Wazuh Snapshot Migration Guide: Data Analysis, Rule Engine, and Windows Monitoring#

This comprehensive guide covers Wazuh’s data analysis workflow, rule engine architecture, snapshot migration procedures, and Windows monitoring capabilities using WMI and Icinga. Understanding these components is crucial for effective SIEM deployment and management.

Wazuh Data Analysis Workflow#

Complete Data Flow Architecture#

The Wazuh data analysis process follows a structured pipeline from log collection to alert generation:

1
graph TD
2
    A[Log Collection & Preprocessing] --> B[Decoder Selection]
3
    B --> C[JSON Decoder]
4
    B --> D[Dynamic Fields Decoder]
5
    B --> E[Sibling Decoders]
6
    B --> F[Custom Decoders]
7
    C --> G[Normalized Data]
8
    D --> G
9
    E --> G
10
    F --> G
11
    G --> H[Rule Matching Engine]
12
    H --> I[Default Rules]
13
    H --> J[Custom Rules]
14
    H --> K[Classification Rules]
15
    I --> L[Alert Generation]
16
    J --> L
17
    K --> L
18
    L --> M[Output & Notifications]

Log Collection and Preprocessing#

The first stage involves gathering logs from various sources:

Agent Log Collection:

1
<!-- ossec.conf on agent -->
2
<localfile>
3
  <log_format>json</log_format>
4
  <location>/var/log/application.log</location>
5
</localfile>
6

7
<localfile>
8
  <log_format>syslog</log_format>
9
  <location>/var/log/syslog</location>
10
</localfile>
11

12
<localfile>
13
  <log_format>eventlog</log_format>
14
  <location>Security</location>
15
</localfile>

Log Forwarding and Aggregation:

1
<!-- Manager configuration -->
2
<global>
3
  <logall>yes</logall>
4
  <logall_json>yes</logall_json>
5
  <integrity_checking>yes</integrity_checking>
6
</global>
7

8
<remote>
9
  <connection>syslog</connection>
10
  <port>514</port>
11
  <protocol>udp</protocol>
12
</remote>

Decoder Selection and Processing#

Wazuh uses multiple decoder types to handle different log formats:

JSON Decoder Configuration#

1
<decoder name="json">
2
  <program_name>^json_decoder$</program_name>
3
  <plugin_decoder>JSON_Decoder</plugin_decoder>
4
</decoder>
5

6
<decoder name="application-json">
7
  <parent>json</parent>
8
  <program_name>^application$</program_name>
9
  <json_null_field>null</json_null_field>
10
  <json_array_structure>array</json_array_structure>
11
</decoder>

Dynamic Fields Decoder#

1
<decoder name="dynamic-fields">
2
  <program_name>^dynamic$</program_name>
3
  <regex offset="after_parent">^(\S+)\s+(\S+)\s+(.+)$</regex>
4
  <order>field1,field2,extra_data</order>
5
</decoder>
6

7
<decoder name="dynamic-fields-child">
8
  <parent>dynamic-fields</parent>
9
  <regex>^(\w+)=(\S+)</regex>
10
  <order>key,value</order>
11
</decoder>

1
<decoder name="login-attempt">
2
  <program_name>^ssh$</program_name>
3
  <regex>^(\w+)\s+(\d+)\s+(\S+)\s+(.+)$</regex>
4
  <order>status,pid,user,srcip</order>
5
</decoder>
6

7
<decoder name="login-success">
8
  <parent>login-attempt</parent>
9
  <regex>Accepted</regex>
10
  <fts>name,user,srcip</fts>
11
</decoder>
12

13
<decoder name="login-failure">
14
  <parent>login-attempt</parent>
15
  <regex>Failed</regex>
16
  <fts>name,user,srcip</fts>
17
</decoder>

Rule Engine Architecture#

Rule Definition Structure#

Wazuh rules are defined in XML format with specific matching criteria:

1
<group name="security,authentication">
2
  <!-- Default Rules -->
3
  <rule id="5500" level="3">
4
    <if_sid>5400</if_sid>
5
    <match>^authentication success</match>
6
    <description>User authentication success.</description>
7
    <group>authentication_success,</group>
8
  </rule>
9

10
  <!-- Custom Rules -->
11
  <rule id="100001" level="7">
12
    <if_sid>5400</if_sid>
13
    <match>^authentication failure</match>
14
    <same_source_ip />
15
    <frequency>5</frequency>
16
    <timeframe>300</timeframe>
17
    <description>Multiple authentication failures from same source.</description>
18
    <group>authentication_failures,multiple_failures,</group>
19
  </rule>
20

