
OSSEC configure that SIEM collects every Windows event


Big Time
How to configure the OSSEC Agent on Windows so the SIEM shows all Windows events.

I enabled the OSSEC plugin and did a default installation on Windows Server 2008 R2 with the OSSIM address and key.

OSSIM is starting to get data, but it is not getting all of the Windows Event log.

How to configure that all/every event is shown in SIEM GUI console?




  • I seem to have the same issue... Anyone ever get this working?
  • Did anyone ever figure this out?  Still haven't found the answer.  We're using the USM for PCI compliance, and without the Windows system event log analysis, we're missing a LOT of PCI compliance mandates.
  • I am having the same issue on 5.1.1.....anyone figure this out?
  • Could you look at your OSSEC agent log file to see if your agent actually looks at the other event logs? I just started collecting info from my OSSEC agent so I don't have much data just yet, but I did notice in my agent log that it wrote it was analyzing the Application, Security and System event logs. Let's look at this as our next step and move on from there.
  • I have the same problem, asked AlienVault for support and they say it's a Professional Services issue.

    It surely can't be if many people have the same problem. 

    I would also welcome a solution if anyone has one...
  • R_Ghani,

    The default OSSEC plugin is configured with local decoders for windows security events in the default log locations. The unit does not capture all events as this would waste resources, and fill storage much more quickly with unnecessary logs. 

    The plugins team consistently reviews logs, including submissions from customers, to see if they need to add decoders for new security events, but we have to strike a balance as most users would not want us to add data collection to the default plugin that consumes storage, network, and CPU resources with no benefit to their security profile.

    We leave the ability to add local decoders and custom plugins so that users can collect custom data beyond this if they so choose.
  • Completely agreed w/ kcoe.  I figured this out after months of working on it.  The first thing you have to figure out is, do you even want all the logs going into AlienVault? Tons are usually generated and it would most likely be a mess.  Next, so what logs do I want?  Maybe just logs from specific Event IDs?  This would probably be easier than writing regular expressions.

    Great, now you have your list of Event ID's you want to get into AlienVault. Now what?

    First of all, of the EventIDs that you want to get into AlienVault, you must check to see if OSSEC is generating alerts for the logs.  There are 2 types of logs inside of the OSSEC server.  1 - Archive, 2 - Alert
    1 - /var/ossec/logs/archives/archives.log
    2 - /var/ossec/logs/alerts/alerts.log

    The archives.log is basically just a dumping ground for logs.  So say you don't even see your log in archives.log, then you first need to enable the setting in ossec.conf on the OSSEC client to add "<logall>true</logall>" inside of the "<global>...</global>" config section.  This should dump every single event log as specified by the client's ossec.conf into the archives.log file.  This should only be turned on when trying to set up an alert; otherwise do not have the <logall> section in the config at all, it will only waste lots of space.

    Great, now you enabled <logall> and all your Windows events are being logged from the client to the archives.log file, but how do I get my custom EventIDs into the alerts.log?  What is the alerts.log?  The alerts.log is where you can generate actionable events from the specific logs.  To get your Windows Events into the alerts.log (which is needed to get the specific Windows Events log into AlienVault), you need to set up rules on the OSSEC server.  I place my rules inside of /var/ossec/rules/local_rules.xml.

    After you put your rules inside of local_rules.xml, you need to test the rules to make sure it is working properly.  This is one of the most commonly messed up parts which prevented me from getting my alerts working for about a month.  Ok, you should have a log record inside of /var/ossec/logs/archives/archives.log that looks similar to this:
    (This is an example log from when I was putting PowerShell logs into AlienVault)

    2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started.     Details:    NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  HostVersion=2.0  HostId=9579f128-903c-463c-80fa-7eaa4a80dc54  EngineVersion=2.0  RunspaceId=c07bf134-24b9-47f7-9dfe-9732dc3e675d  PipelineId=5  CommandName=Get-Host  CommandType=Cmdlet  ScriptName=  CommandPath=  CommandLine=Get-Host

    Now, it's time to test your rules against the log.  This is the most important part, which is easy to mess up.  First of all, the OSSEC server has a tool for testing that can be run with this command: "/var/ossec/bin/ossec-logtest -v".

    Now you paste in the single-line log record text to test, but it is not the entire log record from the archives.log.  The archives.log adds an additional prefix of information to each record.  So only paste in the non-prefixed information section.  It should be everything after the arrow "->".  So from the example, the text that you need to test is the following:

    WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started.     Details:    NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  HostVersion=2.0  HostId=9579f128-903c-463c-80fa-7eaa4a80dc54  EngineVersion=2.0  RunspaceId=c07bf134-24b9-47f7-9dfe-9732dc3e675d  PipelineId=5  CommandName=Get-Host  CommandType=Cmdlet  ScriptName=  CommandPath=  CommandLine=Get-Host

    Once you run this, it will tell you all of the rules that this is hitting or stopping at.  If the RULE ID does not match your RULE ID, this means there is a previous existing rule that you need to clear out first with the RULE ID that was returned in the test.  To clear out the rules you need to add additional rules to do this.  These are the rules I had to add to clear out in order to get my custom rules working:

    <group name="powershell,"> <!-- each rule also needs a <match> on text from your log, as described below -->
      <rule id="100210" level="0">
        <if_sid>RULEID_TOHIDE</if_sid>
        <description>Powershell Script.</description>
      </rule>
      <rule id="100211" level="0">
        <if_sid>RULEID_TOHIDE</if_sid>
        <description>Powershell Command.</description>
      </rule>
      <rule id="100212" level="0">
        <if_sid>RULEID_TOHIDE</if_sid>
        <description>Powershell Function.</description>
      </rule>
    </group>

    Ok, so not only do you want to clear out the specific rules by setting the level="0" and by matching the rule ids with <if_sid>RULEID_TOHIDE</if_sid>, you also need to add the <match>...</match> to match it to something inside your log text so that you do not clear the log level for everything.

    Keep repeating this process adding more rules to clear out previously matching rules that are not your custom rules until your custom made RULEID is returned in the test.

    Once you do this, you should be getting your logs into "/var/ossec/logs/alerts/alerts.log".  Now you can remove the "<logall>true</logall>" from the "<global>" section in the ossec.conf file on the OSSEC client machine.  This will prevent all the Event Logs filling up the archives.log, while your custom events will still be able to get into the alerts.log file now.

    YEAH, we are generating OSSEC alerts, but these alerts are still not inside of AlienVault yet.  Now you need to create a custom AlienVault plugin config file and plugin SQL file to get your logs into AlienVault.  This is a little "regex" intensive, but for the most part you can copy code from existing plugins and modify it to your needs.

    Where are the plugin configs and SQL files?  You can find them at the /etc/ossim/agent/plugins/ directory.
    Create a new file here called "plugin_name.cfg" and a file called "plugin_name.sql".  Make sure that plugin_name is the name for your plugin, not actually the text plugin_name, lol.

    If you are not REGEX oriented, this is probably the toughest point.  This is what matches up the values in the log to the AlienVault SIEM variable information for a record.  Can't really help too much on your regexes, but here's a link to the file I used in my custom powershell.cfg file:

    I setup a plugin ID of 9002, I think your plugin ids have to be somewhere at 9001 and up, not sure how far up though. Also, I used this website to help figure out my regular expressions I needed: https://www.debuggex.com/

    This is my file for the sql file (http://pastebin.com/raw/f0Wd6sbj).  You need a SQL file to insert the custom plugin into the database.  It will be set up so that it will put the plugin back in the database during upgrades too.
    The id value is the ID of your plugin, type you set to 1 (?), name is set to the name of the plugin, and then you also give your plugin a description.

    In the SQL file you start off by deleting your plugin from the database tables plugin and plugin_sid.  Then you insert your plugin into the plugin table.  Then you add all the different events for your plugin that will show up in the SIEM of AlienVault.  You specify the plugin id, then sid (I use the custom rule_ids), category_id (I don't know, I just set it to NULL), class_id (I don't know, I just set it to NULL), then the name of the rule event created from your plugin, and then values for priority and reliability.  Depending on the values you put in for priority and reliability, different things happen inside of AlienVault for your SIEM events.  AlienVault uses the Priority to assess event RISK.
    RISK = asset * (reliability * priority / 25)

    priority = 3, reliability = 2
    Asset 1 - asset value of 2
    Asset 2 - asset value of 8

    Asset 1 RISK = 0.48 = 1
    Asset 2 RISK = 1.92 = 2

    Depending on what you have set up for your POLICY inside of Threat Intelligence, a different action will take place.  I think the actions can be nothing, SIEM event, create ALARM, create Ticket, and email.  Not sure exactly how that maps out by default though?

    Asset can have a value between 0 - 5
    Priority can have a value between 0 - 5
    Reliability can have a value between 0 - 10

    I think the RISK is a value between 0 and 10, since if all values are 0, then the RISK = 0, if all values are the max, the RISK = 10.

    I'm not sure about how the RISK values translate to actions or how to properly update it, but I think if you just play around with the Asset/Priority/Reliability values, then you can see what happens.

    Oh yeah, so after you create the plugin SQL you also have to run it to insert it into the database.  Here's how you do that:
    run this command: "cat /etc/ossim/agent/plugins/plugin_name.sql | ossim-db"
    or you can run the command "ossim-db < /etc/ossim/agent/plugins/plugin_name.sql".  Either one should work.

    Ok, your plugin is done.  Not sure when you have to restart services or the server in these steps, you might have to do a restart here, but maybe not.

    If you go to Configuration -> Threat Intelligence -> Data Source, and then search your plugin name, you should be able to see your plugin with your given plugin id as the data source id.  You can then click into the details of the plugin and see your custom events with the ability to update the values for priority/reliability if you want.  You can then edit the plugin event item and give it a category or subcategory.  You can setup your category and subcategories on the Taxonomy page.

    You also need to enable your plugin you created so that it is working/running.
    Go to Configuration -> Deployment -> Components -> AlienVault Center
    Click on the System Details
    Select Sensor Configuration, then Collection, then click on the "+" icon next to your plugin under "Plugins available" to move your plugin to "Plugins enabled" and click "Apply Changes".
    Or you can enable the plugin from the terminal as well through the menu system.
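    As an added example (not code from the post, OSSEC or AlienVault), the Python below does two of the things described in the post above: it strips the archives.log prefix to produce exactly the text that ossec-logtest expects and pulls out the WinEvtLog fields a custom rule or plugin regex usually keys on, and it computes the RISK formula with the value ranges the post lists. The archive record is constructed to match the shape shown above; the exact-fraction arithmetic and the rounding up (0.48 becomes 1, 1.92 becomes 2, as in the post's own numbers) are assumptions of this example, not verified AlienVault behaviour.

```python
"""Added example: archives.log -> ossec-logtest input, WinEvtLog field
extraction, and the OSSIM RISK formula from the post. Not OSSEC/AlienVault code."""
import math
import re
from fractions import Fraction

# Constructed sample record in the shape of the post's archives.log line.
SAMPLE_ARCHIVE_LINE = (
    '2015 Nov 30 13:02:39 (HOSTNAME) 10.0.0.5->WinEvtLog 2015 Nov 30 13:02:39 '
    'WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): '
    'no domain: HOSTNAME_FQDN: Command "Get-Host" is Started.     Details:    '
    'NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  '
    'CommandName=Get-Host  CommandType=Cmdlet  ScriptName=  CommandPath=  '
    'CommandLine=Get-Host'
)


def logtest_input(archive_line: str) -> str:
    """Return the part of an archives.log record to paste into ossec-logtest.

    The server prepends 'timestamp (agent) ip->' to every archived record; the
    rules never see that prefix, so only the text after the first '->' is
    tested."""
    _, sep, body = archive_line.partition('->')
    if not sep:
        raise ValueError('not an archives.log record: no "->" prefix found')
    return body


# Header the OSSEC agent writes for a Windows event:
# 'WinEvtLog: <log name>: <SEVERITY>(<event id>): <source>: ...'
_WINEVT_HEADER = re.compile(
    r'WinEvtLog: (?P<log>[^:]+): (?P<severity>[A-Z_]+)\((?P<event_id>\d+)\): '
    r'(?P<source>[^:]+):'
)
_DETAIL_PAIR = re.compile(r'(\w+)=(\S*)')   # key=value tokens; value may be empty


def parse_winevt(logtest_text: str) -> dict:
    """Extract log name, severity, numeric event ID, source and the key=value
    pairs after 'Details:' (empty values such as 'ScriptName=' are kept)."""
    m = _WINEVT_HEADER.search(logtest_text)
    if m is None:
        raise ValueError('no WinEvtLog header found')
    fields = m.groupdict()
    fields['event_id'] = int(fields['event_id'])
    _, _, details_text = logtest_text.partition('Details:')
    fields['details'] = dict(_DETAIL_PAIR.findall(details_text))
    return fields


def ossim_risk(asset: int, priority: int, reliability: int) -> int:
    """RISK = asset * (reliability * priority / 25), with the ranges the post
    gives: asset 0-5, priority 0-5, reliability 0-10.

    Computed with exact fractions so 25/25 never lands on 1.0000001, and
    rounded up, which is the rounding the post's examples imply (assumption)."""
    if not 0 <= asset <= 5:
        raise ValueError('asset value must be 0-5')
    if not 0 <= priority <= 5:
        raise ValueError('priority must be 0-5')
    if not 0 <= reliability <= 10:
        raise ValueError('reliability must be 0-10')
    return math.ceil(asset * Fraction(reliability * priority, 25))


if __name__ == '__main__':
    text = logtest_input(SAMPLE_ARCHIVE_LINE)
    print('paste into ossec-logtest:', text)
    fields = parse_winevt(text)
    print('event id', fields['event_id'], 'from', fields['log'],
          'command line', fields['details'].get('CommandLine'))
    # The post's first worked case: asset 2, priority 3, reliability 2 -> 1
    print('risk', ossim_risk(2, 3, 2), 'max risk', ossim_risk(5, 5, 10))
```

    Running the script prints the single-line text to feed ossec-logtest, the event ID 500 and command line from the PowerShell record, and the risk values 1 and 10 for the post's first case and for all-maximum inputs. The second asset in the post (value 8) falls outside the 0-5 range the post itself states, so the function rejects it rather than guessing.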

  • Oh yeah, I forgot to mention about the actual rules you can use too:

    These are the rules I used for PowerShell to actually generate the OSSEC alarms properly when added to the above rules that clear out the rules that were cancelling these rules below.  So the rules below are checking to make sure to match the <if_sid> of the blocking rule to run the new rule.  Also, the level is above 0 so this will generate the OSSEC alarm and not cancel out the alarm (a value of 0 cancels the alarm out in OSSEC):
    <!-- these go inside the <group name="powershell,"> above; each rule also needs a <match> for its 500/501 text; the if_sid values follow the descriptions (Script 100210, Command 100211, Function 100212) -->
      <rule id="100213" level="2">
        <if_sid>100210</if_sid>
        <description>Powershell Script (500-Started).</description>
      </rule>
      <rule id="100214" level="2">
        <if_sid>100210</if_sid>
        <description>Powershell Script (501-Stopped).</description>
      </rule>
      <rule id="100215" level="2">
        <if_sid>100211</if_sid>
        <description>Powershell Command (500-Started).</description>
      </rule>
      <rule id="100216" level="2">
        <if_sid>100211</if_sid>
        <description>Powershell Command (501-Stopped).</description>
      </rule>
      <rule id="100217" level="2">
        <if_sid>100212</if_sid>
        <description>Powershell Function (500-Started).</description>
      </rule>
      <rule id="100218" level="2">
        <if_sid>100212</if_sid>
        <description>Powershell Function (501-Stopped).</description>
      </rule>

    This is an example of creating a rule to match Windows Event IDs:
    <rule id="100200" level="2">
      <if_sid>RULEID_TOHIDE</if_sid>
      <!-- add a <match> on the event text, or an <id> on the decoded Windows Event ID, here -->
      <description>Powershell Event.</description>
    </rule>

    Just wanted to add that info too.
  • When I was working on this, my first issue was with OSSEC, so I was able to work out my troubles through the Google group for OSSEC here: https://groups.google.com/forum/#!topic/ossec-list/kA3gN3EV6gI
    I also bought an OSSEC book off of Amazon, lol.

    So you could get more OSSEC related help there too.