I've tried removing the shared agent.conf, and updated the Windows
ossec.conf and restarted the agent and server. I don't think the shared
agent configuration was or is working but I wanted to focus on just
getting the filtering to work on a Windows 2008 agent by updating the
ossec.conf on the client first. I can get none of the security events
if the security location is removed on the client, or all of the
security events if it is present. The query filter doesn't seem to make
any difference. Is this working for anyone else?
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4624]</query>
</localfile>
Thanks,
-- Ralph
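Two checks for the situation in this post, as an added PowerShell example that is not from the thread or from the OSSEC project: it lists every Security localfile entry in the agent's ossec.conf (a leftover query-less eventlog entry keeps every Security event flowing) and runs each query string through Get-WinEvent, which uses the same Windows event log XPath engine OSSEC hands the string to. The config path follows the location Santiago mentions and the workstation name is a placeholder; run it from an elevated PowerShell on the agent.

```powershell
# Added example (not from the thread or the OSSEC project).
# Written for PowerShell 2.0 so it also runs on Windows 2008.
# Assumption: agent installed where Santiago says; adjust if needed.
$OssecConf = 'C:\Program Files\ossec-agent\ossec.conf'

function Get-LocalfileEntries {
    param([string]$Path)
    # Pair each <location> with the <log_format> that follows it.
    $text = (Get-Content -Path $Path) -join "`n"
    [regex]::Matches($text, '<location>(.*?)</location>\s*<log_format>(.*?)</log_format>') |
        ForEach-Object {
            New-Object PSObject -Property @{ Location = $_.Groups[1].Value; Format = $_.Groups[2].Value }
        }
}

function Test-OssecQuery {
    param([string]$LogName, [string]$Query)
    # LogName is the <location> value, Query the <query> value.
    try {
        $hits = @(Get-WinEvent -LogName $LogName -FilterXPath $Query -MaxEvents 5 -ErrorAction Stop)
        "{0}`n    -> {1} event(s) matched (capped at 5)" -f $Query, $hits.Count
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            "{0}`n    -> parsed, but matched 0 events" -f $Query
        } else {
            "{0}`n    -> rejected: {1}" -f $Query, $_.Exception.Message
        }
    }
}

# 1. Any duplicate Security entries (eventlog next to eventchannel) show up here.
Get-LocalfileEntries -Path $OssecConf | Where-Object { $_.Location -eq 'Security' } | Format-Table -AutoSize

# 2a. The filter used throughout the thread.
Test-OssecQuery -LogName 'Security' -Query 'Event/System[EventID=4624]'
# 2b. Swati's variant: the log name belongs in <location>, not in the XPath;
#     <Event> has no <Security> child, so nothing is selected.
Test-OssecQuery -LogName 'Security' -Query 'Event/Security[EventID=4624]'
# 2c. Ralph's goal: narrow 4624 on EventData fields. Logon type 10 is
#     RemoteInteractive (RDP); WS01 is a placeholder workstation name.
Test-OssecQuery -LogName 'Security' -Query "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10' and Data[@Name='WorkstationName']='WS01']]"
```

A query that reads "rejected" here will not work inside ossec.conf either, while a query that parses but matches 0 events means the filter is wrong for the log you pointed it at.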
On 08/24/2015 06:56 PM, Ralph Durkee wrote:
> I removed the Security <localfile> from client, and now am receiving
> no security events, instead of all security events, so that's a small
> step forward. I am seeing in the ossec.log file the following error
>
> 2015/08/24 18:19:20 ossec-remoted(1405): ERROR: Message size not
> valid: ''.
> 2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating
> encrypted message.
> 2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating
> encrypted message.
> 2015/08/24 18:19:20 ossec-remoted: ERROR: Unable to send file
> 'merged.mg' to agent.
>
> So I'm thinking that the server is unable to send the shared config
> back to the agent. Events from the agent are being received fine.
> Server platform is Ubuntu Server 14.04 and Windows 2008 on the agent
> side. I've removed the shared/agent.conf, and the message continues,
> so the problem isn't limited to the shared agent, but I would expect
> the lack of communication from the server to the agents would prevent
> the shared conf from working. I did a make clean and re-installed,
> thinking a mismatch in openssl libraries might cause the problem, but
> no luck. Is there a debug option or a verbose logging option to get
> more details on the issue?
>
>
> Compile options include: -DUSE_OPENSSL -DUSEINOTIFY
>
> Thanks for the help!
>
> -- Ralph Durkee
>
>
> On 08/18/2015 03:20 PM, Santiago Bassett wrote:
>> I guess you want to remove these sections from the ossec.conf file in
>> the agent. Those are used to get all application, security and system
>> events.
>>
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:
>>
>> The shared agent is as previously shared, copied below for reference:
>>
>> <agent_config>
>> <!-- Generic Agent configurations. -->
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=4624]</query>
>> </localfile>
>>
>> </agent_config>
>>
>> The Windows OSSEC config after the comments starts with the following (middle
>> portion removed, and has no localfile entries):
>>
>>
>> <ossec_config>
>>
>> <!-- One entry for each file/Event log to monitor. -->
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>>
>> <!-- Rootcheck - Policy monitor config -->
>> . . . SNIP . . .
>>
>>
>> </ossec_config>
>>
>>
>> <!-- END of Default Configuration. -->
>>
>>
>> <ossec_config>
>> <client>
>> <server-hostname>xxx-ossec-srv1</server-hostname>
>> </client>
>> </ossec_config>
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>> Could you share your ossec.conf settings (from the agent) and
>>> also the shared/agent.conf ones. Those are probably located in
>>> C:\Program Files/ossec-agent
>>>
>>> I am guessing, but I think you probably are reading all Security
>>> events in some other place of the configuration (look for the
>>> different locations).
>>>
>>> Regards
>>>
>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>>>
>>> Tried stopping and starting the agent service on the windows
>>> system. Still getting other security events from that system
>>> such as 4672 and 4634 in addition to the 4624. Any other
>>> suggestions?
>>>
>>> -- Ralph Durkee
>>>
>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>> I've restarted ossec on the server several times. Are you
>>>> referring to the Windows agent?
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>> Try restarting it manually and see if that works.
>>>>>
>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>>>>
>>>>> I'm trying to filter Windows events based on strings
>>>>> such as the login type and workstation name, but as a
>>>>> starting point I tried the configuration below to
>>>>> filter on EventID 4624. The
>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>
>>>>> <agent_config>
>>>>> <!-- Generic Agent configurations. -->
>>>>>
>>>>> <localfile>
>>>>> <location>Security</location>
>>>>> <log_format>eventchannel</log_format>
>>>>> <query>Event/System[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>> </agent_config>
>>>>>
>>>>> However I continue receiving all security events
>>>>> including Security EventID 4624 and others.
>>>>> I restarted the Windows system agent via agent_control
>>>>> -R and also restarted the OSSEC manager.
>>>>> I don't have any errors in ossec.log with regard to
>>>>> the shared/agent.conf file.
>>>>>
>>>>> Any suggestions on getting this working?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>> Hi,
>>>>>>
>>>>>> try using this configuration:
>>>>>>
>>>>>> <localfile>
>>>>>> <location>Security</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/System[EventID=4624]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have installed the new version of OSSEC v2.8.2.
>>>>>> I have a windows ossec client. I would like to
>>>>>> filter Windows event logs
>>>>>> (Applications/Security/System/Application and
>>>>>> Services Log) based on the event ids at ossec
>>>>>> client (in order to reduce the logs forwarded to
>>>>>> OSSEC manager).
>>>>>>
>>>>>> I have amended the client ossec.conf with the
>>>>>> example from the OSSEC documentation.
>>>>>>
>>>>>> <localfile>
>>>>>> <location>System</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/System[EventID=7001]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> This WORKS.
>>>>>>
>>>>>> <localfile>
>>>>>> <location>Security</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/Security[EventID=4624]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> THIS DOESN'T WORK. If I remove the query field it does work, but then
>>>>>> it forwards all the logs coming out from the Windows Security event
>>>>>> log. I am getting a similar issue when I try to filter based on
>>>>>> "Applications and Services Logs".
>>>>>>
>>>>>>
>>>>>> If I try to give the whole path name in the location, the OSSEC client
>>>>>> does not start and I get an error "Could not create bookmark".
>>>>>>
>>>>>> Am I doing something wrong here? Please advise.
>>>>>>
>>>>>> Kind Regards
>>>>>> Swati
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are
>>>>>> subscribed to the Google Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving
>>>>>> emails from it, send an email to
>>>>>> [email protected]
>>>>>> <mailto:[email protected]>.
>>>>>> For more options, visit
>>>>>> https://groups.google.com/d/optout.