21
  <!-- Classification Rules -->
22
  <rule id="100002" level="10">
23
    <if_matched_sid>100001</if_matched_sid>
24
    <same_source_ip />
25
    <frequency>3</frequency>
26
    <timeframe>600</timeframe>
27
    <description>Persistent authentication attacks detected.</description>
28
    <group>authentication_attack,brute_force,</group>
29
  </rule>
30
</group>

Rule Types and Hierarchy#

Default Rules#

1
<!-- System default rules -->
2
<rule id="1001" level="1">
3
  <category>ids</category>
4
  <decoded_as>sshd</decoded_as>
5
  <description>SSH messages grouped.</description>
6
</rule>
7

8
<rule id="5700" level="8">
9
  <if_sid>5500</if_sid>
10
  <match>^Failed|^error|^bad|^invalid</match>
11
  <description>SSH authentication failure.</description>
12
  <group>authentication_failed,</group>
13
</rule>

Custom Rules with Advanced Logic#

1
<rule id="100100" level="12">
2
  <if_sid>5700</if_sid>
3
  <srcip>!^192.168.</srcip>
4
  <same_source_ip />
5
  <frequency>10</frequency>
6
  <timeframe>240</timeframe>
7
  <description>SSH brute force attack from external source.</description>
8
  <group>attack,brute_force,</group>
9
  <options>no_email_alert</options>
10
</rule>

Classification Rules for Event Correlation#

1
<rule id="100200" level="15">
2
  <if_matched_sid>100100</if_matched_sid>
3
  <same_source_ip />
4
  <description>Critical: Coordinated attack detected.</description>
5
  <group>attack,coordinated,critical,</group>
6
</rule>

Complete Ruleset Configuration#

A comprehensive ruleset configuration combines decoders and rules:

1
<?xml version="1.0" encoding="UTF-8"?>
2
<root>
3
  <!-- Decoders Section -->
4
  <decoder_section>
5
    <decoder name="json">
6
      <program_name>^json_app$</program_name>
7
      <plugin_decoder>JSON_Decoder</plugin_decoder>
8
    </decoder>
9

10
    <decoder name="dynamic-fields">
11
      <program_name>^app$</program_name>
12
      <regex>^(\S+)\s+(\S+)\s+(.+)$</regex>
13
      <order>timestamp,level,message</order>
14
    </decoder>
15

16
    <decoder name="sibling-auth">
17
      <program_name>^auth$</program_name>
18
      <regex>^(\w+)\s+(\S+)\s+(\S+)$</regex>
19
      <order>action,user,result</order>
20
    </decoder>
21

22
    <decoder name="custom-app">
23
      <program_name>^myapp$</program_name>
24
      <regex>^Event:\s+(\w+)\s+User:\s+(\S+)\s+IP:\s+(\S+)$</regex>
25
      <order>event_type,username,client_ip</order>
26
    </decoder>
27
  </decoder_section>
28

29
  <!-- Rules Section -->
30
  <rules_section>
31
    <!-- Default Rules -->
32
    <rule id="1000" level="0">
33
      <description>Generic rule for application events.</description>
34
    </rule>
35

36
    <rule id="1001" level="3">
37
      <if_sid>1000</if_sid>
38
      <program_name>^myapp$</program_name>
39
      <description>MyApp events.</description>
40
    </rule>
41

42
    <!-- Custom Rules -->
43
    <rule id="100001" level="7">
44
      <if_sid>1001</if_sid>
45
      <field name="event_type">^login_failure$</field>
46
      <description>Application login failure.</description>
47
      <group>authentication_failed,</group>
48
    </rule>
49

50
    <rule id="100002" level="10">
51
      <if_matched_sid>100001</if_matched_sid>
52
      <same_field>client_ip</same_field>
53
      <frequency>5</frequency>
54
      <timeframe>300</timeframe>
55
      <description>Multiple login failures from same IP.</description>
56
      <group>brute_force,authentication_attack,</group>
57
    </rule>
58

59
    <!-- Classification Rules -->
60
    <rule id="100003" level="12">
61
      <if_matched_sid>100002</if_matched_sid>
62
      <same_field>client_ip</same_field>
63
      <frequency>3</frequency>
64
      <timeframe>600</timeframe>
65
      <description>Persistent brute force attack detected.</description>
66
      <group>attack,persistent,critical,</group>
67
    </rule>
68
  </rules_section>
69
</root>

Snapshot Migration Procedures#

Migration Strategy Overview#

When migrating Wazuh data between clusters or performing system upgrades:

1
#!/bin/bash
2
# Wazuh Migration Script
3

4
SOURCE_MANAGER="192.168.1.100"
5
TARGET_MANAGER="192.168.1.200"
6
MIGRATION_DATE=$(date +%Y%m%d_%H%M%S)
7

8
# Phase 1: Pre-migration Assessment
9
echo "=== Phase 1: Assessment ==="
10
ssh root@$SOURCE_MANAGER "
11
  wazuh-control status
12
  du -sh /var/ossec/
13
  df -h /var/ossec/
14
"
15

