I have installed Wazuh and want to configure it so that event IDs 4800 and 4801 are collected. I read about a hundred articles on the web on how to add new event IDs. I edited the ossec.conf file on the client (I also tried it on the server) to include the event IDs.

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4800 or EventID=4801]</query>
</localfile>

but there are no logs in Wazuh. Am I missing something? I can see the events in the Event Viewer and using wevtutil:

PS C:\Windows\system32> wevtutil qe Security /q:"*[System[(EventID=4800 or EventID=4801)]]" /c:5 /rd:true /f:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:53.2150000Z
  Event ID: 4801
  Task: Other Logon/Logoff Events
  Level: Informationen
  Opcode: Info
  Keyword: Überwachung erfolgreich
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
Die Arbeitsstation wurde entsperrt.

Antragsteller:
        Sicherheits-ID:         S-1-5-21-796845957-1326574676-839522115-10812
        Kontoname:              admin_zarat
        Kontodomäne:            D2000
        Anmelde-ID:             0x2FB632FE
        Sitzungs-ID:    7

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:47.9590000Z
  Event ID: 4800
  Task: Other Logon/Logoff Events
  Level: Informationen
  Opcode: Info
  Keyword: Überwachung erfolgreich
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
Die Arbeitsstation wurde gesperrt.

Antragsteller:
        Sicherheits-ID:         S-1-5-21-796845957-1326574676-839522115-10812
        Kontoname:              admin_zarat
        Kontodomäne:            D2000
        Anmelde-ID:             0x2FB632FE
        Sitzungs-ID:    7

PS C:\Windows\system32>

I also tried creating custom rules in

nano /var/ossec/ruleset/rules/0210-windows_screenlock_rules.xml

with this content

<group name="windows,">
    <!-- Custom rule IDs belong in the 100000-120000 range reserved for user rules.
         The <field> value is a regex: ^ and $ anchor it so that 4800 only matches
         exactly 4800 and not a longer event ID that happens to contain it. -->
    <rule id="100100" level="5">
        <decoded_as>json</decoded_as>
        <field name="win.system.eventID">^4800$</field>
        <description>Windows: Arbeitsstation gesperrt</description>
    </rule>

    <rule id="100101" level="5">
        <decoded_as>json</decoded_as>
        <field name="win.system.eventID">^4801$</field>
        <description>Windows: Arbeitsstation entsperrt</description>
    </rule>
</group>

The agent is definitely running and is collecting other events, but not the ones I configured. I use the pre-configured Docker version of Wazuh. Thank you in advance.
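
The two things worth checking mechanically in a setup like the one above are the agent's eventchannel `<localfile>` entries (a second block for the same `Security` channel, next to the one the stock agent config already ships, is the first thing to look for when added event IDs never arrive) and whether the custom rules really fire on the JSON the agent forwards. The script below is an added example written for this page, not Wazuh's own code or anything from the question. It assumes: a constructed ossec.conf fragment whose stock `Security` query is shortened to two exclusions (the real one is much longer), the `win.system.eventID` field name taken from the rules in the question, and Python's `re.search` standing in for Wazuh's OS_Regex, which like `re` treats `^` and `$` as anchors and otherwise matches anywhere in the value.

```python
"""Sanity checks for the Wazuh pieces discussed above: eventchannel <localfile>
entries in the agent's ossec.conf, and custom rules keyed on win.system.eventID."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the stock Security entry (query shortened) plus the
# extra block from the question, i.e. two <localfile> entries for one channel.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4800 or EventID=4801]</query>
  </localfile>
</ossec_config>"""

# Constructed sample rules: same shape as the question's, with anchored regexes.
SAMPLE_RULES = """<group name="windows,">
  <rule id="100100" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.eventID">^4800$</field>
    <description>Windows: workstation locked</description>
  </rule>
  <rule id="100101" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.eventID">^4801$</field>
    <description>Windows: workstation unlocked</description>
  </rule>
</group>"""

# Constructed stand-in for a decoded eventchannel event (only the field we key on).
SAMPLE_EVENT = {"win": {"system": {"eventID": "4800"}}}


def parse_config(text):
    """ossec.conf may contain several top-level <ossec_config> blocks, so wrap
    the whole file in a synthetic root before handing it to ElementTree."""
    return ET.fromstring("<root>" + text + "</root>")


def eventchannel_entries(conf_text):
    """Return (location, query) for every <localfile> using eventchannel."""
    entries = []
    for lf in parse_config(conf_text).iter("localfile"):
        if (lf.findtext("log_format") or "").strip() != "eventchannel":
            continue
        entries.append(((lf.findtext("location") or "").strip(),
                        (lf.findtext("query") or "").strip()))
    return entries


def duplicate_locations(conf_text):
    """Map every channel configured more than once to its list of queries."""
    seen = {}
    for loc, query in eventchannel_entries(conf_text):
        seen.setdefault(loc, []).append(query)
    return {loc: qs for loc, qs in seen.items() if len(qs) > 1}


PREDICATE = re.compile(r"^Event/System\[(.*)\]$", re.S)


def merged_query(existing, wanted):
    """Fold a second Event/System[...] predicate into an existing one with 'or',
    so the channel keeps its current selection and also forwards the wanted IDs."""
    a, b = PREDICATE.match(existing), PREDICATE.match(wanted)
    if not a or not b:
        raise ValueError("only Event/System[...] queries are handled")
    return "Event/System[(%s) or (%s)]" % (a.group(1), b.group(1))


def rule_field_patterns(rules_xml):
    """Return {rule_id: regex} for rules that key on win.system.eventID."""
    patterns = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        for field in rule.findall("field"):
            if field.get("name") == "win.system.eventID":
                patterns[int(rule.get("id"))] = field.text.strip()
    return patterns


def matching_rules(rules_xml, event):
    """IDs of rules whose eventID regex matches the decoded event."""
    event_id = event["win"]["system"]["eventID"]
    return sorted(rid for rid, pat in rule_field_patterns(rules_xml).items()
                  if re.search(pat, event_id))


def custom_id_problems(rules_xml):
    """Custom rule IDs are expected in 100000-120000; report any outside it."""
    return [int(r.get("id")) for r in ET.fromstring(rules_xml).iter("rule")
            if not 100000 <= int(r.get("id")) <= 120000]


if __name__ == "__main__":
    for loc, queries in duplicate_locations(SAMPLE_OSSEC_CONF).items():
        print("channel %r is configured %d times" % (loc, len(queries)))
        print("suggested single query:", merged_query(queries[0], queries[1]))
    print("rules firing for eventID 4800:", matching_rules(SAMPLE_RULES, SAMPLE_EVENT))
    print("rule ID problems:", custom_id_problems(SAMPLE_RULES))
```

Run it against the real file with `parse_config(open("ossec.conf").read())` on the agent side, and against the rules file on the manager; a duplicated channel is reported with a single merged query to put in its place, and `matching_rules` confirms that the anchored `^4800$` fires for `4800` and not for a longer ID such as `48001`, which an unanchored `4800` would also match.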

Tags: windows. Title: Unable to add new event ids in wazuh (Stack Overflow)