Windows agent & custom alerts #2074
Comments
Hi, that really sounds like a configuration problem. Did you try troubleshooting with ossec-logtest? https://ossec-documentation.readthedocs.io/en/latest/legacy/docs/programs/ossec-logtest.html?highlight=logtest Best wishes
Thx so much for the response (and apologies for my slow uptake...). I tried logtest, but user error; now doing it right, so am pursuing that. Says there is no matching decoder, so will see if I can figure that out and share what I find. Thx!
Still stuck. I am attempting to add selected parts of my configs and logtest below that I assume are most relevant (can add these in their entirety if that's better). I can see that an alert for the custom event I've added to the client is ending up in "archive.log" (so that's progress), but I'm not getting any emails for the particular test alert I'm testing against (am getting email alerts for non-custom rules). The ID of the fake Windows event I've added to a test client is 5090.
* logtest shows no decoder match; not sure this matters, but if so that could be where I've gone wrong
* not sure if my rule pcre2 is off or not, or if some other part of my rule 100011 is wrong
THX
ARCHIVE.LOG grep excerpt (I've redacted some of this) that shows the alert is ending up in archive.log
2023 Feb 02 13:23:05 (machine) PublicIP->WinEvtLog 2023 Feb 02 08:23:07 WinEvtLog: Application: ERROR(5090): SourceText: (no user): no domain: Machine: Test rule fired
LOGALL SET & CUSTOM RULE (From /var/ossec/etc/ossec.conf)
<logall>yes</logall>
...
<alerts>
<log_alert_level>0</log_alert_level>
<email_alert_level>0</email_alert_level>
</alerts>
CUSTOM DECODER (From /var/ossec/rules/local_rules.xml)
<group name="windows_test,">
<rule id="100010" level="0">
<program_name>example</program_name>
<category>windows</category>
<decoded_as>example</decoded_as>
<description>Group of custom windows rules.</description>
</rule>
<rule id="100011" level="0">
<if_sid>100010</if_sid>
<program_name>example</program_name>
<pcre2>5090</pcre2>
<description>Test rule fired</description>
</rule>
</group>
FROM LOGTEST (/var/ossec/bin/ossec-logtest -v)
**Phase 1: Completed pre-decoding.
full event: 'archive.log'
hostname: 'test'
program_name: '(null)'
log: 'archive.log'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
...(passes a number of "rule 1" tests & hangs on rule 51559)
Trying rule: 51559 - ntpd peer connection refused.
PS: big apologies, messed up my headings above :( and left out the custom decoder from /var/ossec/etc/decoder.xml
<decoder name="example">
<program_name>example</program_name>
</decoder>
<decoder name="example">
<parent>example</parent>
<pcre2>5090</pcre2>
<order>id</order>
</decoder>
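Added example (editor's, not code from this thread or from the OSSEC project's shipped rule set): a local rule that alerts on the Windows Application event 5090 shown in the archive.log excerpt above, with the alert thresholds that let it reach email. Three things visible on the page are worth noting first. The archive.log line is already in the format the stock windows decoder (prematch `^WinEvtLog: `) parses, and that decoder exposes the number in parentheses as the decoded `id` field, so no local decoder is needed and the stock base rule for decoded Windows events, 18100 ("Group of windows rules."), is the parent to hang a custom rule on. Second, both rules posted above are level 0, and OSSEC never alerts on a level-0 rule, so no email can follow whatever email_alert_level is set to. Third, the logtest session shown fed the literal string `archive.log` as the event (`full event: 'archive.log'`), which is why only the generic syslog rule 1 matched; the raw event to paste into logtest is the part after `->WinEvtLog ` in archive.log. The rule id 100011, the group name, level 10 and the alert thresholds are assumptions chosen for the example.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; local_rules.xml is
     included by the default ossec.conf). -->
<group name="local,windows_test,">

  <!-- Child of stock rule 18100, the level-0 parent for every event decoded
       by the built-in "windows" decoder. No local decoder is needed: that
       decoder already parses "WinEvtLog: Application: ERROR(5090): ..." and
       puts the number in parentheses into the "id" field. -->
  <rule id="100011" level="10">
    <if_sid>18100</if_sid>
    <!-- <id> is a regex against the decoded event id; anchored so that 5090
         does not also match 15090 or 50901. -->
    <id>^5090$</id>
    <description>Test rule fired: Windows Application event 5090</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf, <alerts> block (added example values).
     A rule only emails if its level is at least email_alert_level, and a
     level-0 rule is never alerted at all. -->
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>
```

To check it before restarting, feed logtest the raw event rather than a file name: `echo 'WinEvtLog: Application: ERROR(5090): SourceText: (no user): no domain: Machine: Test rule fired' | /var/ossec/bin/ossec-logtest -v`. Phase 2 should name the windows decoder and show `id: '5090'`, and Phase 3 should report rule 100011 at level 10. Then `/var/ossec/bin/ossec-control restart` so ossec-analysisd reloads the rules; the next occurrence of the event on the agent should appear in alerts.log and, since 10 is above the example threshold of 7, go out by email.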
Hi All: I am struggling to get Windows alerts to work for custom events. On a couple of Windows 10 clients I have added a couple of events but can't get them to come back as alerts. I am using a Debian server, and I believe "canned" Windows events work (e.g., Windows user logins and logouts) as I am getting alerts from the Windows clients to my email and in the OSSEC archive.log. I've tried adding rules on both the client and server side but no joy. Happy to share configs, but was thinking maybe the place to start is with examples that "work" for others...
Q: is there a link someone could share as to how to come at this? Hopefully a step by step, with examples.
Thx