Window's Logs on Steroids! SYSMON - Let's Deploy a Host Intrusion Detection System #10

  • Published: 24 Jan 2025

Comments • 14

  • @SoCyber-n5k
    @SoCyber-n5k 13 days ago

    You are good. The explanation is simple and straightforward

  • @Zeybek-n7z
    @Zeybek-n7z 2 years ago +1

    Taylor, thank you so much! I love Wazuh, and I know many people complain and say Wazuh is a pain to manage, but that's what I love about Wazuh and its granularity that many of the big products don't offer. You are truly a master at your craft. Thanks again for these great videos.

  • @denisret5457
    @denisret5457 4 months ago +1

    Hello guys, why is only the first event working for me?

    • @yasser-cifer8175
      @yasser-cifer8175 2 months ago

      Same issue, could you please tell me if you solved it and how?

  • @ronaldratzlaff6672
    @ronaldratzlaff6672 8 months ago +1

    Hey Taylor,
    I followed this guide and I get some Sysmon alerts in Wazuh (process creation and a few others), but for some reason the DNS query alert rule (101100) seems to not be working for me. I see the DNS queries in Sysmon on the Windows client, but they are not showing in the Wazuh dashboard. As mentioned, other Sysmon alerts do show. Any ideas why that particular rule might fail?

    • @tommykohler1168
      @tommykohler1168 6 months ago

      Same problem here... have you solved the problem? If yes, could you please tell me how?

    • @2809kev
      @2809kev 6 months ago

      @@tommykohler1168 Did either of you figure this out?

    • @krishyadav6993
      @krishyadav6993 3 months ago

      It is not working because the rule ID is not defined correctly. Use the following rule:
      61650
      Sysmon - Event 22: DNS Query.
      no_full_log
      Hopefully, this will resolve the issue for the DNS query.

    • @krishyadav6993
      @krishyadav6993 3 months ago

      @@tommykohler1168 It is not working because the rule ID is not defined correctly. Use the following rule:
      61650
      Sysmon - Event 22: DNS Query.
      no_full_log
      Hopefully, this will resolve the issue for the DNS query.

    • @krishyadav6993
      @krishyadav6993 3 months ago

      @@2809kev It is not working because the rule ID is not defined correctly. Use the following rule:
      61650
      Sysmon - Event 22: DNS Query.
      no_full_log
      Hopefully, this will resolve the issue for the DNS query.
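
As an added example (not from the video or from any commenter), a local_rules.xml fragment that applies the fix given in the replies above: the custom rule chains from Wazuh's built-in "Sysmon - Event 22: DNS Query" rule 61650 instead of naming a wrong or missing parent, and a child rule raises the level when the querying process is PowerShell. The rule ids 101100/101101, the level values, the pcre2 match on win.eventdata.image and the $(win.eventdata.queryName) placeholder in the description are assumptions, not anything the thread states.

```xml
<!-- Added example for Wazuh local_rules.xml (not the video's or a commenter's rule). -->
<!-- Assumptions: rule ids 101100/101101 are unused, Sysmon events arrive through the
     Wazuh agent's eventchannel log format so win.eventdata.* fields are decoded, and
     the manager is Wazuh 4.3 or later (needed for type="pcre2"). -->
<group name="sysmon,local,">

  <!-- A custom rule whose parent id is wrong (or absent) never fires for Event 22.
       Chaining from the built-in rule 61650 is what makes it match DNS query events. -->
  <rule id="101100" level="3">
    <if_sid>61650</if_sid>
    <description>Sysmon - Event 22: DNS Query.</description>
    <options>no_full_log</options>
    <group>dns_query,</group>
  </rule>

  <!-- Child rule: same event class, but the image that issued the lookup is
       powershell.exe. Script hosts rarely need their own DNS resolution, so
       this is worth a higher level and its own description for the dashboard. -->
  <rule id="101101" level="7">
    <if_sid>101100</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\powershell\.exe$</field>
    <description>Sysmon - Event 22: DNS query from PowerShell for $(win.eventdata.queryName)</description>
    <options>no_full_log</options>
  </rule>

</group>
```

After saving the file, restart the manager and feed one Sysmon Event 22 record through /var/ossec/bin/wazuh-logtest to confirm that it now lands on 101100 (or 101101) rather than stopping at 61650.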

  • @khai-vq5hn
    @khai-vq5hn 9 months ago

    Is it possible that I'll be receiving logs in a Wazuh manager deployed locally on VMware Workstation from a Windows 10 VM on Azure?

    • @khai-vq5hn
      @khai-vq5hn 9 months ago

      I tried a hell of a lot and nothing is working out.

  • @pawelsmierciak2559
    @pawelsmierciak2559 3 years ago +5

    Just one thing is missing here :) When running Sysmon for the first time you need to add the option -accepteula, because otherwise it won't install and you won't get any error message :(

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 3 years ago +7

      Hey Pawel, thanks for pointing that out :). Command to be run: "sysmon -accepteula -i c:\windows\config.xml"