I have installed Wazuh and want to configure it so that the event IDs 4800 and 4801 are collected. I read about a hundred articles on the web on how to add new event IDs. I edited the ossec.conf file on the client (I also tried it on the server) to include the event IDs.

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4800 or EventID=4801]</query>
</localfile>

but there are no logs in Wazuh. Am I missing something? I can see the events in the Event Viewer and using wevtutil:

PS C:\Windows\system32> wevtutil qe Security /q:"*[System[(EventID=4800 or EventID=4801)]]" /c:5 /rd:true /f:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:53.2150000Z
  Event ID: 4801
  Task: Other Logon/Logoff Events
  Level: Informationen
  Opcode: Info
  Keyword: Überwachung erfolgreich
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
Die Arbeitsstation wurde entsperrt.

Antragsteller:
        Sicherheits-ID:         S-1-5-21-796845957-1326574676-839522115-10812
        Kontoname:              admin_zarat
        Kontodomäne:            D2000
        Anmelde-ID:             0x2FB632FE
        Sitzungs-ID:    7

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2025-03-23T11:37:47.9590000Z
  Event ID: 4800
  Task: Other Logon/Logoff Events
  Level: Informationen
  Opcode: Info
  Keyword: Überwachung erfolgreich
  User: N/A
  User Name: N/A
  Computer: vie-t-srv-audit.d2000.local
  Description:
Die Arbeitsstation wurde gesperrt.

Antragsteller:
        Sicherheits-ID:         S-1-5-21-796845957-1326574676-839522115-10812
        Kontoname:              admin_zarat
        Kontodomäne:            D2000
        Anmelde-ID:             0x2FB632FE
        Sitzungs-ID:    7

PS C:\Windows\system32>

I also tried creating custom rules in

nano /var/ossec/ruleset/rules/0210-windows_screenlock_rules.xml

with this content

<group name="windows,">
    <rule id="100100" level="5">
        <decoded_as>json</decoded_as>
        <field name="win.system.eventID">4800</field>
        <description>Windows: Arbeitsstation gesperrt</description>
    </rule>

    <rule id="100101" level="5">
        <decoded_as>json</decoded_as>
        <field name="win.system.eventID">4801</field>
        <description>Windows: Arbeitsstation entsperrt</description>
    </rule>
</group>

The agent is definitely running and is collecting other events, but not the ones I configured. I use the pre-configured Docker version of Wazuh. Thank you in advance.
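An added example (not from the question or from Wazuh itself): a small Python check that loads the two custom rules above, feeds them constructed JSON lines in the shape a Wazuh agent forwards for eventchannel events, and reports which custom rule would fire on each event ID. The nested win.system.eventID layout is Wazuh's documented field structure; the sample events, host name and the simplified rule evaluation are assumptions of this script. It does not replace running wazuh-logtest on the manager, but it confirms offline that the rules match the field they target before looking at agent-side collection.

```python
import json
import re
import xml.etree.ElementTree as ET
# The two custom rules from the question, copied verbatim (constructed test input).
RULES_XML = """<group name="windows,">
  <rule id="100100" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.eventID">4800</field>
    <description>Windows: Arbeitsstation gesperrt</description>
  </rule>
  <rule id="100101" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.eventID">4801</field>
    <description>Windows: Arbeitsstation entsperrt</description>
  </rule>
</group>"""

# Constructed JSON lines shaped like the agent's eventchannel output (real events carry many more fields).
AGENT_LINES = [
    '{"win":{"system":{"eventID":"4800","channel":"Security","computer":"host1"}}}',
    '{"win":{"system":{"eventID":"4801","channel":"Security","computer":"host1"}}}',
    '{"win":{"system":{"eventID":"4624","channel":"Security","computer":"host1"}}}',
]

def load_rules(xml_text):
    """Return [(rule_id, [(dotted_field_name, compiled_regex), ...]), ...]."""
    return [(r.get("id"), [(f.get("name"), re.compile(f.text)) for f in r.findall("field")])
            for r in ET.fromstring(xml_text).iter("rule")]

def get_field(event, dotted):
    """Resolve a dotted name such as win.system.eventID against the decoded JSON, or None."""
    for key in dotted.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return str(event)

def matching_rules(event, rules):
    """Ids of rules whose every <field> pattern matches. The search is unanchored, as
    Wazuh's regex fields are, which is why the stock Windows rules anchor with ^4624$."""
    def field_ok(name, rx):
        value = get_field(event, name)
        return value is not None and rx.search(value) is not None
    return [rule_id for rule_id, fields in rules if all(field_ok(n, rx) for n, rx in fields)]

def evaluate(lines=AGENT_LINES, xml_text=RULES_XML):
    """Map each line's eventID to the custom rule ids that would fire on it."""
    rules = load_rules(xml_text)
    events = [json.loads(line) for line in lines]
    return {e["win"]["system"]["eventID"]: matching_rules(e, rules) for e in events}
```

If 4800 and 4801 map to their rule ids here, the rule logic is sound and the gap is upstream: whether the manager actually loads that rules file and whether the agent is forwarding those events at all.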
