I have installed Wazuh and want to configure it so that event IDs 4800 and 4801 are collected. I have read about a hundred articles on the web on how to add new event IDs. I edited the ossec.conf file on the client (I also tried it on the server) to include the event IDs:
<localfile>
  <!-- Windows event channel to read -->
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- XPath filter: only read these two event IDs from the channel -->
  <query>Event/System[EventID=4800 or EventID=4801]</query>
</localfile>
but there are no logs in Wazuh. Am I missing something? I can see the events in Event Viewer and using wevtutil:
PS C:\Windows\system32> wevtutil qe Security /q:"*[System[(EventID=4800 or EventID=4801)]]" /c:5 /rd:true /f:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:53.2150000Z
  Event ID: 4801
  Task: Other Logon/Logoff Events
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
The workstation was unlocked.

Subject:
    Security ID:        S-1-5-21-796845957-1326574676-839522115-10812
    Account Name:       admin_zarat
    Account Domain:     D2000
    Logon ID:           0x2FB632FE

Session ID:    7

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:47.9590000Z
  Event ID: 4800
  Task: Other Logon/Logoff Events
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
The workstation was locked.

Subject:
    Security ID:        S-1-5-21-796845957-1326574676-839522115-10812
    Account Name:       admin_zarat
    Account Domain:     D2000
    Logon ID:           0x2FB632FE

Session ID:    7

PS C:\Windows\system32>
I also tried creating custom rules in
nano /var/ossec/ruleset/rules/0210-windows_screenlock_rules.xml
with this content:
<group name="windows,">
  <!-- IDs 100000-120000 are the range Wazuh reserves for custom rules -->
  <rule id="100100" level="5">
    <!-- Hang off the base rule for Windows eventchannel events (60000 in the default ruleset) -->
    <if_sid>60000</if_sid>
    <decoded_as>json</decoded_as>
    <!-- Anchored so that only an exact ID matches (not, e.g., 14800) -->
    <field name="win.system.eventID">^4800$</field>
    <description>Windows: workstation locked</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>60000</if_sid>
    <decoded_as>json</decoded_as>
    <field name="win.system.eventID">^4801$</field>
    <description>Windows: workstation unlocked</description>
  </rule>
</group>
The agent is definitely running and is collecting other events, but not the ones I configured. I use the pre-configured Docker version of Wazuh. Thank you in advance.
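As an added example (not code from the post above or from the Wazuh project): a Python script that audits the eventchannel `<localfile>` entries of a Wazuh agent ossec.conf. It lists every entry, flags a channel that is configured more than once, and reports, for chosen event IDs, which entries' `<query>` would let the event through. The embedded configuration is constructed for illustration and is an assumption: a stock-style Security entry with an exclusion query, a System entry with no query, and a second Security entry shaped like the one in the question. The query evaluator only understands the `EventID = / !=` with `and`, `or` and parentheses subset that Wazuh eventchannel queries normally use, and rejects anything else before it is evaluated.

```python
"""Audit eventchannel <localfile> entries of a Wazuh agent ossec.conf.

Added example, not code from the original post or from Wazuh.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (assumption, not a real agent's file): a stock-style
# Security entry with an exclusion query, a System entry without a query,
# and a second Security entry like the one in the question.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 4663]</query>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4800 or EventID=4801]</query>
  </localfile>
</ossec_config>
"""

_PREDICATE = re.compile(r"^\s*Event/System\[(.*)\]\s*$", re.S)
# Accepted tokens: EventID compared to a number, and/or, parentheses.
_TOKEN = re.compile(r"\s*(EventID\s*(?:!=|=)\s*\d+|and|or|\(|\))\s*")
_CMP = re.compile(r"EventID\s*(!=|=)\s*(\d+)")


def parse_localfiles(conf_text):
    """One dict per <localfile>, in file order. A synthetic root is added
    because ossec.conf may contain several <ossec_config> blocks."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{
        "location": (lf.findtext("location") or "").strip(),
        "log_format": (lf.findtext("log_format") or "").strip(),
        "query": (lf.findtext("query") or "").strip() or None,
    } for lf in root.iter("localfile")]


def _compile_query(query):
    """Translate the EventID subset of the XPath predicate into a Python
    expression over `eid`; anything else raises ValueError, so eval() below
    only ever sees tokens emitted here."""
    m = _PREDICATE.match(query)
    if not m:
        raise ValueError("unsupported query form: %r" % query)
    pred, pos, out = m.group(1).strip(), 0, []
    while pos < len(pred):
        t = _TOKEN.match(pred, pos)
        if not t:
            raise ValueError("unsupported token near %r" % pred[pos:pos + 20])
        cmp_ = _CMP.match(t.group(1))
        if cmp_:
            op, num = cmp_.groups()
            out.append("eid %s %s" % ("==" if op == "=" else "!=", num))
        else:
            out.append(t.group(1))  # and / or / ( / )
        pos = t.end()
    expr = " ".join(out)
    try:
        compile(expr, "<query>", "eval")  # rejects e.g. "and and" or "()"
    except SyntaxError:
        raise ValueError("malformed predicate: %r" % query)
    return expr


def query_matches(query, event_id):
    """True if an event with this ID is read under <query>; no query means
    the whole channel is read."""
    if query is None:
        return True
    expr = _compile_query(query)
    return bool(eval(expr, {"__builtins__": {}}, {"eid": int(event_id)}))


def is_safe_query(query):
    """True if the query is inside the supported subset and well formed."""
    try:
        _compile_query(query)
        return True
    except ValueError:
        return False


def duplicate_channels(entries):
    """Eventchannel locations listed more than once (case-insensitive)."""
    seen, dups = {}, []
    for e in entries:
        if e["log_format"] != "eventchannel":
            continue
        key = e["location"].lower()
        if key in seen:
            if seen[key] not in dups:
                dups.append(seen[key])
        else:
            seen[key] = e["location"]
    return dups


def audit(conf_text, location, event_ids):
    """Which entries for `location` would deliver each event ID, plus any
    channel that the file lists more than once."""
    entries = parse_localfiles(conf_text)
    passes = {eid: [i for i, e in enumerate(entries)
                    if e["log_format"] == "eventchannel"
                    and e["location"].lower() == location.lower()
                    and query_matches(e["query"], eid)]
              for eid in event_ids}
    return {"entries": entries, "duplicates": duplicate_channels(entries),
            "passes": passes}


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, "Security", [4800, 4801, 5145])
    for i, e in enumerate(report["entries"]):
        print(i, e["location"], e["log_format"], e["query"] or "(whole channel)")
    print("channels listed more than once:", report["duplicates"])
    for eid, idx in report["passes"].items():
        print("event %d would be read by entries %s" % (eid, idx))
```

Point it at a copy of the agent's real file (on a Windows agent it lives under C:\Program Files (x86)\ossec-agent\ossec.conf) instead of SAMPLE_CONF. Two things are worth reading off the report: whether the event IDs you care about already pass the query of an entry that was there before you edited the file, and whether the same channel now appears twice; if it does, the agent's ossec.log is the place to see what the logcollector did with the second entry.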