Monitoring Windows security log with the CMK Event Console rule logwatch

There's a bakery rule, "Finetune Windows Eventlog monitoring", that should be used to define which Eventlogs should be considered and how.

LAST TESTED ON CHECKMK 2.2.0P1

Table of Contents

Getting Started

Background information regarding this subject is available on our:

Checkmk Rules needed

Configuring the Checkmk Agent

In this use case, we are only interested in the Security log, so the rule should look like this and should match all hosts we want to monitor the Security log on:

Setup→ Agents → Windows, Linux, Solaris, AIX → Agent rules → Finetune Windows Eventlog monitoring → Add Rule
Screenshot of finetune windows eventlog monitoring.

After saving this rule, activate the changes and bake & sign your agents.

Configuring the Event Console Forwarding

If you would discover the services of your affected Windows hosts now, you will get the old-school Checkmk Services "Log Security" with the "Open Log" in their context menus.

Instead, we want the events to be forwarded to the Event Console. Therefore, we use the rule "Logwatch Event Console Forwarding":

Setup → Services → Service monitoring rules → Logwatch Event Console Forwarding → Add Rule
Screenshot of logwatch event console fowarding rule. Forwarding method set to local. Syslog facility for forwarded messages set to local1.

We recommend using the spooling, so the events are buffered if the Event Console should be down for a moment. The syslog facility "local1" can be used later in the EC rules for efficient event handling.

After saving this rule, make a service discovery on the affected hosts and activate the changes.

Checking the Event Archive

From now on, the events from the Windows Eventlog on your hosts will be translated to Checkmk Event Console events and put into the event archive (if not matching any EC Rule yet):

Screenshot of recent event history

We will create some EC Rules in the next paragraph to categorize and classify the incoming events. Using the message texts from the Event History, you can define the needed Regex patterns for that.

Creating the Event Console Rules

Basic Rules

Create a Rulepack with a suitable name:
Go to the rules of this Rulepack
There, create a rule to handle all events that do not match any other rules yet

General properties

Setup → Events → Event Console rule packs → Add Rule
Screenshot of adding a new rule. Rule Id is WinEvtLot_unkonwn. Catch all events that are not categorized yet.

Matching Criteria

Here, we need two regular expressions:

Screenshot of adding a rule to match a regular expression statement.

The first one is applied to the message text and defines three matching groups using the brackets:
```
.{3} [0-9]+ [0-9:]{8} [0-9]+\.([0-9]{4}) ([^ ]+) (.*) 
```
The website https://regex101.com helps you to understand how the regex matches the message text and which groups are created:

These groups can later be accessed using the placeholders \1, \2, and \3 in the message text rewriting. They might also become important when automatic duplicate detection is used. We'll come to that later on.
The second regular expression "^(.*)$" simply matches on any Application text (in our case, it's always "Security", though) and puts it into a matching group. Later, we can access this group using the macro "$MATCH_GROUPS_SYSLOG_APPLICATION_1$".

Counting & Timing

The "Outcome & Action" section can remain unchanged, but in the Counting & Timing, we have two definitions:

Screenshot of force separate events for different host and applications enabled.

The counting is done based on the hostname and the application. Forcing separate events for different match groups makes no sense here because the message text is stored in group 3, and as we all know, these texts sometimes contain IDs, timestamps, and similar unique strings.

As the events that match this rule will be categorized as "unknown", we will only keep them for 4 hours to keep our Event view as small and clean as possible.

Rewriting

In the Rewriting section, we can adjust the message text, application, and other variables that will be shown in the event views:

Screenshot of rewrite message text

The message text will be replaced using the groups from above:

Unknown $MATCH_GROUPS_SYSLOG_APPLICATION_1$ event with ID \1: \3

When using the example log entry from our regex101.com excursion, we get:

Unknown Security event with ID 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-DLP6NNN$ Account Domain: WORKGROUP Logon ID: ...

The application will also be replaced using groups from above:

WinEvtLog_Unknown_$MATCH_GROUPS_SYSLOG_APPLICATION_1$_$MATCH_GROUPS_MESSAGE_1$

When using the example log entry from our regex101.com excursion, we get:

WinEvtLog_Unknown_Security_4799

Conclusion

Using this "unknown" rule, we will catch all so-far not categorized events, adjust their message text and application, and then aggregate ("count") them based on the hostname and that modified application.

Specific Rules

Based on the events that are now caught by the "unknown" rule, we can pick single Event IDs and create rules for them to handle them separately. Let's choose this event in the first step:

Unknown Security event with ID 4720: A user account was created. Subject: Security ID: S-1-12-1-123456789012-123456789012-123456789012-123456789012 Account Name: LarsGetwan Account Domain: AzureAD Logon ID: 0x83d81 New Account: Security ID: S-1-5-21-123456789012-123456789012-123456789012-1001 Account Name: eric.clapton Account Domain: DESKTOP-DLP6NNN Attributes: SAM Account Name: eric.clapton Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -