Hi Santiago and others,

Interesting thread (even if dated). I did something similar today and got 
an OSSEC agent to forward Windows Server Events according to below to the 
OSSEC server. I have some experience writing decoders for syslog events (but 
limited, as you can see in this forum :)). How would I go about writing 
rules on the OSSEC server to handle the forwarded events? 

- Say I would like to group all Level 1 events and send them in a daily 
email?
- How would I add multiple EventIDs to the below query? Is there an OSSEC 
"and" operand? Could you please provide an example?

ossec.conf

<ossec_config>

  <!-- One entry for each file/Event log to monitor. 
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

-->

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4740]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[Level=2]</query>
  </localfile>

The query for Level=2 generates alert below on OSSEC server when a test 
event was created using command below.

eventcreate /t error /id 100 /l system /d "Create event in application log" 

alerts.log
2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: 
win-testdc.contoso.com: (no message)


Best regards,
Fredrik 
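One way to address both questions above (several EventIDs in one eventchannel query, and a daily digest instead of one mail per event), as an added example that is not from this thread or from the OSSEC project itself: the agent query uses the XPath "or" operator, and the manager side adds a local rule plus a <reports> block. The rule id 100100, the group name windows_error, the parent rule 18100, the CRITICAL/ERROR status strings and the mail address are assumptions to check against your own rule set and decoder output.

```xml
<!-- Agent side (ossec.conf on the Windows host): one eventchannel entry
     can select several event IDs or levels with the XPath "or" operator.
     In the Windows Event Log schema Level 1 = Critical, Level 2 = Error. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4740 or EventID=4625 or EventID=4720]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[Level=1 or Level=2]</query>
  </localfile>
</ossec_config>

<!-- Manager side, rules/local_rules.xml: 100100 is an assumed free id in
     the local range. It hangs off 18100 (assumed to be the parent of the
     stock Windows rules) and matches the status the windows decoder pulls
     out of a "WinEvtLog: System: ERROR(100): ..." line like the alert
     above; CRITICAL is assumed to be the status string for Level 1. -->
<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <status>^CRITICAL|^ERROR</status>
    <description>Windows critical/error event forwarded via eventchannel.</description>
    <group>windows_error,</group>
  </rule>
</group>

<!-- Manager side (ossec.conf): a <reports> block collects every alert
     tagged with the group above into one digest mailed once a day,
     instead of an e-mail per event. Address and title are placeholders. -->
<ossec_config>
  <reports>
    <group>windows_error</group>
    <title>Daily Windows critical/error events</title>
    <email_to>soc@example.com</email_to>
  </reports>
</ossec_config>
```

Restart the manager after editing local_rules.xml and ossec.conf; the report is generated at the daily rotation, so the first digest arrives the following day.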

On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>
> I guess you want to remove these sections from the ossec.conf file in the 
> agent. Those are used to get all application, security and system events.
>
>   <localfile> 
>     <location>Application</location> 
>     <log_format>eventlog</log_format> 
>   </localfile> 
>  
>   <localfile> 
>     <location>Security</location> 
>     <log_format>eventlog</log_format> 
>   </localfile> 
>  
>   <localfile> 
>     <location>System</location> 
>     <log_format>eventlog</log_format> 
>   </localfile> 
>
> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:
>
>> The shared agent is as previously shared, copied below for reference:
>>
>> <agent_config>
>>     <!-- Generic Agent configurations. -->
>>
>>     <localfile>
>>       <location>Security</location>
>>       <log_format>eventchannel</log_format>
>>       <query>Event/System[EventID=4624]</query>
>>     </localfile>
>>
>> </agent_config>
>>
>> The Windows OSSEC configuration after the comments starts with the following 
>> (middle portion removed; it has no localfile entries):
>>
>>  
>> <ossec_config> 
>>  
>>   <!-- One entry for each file/Event log to monitor. --> 
>>   <localfile> 
>>     <location>Application</location> 
>>     <log_format>eventlog</log_format> 
>>   </localfile> 
>>  
>>   <localfile> 
>>     <location>Security</location> 
>>     <log_format>eventlog</log_format> 
>>   </localfile> 
>>  
>>   <localfile> 
>>     <location>System</location> 
>>     <log_format>eventlog</log_format> 
>>   </localfile> 
>>  
>>  
>>   <!-- Rootcheck - Policy monitor config -->
>> . . . SNIP . . .
>>
>>  
>> </ossec_config> 
>>  
>>  
>> <!-- END of Default Configuration. --> 
>>  
>>  
>>  <ossec_config> 
>>    <client> 
>>       <server-hostname>xxx-ossec-srv1</server-hostname> 
>>    </client> 
>>  </ossec_config>
>>
>> -- Ralph Durkee
>>
>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>
>> Could you share your ossec.conf settings (from the agent) and also the 
>> shared/agent.conf ones. Those are probably located in C:\Program 
>> Files/ossec-agent 
>>
>> I am guessing, but I think you probably are reading all Security events 
>> in some other place of the configuration (look for the different locations).
>>
>> Regards
>>
>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>>
>>> Tried stopping and starting the agent service on the windows system. 
>>> Still getting other security events from that system such as 4672 and 4634 
>>> in addition to the 4624.  Any other suggestions? 
>>>
>>> -- Ralph Durkee
>>>
>>>
>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>
>>> I've restarted ossec on the server several times.  Are you referring to 
>>> the Windows agent? 
>>>
>>> -- Ralph Durkee
>>>
>>>
>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>
>>> Try restarting it manually and see if that works.
>>>
>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>>
>>>> I'm trying to filter Windows events based on strings such as the login 
>>>> type and workstation name, but as a starting point I tried the 
>>>> configuration below to filter on EventID 4624. The 
>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>
>>>> <agent_config>
>>>>     <!-- Generic Agent configurations. -->
>>>>
>>>>     <localfile>
>>>>       <location>Security</location>
>>>>       <log_format>eventchannel</log_format>
>>>>       <query>Event/System[EventID=4624]</query>
>>>>     </localfile>
>>>>
>>>> </agent_config>
>>>>
>>>> However I continue receiving all security events including Security 
>>>> EventID 4624 and others.
>>>> I restarted the Windows system agent via agent_control -R and also 
>>>> restarted the OSSEC manager.
>>>> I don't have any errors in ossec.log with regard to the 
>>>> shared/agent.conf file. 
>>>>
>>>> Any suggestions on getting this working? 
>>>>
>>>> Thanks,
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>
>>>> Hi, 
>>>>
>>>> try using this configuration:
>>>>
>>>> <localfile>
>>>>     <location>Security</location>
>>>>     <log_format>eventchannel</log_format>
>>>>     <query>Event/System[EventID=4624]</query>
>>>> </localfile> 
>>>>
>>>> Best regards
>>>>
>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have installed the new version of OSSEC v2.8.2. I have a windows 
>>>>> ossec client. I would like to filter Windows event logs 
>>>>> (Applications/Security/System/Application and Services Log) based on the 
>>>>> event ids at ossec client (in order to reduce the logs forwarded to OSSEC 
>>>>> manager).
>>>>>
>>>>> I have amended the client ossec.conf with the example from the OSSEC 
>>>>> documentation. 
>>>>>
>>>>> <localfile>
>>>>>     <location>System</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>     <query>Event/System[EventID=7001]</query>
>>>>> </localfile>
>>>>> 
>>>>> This WORKS.
>>>>> 
>>>>> <localfile>
>>>>>     <location>Security</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>     <query>Event/Security[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>>
>>>>> THIS DOESN'T WORK. If I remove the query field it does work, but 
>>>>> then it forwards all the logs coming out of the Windows Security event log. 
>>>>> I am getting a similar issue when I try to filter based on "Applications and 
>>>>> Services Logs". If I try to give the whole path name in the 
>>>>> location, the ossec client does not start and I get an error "Could not 
>>>>> create bookmark".
>>>>>
>>>>> Am I doing something wrong here? Please advise.
>>>>>
>>>>> Kind Regards
>>>>> Swati
>>>>> -- 
>>>>>
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>
>>
