Hi Fredrik, I'm glad you could solve your problem! Happy to help, don't hesitate to ask if you have any other doubts.

Best regards,
Cristina

On Thursday, August 22, 2019 at 9:27:50 AM UTC+2, Fredrik wrote:
>
> Hi Cristina! Sorry for the late response, got sidetracked and once deployed I wanted to make sure what we discussed was achieved. With your help I definitely see a different behavior, thanks also for clearing up that eventchannel is a requirement. I thought that might be the case, but got fooled by the error my config attempts resulted in ;) I thought I had tried most of the variants, but apparently that wasn't the case. Again, much appreciated! I will re-post when I see more of the filtered events forwarded!
>
> Cheers,
> Fred
>
> On Friday, June 28, 2019 at 10:23:22 AM UTC+2, Cristina Garrido López wrote:
>>
>> Hi Fredrik,
>>
>> You are seeing every generated event because eventlog does not support XPATH querying. In order to fix this, you should use eventchannel, but it seems that your query isn't correctly formed as the error code returned is 15001 <https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes--12000-15999->.
>> Keeping that in mind, I have been trying to monitor these EventIDs with the same query as you pasted before. I have been able to see only these events creating a custom view with this query at the Event Viewer. Please try adding the following just in case you didn't use the right query or log format.
>>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
>> </localfile>
>>
>> Let me know if you could solve this or not and I will try to find out what could be happening.
>> Kind regards,
>> Cristina
>>
>> On Thursday, June 27, 2019 at 3:56:18 PM UTC+2, Fredrik wrote:
>>>
>>> Hi Jesus!
>>>
>>> Long time - and dated conversation :)
>>>
>>> Ran into this again today as I wanted to query for multiple events on another host. First off, seems like I'm not able to use Eventchannel on this particular 2012r2 host (2019/06/27 15:30:57 ossec-logcollector: ERROR: Could not EvtSubscribe() for (Security) which returned (15001)). Switched back to Eventlog and used the query below. It works, kind of ;) but also includes other EventIDs (4798 being one example).
>>>
>>> - Any ideas as to why I see other EventIDs than the ones listed below?
>>> - I'm guessing I will have to write custom decoders for the eventIDs (below) that are sent from the agent as they seem different from, for example, a Snare agent?
>>>
>>> Anyway, mostly wanted to contribute to an old post if anyone ends up reading it :)
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> <localfile>
>>>   <location>Security</location>
>>>   <log_format>eventlog</log_format>
>>>   <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
>>> </localfile>
>>>
>>> On Friday, November 4, 2016 at 9:37:37 AM UTC+1, Jesus Linares wrote:
>>>>
>>>> Hi Fredrik,
>>>>
>>>> according to the documentation you can use the Microsoft event schema <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385201(v=vs.85).aspx>.
>>>>
>>>> If you want to add multiple event IDs:
>>>> <localfile>
>>>>   <location>Security</location>
>>>>   <log_format>eventchannel</log_format>
>>>>   <query>Event/System[EventID=5140 or EventID=5144]</query>
>>>> </localfile>
>>>>
>>>> Also, I think you can use other operators in the query (=, !=, <, >), so it could be useful for you to define an interval:
>>>> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>>>>
>>>> I've never used the "Level" query. Is it not working?
>>>>
>>>> Regards.
>>>>
>>>> On Wednesday, November 2, 2016 at 1:34:43 PM UTC+1, Fredrik wrote:
>>>>>
>>>>> Hi Santiago and others,
>>>>>
>>>>> Interesting thread (even if dated). I did something similar today and got an OSSEC agent to forward Windows Server Events according to below to the OSSEC server. I have some experience writing decoders for syslog events (but limited as you can see in this forum :)). How would I go about writing rules on the OSSEC server to handle the forwarded events?
>>>>>
>>>>> - Say I would like to group all Level 1 events and send them in a daily email?
>>>>> - How would I add multiple eventIDs to the below query? OSSEC and operand? Could you please provide an example?
>>>>>
>>>>> ossec.conf
>>>>>
>>>>> <ossec_config>
>>>>>
>>>>>   <!-- One entry for each file/Event log to monitor.
>>>>>   <localfile>
>>>>>     <location>Application</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>   </localfile>
>>>>>   -->
>>>>>
>>>>>   <localfile>
>>>>>     <location>Security</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>     <query>Event/System[EventID=4740]</query>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <location>System</location>
>>>>>     <log_format>eventchannel</log_format>
>>>>>     <query>Event/System[Level=2]</query>
>>>>>   </localfile>
>>>>>
>>>>> The query for Level=2 generates the alert below on the OSSEC server when a test event was created using the command below.
>>>>>
>>>>> eventcreate /t error /id 100 /l system /d "Create event in application log"
>>>>>
>>>>> alerts.log
>>>>> 2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog
>>>>> 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)
>>>>>
>>>>> Best regards,
>>>>> Fredrik
>>>>>
>>>>> On Tuesday, August 18, 2015 at 9:20:43 PM UTC+2, Santiago Bassett wrote:
>>>>>>
>>>>>> I guess you want to remove these sections from the ossec.conf file in the agent. Those are used to get all application, security and system events.
>>>>>>
>>>>>> <localfile>
>>>>>>   <location>Application</location>
>>>>>>   <log_format>eventlog</log_format>
>>>>>> </localfile>
>>>>>>
>>>>>> <localfile>
>>>>>>   <location>Security</location>
>>>>>>   <log_format>eventlog</log_format>
>>>>>> </localfile>
>>>>>>
>>>>>> <localfile>
>>>>>>   <location>System</location>
>>>>>>   <log_format>eventlog</log_format>
>>>>>> </localfile>
>>>>>>
>>>>>> On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:
>>>>>>>
>>>>>>> The shared agent config is as previously shared, copied below for reference:
>>>>>>>
>>>>>>> <agent_config>
>>>>>>>   <!-- Generic Agent configurations. -->
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <location>Security</location>
>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>> </agent_config>
>>>>>>>
>>>>>>> The Windows OSSEC config after the comments starts with (middle portion removed, and it has no localfile entries):
>>>>>>>
>>>>>>> <ossec_config>
>>>>>>>
>>>>>>>   <!-- One entry for each file/Event log to monitor. -->
>>>>>>>   <localfile>
>>>>>>>     <location>Application</location>
>>>>>>>     <log_format>eventlog</log_format>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <location>Security</location>
>>>>>>>     <log_format>eventlog</log_format>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <location>System</location>
>>>>>>>     <log_format>eventlog</log_format>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <!-- Rootcheck - Policy monitor config -->
>>>>>>>   . . . SNIP . . .
>>>>>>>
>>>>>>> </ossec_config>
>>>>>>>
>>>>>>> <!-- END of Default Configuration. -->
>>>>>>>
>>>>>>> <ossec_config>
>>>>>>>   <client>
>>>>>>>     <server-hostname>xxx-ossec-srv1</server-hostname>
>>>>>>>   </client>
>>>>>>> </ossec_config>
>>>>>>>
>>>>>>> -- Ralph Durkee
>>>>>>>
>>>>>>> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>>>>>>>
>>>>>>> Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones. Those are probably located in C:\Program Files/ossec-agent
>>>>>>>
>>>>>>> I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Tried stopping and starting the agent service on the Windows system. Still getting other security events from that system such as 4672 and 4634 in addition to the 4624. Any other suggestions?
>>>>>>>>
>>>>>>>> -- Ralph Durkee
>>>>>>>>
>>>>>>>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>>>>>>>
>>>>>>>> I've restarted ossec on the server several times. Are you referring to the Windows agent?
>>>>>>>>
>>>>>>>> -- Ralph Durkee
>>>>>>>>
>>>>>>>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>>>>>>
>>>>>>>> Try restarting it manually and see if that works.
>>>>>>>>
>>>>>>>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> I'm trying to filter Windows events based on strings such as the login type and workstation name, but as a starting point I tried the configuration below to filter on EventID 4624. The /var/ossec/etc/shared/agent.conf file contains:
>>>>>>>>>
>>>>>>>>> <agent_config>
>>>>>>>>>   <!-- Generic Agent configurations. -->
>>>>>>>>>
>>>>>>>>>   <localfile>
>>>>>>>>>     <location>Security</location>
>>>>>>>>>     <log_format>eventchannel</log_format>
>>>>>>>>>     <query>Event/System[EventID=4624]</query>
>>>>>>>>>   </localfile>
>>>>>>>>>
>>>>>>>>> </agent_config>
>>>>>>>>>
>>>>>>>>> However I continue receiving all security events including Security EventID 4624 and others.
>>>>>>>>> I restarted the Windows system agent via agent_control -R and also restarted the OSSEC manager.
>>>>>>>>> I don't have any errors in ossec.log with regard to the shared/agent.conf file.
>>>>>>>>>
>>>>>>>>> Any suggestions on getting this working?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> -- Ralph Durkee
>>>>>>>>>
>>>>>>>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> try using this configuration:
>>>>>>>>>
>>>>>>>>> <localfile>
>>>>>>>>>   <location>Security</location>
>>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>>   <query>Event/System[EventID=4624]</query>
>>>>>>>>> </localfile>
>>>>>>>>>
>>>>>>>>> Best regards
>>>>>>>>>
>>>>>>>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows ossec client. I would like to filter Windows event logs (Applications/Security/System/Application and Services Log) based on the event ids at the ossec client (in order to reduce the logs forwarded to the OSSEC manager).
>>>>>>>>>>
>>>>>>>>>> I have amended the client ossec.conf with the example from the OSSEC documentation.
>>>>>>>>>>
>>>>>>>>>> <localfile>
>>>>>>>>>>   <location>System</location>
>>>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>>>   <query>Event/System[EventID=7001]</query>
>>>>>>>>>> </localfile>
>>>>>>>>>>
>>>>>>>>>> This WORKS.
>>>>>>>>>>
>>>>>>>>>> <localfile>
>>>>>>>>>>   <location>Security</location>
>>>>>>>>>>   <log_format>eventchannel</log_format>
>>>>>>>>>>   <query>Event/Security[EventID=4624]</query>
>>>>>>>>>> </localfile>
>>>>>>>>>>
>>>>>>>>>> THIS DOESN'T WORK. If I remove the query field it does work but then it forwards all the logs coming out from the Windows Security event log. I am getting a similar issue when I try to filter based on "Applications and Services Logs". If I try to give the whole path name in the location, the ossec client does not start and I get an error "Could not create bookmark".
>>>>>>>>>>
>>>>>>>>>> Am I doing something wrong here? Please advise.
>>>>>>>>>>
>>>>>>>>>> Kind Regards
>>>>>>>>>> Swati
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/d5142183-2dce-4cae-83f5-4b5b7f2f3a2d%40googlegroups.com.
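The queries from this thread side by side, as an added example that is not part of any post above and is not OSSEC code: a small Python evaluator for the XPath subset that the `<query>` tags use, run against a few constructed sample events (the real Windows event XML namespace is omitted for brevity). It assumes the query shapes seen in the thread only (one bracketed predicate of numeric `Field op number` comparisons joined by `and`/`or`, no parentheses or functions). It shows why the `or` query forwards only the listed IDs, why `EventID=5140 and EventID=5144` can never match (one event carries one EventID), why the `Event/Security[...]` path selects nothing (EventID sits under `System`), and that a malformed query is rejected outright rather than quietly passing everything. On a real agent the matching is done by Windows through EvtSubscribe, so the authoritative check remains the Event Viewer custom view Cristina describes; this is only a way to reason about the predicate before deploying it.

```python
"""Toy evaluator for the XPath subset used in OSSEC eventchannel <query> filters.

Added example; not OSSEC code and not how Windows evaluates the query (the agent
hands the XPath to EvtSubscribe and Windows does the matching). Assumptions:
a query is a plain element path plus ONE bracketed predicate made of
`<Field> <op> <number>` comparisons joined by `and` / `or` (no parentheses, no
functions), and the sample events below are constructed and omit the real
event XML namespace.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample events: a logon, a privilege assignment, a group-membership
# enumeration, the eventcreate test event from the thread (Level 2 = Error) and
# a file-share access event.
SAMPLE_EVENTS = [
    "<Event><System><EventID>4624</EventID><Level>0</Level></System></Event>",
    "<Event><System><EventID>4672</EventID><Level>0</Level></System></Event>",
    "<Event><System><EventID>4798</EventID><Level>0</Level></System></Event>",
    "<Event><System><EventID>100</EventID><Level>2</Level></System></Event>",
    "<Event><System><EventID>5140</EventID><Level>0</Level></System></Event>",
]

QUERY_RE = re.compile(r"^(?P<path>[A-Za-z]+(?:/[A-Za-z]+)*)\[(?P<pred>[^\[\]]+)\]$")
COND_RE = re.compile(r"^\s*([A-Za-z]+)\s*(!=|<=|>=|=|<|>)\s*(\d+)\s*$")
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}


def parse_query(query):
    """Split 'Event/System[...]' into (path steps, predicate text).

    Raises ValueError on anything outside the supported shape; this is the toy
    counterpart of error 15001 (ERROR_EVT_INVALID_QUERY) seen in the thread.
    """
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"malformed query: {query!r}")
    return m.group("path").split("/"), m.group("pred")


def _condition_holds(cond, node):
    """Evaluate one 'Field op number' comparison against the selected element."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"malformed condition: {cond!r}")
    field, op, literal = m.groups()
    text = node.findtext(field)
    if text is None or not text.strip().isdigit():
        return False  # a missing or non-numeric field never satisfies a comparison
    return OPS[op](int(text), int(literal))


def predicate_holds(pred, node):
    """'and' binds tighter than 'or', as in XPath: (a and b) or (c and d)."""
    return any(
        all(_condition_holds(c, node) for c in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", pred)
    )


def matches(query, event_xml):
    """True if the query would select this event."""
    path, pred = parse_query(query)
    node = ET.fromstring(event_xml)
    if node.tag != path[0]:
        return False
    for step in path[1:]:
        node = node.find(step)
        if node is None:
            return False  # e.g. Event/Security: there is no <Security> element
    return predicate_holds(pred, node)


def filter_events(query, events=SAMPLE_EVENTS):
    """EventIDs the query would let through, in input order."""
    return [int(ET.fromstring(e).findtext("System/EventID"))
            for e in events if matches(query, e)]


if __name__ == "__main__":
    for q in (
        "Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]",
        "Event/System[EventID=5140 and EventID=5144]",  # one element cannot hold two values
        "Event/Security[EventID=4624]",                 # wrong path, selects nothing
        "Event/System[Level=2]",
        "Event/System[EventID>4600 and EventID<4700]",
    ):
        print(f"{q}\n  -> {filter_events(q)}")
```

Two of the thread's findings fall out directly: with `eventlog` the `<query>` is simply not applied, so nothing in the predicate can help until `eventchannel` works on the host, and a predicate that is syntactically wrong should be expected to fail loudly (15001) rather than degrade into "forward everything".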
