Hi Fredrik, according to the documentation you can use the Microsoft event schema <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>. If you want to add multiple event IDs:

<!-- A single event carries exactly one EventID, so alternatives must be joined with "or"; "and" between two different IDs can never match. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=5140 or EventID=5144]</query>
</localfile>
Also, I think you can use other operators in the query (=, !=, <, >), so it could be useful for you to define an interval:

<query>Event/System[EventID>xxxx and EventID<yyyy]</query>

I've never used the "Level" query. Is it not working?

Regards.

On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>
> Hi Santiago and others,
>
> Interesting thread (even if dated). I did something similar today and got
> an OSSEC agent to forward Windows Server Events according to below to the
> OSSEC server. I have some experience writing decoders for syslog events (but
> limited, as you can see in this forum :)). How would I go about writing
> rules on the OSSEC server to handle the forwarded events?
>
> - Say I would like to group all Level 1 events and send them in a daily
> email?
> - How would I add multiple eventIDs to the below query? OSSEC "and"
> operand? Could you please provide an example?
>
> ossec.conf
>
> <ossec_config>
>
> <!-- One entry for each file/Event log to monitor.
> <localfile>
> <location>Application</location>
> <log_format>eventchannel</log_format>
> </localfile>
>
> -->
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=4740]</query>
> </localfile>
>
> <localfile>
> <location>System</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[Level=2]</query>
> </localfile>
>
> The query for Level=2 generates the alert below on the OSSEC server when a test
> event was created using the command below.
>
> eventcreate /t error /id 100 /l system /d "Create event in application log"
>
> alerts.log
> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)
>
> Best regards,
> Fredrik
>
> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>
>> I guess you want to remove these sections from the ossec.conf file in the
>> agent.
>> Those are used to get all application, security and system events.
>>
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <ossec...@rd1.net> wrote:
>>
>>> The shared agent config is as previously shared, copied below for reference:
>>>
>>> <agent_config>
>>> <!-- Generic Agent configurations. -->
>>>
>>> <localfile>
>>> <location>Security</location>
>>> <log_format>eventchannel</log_format>
>>> <query>Event/System[EventID=4624]</query>
>>> </localfile>
>>>
>>> </agent_config>
>>>
>>> The Windows OSSEC config, after the comments, starts with the following (middle portion
>>> removed, and it has no localfile entries):
>>>
>>> <ossec_config>
>>>
>>> <!-- One entry for each file/Event log to monitor. -->
>>> <localfile>
>>> <location>Application</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> <localfile>
>>> <location>Security</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> <localfile>
>>> <location>System</location>
>>> <log_format>eventlog</log_format>
>>> </localfile>
>>>
>>> <!-- Rootcheck - Policy monitor config -->
>>> . . . SNIP . . .
>>>
>>> </ossec_config>
>>>
>>> <!-- END of Default Configuration. -->
>>>
>>> <ossec_config>
>>> <client>
>>> <server-hostname>xxx-ossec-srv1</server-hostname>
>>> </client>
>>> </ossec_config>
>>>
>>> -- Ralph Durkee
>>>
>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>
>>> Could you share your ossec.conf settings (from the agent) and also the
>>> shared/agent.conf ones.
>>> Those are probably located in C:\Program Files/ossec-agent
>>>
>>> I am guessing, but I think you probably are reading all Security events
>>> in some other place of the configuration (look for the different locations).
>>>
>>> Regards
>>>
>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>
>>>> Tried stopping and starting the agent service on the Windows system.
>>>> Still getting other security events from that system, such as 4672 and 4634,
>>>> in addition to the 4624. Any other suggestions?
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>
>>>> I've restarted ossec on the server several times. Are you referring to
>>>> the Windows agent?
>>>>
>>>> -- Ralph Durkee
>>>>
>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>
>>>> Try restarting it manually and see if that works.
>>>>
>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <ossec...@rd1.net> wrote:
>>>>
>>>>> I'm trying to filter Windows events based on strings such as the login
>>>>> type and workstation name, but as a starting point I tried the
>>>>> configuration below to filter on EventID 4624. The
>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>
>>>>> <agent_config>
>>>>> <!-- Generic Agent configurations. -->
>>>>>
>>>>> <localfile>
>>>>> <location>Security</location>
>>>>> <log_format>eventchannel</log_format>
>>>>> <query>Event/System[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>> </agent_config>
>>>>>
>>>>> However, I continue receiving all security events, including Security
>>>>> EventID 4624 and others.
>>>>> I restarted the Windows system agent via agent_control -R and also
>>>>> restarted the OSSEC manager.
>>>>> I don't have any errors in ossec.log with regard to the
>>>>> shared/agent.conf file.
>>>>>
>>>>> Any suggestions on getting this working?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> try using this configuration:
>>>>>
>>>>> <localfile>
>>>>> <location>Security</location>
>>>>> <log_format>eventchannel</log_format>
>>>>> <query>Event/System[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>> Best regards
>>>>>
>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <swat...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows
>>>>>> OSSEC client. I would like to filter Windows event logs
>>>>>> (Applications/Security/System/Application and Services Log) based on the
>>>>>> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
>>>>>> OSSEC manager).
>>>>>>
>>>>>> I have amended the client ossec.conf with the example from the OSSEC
>>>>>> documentation.
>>>>>>
>>>>>> <localfile>
>>>>>> <location>System</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/System[EventID=7001]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> * This WORKS *
>>>>>>
>>>>>> <localfile>
>>>>>> <location>Security</location>
>>>>>> <log_format>eventchannel</log_format>
>>>>>> <query>Event/Security[EventID=4624]</query>
>>>>>> </localfile>
>>>>>>
>>>>>> * THIS DOESN'T WORK. * If I remove the query field it does work, but
>>>>>> then it forwards all the logs coming out of the Windows Security event
>>>>>> log. I am getting a similar issue when I try to filter based on "Applications and
>>>>>> Services Logs". If I try to give the whole path name in the
>>>>>> location, the OSSEC client does not start and I get an error "Could not
>>>>>> create bookmark".
>>>>>>
>>>>>> Am I doing something wrong here? Please advise.
>>>>>>
>>>>>> Kind Regards
>>>>>> Swati
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
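Added example, not code from anyone in this thread nor from the rules shipped with OSSEC: the agent-side eventchannel filter with several EventIDs, plus the manager-side pieces Fredrik asked about (a local rule that matches the forwarded events by their decoded id/status, and a <reports> block that mails a daily summary of one alert group). Assumptions I made: the rule IDs 100100/100101, the group names windows_share/windows_error and the address secops@contoso.com are placeholders; the rules hang off 18100 (the Windows base rule hit by the stock "windows" decoder, which produces the "ERROR(100)" form seen in Fredrik's alerts.log line); and Level 1 events are assumed to be labelled CRITICAL by the eventchannel reader in the same way Level 2 is labelled ERROR above.

```xml
<!-- 1. Agent side: ossec.conf on the Windows host (or shared/agent.conf on the manager). -->
<ossec_config>
  <!-- Security channel: forward only share access (5140) and share deletion (5144). -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- each event has exactly one EventID, so alternatives are joined with "or" -->
    <query>Event/System[EventID=5140 or EventID=5144]</query>
  </localfile>

  <!-- System channel: forward only Critical (1) and Error (2) events. -->
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[Level=1 or Level=2]</query>
  </localfile>
</ossec_config>

<!-- 2. Manager side: /var/ossec/rules/local_rules.xml.
     Forwarded events are decoded into the fields seen in the alert line
     "WinEvtLog: System: ERROR(100): ..." (status = ERROR, id = 100) and first
     match rule 18100, so the local rules chain off it with <if_sid>. -->
<group name="local,windows,">
  <!-- placeholder rule IDs; 100000+ is the range reserved for local rules -->
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <id>^5140$|^5144$</id>
    <description>Windows: network share object accessed (5140) or deleted (5144).</description>
    <group>windows_share,</group>
  </rule>

  <!-- CRITICAL for Level 1 is an assumption; ERROR for Level 2 is shown in the thread. -->
  <rule id="100101" level="5">
    <if_sid>18100</if_sid>
    <status>^CRITICAL$|^ERROR$</status>
    <description>Windows Critical/Error event forwarded via eventchannel.</description>
    <group>windows_error,</group>
  </rule>
</group>

<!-- 3. Manager side: ossec.conf. ossec-reportd runs once a day and mails every
     alert tagged with the windows_error group instead of one mail per event. -->
<ossec_config>
  <reports>
    <group>windows_error</group>
    <title>Daily report: Windows Critical/Error events</title>
    <email_to>secops@contoso.com</email_to>
  </reports>
</ossec_config>
```

The <reports> block only sends mail when email is enabled in the manager's <global> section (<email_notification>yes</email_notification>, <smtp_server> and <email_from>). After editing local_rules.xml or ossec.conf restart the manager, and after changing shared/agent.conf push it to the agent (agent_control -R, as Ralph did) and confirm in the agent's ossec.log that the eventchannel subscription was created for each <localfile>. A quick check of the rule side is to reuse Fredrik's test (eventcreate /t error /id 100 /l system ...) and watch for rule 100101 in alerts.log.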