- How to collect Windows logs
- Windows Eventlog vs Windows Eventchannel
- Monitor the Windows Event Log with Wazuh
- Monitor the Windows Event Channel with Wazuh
- Available channels and providers
- Windows ruleset redesign
How to collect Windows logs
Windows events can be gathered and forwarded to the manager, where they are processed and an alert is raised for every event that matches a rule. There are two formats for collecting Windows logs:
- Eventlog (supported by every Windows version)
- Eventchannel (Windows Vista and later)
Windows logs are descriptive messages that carry relevant information about events occurring on the system. They are collected and displayed in the Event Viewer, where they are classified by the source that generated them.
Wazuh can monitor both eventlog and eventchannel. Eventchannel data processing was improved in Wazuh 3.8 while keeping the old functionality and configuration. This updated log format uses the Windows API to retrieve every event written to a monitored channel.
The Windows agent gathers the event description, the standard System fields and the event-specific EventData fields. Once an event reaches the manager, it is processed and translated to JSON, which makes querying and filtering the event fields much easier.
Eventlog also uses the Windows API to read events from the Windows logs, but returns them in a fixed format of its own rather than as JSON.
Windows Eventlog vs Windows Eventchannel
Eventlog is supported on every Windows version, but it cannot monitor the Applications and Services Logs; in practice the information it can retrieve is limited to the System, Application and Security channels.
Eventchannel, on the other hand, has been available since Windows Vista and can monitor the Applications and Services Logs as well as the basic Windows logs. It also supports queries to filter events by any field, so the agent can drop noisy events before they ever leave the host.
With the changes made to the eventchannel log format in versions after v3.8.0, the number of decoded fields has increased. In addition, the Windows ruleset has been updated, extended and reorganized according to the source channel.
These modifications make rule creation and alert triggering easier, since the event is now delivered in JSON format and rules can match individual fields instead of parsing the whole message with regular expressions.
Monitor the Windows Event Log with Wazuh
To monitor a Windows event log, set the log format to eventlog and the location to the name of the event log (for example Application, Security or System).
These logs are obtained through Windows API calls and sent to the manager, where an alert is raised for every event that matches a rule.
Monitor the Windows Event Channel with Wazuh
Windows event channels are monitored by placing the channel name in the location field of a localfile block and setting the log format to eventchannel.
Read the How to collect Windows events with Wazuh document for more information.
If the channel name contains a %, replace it with /. For example, replace Microsoft-Windows-PrintService%Operational with Microsoft-Windows-PrintService/Operational.
Eventchannel is supported on Windows Vista and later.
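The following ossec.conf fragment is an added example for this page, not configuration taken from the Wazuh documentation or the Wazuh ruleset. It places both formats side by side on a Windows agent: the Application log read with eventlog, and the Security, PrintService and Sysmon channels read with eventchannel. The Sysmon channel, the Sysmon event IDs 1 and 3, and the XPath-style query expression are assumptions used for illustration; check the channel names on the host (the Event Viewer shows the exact name of each channel) before copying them.

```xml
<!-- Added example (not from the Wazuh docs): localfile blocks in the agent's ossec.conf -->
<ossec_config>

  <!-- Legacy eventlog format: works on every Windows version, but only for the
       Application, Security and System logs, and with no field-level filtering. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- eventchannel format (Windows Vista and later): the channel name goes in
       <location>. Events are forwarded as JSON, so rules can match on single
       fields such as the event ID instead of regex-matching the whole message. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- An Applications and Services Log, which eventlog cannot read at all.
       Note the "/" in the channel name: a "%" in the name must be replaced by "/". -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Filtering with a query (assumed example): only Sysmon process-creation (1)
       and network-connection (3) events are collected, so the agent does not
       forward the whole channel to the manager. -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=1 or EventID=3]</query>
  </localfile>

</ossec_config>
```

Do not configure the same log with both formats: both read the same source, so every event would be forwarded twice and fire the same rules twice. Restart the agent after editing ossec.conf so the new localfile blocks are picked up.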
Available channels and providers
The list below shows the channels and providers that have rules in the Wazuh ruleset:
- Application: every event related to the management of system applications. It is one of the three main Windows administrative channels, along with Security and System.
- Security: events related to user and group creation, logon, logoff and audit policy modifications.
- System: events associated with the kernel and service control.
- Sysmon: system activity such as process creation and termination, network connections and file changes.
- Windows Defender: scans performed, malware detections and the actions taken against them.
- McAfee: scan results, virus detections and the actions taken against them.
- Eventlog: information about auditing and the Windows logs themselves.
- Microsoft Security Essentials: real-time protection status, malware-detection scans and antivirus settings.
- File Replication Service
- Other channels (grouped in a generic Windows rule file).
A single channel can carry events from several providers. The ruleset takes this into account in order to monitor the McAfee, Eventlog and Security Essentials providers, whose events are written to a shared channel.
Windows ruleset redesign
To ease the addition of new rules, the eventchannel ruleset has been classified by the channel the events belong to. This keeps the ruleset organized and makes it easier to find the right place for custom rules. To accomplish this, several modifications were made:
- Each eventchannel rule file contains the rules for one specific channel.
- A base file holds every parent rule, each one filtering on one of the monitored channels.
- Rules have been updated and improved to match the new JSON events, showing relevant information in the rule description and making them easier to filter.
- Rules for new channels have been added. The channels monitored by default are System, Security and Application; each of them now has its own file with a fair set of rules.
- Every file has its own rule ID range to keep the ruleset organized: a hundred IDs are reserved for the base rules and five hundred for each channel file.
- Rules that cannot be classified easily, or that belong to a channel with too few rules to justify its own file, are placed in a generic Windows rule file.
To have a complete view of which rules are equivalent to the old eventlog rules and to the previous eventchannel version, this table classifies every rule according to the source in which it was recorded, including its rule ID range and the file where it is defined.
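As an added example that is not part of the Wazuh ruleset, the local_rules.xml fragment below shows how custom rules hang off the per-channel parent rules described above and match the decoded JSON fields directly. Three things are assumptions to verify against the ruleset version in use: that the base-file parent rule for the Security channel has ID 60002, that decoded fields are exposed as win.system.* and win.eventdata.*, and that custom rules use IDs of 100000 or higher (the Wazuh convention for local rules). The Windows event IDs 4624, 4720 and the logon type 10 are standard Security-log values.

```xml
<!-- Added example (not part of the Wazuh ruleset): custom eventchannel rules in
     /var/ossec/etc/rules/local_rules.xml on the manager.
     Assumptions to check against your ruleset: the Security-channel parent rule is
     60002, decoded fields are win.system.* / win.eventdata.*, and local rule IDs
     start at 100000. -->
<group name="windows,windows_security,local,">

  <!-- Successful logon over RDP (event 4624, logon type 10 = RemoteInteractive).
       Because the event is JSON, each condition is a separate field match rather
       than one regular expression over the whole message, and the description
       can pull decoded values in with $(field). -->
  <rule id="100100" level="8">
    <if_sid>60002</if_sid>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.logonType">^10$</field>
    <description>Windows: RDP logon by $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Child rule: same event, but for the built-in Administrator account.
       Child rules narrow the parent, so the more specific match lives here
       and the higher level overrides the parent's level. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.targetUserName">^Administrator$</field>
    <description>Windows: RDP logon with the built-in Administrator account from $(win.eventdata.ipAddress)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- User account created (event 4720). subjectUserName is the account that
       performed the action, targetUserName the account that was created;
       both are available because the whole EventData section is decoded. -->
  <rule id="100102" level="8">
    <if_sid>60002</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <description>Windows: account $(win.eventdata.targetUserName) created by $(win.eventdata.subjectUserName)</description>
    <group>account_changed,</group>
  </rule>

</group>
```

Keep custom rules in local_rules.xml rather than editing the channel files shipped with the ruleset, since those are replaced on upgrade; the per-channel parent rule is what ties the custom rule to the right file and channel. Test each rule on the manager with /var/ossec/bin/wazuh-logtest (ossec-logtest on 3.x) by pasting a decoded eventchannel JSON event before relying on it in production.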