Hi Fredrik,
You are seeing every generated event because eventlog does not support
XPath querying. In order to fix this, you should use eventchannel, but it
seems that your query isn't correctly formed, as the error code returned is
15001 (see
<https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes--12000-15999->).
Keeping that in mind, I have been trying to monitor these EventIDs with the
same query you pasted before. I have been able to see only these events by
creating a custom view with this query in the Event Viewer. Please try
adding the following, just in case you didn't use the right query or log format.
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
</localfile>
Let me know whether you could solve this or not, and I will try to find out
what could be happening.
Kind regards,
Cristina
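The three failure modes in this thread (a `<query>` on an eventlog entry, which the legacy reader ignores; a second, unfiltered entry for the same channel elsewhere in ossec.conf or agent.conf; and an XPath the Windows Event Log API rejects, which is what EvtSubscribe() error 15001, ERROR_EVT_INVALID_QUERY, means) can all be checked on the agent host before restarting OSSEC. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It assumes the default ossec-agent install paths (change them to match your host), PowerShell 3 or later, and an elevated shell, since reading the Security log requires administrator rights. Get-WinEvent uses the same Event Log API the agent subscribes with, so a query it rejects will be rejected by EvtSubscribe() too, and the EventIDs it returns are exactly those the agent would forward; this is the scripted form of the "custom view in Event Viewer" check above.

```powershell
<#
  Added example, not from this thread or the OSSEC project: audit the <localfile>
  entries in an OSSEC Windows agent's config files and, for eventchannel entries,
  run the same XPath through Get-WinEvent to see which EventIDs it really selects.
  Assumptions: the default install paths below (adjust them), PowerShell 3+, and an
  elevated shell, because reading the Security log needs administrator rights.
#>
param(
    [string[]]$ConfigPath = @(
        'C:\Program Files (x86)\ossec-agent\ossec.conf',
        'C:\Program Files (x86)\ossec-agent\shared\agent.conf'
    ),
    [int]$MaxEvents = 50
)

function Get-OssecEventLogEntry {
    param([string]$Path)
    # ossec.conf usually contains several top-level <ossec_config> blocks, which is
    # not well-formed XML, so wrap the file in a synthetic root before parsing.
    $raw = Get-Content -Path $Path -Raw
    try {
        $doc = [xml]('<ossec_root>' + $raw + '</ossec_root>')
    } catch {
        Write-Warning "$Path is not parseable as XML ($($_.Exception.Message)). A '<' or '>' inside <query> must be written as &lt; / &gt;."
        return
    }
    foreach ($lf in $doc.SelectNodes('//localfile')) {
        $fmt = "$($lf.log_format)".Trim()
        if ($fmt -notin @('eventlog', 'eventchannel')) { continue }   # plain files are not event logs
        # Collapse line wraps inside <query> so the XPath is passed as one string.
        $q = if ($lf.query) { ("$($lf.query)" -replace '\s+', ' ').Trim() } else { $null }
        [pscustomobject]@{
            File     = $Path
            Location = "$($lf.location)".Trim()
            Format   = $fmt
            Query    = $q
        }
    }
}

function Test-EventChannelQuery {
    param([string]$Location, [string]$Query, [int]$MaxEvents)
    # Get-WinEvent talks to the same Windows Event Log API the agent subscribes
    # with, so a query it rejects is one EvtSubscribe() will reject as well.
    try {
        $events = Get-WinEvent -LogName $Location -FilterXPath $Query -MaxEvents $MaxEvents -ErrorAction Stop
        $ids = ($events | Select-Object -ExpandProperty Id | Sort-Object -Unique) -join ', '
        return "accepted; EventIDs among the newest $MaxEvents matches: $ids"
    } catch {
        if ($_.Exception.Message -like 'No events were found*') {
            return 'accepted, but no stored event matches it (compare with a custom view in Event Viewer)'
        }
        return "REJECTED by the Event Log API: $($_.Exception.Message)"
    }
}

$entries = foreach ($p in $ConfigPath) {
    if (Test-Path -Path $p) { Get-OssecEventLogEntry -Path $p } else { Write-Warning "$p not found" }
}

foreach ($e in $entries) {
    $label = "[$($e.File)] $($e.Location) ($($e.Format))"
    if ($e.Format -eq 'eventlog') {
        if ($e.Query) { Write-Warning "$label : <query> is ignored by the eventlog reader, so every event in this log is forwarded. Switch to eventchannel." }
        else          { Write-Output "$label : unfiltered, every event forwarded" }
        continue
    }
    if (-not $e.Query) { Write-Output "$label : unfiltered, every event forwarded"; continue }
    # An event carries exactly one EventID, so 'EventID=A and EventID=B' can never match.
    if ($e.Query -match 'EventID\s*=\s*\d+\s+and\s+EventID\s*=\s*\d+') {
        Write-Warning "$label : 'EventID=A and EventID=B' matches nothing; use 'or' to select several IDs."
    }
    # EventID lives under Event/System; the schema has no Event/Security element.
    if ($e.Query -match 'Event/Security\[') {
        Write-Warning "$label : there is no Event/Security element; filter on Event/System[...] instead."
    }
    Write-Output "$label : $($e.Query)"
    Write-Output ('    ' + (Test-EventChannelQuery -Location $e.Location -Query $e.Query -MaxEvents $MaxEvents))
}

# A filtered entry only helps if no other entry reads the same channel unfiltered:
# the stock eventlog entries in ossec.conf next to a filtered agent.conf still
# forward everything from that channel.
$entries | Group-Object -Property Location | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $open = $_.Group | Where-Object { $_.Format -eq 'eventlog' -or -not $_.Query }
    if ($open) {
        Write-Warning "$($_.Name) is also read unfiltered in $($open.File -join ', '), so the filtered entry does not reduce what is forwarded."
    }
}
```

Save it under any name (for instance Check-OssecEventChannel.ps1, a name chosen here) and run it from an elevated prompt, passing `-ConfigPath` if the agent is installed elsewhere. The live check only looks at events already stored in the channel, so "accepted, but no stored event matches" means the XPath is syntactically fine and simply has nothing to select yet; generate a matching event (eventcreate, as earlier in this thread, or a test logon) and rerun. Applications and Services logs are referenced by channel name in `<location>`, the same string Get-WinEvent takes for `-LogName`, not by file path.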
On Thursday, June 27, 2019 at 3:56:18 PM UTC+2, Fredrik wrote:
>
> Hi Jesus!
>
>
> Long time - and dated conversation :)
>
> Ran into this again today as I wanted to query for multiple events on
> another host. First off, it seems like I'm not able to use Eventchannel on
> this particular 2012r2 host (2019/06/27 15:30:57 ossec-logcollector:
> ERROR: Could not EvtSubscribe() for (Security) which returned (15001)).
> Switched back to Eventlog and used the query below. It works, kind of ;) but
> also includes other EventIDs (4798 being one example).
>
>
> - Any ideas as to why I see other EventIDs than the ones listed below?
> - I'm guessing I will have to write custom decoders for the EventIDs
> (below) that are sent from the agent, as they seem different from, for
> example, a Snare agent?
>
>
> Anyway, mostly wanted to contribute to an old post in case anyone ends up
> reading it :)
>
> Best regards,
> Fredrik
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventlog</log_format>
>   <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
> </localfile>
>
>
>
> On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>>
>> Hi Fredrik,
>>
>> According to the documentation, you can use the Microsoft event schema
>> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>>
>> If you want to add multiple event IDs:
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=5140 and EventID=5144]</query>
>> </localfile>
>>
>> Also, I think you can use other operators in the query (=, !=, <, >), so
>> it could be useful for you to define an interval:
>> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>>
>> I've never used the "Level" query. Is it not working?
>>
>> Regards.
>>
>> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>>
>>> Hi Santiago and others,
>>>
>>>
>>> Interesting thread (even if dated). I did something similar today and
>>> got an OSSEC agent to forward Windows Server events, as shown below, to
>>> the OSSEC server. I have some experience writing decoders for syslog events
>>> (but limited, as you can see in this forum :)). How would I go about writing
>>> rules on the OSSEC server to handle the forwarded events?
>>>
>>> - Say I would like to group all Level 1 events and send them in a daily
>>> email?
>>> - How would I add multiple EventIDs to the below query? OSSEC "and"
>>> operand? Could you please provide an example?
>>>
>>> ossec.conf
>>>
>>> <ossec_config>
>>>
>>>   <!-- One entry for each file/Event log to monitor.
>>>   <localfile>
>>>     <location>Application</location>
>>>     <log_format>eventchannel</log_format>
>>>   </localfile>
>>>   -->
>>>
>>>   <localfile>
>>>     <location>Security</location>
>>>     <log_format>eventchannel</log_format>
>>>     <query>Event/System[EventID=4740]</query>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <location>System</location>
>>>     <log_format>eventchannel</log_format>
>>>     <query>Event/System[Level=2]</query>
>>>   </localfile>
>>>
>>> The query for Level=2 generates the alert below on the OSSEC server when a
>>> test event was created using the command below.
>>>
>>> eventcreate /t error /id 100 /l system /d "Create event in application log"
>>>
>>> alerts.log
>>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN:
>>> contoso: win-testdc.contoso.com: (no message)
>>>
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>>
>>>> I guess you want to remove these sections from the ossec.conf file in
>>>> the agent. Those are used to get all application, security and system
>>>> events.
>>>>
>>>> <localfile>
>>>>   <location>Application</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>>   <location>Security</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> <localfile>
>>>>   <location>System</location>
>>>>   <log_format>eventlog</log_format>
>>>> </localfile>
>>>>
>>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]>
>>>> wrote:
>>>>
>>>>> The shared agent is as previously shared, copied below for reference:
>>>>>
>>>>> <agent_config>
>>>>>   <!-- Generic Agent configurations. -->
>>>>>
>>>>>   <localfile>
>>>>>     <location>Security</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>   </localfile>
>>>>>
>>>>> </agent_config>
>>>>>
>>>>> The Windows OSSEC config, after the comments, starts with the following
>>>>> (middle portion removed; it has no localfile entries):
>>>>>
>>>>>
>>>>> <ossec_config>
>>>>>
>>>>>   <!-- One entry for each file/Event log to monitor. -->
>>>>>   <localfile>
>>>>>     <location>Application</location>
>>>>>     <log_format>eventlog</log_format>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <location>Security</location>
>>>>>     <log_format>eventlog</log_format>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <location>System</location>
>>>>>     <log_format>eventlog</log_format>
>>>>>   </localfile>
>>>>>
>>>>>   <!-- Rootcheck - Policy monitor config -->
>>>>>   . . . SNIP . . .
>>>>>
>>>>> </ossec_config>
>>>>>
>>>>> <!-- END of Default Configuration. -->
>>>>>
>>>>> <ossec_config>
>>>>>   <client>
>>>>>     <server-hostname>xxx-ossec-srv1</server-hostname>
>>>>>   </client>
>>>>> </ossec_config>
>>>>>
>>>>> -- Ralph Durkee
>>>>>
>>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>>
>>>>> Could you share your ossec.conf settings (from the agent) and also the
>>>>> shared/agent.conf ones. Those are probably located in C:\Program
>>>>> Files/ossec-agent
>>>>>
>>>>> I am guessing, but I think you probably are reading all Security
>>>>> events in some other place of the configuration (look for the different
>>>>> locations).
>>>>>
>>>>> Regards
>>>>>
>>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Tried stopping and starting the agent service on the Windows system.
>>>>>> Still getting other security events from that system, such as 4672 and
>>>>>> 4634, in addition to the 4624. Any other suggestions?
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>>
>>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>>
>>>>>> I've restarted OSSEC on the server several times. Are you referring
>>>>>> to the Windows agent?
>>>>>>
>>>>>> -- Ralph Durkee
>>>>>>
>>>>>>
>>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>>
>>>>>> Try restarting it manually and see if that works.
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> I'm trying to filter Windows events based on strings such as the
>>>>>>> login type and workstation name, but as a starting point I tried the
>>>>>>> configuration below to filter on EventID 4624. The
>>>>>>> /var/ossec/etc/shared/agent.conf file contains:
>>>>>>>
>>>>>>> <agent_config>
>>>>>>>   <!-- Generic Agent configurations. -->
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <location>Security</location>
>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>> </agent_config>
>>>>>>>
>>>>>>> However I continue receiving all security events including Security
>>>>>>> EventID 4624 and others.
>>>>>>> I restarted the windows system agent via agent_control -R and also
>>>>>>> restarted the OSSEC manager.
>>>>>>> I don't have any errors in ossec.log with regard to the
>>>>>>> shared/agent.conf file.
>>>>>>>
>>>>>>> Any suggestions on getting this working?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -- Ralph Durkee
>>>>>>>
>>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> try using this configuration:
>>>>>>>
>>>>>>> <localfile>
>>>>>>>   <location>Security</location>
>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>   <query>Event/System[EventID=4624]</query>
>>>>>>> </localfile>
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows
>>>>>>>> OSSEC client. I would like to filter Windows event logs
>>>>>>>> (Applications/Security/System/Application and Services Log) based on
>>>>>>>> the event IDs at the OSSEC client (in order to reduce the logs forwarded
>>>>>>>> to the OSSEC manager).
>>>>>>>>
>>>>>>>> I have amended the client ossec.conf with the example from the
>>>>>>>> OSSEC documentation.
>>>>>>>>
>>>>>>>> <localfile>
>>>>>>>>   <location>System</location>
>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>   <query>Event/System[EventID=7001]</query>
>>>>>>>> </localfile>
>>>>>>>> * This WORKS *
>>>>>>>>
>>>>>>>> <localfile>
>>>>>>>>   <location>Security</location>
>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>   <query>Event/Security[EventID=4624]</query>
>>>>>>>> </localfile>
>>>>>>>>
>>>>>>>>
>>>>>>>> * THIS DOESN'T WORK. * If I remove the query field it does work, but
>>>>>>>> then it forwards all the logs coming out of the Windows Security event
>>>>>>>> log. I am getting a similar issue when I try to filter based on
>>>>>>>> "Applications and Services Logs". If I try to give the whole path name in
>>>>>>>> the location, the OSSEC client does not start and I get the error "Could
>>>>>>>> not create bookmark".
>>>>>>>>
>>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>>
>>>>>>>> Kind Regards
>>>>>>>> Swati
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/716340a4-930f-41b6-a845-6b3dd0914ea0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.