How to collect Windows logs

Windows events can be gathered and forwarded to the manager, where they are processed and alerted if they match any rule. There are two formats to collect Windows logs:

  • Eventlog (supported by every Windows version)

  • Eventchannel (for Windows Vista and later versions)

Windows logs are descriptive messages which come with relevant information about events that occur in the system. They are collected and shown at the Event Viewer, where they are classified by the source that generated them.

Eventlog and eventchannel can be both monitored by Wazuh. Eventchannel data processing has been improved since Wazuh version 3.8, keeping the old functionality and configuration. This updated log format uses the Windows API in order to get every event generated at a monitored channel's log.

This information is gathered by the Windows agent, including the event description, the system standard fields and the specific eventdata information from the event. Once an event is sent to the manager, it is processed and translated to JSON format, which leads to an easier way of querying and filtering the event fields.

Eventlog uses as well the Windows API to obtain events from Windows logs and return the information in a specific format.

  1. Windows Eventlog vs Windows Eventchannel

  2. Monitor the Windows Event Log with Wazuh

  3. Monitor the Windows Event Channel with Wazuh

  4. Filtering events from Windows Event Channel with queries

Windows Eventlog vs Windows Eventchannel

Eventlog is supported on every Windows version and can monitor any logs except for particular Applications and Services Logs, this means that the information that can be retrieved is reduced to System, Application and Security channels.

On the other hand, Eventchannel is maintained since Windows Vista and can monitor the Application and Services logs along with the basic Windows logs. In addition, the use of queries to filter by any field is supported for this log format.

With the new changes made in the eventchannel log format for versions higher than v3.8.0, the number of fields decoded has increased. In addition, the Windows ruleset has been updated, extended and reorganized according to the source channel.

Furthermore, this modifications facilitate the process of rules creation as well as the alert triggering since the event is now gathered in JSON format.

Monitor the Windows Event Log with Wazuh

To monitor a Windows event log, it is necessary to provide the format as "eventlog" and the location as the name of the event log.

<localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
</localfile>

These logs are obtained through Windows API calls and sent to the manager where they will be alerted if they match any rule.

Monitor the Windows Event Channel with Wazuh

Windows event channels can be monitored by placing their name at the location field from the localfile block and "eventchannel" as the log format.

Note

Read the How to collect Windows events with Wazuh document for more information.

Note

If the channel name contains a % it is necessary to replace it with /. For example, replace Microsoft-Windows-PrintService%Operational with Microsoft-Windows-PrintService/Operational.

<localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

Note

Eventchannel is supported on Windows versions equal or more recent than Vista.

Available channels and providers

Table below shows available channels and providers to monitor included in the Wazuh ruleset:

Source

Channel location

Provider name

Description

Application

Application

Any

This log retrieves every event related to system applications management and is one of the main Windows administrative channels along with Security and System.

Security

Security

Any

This channel gathers information related to users and groups creation, login, logoff and audit policy modifications.

System

System

Any

The System channel collects events associated with kernel and service control.

Sysmon

Microsoft-Windows-Sysmon/Operational

Microsoft-Windows-Sysmon

Sysmon monitors system activity as process creation and termination, network connection and file changes.

Windows Defender

Microsoft-Windows-Windows Defender/Operational

Microsoft-Windows-Windows Defender

The Windows Defender log file shows information about the scans passed, malware detection and actions taken against them.

McAfee

Application

McLogEvent

This source shows McAfee scan results, virus detection and actions taken against them.

EventLog

System

Eventlog

This source retrieves information about audit and Windows logs.

Microsoft Security Essentials

System

Microsoft Antimalware

This software gives information about real-time protection for the system, malware-detection scans and antivirus settings.

Remote Access

File Replication Service

Any

Other channels (they are grouped in a generic Windows rule file).

Terminal Services

Service Microsoft-Windows-TerminalServices-RemoteConnectionManager

When monitoring a channel, events from different providers can be gathered. At the ruleset this is taken into account to monitor logs from McAfee, Eventlog or Security Essentials.

Windows ruleset redesign

In order to ease the addition of new rules, the eventchannel ruleset has been classified according to the channel from which events belong. This will ensure an easier way of maintaining the ruleset organized and find the better place for custom rules. To accomplish this, several modifications have been added:

  • Each eventchannel file contains a specific channel's rules.

  • A base file includes every parent rule filtering by the specific channels monitored.

  • Rules have been updated and improved to match the new JSON events, showing relevant information at the rule's description and facilitating the way of filtering them.

  • New channel's rules have been added. By default, the monitored channels are System, Security and Application, these channels have their own file now and include a fair set of rules.

  • Every file has their own rule ID range in order to get it organized. There are a hundred IDs set for the base rules and five hundred for each channel file.

