Hi Fredrik,

create a rule for your "level 2 events". Then, use the rule ID and the tag *rule_id* of granular email options: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.email_alerts.html

I hope it helps.

Regards.

On Wednesday, November 9, 2016 at 8:29:02 PM UTC+1, Fredrik wrote:
>
> Thanks Jesus!!
>
> Operators seem to be working just fine as you suggested!
>
> The "level" query is doing its job - I tested with the command in my post.
> However, do you know of a way to trigger an email where all Level 2 events
> within a certain timeframe (e.g. 24h) are grouped together and included in
> the email? I realize this might involve multiple parts and configuration,
> but perhaps you can give a few pointers without spending too much of your
> time?
>
> Best regards,
> Fredrik
>
> On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>>
>> Hi Fredrik,
>>
>> according to the documentation you can use the Microsoft event schema
>> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>>
>> If you want to add multiple event IDs:
>>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=5140 or EventID=5144]</query>
>> </localfile>
>>
>> Also, I think you can use other operators in the query (=, !=, <, >), so
>> it could be useful for you to define an interval:
>>
>> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>>
>> I've never used the "Level" query. Is it not working?
>>
>> Regards.
>>
>> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>>
>>> Hi Santiago and others,
>>>
>>> Interesting thread (even if dated). I did something similar today and
>>> got an OSSEC agent to forward Windows Server Events according to below to
>>> the OSSEC server. I have some experience writing decoders for syslog events
>>> (but limited as you can see in this forum :)). How would I go about writing
>>> rules on the OSSEC server to handle the forwarded events?
>>>
>>> - Say I would like to group all Level 1 events and send them in a daily
>>>   email?
>>> - How would I add multiple eventIDs to the below query? OSSEC and
>>>   operand? Could you please provide an example?
>>>
>>> ossec.conf
>>>
>>> <ossec_config>
>>>
>>> <!-- One entry for each file/Event log to monitor.
>>> <localfile>
>>>   <location>Application</location>
>>>   <log_format>eventchannel</log_format>
>>> </localfile>
>>> -->
>>>
>>> <localfile>
>>>   <location>Security</location>
>>>   <log_format>eventchannel</log_format>
>>>   <query>Event/System[EventID=4740]</query>
>>> </localfile>
>>>
>>> <localfile>
>>>   <location>System</location>
>>>   <log_format>eventchannel</log_format>
>>>   <query>Event/System[Level=2]</query>
>>> </localfile>
>>>
>>> The query for Level=2 generates the alert below on the OSSEC server when a test
>>> event was created using the command below.
>>>
>>> eventcreate /t error /id 100 /l system /d "Create event in application log"
>>>
>>> alerts.log
>>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>>
>>>> I guess you want to remove these sections from the ossec.conf file in
>>>> the agent. Those are used to get all application, security and system
>>>> events.
>>>>
>>>> <localfile>
>>>>   <location>Application</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>>   <location>Security</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>>   <location>System</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:
>>>>
>>>>> The shared agent is as previously shared, copied below for reference:
>>>>>
>>>>> <agent_config>
>>>>> <!-- Generic Agent configurations. -->
>>>>>
>>>>> <localfile>
>>>>>   <location>Security</location>
>>>>>   <log_format>eventchannel</log_format>
>>>>>   <query>Event/System[EventID=4624]</query>
>>>>> </localfile>
>>>>>
>>>>> </agent_config>
>>>>>
>>>>> *The Windows OSSEC after the comments starts with* (middle portion
>>>>> removed, and has no localfile entries.)
>>>>>
>>>>> <ossec_config>
>>>>>
>>>>> <!-- One entry for each file/Event log to monitor. -->
>>>>> <localfile>
>>>>>   <location>Application</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <location>Security</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> <localfile>
>>>>>   <location>System</location>
>>>>>   <log_format>eventlog</log_format>
>>>>> </localfile>
>>>>>
>>>>> <!-- Rootcheck - Policy monitor config -->
>>>>> . . . SNIP . . .
>>>>>
>>>>> </ossec_config>
>>>>>
>>>>> <!-- END of Default Configuration. -->
>>>>>
>>>>> <ossec_config>
>>>>>   <client>
>>>>>     <server-hostname>xxx-ossec-srv1</server-hostname>
>>>>>   </client>
>>>>> </ossec_config>
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>>
>>>>> Could you share your ossec.conf settings (from the agent) and also the
>>>>> shared/agent.conf ones. Those are probably located in C:\Program
>>>>> Files/ossec-agent
>>>>>
>>>>> I am guessing, but I think you probably are reading all Security
>>>>> events in some other place of the configuration (look for the different
>>>>> locations).
>>>>>
>>>>> Regards
>>>>>
>>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>>>>>
>>>>>> Tried stopping and starting the agent service on the windows system.
>>>>>> Still getting other security events from that system such as 4672 and
>>>>>> 4634 in addition to the 4624. Any other suggestions?
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>>
>>>>>> I've restarted ossec on the server several times. Are you referring
>>>>>> to the Windows agent?
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>>
>>>>>> Try restarting it manually and see if that works.
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>>>>>
>>>>>>> I'm trying to filter Windows events based on strings such as the
>>>>>>> login type and workstation name, but as a starting point I tried the
>>>>>>> configuration below to filter on EventID 4624. The
>>>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>>>
>>>>>>> <agent_config>
>>>>>>> <!-- Generic Agent configurations. -->
>>>>>>>
>>>>>>> <localfile>
>>>>>>>   <location>Security</location>
>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>   <query>Event/System[EventID=4624]</query>
>>>>>>> </localfile>
>>>>>>>
>>>>>>> </agent_config>
>>>>>>>
>>>>>>> However I continue receiving all security events including Security
>>>>>>> EventID 4624 and others.
>>>>>>> I restarted the windows system agent via agent_control -R and also
>>>>>>> restarted the OSSEC manager.
>>>>>>> I don't have any errors in ossec.log with regard to the
>>>>>>> shared/agent.conf file.
>>>>>>>
>>>>>>> Any suggestions on getting this working?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -- Ralph Durkee
>>>>>>>
>>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> try using this configuration:
>>>>>>>
>>>>>>> <localfile>
>>>>>>>   <location>Security</location>
>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>   <query>Event/System[EventID=4624]</query>
>>>>>>> </localfile>
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a windows
>>>>>>>> ossec client. I would like to filter Windows event logs
>>>>>>>> (Applications/Security/System/Application and Services Log) based on the
>>>>>>>> event ids at ossec client (in order to reduce the logs forwarded to OSSEC
>>>>>>>> manager).
>>>>>>>>
>>>>>>>> I have amended the client ossec.conf with the example from the
>>>>>>>> OSSEC documentation.
>>>>>>>>
>>>>>>>> <localfile>
>>>>>>>>   <location>System</location>
>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>   <query>Event/System[EventID=7001]</query>
>>>>>>>> </localfile>
>>>>>>>> * This WORKS *
>>>>>>>>
>>>>>>>> <localfile>
>>>>>>>>   <location>Security</location>
>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>   <query>Event/Security[EventID=4624]</query>
>>>>>>>> </localfile>
>>>>>>>>
>>>>>>>> * THIS DOESN'T WORK. If I remove the query field it does work but
>>>>>>>> then it forwards all the logs coming out from the Windows Security event
>>>>>>>> log. I am getting a similar issue when I try to filter based on "Applications
>>>>>>>> and Services Logs". * If I try to give the whole path name in the
>>>>>>>> location, the ossec client does not start and I get an error "Could not
>>>>>>>> create bookmark".
>>>>>>>>
>>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>>
>>>>>>>> Kind Regards
>>>>>>>> Swati
>>>>>>>>
>>>>>>>> --
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "ossec-list" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
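The wiring Jesus describes (an agent-side eventchannel query, a manager-side rule for the forwarded error events, and an email_alerts block keyed on that rule's ID), written out as an added example; this is not configuration from the thread or from the OSSEC project. Assumptions: rule ID 100100 is a placeholder in the local-rules range, the mail addresses and SMTP host are placeholders, 18100 is the stock OSSEC "Group of windows rules" parent rule, and `status`/`id` are the fields the stock windows decoder extracts from a line like the `WinEvtLog: System: ERROR(100): ...` alert shown above.

```xml
<!-- 1. Agent side (ossec.conf on the Windows host, or shared/agent.conf on
        the manager). The XPath root is always Event/System whatever the
        channel (the channel name goes in <location>); Level=2 is the Error
        level; a single event carries one EventID, so several IDs are
        combined with "or", while "and" is for ranges. -->
<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[Level=2]</query>
</localfile>

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=4740 or EventID=4624]</query>
</localfile>

<!-- 2. Manager side, /var/ossec/rules/local_rules.xml. The rule hangs off
        the stock Windows group rule (18100, assumed) and matches the
        "ERROR" status the windows decoder extracts; add <id>^100$</id> to
        pin it to one event ID. Rule ID 100100 is a placeholder. -->
<group name="local,windows,">
  <rule id="100100" level="7">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows error-level (Level=2) event forwarded by agent.</description>
  </rule>
</group>

<!-- 3. Manager side, /var/ossec/etc/ossec.conf: mail goes out for this
        rule only, to a dedicated recipient. Addresses and SMTP host are
        placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.org</email_to>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
  </global>

  <email_alerts>
    <email_to>windows-errors@example.org</email_to>
    <rule_id>100100</rule_id>
    <format>full</format>
  </email_alerts>
</ossec_config>
```

Before relying on it, paste the `WinEvtLog: System: ERROR(100): ...` line from alerts.log into `/var/ossec/bin/ossec-logtest` on the manager and confirm that rule 100100 is the one reported; if a stock Windows error rule wins instead, chain your rule off that rule's ID with `if_sid` rather than off 18100. On the 24-hour grouping Fredrik asks about: email_alerts has no digest window (ossec-maild only batches alerts that arrive close together into one message), so a daily summary is normally produced separately, for example by piping the day's alerts.log through `ossec-reportd` from cron.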
