Wazuh-agent not forwarding Windows event logs

[mmasino-matc]

Wazuh does not seem to be forwarding EventLogs from Windows 2008 rc2. Is this disabled by default somewhere now (I was thinking that since Wazuh, OSQuery, and WinlogBeats could do the job maybe you had to enable it)? I am pretty sure I was getting those winlogs before I updated to the Version of the wazuh-agent that is available in the "downloads" tab.

[dougburks]

Are you sure the Wazuh agent is registered properly as described at https://docs.securityonion.net/en/2.3/wazuh.html#adding-agents?

Have you checked the log for the agent itself for additional clues?

[mmasino-matc]

Hi Doug
Thanks for the help.

So after doing some debugging I think it has something to do with the ability of the wazuh-agent to forward logs from Win2008rc2 in the "eventchannel" log format. I can't figure out why that one server won't log/decode correctly. I am trying to figure out if there is a default setting in Win2008rc2 that disables eventchannel logging.

What I have tried:

1. Installed the same version of wazuh-agent on Win10, Win7, win 2012 If I set the <log_format> to eventchannel in wazuh.conf then I get

• module: windows_eventlog
• Dataset
• • security
• • system
• • alert
• • application
    Log is fully parsed out.

2. If I set the <log_format> to eventchannel in 2008rc2 in the wazuh.conf file I get nothing. If I set it to eventlog then I get:

• module: "ossec"
• dataset: "windows"
  But it is just the raw log, it is not parsed out.

[dougburks]

You could try a different endpoint agent like osquery or Winlogbeat to see if that makes any difference.