
Windows Forwarded events in OSSIM

keepcool5283


Hello.
I'm using OSSIM 5.1 and I'm trying to get all events logged in ForwardedEvents.evtx from my W2012 R2 server.

I have installed the OSSEC agent on my server and added this config:

<localfile>
    <location>ForwardedEvents</location>
    <log_format>eventlog</log_format>
</localfile>

I already get all events logged in security.evtx from this server, but not those from the ForwardedEvents file.

Do you know how I can solve that (restarting the server and the agent has already been done)?

Thanks



Answers

  • Hello, any ideas?

    Thanks

  • keepcool5283,

    You may want to start by checking to see if the agent is even able to parse the file. You can do this by editing the file /var/ossec/etc/internal_options.conf and setting debug on for the appropriate actions and restart ossec, then monitoring the alerts.log and ossec.log to see if the events are being sent to the servers by the agent.

    If the agent is sending the logs, then you may need to create some custom decoder rules to parse events from the data. Instructions for this can be found at the link below:

  • Hi everyone,

    The thread is a bit old but I'm facing exactly the same problem.

    I can get all events from Application, Security, System and DNS Server without problem, but it seems it's another story for Forwarded Events.

    Basically, Forwarded Events contains "Microsoft Windows security auditing" events (event ID 4742, 4728 ...) coming from other servers (same type as Security).

    Strangely, when I look in /var/ossec/logs/archives/archives.log for Forwarded Events I have some results with "WinEvtLog: Forwarded Events". BUT! They're Application logs, not Forwarded Events logs...

    windows.debug is set to 2 (full debugging) in internal_options.conf,
    <logall>yes</logall> in Environment>Detection>Config>Configuration
    Information level set to 4 in msauth_rules.xml...

    If someone has any idea, even a little lead, I'll gladly take it.


  • Bumping this... did you ever get any joy with this @Keepangry @keepcool5283

    We have our AD DCs forwarding selected key security events into a load-balanced pool of Windows event collectors. As per the recommended MS approach to this, a subset of key events is configured through subscriptions, which then get forwarded from the Security logs of each DC to the collectors (e.g. logons, logoffs, group membership changes, account lockouts, etc.).

    With our present SIEM platform, we configure the native agent for each collector to pull directly from this event log by name, 'Forwarded Events'. We prefer this route as it means no agents/clients on the DCs themselves, and we have a means of storing/analysing the logs outside of the central AD infrastructure itself.

    In ossec.conf, I've tried both specifying the eventlog as 'ForwardedEvents' and 'Forwarded Events'. With debug level on, this merely appears in ossec.log as:

    2018/11/22 16:16:25 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
    2018/11/22 16:16:26 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
    2018/11/22 16:16:32 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
    2018/11/22 16:16:33 ossec-logcollector(1951): INFO: Analyzing event log: 'ForwardedEvents'.

    2018/11/22 16:16:25 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
    2018/11/22 16:16:26 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
    2018/11/22 16:16:32 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
    2018/11/22 16:16:33 ossec-logcollector(1951): INFO: Analyzing event log: 'Forwarded Events'.


    With no errors, warnings, or other such info logged. I can see selected events from the local Security log of the event collectors themselves being processed and sent.

    I've also tried adding the <logall> option to internal_options.conf too but to no avail.

    Has anyone managed this successfully with OSSEC? Alternatively, through NXLog?

    Thanks in advance!
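The two checks the replies above describe by hand (does the agent's logcollector report that it is analyzing the channel, and does anything from that channel actually land in archives.log once logall is on) can be scripted. The helper below is an added example, not code from the thread or from the OSSEC project. It reads an ossec.conf fragment, the agent's ossec.log and the server's archives.log, and reports, per configured Windows event log, whether the "Analyzing event log" line was seen, how many events arrived and from which providers; channel spellings that differ only by spaces ('ForwardedEvents' vs 'Forwarded Events') are treated as the same channel. All three inputs embedded here are constructed samples modelled on the lines quoted in this thread; the archives.log framing "WinEvtLog: <channel>: <type>(<event id>): <provider>:" is the OSSEC agent's event-log format, but the hostnames, timestamps and message text are made up. The script also accepts 'eventchannel' as a log_format, which OSSEC agents on newer Windows versions support alongside 'eventlog'.

```python
"""Audit which Windows event logs an OSSEC agent is configured for, which ones
ossec-logcollector says it is analyzing, and which ones deliver events."""
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed ossec.conf fragment, same shape as the one posted in the thread.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

# Constructed ossec.log lines modelled on the logcollector output quoted above.
SAMPLE_OSSEC_LOG = """\
2018/11/22 16:16:26 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
2018/11/22 16:16:32 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
2018/11/22 16:16:33 ossec-logcollector(1951): INFO: Analyzing event log: 'ForwardedEvents'.
"""

# Constructed archives.log lines (<logall>yes</logall> on the server). Hostname,
# IP, timestamps and message text are invented; the third line reproduces the
# symptom described in the thread: a 'Forwarded Events' line carrying an
# Application-log provider instead of security auditing events.
SAMPLE_ARCHIVES_LOG = """\
2018 Nov 22 16:20:01 (wec01) 10.0.0.5->WinEvtLog 2018 Nov 22 16:20:01 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WEC01: An account was successfully logged on.
2018 Nov 22 16:20:02 (wec01) 10.0.0.5->WinEvtLog 2018 Nov 22 16:20:02 WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: (no user): no domain: WEC01: An account was logged off.
2018 Nov 22 16:20:03 (wec01) 10.0.0.5->WinEvtLog 2018 Nov 22 16:20:03 WinEvtLog: Forwarded Events: INFORMATION(1000): Application Error: (no user): no domain: WEC01: Faulting application name: sample.exe
"""

ANALYZING_RE = re.compile(
    r"ossec-logcollector\(\d+\): INFO: Analyzing event log: '([^']+)'\.")
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_]+)\((?P<eid>\d+)\): (?P<provider>[^:]+):")


def _norm(channel):
    """'Forwarded Events' and 'ForwardedEvents' name the same channel."""
    return channel.replace(" ", "").lower()


def configured_eventlogs(conf_text):
    """<location> of every <localfile> with a Windows event-log log_format.
    ossec.conf may contain several top-level <ossec_config> blocks, so the
    text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        if fmt in ("eventlog", "eventchannel") and loc:
            found.append(loc)
    return found


def analyzed_eventlogs(ossec_log_text):
    """Channel names the agent's logcollector reported it is analyzing."""
    return {m.group(1) for m in ANALYZING_RE.finditer(ossec_log_text)}


def events_by_channel(archives_text):
    """Normalised channel -> Counter of (event id, provider) pairs seen."""
    seen = defaultdict(Counter)
    for line in archives_text.splitlines():
        m = WINEVT_RE.search(line)
        if m:
            seen[_norm(m["channel"])][(int(m["eid"]), m["provider"])] += 1
    return seen


def audit(conf_text, ossec_log_text, archives_text):
    """Per configured channel: was it analyzed, how many events, which providers."""
    analyzed = {_norm(c) for c in analyzed_eventlogs(ossec_log_text)}
    delivered = events_by_channel(archives_text)
    report = {}
    for ch in configured_eventlogs(conf_text):
        key = _norm(ch)
        report[ch] = {
            "analyzing": key in analyzed,
            "events": sum(delivered[key].values()) if key in delivered else 0,
            "providers": sorted({p for (_, p) in delivered.get(key, {})}),
        }
    return report


def silent_channels(report):
    """Channels the logcollector analyzes but that never deliver an event."""
    return [ch for ch, r in report.items() if r["analyzing"] and r["events"] == 0]


def channels_without_provider(report, provider):
    """Channels that deliver events, but none from the provider expected there."""
    return [ch for ch, r in report.items() if r["events"] and provider not in r["providers"]]


if __name__ == "__main__":
    rep = audit(SAMPLE_OSSEC_CONF, SAMPLE_OSSEC_LOG, SAMPLE_ARCHIVES_LOG)
    for ch, r in rep.items():
        print(f"{ch:16} analyzing={r['analyzing']} events={r['events']} providers={r['providers']}")
    print("analyzed but silent:", silent_channels(rep))
    print("no security-auditing events:",
          channels_without_provider(rep, "Microsoft-Windows-Security-Auditing"))
```

On a real deployment, feed it the agent-side ossec.conf and ossec.log from the Windows collector and /var/ossec/logs/archives/archives.log from the OSSIM server (archives.log is only populated while logall is enabled). With the constructed samples, 'System' comes back as analyzed-but-silent, and 'ForwardedEvents' is flagged because its only events come from an Application provider rather than Microsoft-Windows-Security-Auditing, which is exactly the kind of mismatch the earlier reply saw.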

  • Just to update that I've gone down the NXLog route with this.