I am struggling to see the logon events (event ID 4624). I can see 4648, which is Account Login with Explicit Credentials. Any idea???
The other thing I noticed, because of filtering at the OSSEC client, is that the OSSEC manager receives OSSEC events from the client after 5-6 minutes. The events received from the client are not consistent. I can see some events but I can't see others, even though they are in my conf file. Has anybody had any performance issue or noticed this behaviour?

Kind Regards
Swati

On Tuesday, 25 August 2015 16:43:19 UTC+1, Ralph Durkee wrote:
>
> I've tried removing the shared agent.conf, and updated the Windows ossec.conf and restarted the agent and server. I don't think the shared agent configuration was or is working, but I wanted to focus on just getting the filtering to work on a Windows 2008 agent by updating the ossec.conf on the client first. I can get none of the security events if the Security location is removed on the client, or all of the security events if it is present. The query filter doesn't seem to make any difference. Is this working for anyone else?
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=4624]</query>
> </localfile>
>
> Thanks,
> -- Ralph
>
> On 08/24/2015 06:56 PM, Ralph Durkee wrote:
>
> I removed the Security <localfile> from the client, and now am receiving no security events instead of all security events, so that's a small step forward. I am seeing in the ossec.log file the following error:
>
> 2015/08/24 18:19:20 ossec-remoted(1405): ERROR: Message size not valid: ''.
> 2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
> 2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
> 2015/08/24 18:19:20 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>
> So I'm thinking that the server is unable to send the shared config back to the agent. Events from the agent are being received fine. Server platform is Ubuntu Server 14.04 and Windows 2008 on the agent side.
> I've removed the shared/agent.conf, and the message continues, so the problem isn't limited to the shared agent, but I would expect the lack of communication from the server to the agents would prevent the shared conf from working. I did a make clean and re-installed, thinking a mismatch in OpenSSL libraries might cause the problem, but no luck. Is there a debug option or a verbose logging option to get more details on the issue?
>
> Compile options include: -DUSE_OPENSSL -DUSEINOTIFY
>
> Thanks for the help!
>
> -- Ralph Durkee
>
> On 08/18/2015 03:20 PM, Santiago Bassett wrote:
>
> I guess you want to remove these sections from the ossec.conf file in the agent. Those are used to get all application, security and system events.
>
> <localfile>
> <location>Application</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>Security</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>System</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:
>
>> The shared agent is as previously shared, copied below for reference:
>>
>> <agent_config>
>> <!-- Generic Agent configurations. -->
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=4624]</query>
>> </localfile>
>>
>> </agent_config>
>>
>> The Windows OSSEC after the comments starts with (middle portion removed, and has no localfile entries):
>>
>> <ossec_config>
>>
>> <!-- One entry for each file/Event log to monitor. -->
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <!-- Rootcheck - Policy monitor config -->
>> . . . SNIP . . .
>>
>> </ossec_config>
>>
>> <!-- END of Default Configuration. -->
>>
>> <ossec_config>
>> <client>
>> <server-hostname>xxx-ossec-srv1</server-hostname>
>> </client>
>> </ossec_config>
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>
>> Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones? Those are probably located in C:\Program Files/ossec-agent.
>>
>> I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).
>>
>> Regards
>>
>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>>
>>> Tried stopping and starting the agent service on the Windows system. Still getting other security events from that system such as 4672 and 4634 in addition to the 4624. Any other suggestions?
>>>
>>> -- Ralph Durkee
>>>
>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>
>>> I've restarted ossec on the server several times. Are you referring to the Windows agent?
>>>
>>> -- Ralph Durkee
>>>
>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>
>>> Try restarting it manually and see if that works.
>>>
>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>>
>>>> I'm trying to filter Windows events based on strings such as the login type and workstation name, but as a starting point I tried the configuration below to filter on EventID 4624.
>>>> The /var/ossec/etc/shared/agent.conf file contains:
>>>>
>>>> <agent_config>
>>>> <!-- Generic Agent configurations. -->
>>>>
>>>> <localfile>
>>>> <location>Security</location>
>>>> <log_format>eventchannel</log_format>
>>>> <query>Event/System[EventID=4624]</query>
>>>> </localfile>
>>>>
>>>> </agent_config>
>>>>
>>>> However, I continue receiving all security events, including Security EventID 4624 and others.
>>>> I restarted the Windows system agent via agent_control -R and also restarted the OSSEC manager.
>>>> I don't have any errors in ossec.log with regard to the shared/agent.conf file.
>>>>
>>>> Any suggestions on getting this working?
>>>>
>>>> Thanks,
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>
>>>> Hi,
>>>>
>>>> try using this configuration:
>>>>
>>>> <localfile>
>>>> <location>Security</location>
>>>> <log_format>eventchannel</log_format>
>>>> <query>Event/System[EventID=4624]</query>
>>>> </localfile>
>>>>
>>>> Best regards
>>>>
>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows OSSEC client. I would like to filter Windows event logs (Applications/Security/System/Application and Services Log) based on the event IDs at the OSSEC client (in order to reduce the logs forwarded to the OSSEC manager).
>>>>>
>>>>> I have amended the client ossec.conf with the example from the OSSEC documentation.
>>>>>
>>>>> <localfile>
>>>>> <location>System</location>
>>>>> <log_format>eventchannel</log_format>
>>>>> <query>Event/System[EventID=7001]</query>
>>>>> </localfile>
>>>>>
>>>>> * This WORKS *
>>>>>
>>>>> <localfile>
>>>>> <location>Security</location>
>>>>> <log_format>eventchannel</log_format>
>>>>> <query>Event/Security[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>> * THIS DOESN'T WORK *
>>>>> If I remove the query field it does work, but then it forwards all the logs coming out from the Windows Security event log. I am getting a similar issue when I try to filter based on "Applications and Services Logs". If I try to give the whole path name in the location, the OSSEC client does not start and I get an error "Could not create bookmark".
>>>>>
>>>>> Am I doing something wrong here? Please advise.
>>>>>
>>>>> Kind Regards
>>>>> Swati
>>>>>
>>>>> --
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
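The two <query> strings in this thread differ in where the EventID predicate points: an OSSEC eventchannel <query> is an XPath expression over the event's XML record, and in that record EventID is a child of <System>, so Event/System[EventID=4624] can match while Event/Security[EventID=4624] never can (<Event> has no <Security> child; "Security" is the channel, which goes in <location>). The following is an added example, not code from the thread or from OSSEC: a small Python evaluator for the Event/<section>[<field>=<value>] query form, run against a constructed 4624 record, so a filter can be sanity-checked before it goes into ossec.conf.

```python
import re
import xml.etree.ElementTree as ET

# Constructed record shaped like a Windows Security 4624 event (trimmed);
# not captured from a real host.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>"""

# The subset of XPath used in the thread: Event/<section>[<field>=<value>],
# where the value is a bare number or a single-quoted string.
_QUERY_RE = re.compile(r"^Event/(\w+)\[(\w+)=(?:(\d+)|'([^']*)')\]$")


def parse_query(query):
    """Split an OSSEC <query> string into (section, field, expected value)."""
    m = _QUERY_RE.match(query.strip())
    if m is None:
        raise ValueError(f"unsupported query form: {query!r}")
    section, field, number, text = m.groups()
    return section, field, number if number is not None else text


def _local(tag):
    """Drop the {namespace} prefix ElementTree attaches to Windows event tags."""
    return tag.rsplit("}", 1)[-1]


def query_matches(query, event_xml):
    """True if the <query> would select this event record."""
    section, field, expected = parse_query(query)
    root = ET.fromstring(event_xml)
    if _local(root.tag) != "Event":
        return False
    # The predicate applies to a direct child of <Event> named <section>. <Event>
    # has <System> and <EventData> children but no <Security> child, so
    # Event/Security[EventID=4624] can never match; Event/System[EventID=4624] can.
    for child in root:
        if _local(child.tag) != section:
            continue
        for field_el in child:
            if _local(field_el.tag) == field and (field_el.text or "").strip() == expected:
                return True
    return False
```

On the agent host itself the same filter can be tried with PowerShell's Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' before it goes into the <query> element.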
