CentOS 7.x Configure custom rules

From Notes_Wiki
Revision as of 09:36, 25 August 2022 by Saurabh (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure custom rules

Configure local rules for specific windows events

Create windows custom event logs

To create custom windows events use:

  1. Open command prompt with administrator privileges. Run below command for creating custom event log
    > eventcreate /ID 1000 /L APPLICATION /T INFORMATION /SO MyEventSource /D "My-First-log"
    Here 1000 is event ID, event is created in application section, event type or severity is information, event source is "MyEventSource" and description of the event is "My-First-log"

This would help in configuring OSSEC later to catch our custom events. The same steps also work for generating alerts for inbuilt or default Windows events generated from other sources.


On OSSEC Server, Create local rule for windows custom log

  1. If logall is enabled as described at CentOS 7.x Configure OSSEC server on OSSEC server, then windows custom logs are saved in '/var/ossec/logs/archives/archives.log'.
  2. You can grep above windows log using below command.
    grep My-First-Log /var/ossec/logs/archives/archives.log
  3. Windows predefined rule ids can be found in below file
    vim /var/ossec/rules/msauth_rules.xml
  4. For getting emails/alerts, create local rule in '/var/ossec/rules/local_rules.xml'
    <rule id="100008" level="12">
    <if_sid>18101</if_sid>
    <id>^1000$</id>
    <match>My-First-log</match>
    <description>my custom event</description>
    </rule>
    Here, 100008 is ID for our new rule. The new rule ID should start from 100000. 18101 is windows event log Information rule id learned from predefined rules mentioned in /var/ossec/rules/msauth_rules.xml. 1000 is windows event ID. This event ID will be matched against value given against /ID while generating the logs. My-First-Log is custom string which is searched in description given using /D while generating custom logs. Value for description can be anything suitable that you want to see on OSSEC Web-UI and in OSSEC email alerts. Emails will get generated for alerts with level 7 or above by default.
  5. Restart OSSEC server for changes to take effect
    systemctl ossec restart
  6. Again generate a windows alert using eventcreate command. This time you should be able to see the alert on OSSEC web-UI. If emails are configured and custom rule level is high enough, you should also receive email for above event.



Steps contributed by Pavan Ponamala



Home > CentOS > CentOS 7.x > Security Tools > CentOS 7.x OSSEC > CentOS 7.x Configure custom rules