On Monday, November 30, 2015 at 10:15:26 AM UTC-6, Phillipa Moorea wrote: > > Hi Dan! Here's a log from my archives.log file > > 2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 > WinEvtLog: Security: AUDIT_SUCCESS(4688):

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
Here's another example of a log file in which I'm actually interested in: 2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started. Details:
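The archives.log header that Taylor mentions, the WinEvtLog lines Phillipa pasted, and Daniel's rule workflow (Windows, then type, then event ID, then level) fit together in one small script. This is an added example written for this page, not code from the thread or from the OSSEC project. It strips the manager's archives.log prefix to recover what the agent actually sent (the part you paste into ossec-logtest), splits the WinEvtLog record into fields, and walks a constructed local_rules.xml-style rule tree the way analysisd does: a child rule carrying if_sid is tried only after its parent matched, the deepest match wins, and nothing below log_alert_level reaches alerts.log. The rule IDs, levels, sample log lines, host names and IPs are all assumptions made up for the example; the field names in the regex are this example's own, not OSSEC's decoder names.

```python
"""Added example: recover agent logs from OSSEC archives.log and evaluate an
OSSEC-style rule tree for Windows PowerShell events.  Not OSSEC's own code."""
import re
import xml.etree.ElementTree as ET

# Header the manager prepends to every archives.log line (assumed layout):
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location <log as sent by agent>"
ARCHIVE_HEADER = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+->\S+ ")

# Record as written by the Windows agent.  Group names are this example's own.
WINEVT = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<type>[A-Z_]+)\((?P<id>\d+)\): (?P<provider>[^:]+): (?P<user>[^:]+): "
    r"(?P<domain>[^:]+): (?P<host>[^:]+): (?P<message>.*)$", re.S)

# Constructed rules in local_rules.xml style; IDs and levels are assumptions.
# <status> is matched against the event type, <id> against the event ID, and
# a rule with <if_sid> is only tried once the referenced parent has matched.
RULES_XML = """
<group name="windows,local,">
  <rule id="100100" level="0">
    <category>windows</category>
    <description>Group of Windows rules (example).</description>
  </rule>
  <rule id="100103" level="0">
    <if_sid>100100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event (example).</description>
  </rule>
  <rule id="100110" level="6">
    <if_sid>100103</if_sid>
    <id>^400$|^403$|^500$|^501$|^600$</id>
    <description>PowerShell engine/command lifecycle event (example).</description>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Flatten the rule XML into dicts, keeping file order (parents first)."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": node.get("id"), "level": int(node.get("level")),
            "if_sid": (node.findtext("if_sid") or "").strip() or None,
            "category": (node.findtext("category") or "").strip() or None,
            "status": node.findtext("status"), "event_id": node.findtext("id"),
            "description": node.findtext("description")})
    return rules


def strip_archive_header(line):
    """Return what the agent sent; this, not the archives.log line, is what
    you feed to ossec-logtest."""
    m = ARCHIVE_HEADER.match(line)
    return line[m.end():] if m else line


def decode_winevt(log):
    """Split a WinEvtLog record into fields; None if it is not one."""
    m = WINEVT.match(log)
    if not m:
        return None
    fields = m.groupdict()
    fields["category"] = "windows"  # the category root rules key on
    return fields


def evaluate(event, rules):
    """Root rules gate on category, children on if_sid; then <status> and
    <id> must both match.  The deepest matching rule wins."""
    matched_ids, winner = set(), None
    for rule in rules:
        ok = (rule["category"] == event["category"] if rule["if_sid"] is None
              else rule["if_sid"] in matched_ids)
        if ok and rule["status"]:
            ok = re.search(rule["status"], event["type"]) is not None
        if ok and rule["event_id"]:
            ok = re.search(rule["event_id"], event["id"]) is not None
        if ok:
            matched_ids.add(rule["id"])
            winner = rule
    return winner


def alert_for(archive_line, rules, log_alert_level=1):
    """What reaches alerts.log: a level-0 winner (e.g. a plain INFORMATION
    event with no child rule raising the level) produces no alert at all."""
    event = decode_winevt(strip_archive_header(archive_line))
    if event is None:
        return None
    rule = evaluate(event, rules)
    if rule is None or rule["level"] < log_alert_level:
        return None
    return {"rule": rule["id"], "level": rule["level"],
            "event_id": event["id"], "description": rule["description"]}


# Constructed archives.log lines, modelled on the ones posted in the thread.
SAMPLE_ARCHIVE_LINES = [
    "2015 Nov 30 13:02:39 (HOSTNAME) 10.0.0.5->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: "
    "Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: "
    "host.example.local: Command \"Get-Host\" is Started. Details: ...",
    "2015 Nov 30 13:02:40 (HOSTNAME) 10.0.0.5->WinEvtLog 2015 Nov 30 13:02:40 WinEvtLog: "
    "Windows PowerShell: INFORMATION(600): PowerShell: (no user): no domain: "
    "host.example.local: Provider \"Registry\" is Started.",
    "2015 Nov 30 13:02:41 (HOSTNAME) 10.0.0.5->WinEvtLog 2015 Nov 30 13:02:41 WinEvtLog: "
    "Application: INFORMATION(1000): SomeApp: (no user): no domain: "
    "host.example.local: Service started.",
    "2015 Nov 30 10:07:57 (HOSTNAME) 10.0.0.5->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: "
    "Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): "
    "no domain: host.example.local: A new process has been created.",
]


def find_alerts(lines=SAMPLE_ARCHIVE_LINES, xml_text=RULES_XML):
    rules = load_rules(xml_text)
    return [a for a in (alert_for(line, rules) for line in lines) if a]


if __name__ == "__main__":
    for a in find_alerts():
        print(f"** Alert rule {a['rule']} (level {a['level']}) event "
              f"{a['event_id']}: {a['description']}")
```

Run against the four constructed lines, only the two PowerShell events (500 and 600) come out as alerts; the Application INFORMATION(1000) event stops at the level-0 informational rule and the AUDIT_SUCCESS(4688) event stops at the level-0 root, which is exactly the "ossec-logtest matches my rule but alerts.log stays empty" symptom when the matched rule's level is 0 or below log_alert_level.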

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread Phillipa Moorea
If anybody knows what I am doing wrong, any help would be great. Even just a documentation link or something or a question of clarification? I have posted this issue in the AlienVault forums as well. I've been keeping both forums updated. I think a lot of people will want to monitor any

Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-30 Thread dan (ddp)
On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea wrote: > If anybody knows what I am doing wrong, any help would be great. Even just > a documentation link or something or a question of clarification? I have > posted this issue in the AlienVault forums as well. I've

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still no luck. The PowerShell logs in archive.log are still multi-line logs, and I am getting the same results. On Wednesday, November 25, 2015 at 8:45:18 AM UTC-6, Phillipa Moorea wrote: > > Ok, I think I know what's going on

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-27 Thread Phillipa Moorea
A little further, I changed the logformat from eventlog to eventchannel, and now the archive.log has taken out all of the multiple lines. I still do not have a generated alert yet even though ossec-logtest says it generates an alert and it matches my custom rule. I set the level to level 6.

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-25 Thread Phillipa Moorea
Ok, I think I know what's going on now. I do not have the latest stable release of 2.8.3. I think I might have 2.8.2 or 2.8.1 or something. I found this issue which resembled my issue because the logs have multiple lines in powershell. https://github.com/ossec/ossec-hids/issues/224 Then I

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-09 Thread Phillipa Moorea
I have restarted OSSEC using the OSSEC Agent Manager on the ossec client computer. I have also restarted the OSSEC service on the OSSEC server. I'm not sure why I can't reply to your response, so I had to reply to mine @dan(ddpbsd) Also I am using OSSEC HIDS v2.8 on the client & server. --

[ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-11-09 Thread Phillipa Moorea
I have restarted OSSEC using the OSSEC Agent Manager on the ossec client computer. I have also restarted the OSSEC service on the OSSEC server. I'm not sure why I can't reply to your response, so I had to reply to mine @dan(ddpbsd) On Friday, November 6, 2015 at 11:00:00 AM UTC-6, Phillipa