Any Windows users want to take a look at this?

On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. <[email protected]> wrote:
> I am using the eventchannel format. Eventlog provides no useful information
> for logs other than the three basics: Application, Security and System.
>
> If confirmed, this is a significant bug that impacts the integrity of all
> deployments of Windows agents, as far as I can determine at minimum on
> Windows 10, other versions are TBD.
>
> I unfortunately do not have at hand other versions of Windows to test with,
> in order to determine whether it is an issue related to the agent that
> therefore impacts all Windows deployments, or a less serious issue that is
> specific to Windows 10.
>
> IMHO the agent code needs to be thoroughly debugged, as:
> i) some events are forwarded correctly;
> ii) some have field names removed (which makes it very difficult to decode
> for any information other than what is in the OSSEC header); and
> iii) some have important security information completely chopped off the
> message, that is in addition to missing field labels.
>
> On Windows 10, I can confirm (not an exhaustive list):
> i) The integrity of event IDs 4624, 4625, 4634, 4656~4663, 4688, 4689 is
> preserved.
> ii) Event IDs 5140 and 4703 are forwarded without field labels (there are
> certainly others).
> iii) Eventchannel logs other than the three standard event logs have no
> field labels, and are emptied of important security content.
>
> Steps to reproduce on any recent flavor of Windows:
>
> 1) From the Group Policy Editor turn on AppLocker in Audit mode, and
> temporarily turn on all auditing in Security.
>
> 2) Configure the agent to collect AppLocker logs (this is for Windows 10,
> the log names differ for Windows 7):
>
> In /var/ossec/etc/shared/agent.conf
>
> <agent_config name="AgentName">
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/MSI and Script</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
>   </localfile>
>   <localfile>
>     <log_format>eventchannel</log_format>
>     <location>Microsoft-Windows-AppLocker/Packaged app-execution</location>
>   </localfile>
> </agent_config>
>
> 3) Set the Windows agent to debug mode in internal_options.conf in the
> ossec-agent installation directory.
>
> 4) Restart the agent (net stop "OSSEC HIDS" then net start "OSSEC HIDS", or
> use the agent control GUI, or Services.msc to bounce the agent).
>
> 5) Examine events in the ossec.log file inside the OSSEC-agent installation
> directory.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
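To check the report above, a defender needs the raw Windows events as a baseline to compare against what the agent writes to ossec.log. The following PowerShell snippet is an added example, not code from the thread or from OSSEC; it pulls the most recent events from the four AppLocker channels named in the quoted agent.conf and dumps each event's full XML, so the field names present at the source can be checked against the forwarded message. The channel list and the event count are assumptions taken from the thread, not from any OSSEC tooling.

```powershell
# Added example (not from the original thread or the OSSEC project).
# Dumps the raw XML of recent AppLocker events so their field names
# can be compared with what the OSSEC agent forwards via eventchannel.
# Channel names are the ones quoted in the thread for Windows 10;
# on Windows 7 they differ, as the report notes.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-execution'
)

# Number of recent events to sample per channel (assumed value).
$maxEvents = 3

foreach ($channel in $channels) {
    try {
        # Get-WinEvent reads from any registered channel, not only
        # Application/Security/System, which is exactly the case the
        # report says the agent mishandles.
        $events = Get-WinEvent -LogName $channel -MaxEvents $maxEvents -ErrorAction Stop
    } catch {
        # Empty channel (AppLocker audit mode not yet producing events)
        # or channel name not registered on this Windows version.
        Write-Warning "No events read from '$channel': $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        "==== $channel | EventID=$($e.Id) | $($e.TimeCreated)"
        # Rendered message text, for comparison with the OSSEC header/body.
        "Message: $($e.Message)"
        # Full event XML, including the named data fields under
        # <EventData> or <UserData>; these are the "field labels" the
        # report says are stripped or truncated for non-standard channels.
        "XML: $($e.ToXml())"
        ""
    }
}
```

Run this in an elevated PowerShell on the same host where the agent is in debug mode, then diff the field names in the XML against the corresponding entries in ossec.log.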
