No recieving events 6006 or 6008 #637

Closed
BernaldoPenasAntelo opened this issue May 4, 2020 · 16 comments

@BernaldoPenasAntelo

Hi all:
I want a new rule that triggers on Windows System events 6006 or 6008; these events are for halting/rebooting the system. I have checked that the client is getting the Security log, but I'm not receiving events 6006 or 6008. I've made a test enabling <log_all> and checking the archives.log in the manager, and I'm able to see some System events like 7036, etc., but even when I verify that event 6006 appears in the Windows events, it's not being transferred by the client to the agent.

<rule id="100420" level="7">
    <if_sid>61100</if_sid>
    <field name="win.eventdata.eventID">^6006$|^6008$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot</description>
    <options>no_full_log</options>
</rule>
<rule id="100421" level="7">
    <if_sid>61100</if_sid>
    <field name="win.eventdata.eventID">^1074$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot, An application forces the system to reboot</description>
    <options>no_full_log</options>
</rule>
<rule id="100422" level="7">
    <if_sid>61100</if_sid>
    <field name="win.eventdata.eventID">^41$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot, The system has rebooted without cleanly shutting down first.</description>
    <options>no_full_log</options>
</rule>
@danimegar
Contributor

Hi @BernaldoPenasAntelo

Thank you for the information! We will try to include the rules in the ruleset as soon as possible.

You should know that we have a Pull Request that adds MITRE information to some rules, so we can include these rules using the same format.

Regards,
Daniel

@BernaldoPenasAntelo
Author

BernaldoPenasAntelo commented May 6, 2020

HI @danimegar :

This issue is not only an enhancement; my main concern is that events 6006 and 6008, even when they are generated by Windows, are not arriving at the manager.

I have to say that my testing environment consists of a Windows 2016 with a 3.11.3 agent and an Ubuntu server with a 3.11.3 manager.

danimegar added the rules (Rules related issues) label on May 6, 2020
@danimegar
Contributor

Hi @BernaldoPenasAntelo
I have two ideas to try:

  1. Your rule 100420 considers that "severityValue" = INFORMATION (<if_sid>61100</if_sid>). Can you confirm that in the log? If it is not INFORMATION, maybe you have to use:
     <if_sid>61101</if_sid> or <if_sid>61102</if_sid>

     <rule id="63101" level="0">
       <if_sid>60007</if_sid>
       <field name="win.system.severityValue">^WARNING$</field>
       <description>Windows Eventlog warning event</description>
       <options>no_full_log</options>
       <group>gpg13_4.12,</group>
     </rule>

     <rule id="63102" level="5">
       <if_sid>60007</if_sid>
       <field name="win.system.severityValue">^ERROR$</field>
       <description>Windows Eventlog error event</description>
       <options>no_full_log</options>
       <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
     </rule>

  2. Maybe you have to modify the field name: use win.system.eventID instead of win.eventdata.eventID

@BernaldoPenasAntelo
Author

BernaldoPenasAntelo commented May 6, 2020

Hi:

I have double-checked that events 6006 and 6008 are both INFORMATIONAL; I even have to say that I've tried replacing win.eventdata.eventID with win.system.eventID, but had no luck.

As I said, I activated log_all in the config and checked that I'm receiving other events from the System log, but I see no 6006 or 6008... Isn't it supposed that, even if the rule is not correct, I should see how the event appears in the manager?

@danimegar
Contributor

Thanks for the information.

Yes, those events should appear in archives.log/archives.json even when they do not match the rules. Perhaps these events come from another Windows channel. Here you will find the available channels: https://documentation.wazuh.com/3.12/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#available-channels-and-providers

Also, you can find more information at that link.

@danimegar
Contributor

Hi @BernaldoPenasAntelo
I think this issue is related to your issue #635. I think that issue is the reason why System event 6006 is not generated.

@BernaldoPenasAntelo
Author

hi:

I see... are you thinking of fixing it? Because I could do it, but if I upgrade my manager, which is something I have to do, my changes are going to be lost.

Thanks for the update.

@danimegar
Contributor

Yes, I have created a Pull Request to fix it. I do not know when it will be merged. If you want to make that change, you can override a rule as explained in https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

For that, copy this to /var/ossec/etc/rules/local_rules.xml on the Manager:

<rule id="60007" level="0" overwrite="yes">
    <if_sid>60002</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-Eventlog$</field>
    <options>no_full_log</options>
    <description>Group of rules for Windows Eventlog</description>
</rule>

Restart the Wazuh service.

Regards.

@BernaldoPenasAntelo
Author

BernaldoPenasAntelo commented May 19, 2020

Hi:

I'm a little bit confused with this issue. I made the changes in my testing environment and activated log_all to verify that events are passed from the agent to the manager.

As a result I'm only getting this event related to the System event log:

2020 May 19 09:28:23 (Windows2016) 192.16.10.15->EventChannel {"win":{"system":{"providerName":"Service Control Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service Control Manager","eventID":"7036","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2020-05-19T07:28:22.800406300Z","eventRecordID":"11924","processID":"668","threadID":"2748","channel":"System","computer":"WIN-LB1OCHSF1NC","severityValue":"INFORMATION","message":"\"The Software Protection service entered the stopped state.\""},"eventdata":{"param1":"Software Protection","param2":"stopped","binary":"7300700070007300760063002F0031000000"}}}

I reviewed the System log on my agent and I see more events than this one (eventID 7036).

In fact I have this one too, which is the one I want to be triggered.

eventID: 6006
Level: Information

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6006</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-05-19T09:26:43.429960900Z" />
    <EventRecordID>11576</EventRecordID>
    <Channel>System</Channel>
    <Computer>WIN-2016</Computer>
    <Security />
  </System>
  <EventData>
    <Binary>0100000000000000</Binary>
  </EventData>
</Event>

But I also see events 37 and 47 in the System logs; the problem is that they're not passed to the manager, so no alarms were triggered.

@danimegar
Contributor

danimegar commented May 19, 2020

The channel is 'System'. I guess you are using this block in ossec.conf on the Windows agent:

<localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
</localfile>

There is another block that you can try, but I am not sure if it will work:

<localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
</localfile>

If the blocks do not work, I can do a deeper investigation.

Regards.

@BernaldoPenasAntelo
Author

Hi again:

I have tested what you suggested but I have the same results: no event 6006.

Best regards.

@BernaldoPenasAntelo
Author

BernaldoPenasAntelo commented May 20, 2020

Hi:

Finally, after fighting with this strange issue, I reinstalled the agent and now it's working... so I'm going to close this issue because it looks like it's related to problems in my test environment.

Thanks for the help.

@BernaldoPenasAntelo
Author

Hi:

I have to reopen this issue. I have been making further tests and I conclude that I'm only getting alarms with event 1074, that is, with the above alarm id=100421, and I'm getting them when I switch off the server with the Wazuh agent in the correct manner... using the regular Windows power-off button.

I made other tests like just "killing" the virtual test machine; in this test I want to get a 6006, but nothing, not even the archives log with log_all registers the event. But event 6006 is in the event registry of the Windows machine and I can review it in Event Viewer.

So... I conclude that there's either a misconfiguration that I'm not aware of in my lab environment, or these 6006, 6008 and 41 events are not being correctly passed to the manager.

I have to say that, reviewing the predefined Wazuh base ruleset, I found a rule for event 41 that isn't working either.

@danimegar
Contributor

Hi @BernaldoPenasAntelo
I know that when the agent is disconnected, all the logs it generates from that moment on are not sent to the Manager (if you use the UDP protocol). It can store the events in the Logcollector's buffer, but it will not be able to send them. When the agent is connected again, the past events will not be sent (UDP). If the 6006/6008/41 events are generated while the agent is disconnected, maybe that is the answer. Using the TCP protocol, they should appear.

I can try to replicate it to check that. Also, can you copy the 6006 or 6008 log event? Maybe it has a different format from the rest.

Regarding the 41 events, can you copy the log event so we can verify it works?
Regards.

@danimegar danimegar reopened this May 22, 2020
@danimegar
Contributor

Hi @BernaldoPenasAntelo

There is a parameter to collect past Windows events. Add this line to the localfile block:

<localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <only-future-events>no</only-future-events>
</localfile>

By default, the only-future-events value is yes.

I was able to get the 6008 event in archives.log:

grep 6008 /var/ossec/logs/archives/archives.log

2020 May 27 07:51:54 (Windows2016) any->EventChannel {"win":{"system":{"providerName":"EventLog","eventID":"6008","level":"2","task":"0","keywords":"0x80000000000000","systemTime":"2020-05-27T07:51:50.454470000Z","eventRecordID":"7573","channel":"System","computer":"win2016-agente12","severityValue":"ERROR","message":"\"The previous system shutdown at 7:50:28 AM on ‎5/‎27/‎2020 was unexpected.\""},"eventdata":{"binary":"E407050003001B00070032001C005902E407050003001B00070032001C0059023C0000003C000000000000000000000000000000000000000100000000000000","data":"7:50:28 AM, ‎5/‎27/‎2020, 356"}}}

Maybe this option can be useful.

Regards,
Daniel

@BernaldoPenasAntelo
Author

Hi:

Finally I have a moment to test everything, and yes, with that configuration parameter it works fine.

So these are the actual rules that I have tested and that work for me, based on the initial ones:

<!-- parent 63102: Windows Eventlog ERROR event (quoted above) -->
<rule id="100420" level="7">
    <if_sid>63102</if_sid>
    <field name="win.system.eventID">^6006$|^6008$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot</description>
    <options>no_full_log</options>
</rule>
<!-- parent 61100: Windows Eventlog INFORMATION event -->
<rule id="100421" level="7">
    <if_sid>61100</if_sid>
    <field name="win.system.eventID">^1074$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot, An application forces the system to reboot</description>
    <options>no_full_log</options>
</rule>
<rule id="100422" level="7">
    <if_sid>61105</if_sid>
    <field name="win.system.eventID">^41$</field>
    <description>Mitre ATT&CK T1529,  Impact, System Shutdown/Reboot, The system has rebooted without cleanly shutting down first.</description>
    <options>no_full_log</options>
</rule>

Thanks for your help
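An added check for the two rule-related points in this thread (the parent-severity question in the May 6 comment and the final rules posted above): this is example code written for this page, not code from the thread or from the Wazuh project. It turns the 6006 Event Viewer XML and the 6008 archives.log line quoted above into the `win.system` / `win.eventdata` shape the manager logs, then walks a small model of the rule chain the way Wazuh does (parent via if_sid, then every `<field>` regex). Assumptions not taken from the page: the Level-to-severityValue mapping, 60002 as the System-channel group, 60007 as a pass-through group (its provider filter is what the override above is about and is not modelled), Python `re` in place of Wazuh's OS_Regex, the constructed 1074 event (provider User32), and the hypothetical rule 100423 that hangs off both 61100 and 63102 so 6006 (INFORMATION, Level 4) and 6008 (ERROR, Level 2) reach the same child.

```python
import json
import re
import xml.etree.ElementTree as ET

WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed mapping from the <Level> element to Wazuh's severityValue.
LEVEL_TO_SEVERITY = {"1": "CRITICAL", "2": "ERROR", "3": "WARNING",
                     "4": "INFORMATION", "5": "VERBOSE"}

# Event Viewer XML for event 6006, as quoted in the thread.
EVENT_XML_6006 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="EventLog" />
  <EventID Qualifiers="32768">6006</EventID>
  <Level>4</Level>
  <Task>0</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2020-05-19T09:26:43.429960900Z" />
  <EventRecordID>11576</EventRecordID>
  <Channel>System</Channel>
  <Computer>WIN-2016</Computer>
  <Security />
</System>
<EventData><Binary>0100000000000000</Binary></EventData>
</Event>"""

# archives.log line for event 6008, as quoted in the thread (binary field trimmed).
ARCHIVES_6008 = (r'2020 May 27 07:51:54 (Windows2016) any->EventChannel {"win":{"system":'
                 r'{"providerName":"EventLog","eventID":"6008","level":"2","task":"0",'
                 r'"channel":"System","computer":"win2016-agente12","severityValue":"ERROR",'
                 r'"message":"\"The previous system shutdown at 7:50:28 AM on 5/27/2020 was unexpected.\""},'
                 r'"eventdata":{"data":"7:50:28 AM, 5/27/2020, 356"}}}')

# Constructed 1074 event (clean shutdown request); not quoted on the page.
EVENT_1074 = {"win": {"system": {"providerName": "User32", "eventID": "1074",
                                 "channel": "System", "severityValue": "INFORMATION"},
                      "eventdata": {}}}


def event_xml_to_wazuh(xml_text):
    """Flatten <System> into win.system and <EventData> into win.eventdata."""
    root = ET.fromstring(xml_text)
    sys_el = root.find("e:System", WIN_NS)

    def text(tag):
        el = sys_el.find("e:" + tag, WIN_NS)
        return (el.text or "").strip() if el is not None else ""

    level = text("Level")
    system = {
        "providerName": sys_el.find("e:Provider", WIN_NS).get("Name"),
        "eventID": text("EventID"),
        "level": level,
        "channel": text("Channel"),
        "computer": text("Computer"),
        "severityValue": LEVEL_TO_SEVERITY.get(level, "INFORMATION"),
    }
    eventdata = {}
    data_el = root.find("e:EventData", WIN_NS)
    for child in (data_el if data_el is not None else []):
        key = child.get("Name") or child.tag.split("}")[-1].lower()  # <Binary> -> "binary"
        eventdata[key] = (child.text or "").strip()
    return {"win": {"system": system, "eventdata": eventdata}}


def parse_archives_line(line):
    """Drop the 'timestamp (agent) ip->EventChannel ' prefix and load the JSON payload."""
    _, sep, payload = line.partition("->EventChannel ")
    if not sep:
        raise ValueError("not an EventChannel archives.log line")
    return json.loads(payload)


def get_field(event, dotted):
    """Resolve a <field name="win.system.eventID"> path; None if a segment is missing."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


class Rule:
    def __init__(self, rid, level, if_sid=(), fields=None):
        self.id, self.level, self.if_sid, self.fields = rid, level, tuple(if_sid), fields or {}


# Ordered parent-before-child, as Wazuh loads them.
POSTED_RULES = [
    Rule(60002, 0, (), {"win.system.channel": "^System$"}),  # assumed System-channel group
    Rule(60007, 0, (60002,)),                                 # pass-through, see lead-in
    Rule(61100, 0, (60007,), {"win.system.severityValue": "^INFORMATION$"}),
    Rule(63101, 0, (60007,), {"win.system.severityValue": "^WARNING$"}),
    Rule(63102, 5, (60007,), {"win.system.severityValue": "^ERROR$"}),
    Rule(100420, 7, (63102,), {"win.system.eventID": "^6006$|^6008$"}),
    Rule(100421, 7, (61100,), {"win.system.eventID": "^1074$"}),
]
# Hypothetical: one child under both severity parents (if_sid accepts a list).
RULE_100423 = Rule(100423, 7, (61100, 63102), {"win.system.eventID": "^6006$|^6008$"})


def evaluate(event, rules):
    """Return the deepest matching rule; a level-0 result means no alert is raised."""
    matched, last = set(), None
    for rule in rules:
        if rule.if_sid and not any(p in matched for p in rule.if_sid):
            continue  # parent did not match, so this branch is never reached
        if all(get_field(event, n) is not None and re.search(rx, str(get_field(event, n)))
               for n, rx in rule.fields.items()):
            matched.add(rule.id)
            last = rule
    return last


if __name__ == "__main__":
    events = {"6006": event_xml_to_wazuh(EVENT_XML_6006),
              "6008": parse_archives_line(ARCHIVES_6008), "1074": EVENT_1074}
    for name, ev in events.items():
        for label, rules in (("posted", POSTED_RULES), ("+100423", POSTED_RULES + [RULE_100423])):
            hit = evaluate(ev, rules)
            print(f"{name:>5} {label:<8} -> rule {hit.id} level {hit.level}")
```

Run as posted, 6008 reaches 100420 but 6006 stops at 61100 (level 0, no alert), because 100420 hangs only off the ERROR parent; the first posting's `win.eventdata.eventID` path resolves to nothing at all for these events, since the decoder puts the ID under `win.system`. Confirm the real parent IDs against `/var/ossec/ruleset/rules` on your manager before copying this structure, since the base rule numbering here is an assumption.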