  • In case some rules can't be classified easily or there are so few belonging to a specific channel, they are included at a generic Windows rule file.

To have a complete view of which events are equivalent to the old ones from eventlog and the previous version of eventchannel, this table classifies every rule according to the source in which they were recorded, including their range of rule IDs and the file where they are described.

Eventchannel for Wazuh >= 3.9.0

Source

Rule IDs

Rule file

Base rules

60000 - 60099

0575-win-base_rules.xml

Security

60100 - 60599

0580-win-security_rules.xml

Application

60600 - 61099

0585-win-application_rules.xml

System

61100 - 61599

0590-win-system_rules.xml

Sysmon

61600 - 62099

0595-win-sysmon_rules.xml

Windows Defender

62100 - 62599

0600-win-wdefender_rules.xml

McAfee

62600 - 63099

0605-win-mcafee_rules.xml

Eventlog

63100 - 63599

0610-win-ms_logs_rules.xml

Microsoft Security Essentials

63600 - 64099

0615-win-ms-se_rules.xml

Others

64100 - 64599

0620-win-generic_rules.xml

Eventchannel and eventlog for Wazuh < 3.9.0

Source

Rule IDs

Rule file

Base rules

18100 - 18103, 7704, 7500

0220-msauth_rules.xml, 0230-ms-se_rules.xml, 0225-mcafee_av_rules.xml

Security

18100 - 18124, 18127 - 18128, 18130 - 18144, 18146 - 18149, 18151 - 18155, 18170 - 18181, 18200 - 18256, 18260 - 18261

0220-msauth_rules.xml

Application

18158 - 18160, 18146 - 18147

0220-msauth_rules.xml

System

18145

0220-msauth_rules.xml

Sysmon

184665 - 184776, 184676 - 184678, 184686 - 184687, 184696 - 184698, 184706 - 184707, 184716 - 184717, 184726 - 184727, 184736 - 184737, 184746 - 184747, 184766 - 184767, 184776 - 184777, 185000 - 185013

0330-sysmon_rules.xml

Windows Defender

83000 - 83002

0430-ms_wdefender_rules.xml

McAfee

7500 - 7514, 7550

0225-mcafee_av_rules.xml

Eventlog

83200 - 83202

0435-ms_logs_rules.xml

Microsoft Security Essentials

7701 - 7720

0230-ms-se_rules.xml

Others

18125 - 18126, 18129, 18257 - 18259, 18156 - 18157

0220-msauth_rules.xml

Use case

This section describes a simple use case of an alert triggered when an installation event occurs.

The installation log will be collected at the Application channel. To monitor logs generated by this source with the eventchannel format, the configuration file should include the next localfile block:

<localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
</localfile>

The next step is to install a new application. Once it is installed, the Wazuh manager will build the next JSON event related with the installation process:

{
    "win": {
        "system": {
        "providerName": "MsiInstaller",
        "eventID": "11707",
        "level": "4",
        "task": "0",
        "keywords": "0x80000000000000",
        "systemTime": "2019-04-03T10:47:39.000000000Z",
        "eventRecordID": "12615",
        "channel": "Application",
        "computer": "pcname",
        "severityValue": "INFORMATION",
        "message": "Product: Dr. Memory -- Installation completed successfully."
        },
        "eventdata": {
        "binary": "7B36373637354144362D314642302D344445312D394543462D3834393937353135303235457D",
        "data": "Product: Dr. Memory -- Installation completed successfully."
        }
    }
}

This event can be filtered field by field in case an alert is desired to trigger when it occurs. In this use case, the filters used will be the provider name and the event ID, as follows:

<rule id="60612" level="3">
    <field name="win.system.providerName">MsiInstaller</field>
    <field name="win.system.eventID">^11707$|^1033$</field>
    <options>alert_by_email</options>
    <description>Application Installed $(win.eventdata.data)</description>
    <options>no_full_log</options>
</rule>

Finally, once the event is generated, the rule from above will be matched and therefore, trigger the next alert shown at the Kibana app:

The next images show a simple event collection with the eventchannel log format. The first one represents the number of events of each channel, filtered by provider name along the time.

Some events from different channels are shown below with the associated provider name and severity value:

Filtering events from Windows Event Channel with queries

Events from the Windows Event channel can be filtered as below. In this example, only events which levels are less or equal to "3" are checked.

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=7040]</query>
</localfile>

Users can filter events with different severity levels.

<localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>
        \<QueryList>
            \<Query Id="0" Path="System">
                \<Select Path="System">*[System[(Level&lt;=3)]]\</Select>
            \</Query>
        \</QueryList>
    </query>
</localfile>

Note

The <QueryList> syntax requires escaping the XML labels inside the query as above.