
Configure OSSEC so the SIEM collects every Windows event

How to configure the OSSEC agent on Windows so the SIEM shows all Windows events.

I enabled the OSSEC plugin and did a default installation on Windows Server 2008 R2, with the OSSIM address and key.

OSSIM is starting to get data, but it is not getting all of the Windows event logs.

How do I configure it so that all/every event is shown in the SIEM GUI console?


Answers

  • marcmunk Abducted By Aliens
    If you look at your config file under <ossec_config> you should see lines for Application, Security and System. If you need more than that you will have to add them yourself in the same way as the ones that are in the config file already.

    Did you add the ossec plugin under Deployment - System configuration - Collection?
  • Idriel Contactee
    Yes, I added the ossec plugin. I am getting data from ossec.

    Do you mean ossec_config on the Windows machine where I installed the plugin, or do you mean inside /etc/ossim/agent/plugins/ossec.conf?

    I don't have any experience with regexp; I'll need to find a good regexp tutorial then. :(
  • marcmunk Abducted By Aliens
    The config file on your Windows machine. I had a look at mine and it was done by default. But take a look at it and let's see what we can figure out.
  • Idriel Contactee
    I also have the default config with the lines
      <localfile>
        <location>Application</location>
        <log_format>eventlog</log_format>
      </localfile>

      <localfile>
        <location>Security</location>
        <log_format>eventlog</log_format>
      </localfile>

      <localfile>
        <location>System</location>
        <log_format>eventlog</log_format>
      </localfile>


    For Windows in the OSSEC config file I see
    [OSSEC - Windows Security audit - Failure]
    [OSSEC - Windows Security audit - Logged on/off]
    [OSSEC - Windows Security audit -zzz- Generic Rule]

    So I assume that I need to create a regexp for the Application and System log files?

    In what file can I see whether the System and Application logs are coming to OSSIM? Because when I
    tail -f /var/ossec/logs/alerts/alerts.log I see only Security events arriving, e.g. I restart the print spooler and that information is not forwarded to OSSIM, but Log On/Off events are.
    So how do I configure OSSEC to also forward the System and Application logs? Then I will play with regexp :)


  • marcmunk Abducted By Aliens
    Sorry for the late response, but I've been busy at work. Could you look at your ossec agent log file to see if your agent actually looks at the other event logs? I just started collecting info from my ossec agent so I don't have much data just yet, but I did notice in my agent log that it wrote it was analyzing the event logs Application, Security and System. Let's look at this as our next step and move on from there.
  • Idriel Contactee
    Well, we need to see how to configure it to send the Application and System logs. It sends only Security logs to OSSIM.
    As I see in the log file, only Security events are showing up.
  • marcmunk Abducted By Aliens
    If you find your install folder on the Windows machine, in that folder you should have an ossec.log. If you restart your ossec agent it should tell you what event logs it monitors, just to make it 100% sure that you log everything with your agent.
  • aizzi Contactee
    I have the same problem. This is a part of the ossec.log file:
    ...........
    2013/02/15 11:31:06 ossec-agent(4102): INFO: Connected to the server (<ip server ossim>:1514).
    2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
    2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
    2013/02/15 11:31:07 ossec-agent(1951): INFO: Analyzing event log: 'System'.
    .......

    But it sends only Security logs to OSSIM.

  • Samlll42 UFO Spotter
    I have the exact same problem... getting tons of Security events but nothing from Application (also the ossec.log on Windows shows it is "Analyzing event log: 'Application'"). Any solution in sight? Are extra rules or ossec conf required? thx
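The verification step suggested in the thread (compare the `<localfile>` event logs in the agent's ossec.conf with the "Analyzing event log" lines the agent writes to ossec.log after a restart) can be scripted. The following is an added example, not code from the thread or from OSSEC/OSSIM; the config excerpt and log lines are constructed from what the posts show, with System deliberately left out of the log so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Windows agent ossec.conf, mirroring the default
# Application/Security/System entries quoted in the thread.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</ossec_config>"""

# Constructed ossec.log excerpt (same format as the lines posted above);
# the 'System' line is intentionally missing to show the check firing.
SAMPLE_OSSEC_LOG = """2013/02/15 11:31:06 ossec-agent(4102): INFO: Connected to the server (<ip server ossim>:1514).
2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
"""

ANALYZING_RE = re.compile(r"INFO: Analyzing event log: '([^']+)'\.")
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def configured_eventlogs(conf_xml):
    """Return the set of <location> names whose <log_format> is eventlog.

    The real ossec.conf may contain several top-level <ossec_config> blocks,
    so the text is wrapped in a single root before parsing.
    """
    body = XML_DECL_RE.sub("", conf_xml, count=1)
    root = ET.fromstring("<root>" + body + "</root>")
    return {
        lf.findtext("location")
        for lf in root.iter("localfile")
        if lf.findtext("log_format") == "eventlog"
    }


def monitored_eventlogs(log_text):
    """Return the set of event logs the agent reported analyzing."""
    return set(ANALYZING_RE.findall(log_text))


def check_agent(conf_xml, log_text):
    """Cross-check config against agent log; 'missing' lists configured logs never opened."""
    configured = configured_eventlogs(conf_xml)
    monitored = monitored_eventlogs(log_text)
    return {
        "monitored": sorted(configured & monitored),
        "missing": sorted(configured - monitored),
        "unexpected": sorted(monitored - configured),
    }
```

An empty `missing` list means the agent is reading every configured log, so a gap in OSSIM points at the server-side rules or the plugin regexps rather than at the agent.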