Not able to finish the lab. I'm configuring /var/ossec/etc/rules/local_rules.xml as shown in the instructions of the lab, but the alert does not show up in Wazuh. I'm also restarting wazuh-manager.service and reconnecting in Remmina.
Configuration of the rule in the /var/ossec/etc/rules/local_rules.xml:
One thing to be sure of is that the Windows agent can reach the Wazuh server. You have to find the IPs for your lab and be sure the Wazuh service is stopped and started on the Windows client. When you log into Wazuh for the first time you need to see an active agent:
Yes, the agent appears in Wazuh as an active agent. The lab goes well through all the steps before the custom rule is configured, but the rule of level 12 doesn't appear in Wazuh.
I am experiencing the same issues in this lab. I have questions about Part 3: editing the script and using the following commands per the instructions, vi /var/ossec/ruleset/rules/0840-win_event_channel.xml, etc., to trigger Rule 92653.
I highlighted and copied Rule 92653, then opened a new tab, pasted the script and followed steps 13 - 15. However, after pasting the new rule, I had issues saving and then exiting, and I am not sure the new rule was saved. How can I make sure the script changes have been saved in the script?
I also had issues logging out of the Remmina RDP and then reopening the RDP. Where do you log out on the RDP? There was no log out prompt. I just “x” out of RDP.
Next, after clicking the back arrow in Firefox, under "Security Alerts" in Wazuh, I did not see the new rule 100002, which means the new rule was never saved.
Finally, where do you find the lab flag?
I have posted screenshots below.
This is a screen shot of the Rule 10002 I pasted in the new tab. Is there something in the text that is not correct?
Compare your work to the screen shot in the lab for Step 15 and you will see that you are using win.eventdata.logonType for the field name when you are asked to use win.eventdata.targetUserName and the keyword Administrator.
Hi, thank you for the quick response. Could you please clarify? I am referring to Part 3 - Creating a new rule in Wazuh. The new rule was not listed under the Security Alerts in Wazuh after I entered the commands and added the new rule (100002) per the instructions, logged out of the RDP, logged back in and used the back arrow in Firefox (Wazuh). I worked on this lab again tonight and still had the same issues with Part 3. Parts 1 & 2 are OK. Thank you.
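Two things come up repeatedly in the thread above: whether the edit to local_rules.xml was actually saved, and whether the rule uses win.eventdata.targetUserName with the keyword Administrator rather than win.eventdata.logonType. The script below is an added example, not part of the lab or of Wazuh itself, that parses a rule file and reports both problems before you restart the manager. The two embedded rule files are constructed samples of what the custom rule might look like (the rule id 100002, level 12, the field name and the keyword come from the posts above; the description text and the exact shape of the rule are assumptions). The default file path is the one the lab uses.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional

# Constructed sample of a local_rules.xml holding the lab's custom rule.
# The description and the rule body are assumptions, not the lab's text.
GOOD_LOCAL_RULES = """<group name="local,windows,">
  <rule id="100002" level="12">
    <field name="win.eventdata.targetUserName">Administrator</field>
    <description>Lab custom rule: activity involving the Administrator account</description>
  </rule>
</group>
"""

# Constructed sample reproducing the mistake discussed in the thread:
# the field name is win.eventdata.logonType instead of targetUserName.
BAD_LOCAL_RULES = """<group name="local,windows,">
  <rule id="100002" level="12">
    <field name="win.eventdata.logonType">Administrator</field>
    <description>Lab custom rule with the wrong field name</description>
  </rule>
</group>
"""


def parse_rules(text: str) -> ET.Element:
    """Parse a Wazuh rule file. Such files may contain several top-level
    <group> elements, so wrap the text in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def find_rule(text: str, rule_id: str) -> Optional[ET.Element]:
    """Return the <rule> element whose id attribute equals rule_id, or None."""
    for rule in parse_rules(text).iter("rule"):
        if rule.get("id") == rule_id:
            return rule
    return None


def check_custom_rule(
    text: str,
    rule_id: str = "100002",
    level: str = "12",
    field_name: str = "win.eventdata.targetUserName",
    keyword: str = "Administrator",
) -> List[str]:
    """Return a list of problems with the custom rule; an empty list means
    the rule is present and matches what the lab asks for."""
    try:
        rule = find_rule(text, rule_id)
    except ET.ParseError as exc:
        # A half-saved vi session usually shows up here first.
        return [f"file is not well-formed XML: {exc}"]
    if rule is None:
        return [f'no <rule id="{rule_id}"> found (the edit was probably not saved)']

    problems: List[str] = []
    if rule.get("level") != level:
        problems.append(f"rule {rule_id} has level {rule.get('level')!r}, expected {level!r}")

    # Wazuh puts each <field name="..."> directly under <rule>.
    fields = {f.get("name"): (f.text or "").strip() for f in rule.findall("field")}
    if field_name not in fields:
        present = sorted(n for n in fields if n) or "none"
        problems.append(f'rule {rule_id} has no <field name="{field_name}">; fields present: {present}')
    elif keyword not in fields[field_name]:
        problems.append(
            f'<field name="{field_name}"> contains {fields[field_name]!r}, expected it to match {keyword!r}'
        )
    return problems


def check_rule_file(path: str = "/var/ossec/etc/rules/local_rules.xml", **kwargs) -> List[str]:
    """Run check_custom_rule against a file on disk (the lab's path by default)."""
    p = Path(path)
    if not p.exists():
        return [f"{path} does not exist"]
    return check_custom_rule(p.read_text(encoding="utf-8"), **kwargs)


if __name__ == "__main__":
    for label, sample in (("good sample", GOOD_LOCAL_RULES), ("bad sample", BAD_LOCAL_RULES)):
        found = check_custom_rule(sample)
        print(label, "OK" if not found else found)
```

On the manager, run it with `python3 check_rule.py` (the `__main__` block only checks the two embedded samples; call `check_rule_file()` to check the real file). An empty result only tells you the file on disk is what you intended; the manager still has to be restarted afterwards, as the first post does, for the rule to be loaded.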