OSSEC configure that SIEM collects every Windows event

Idriel

How to configure OSSEC Agent on Windows so SIEM show's all Windows events.

I enable plugin OSSEC and install default installation on Windows Server 2008 R2+ossim adress and key.

OSSIM starting to get data but it does not getting all of Windows Event log.

How to configure that all/every event is shown in SIEM GUI console?

marcmunk

If you look at your config file under <ossec_comfig> you should see lines for Application, Secuity and System. if you need more then that you will have to add them your self in the same way as the ones that are in the config file allready.

Did you add the ossec plugin under Deployment - System configuration  -  Collection?

Idriel

Yes. I add ossec plugin. I am getting data from ossec.

Do you mean ossec_config on Windows machine where I install plugin. Or you think inside /etc/ossim/agent/plugins/ossec.conf?

I don't have any exp with regexp I'll need then to find some good regexp tutorial. :(

marcmunk

The config file on your windows machine. I had a look at mine and it was done by default. But take a look at it and lets see what we can figure out.

Idriel

I have also Default Config with lines
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>


For Windows in OSSEC config.file i see
[OSSEC - Windows Security audit - Failure]
[OSSEC - Windows Security audit - Logged on/off]
[OSSEC - Windows Security audit -zzz- Generic Rule]

So I assume that I need to create regexp for application and system log file?

In what file can I see are system and application logs are comeing to OSSIM, beacuse when I
tail -f /var/ossec/logs/alerts/alerts.log I see only security events are arriving. eg. I restart print spooler and that information is not forwarded to OSSIM but Log On/Off are.
So how to configure OSSEC to forward also System and Application log then I will play with regexp :)

marcmunk

Sorry the long response but i've been busy at work. Could you look at your ossec agent log file to see if your agent actually looks at the other event logs. I just started collecting info from my ossec agent so i don't have much data just yet but i did notice in my agent log that it wrote it was analyzing event log application security and system. Lets look at this as our next step and move on from there.

Idriel

Well. We need to see how to configure it to send app and system log. It's sends only security logs to ossim.
As I see in log file only Security events are showing up.

marcmunk

IF you find your install folder on the windows machine. In the folder you should have a ossec.log if you restart your ossecagent it should tell what eventlogs it monitors. Just to make it 100% sure that you log all with your agent.

aizzi

I have the same problem. This is an part of the ossec.log file:
...........
2013/02/15 11:31:06 ossec-agent(4102): INFO: Connected to the server (<ip server ossim>:1514).
2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2013/02/15 11:31:07 ossec-agent(1951): INFO: Analyzing event log: 'System'.
.......

But, it's sends only security logs to ossim.