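---
# Ansible variables for the Wazuh agent role on Windows hosts.
# Values the role renders verbatim into ossec.conf (yes/no switches, paths,
# addresses) are kept as quoted strings on purpose: an unquoted `no` or `yes`
# would be re-typed by YAML into a boolean and the template would emit
# "False"/"True" instead of the literal text ossec.conf expects.

# Quoted so the dotted address stays a string.
wazuh_manager_ip: "192.168.33.10"

wazuh_managers:
  - address: "{{ wazuh_manager_ip }}"
    port: 1514
    protocol: tcp
    api_port: 55000
    # "http" sends the API credentials below in clear text; use "https" where
    # the manager API has TLS enabled.
    api_proto: "http"
    # Placeholder credentials. Supply the real values from Ansible Vault or an
    # external lookup rather than committing them to this vars file.
    api_user: foo
    api_pass: bar

wazuh_agent_authd:
  # authd_pass: 'foobar'
  registration_address: "{{ wazuh_manager_ip }}"
  enable: true
  port: 1515
  # No CA is supplied and auto-negotiation is off, so the agent has nothing to
  # verify the manager certificate against at enrollment. Point ssl_agent_ca
  # at the manager CA to pin it (confirm the role's authd template honours it).
  ssl_agent_ca: null
  ssl_auto_negotiate: "no"
  ssl_agent_cert: null

wazuh_winagent_config:
  # Canonical lowercase boolean (was `False`; same value under YAML 1.1).
  check_md5: false

wazuh_agent_config:
  syscollector:
    disable: "no"
    os: "yes"
    # Needed for windows
    win_hotfixes: "yes"
    interval: 10m
    scan_on_start: "yes"

  ### OSQUERY
  # Wazuh OSquery config
  osquery:
    disable: "no"
    run_daemon: "no"
    # Single quotes keep the backslashes literal.
    bin_path_win: 'C:\Program Files\osquery\osqueryd'
    log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
    config_path_win: 'C:\Program Files\osquery\osquery.conf'
    add_labels: "yes"

  # Windows event sources collected by the agent. The template excerpt at the
  # bottom of this file only emits <query> for eventchannel entries, so the
  # eventlog entries carry no query.
  localfiles:
    windows:
      # Sysmon events (commented out; enable once Sysmon is deployed)
      # - format: 'eventchannel'
      #   location: 'Microsoft-Windows-Sysmon/Operational'
      # PowerShell script block logging (4104), module/pipeline logging (4103)
      # and pipeline error records (4100), filtered with an XPath query.
      - format: "eventchannel"
        location: "Microsoft-Windows-Powershell/Operational"
        # location: 'Windows PowerShell'
        query: "Event/System[EventID=4104 or EventID=4100 or EventID=4103]"
      - format: "eventlog"
        location: "Microsoft-Windows-Powershell/Operational"
        # location: 'Windows PowerShell'
        # query: 'Event/System[EventID=4104 or EventID=4100 or EventID=4103]'
      - format: "eventlog"
        # location: 'Microsoft-Windows-Powershell/Operational'
        location: "Windows PowerShell"
        # query: 'Event/System[EventID=4104 or EventID=4100 or EventID=4103]'
        # query: 'Event/System[EventID=4104]'
        # 4100 and 4103 should be helpful too
      # - format: 'eventchannel'
      #   location: 'Microsoft-Windows-Powershell/Operational'
      #   query: 'Event/System[EventID=4103]'

# References:
# https://documentation.wazuh.com/3.9/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html
# https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
#
# From the cheat sheet:
# Windows 8.1 / Server 2012 and above, PowerShell version 3 and 4:
#   "Windows PowerShell" log - Event IDs 400, 500, 501 and 800
#   "Microsoft-Windows-PowerShell/Operational" log - Event ID 4104
# Windows 7 / Server 2008 and above, PowerShell version 5:
#   "Windows PowerShell" log - Event IDs 200, 400, 500 and 501
#   "Microsoft-Windows-PowerShell/Operational" log - Event IDs 4100, 4103 and 4104
#
# Template excerpt (kept as a comment) showing how a localfile template can
# consume wazuh_agent_config.localfiles.windows:
# {% for localfile in wazuh_agent_config.localfiles.windows %}
#   <localfile>
#     <log_format>{{ localfile.format }}</log_format>
#     {% if localfile.format == 'eventchannel' %}
#     <location>{{ localfile.location }}</location>
#     <query>{{ localfile.query }}</query>
#     {% else %}
#     <location>{{ localfile.location }}</location>
#     {% endif %}
#   </localfile>
# {% endfor %}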