16
# Phase 2: Create Snapshot
17
echo "=== Phase 2: Creating Snapshot ==="
18
ssh root@$SOURCE_MANAGER "
19
  /var/ossec/bin/wazuh-control stop
20
  tar -czf /tmp/wazuh-backup-$MIGRATION_DATE.tar.gz \
21
    -C /var/ossec/ \
22
    etc/ logs/ queue/ var/ ruleset/
23
  /var/ossec/bin/wazuh-control start
24
"
25

26
# Phase 3: Transfer Data
27
echo "=== Phase 3: Data Transfer ==="
28
scp root@$SOURCE_MANAGER:/tmp/wazuh-backup-$MIGRATION_DATE.tar.gz \
29
    /tmp/wazuh-backup-$MIGRATION_DATE.tar.gz
30

31
scp /tmp/wazuh-backup-$MIGRATION_DATE.tar.gz \
32
    root@$TARGET_MANAGER:/tmp/
33

34
# Phase 4: Restore on Target
35
echo "=== Phase 4: Restore ==="
36
ssh root@$TARGET_MANAGER "
37
  /var/ossec/bin/wazuh-control stop
38
  cd /var/ossec/
39
  tar -xzf /tmp/wazuh-backup-$MIGRATION_DATE.tar.gz
40
  chown -R wazuh:wazuh /var/ossec/
41
  /var/ossec/bin/wazuh-control start
42
"
43

44
# Phase 5: Validation
45
echo "=== Phase 5: Validation ==="
46
ssh root@$TARGET_MANAGER "
47
  /var/ossec/bin/wazuh-control status
48
  tail -f /var/ossec/logs/ossec.log
49
"

Agent Re-registration Script#

1
#!/bin/bash
2
# Agent re-registration for new manager
3

4
NEW_MANAGER_IP="192.168.1.200"
5
AGENT_CONFIG="/var/ossec/etc/ossec.conf"
6

7
# Backup current configuration
8
cp $AGENT_CONFIG ${AGENT_CONFIG}.backup
9

10
# Update manager IP
11
sed -i "s/<address>.*<\/address>/<address>$NEW_MANAGER_IP<\/address>/" $AGENT_CONFIG
12

13
# Remove agent key
14
rm -f /var/ossec/etc/client.keys
15

16
# Restart agent
17
systemctl restart wazuh-agent
18

19
# Check connection
20
tail -f /var/ossec/logs/ossec.log | grep -i "connected\|error"

Windows Monitoring with WMI#

WMI Configuration for Remote Monitoring#

Windows Target Configuration#

Enable WMI remote access on target Windows systems:

1
# Enable WMI through Windows Firewall
2
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
3

4
# Configure DCOM permissions
5
powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -Value 'Y'"
6

7
# Disable Remote UAC filtering
8
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
9

10
# Restart WMI service
11
net stop winmgmt
12
net start winmgmt

Linux WMI Client Setup#

Install and configure WMI tools on Linux monitoring server:

1
# Install dependencies
2
sudo yum install -y gcc python3-devel libffi-devel openssl-devel
3

4
# Install Python WMI libraries
5
pip3 install wmi-client-wrapper pywinrm
6

7
# Test WMI connectivity
8
python3 << EOF
9
import wmi
10
c = wmi.WMI(computer="192.168.1.27", user="Administrator", password="Password123")
11
for process in c.Win32_Process():
12
    print(f"PID: {process.ProcessId}, Name: {process.Name}")
13
EOF

Advanced WMI Queries#

System Information Queries#

1
#!/usr/bin/env python3
2
import wmi
3
import json
4
from datetime import datetime
5

6
class WindowsMonitor:
7
    def __init__(self, host, username, password):
8
        self.connection = wmi.WMI(
9
            computer=host,
10
            user=username,
11
            password=password
12
        )
13

14
    def get_system_info(self):
15
        """Get comprehensive system information"""
16
        try:
17
            # Operating System Details
18
            os_info = []
19
            for os in self.connection.Win32_OperatingSystem():
20
                os_info.append({
21
                    "caption": os.Caption,
22
                    "version": os.Version,
23
                    "build_number": os.BuildNumber,
24
                    "total_memory": int(os.TotalVisibleMemorySize) * 1024,
25
                    "free_memory": int(os.FreePhysicalMemory) * 1024,
26
                    "last_boot": os.LastBootUpTime
27
                })
28

29
            # CPU Information
30
            cpu_info = []
31
            for cpu in self.connection.Win32_Processor():
32
                cpu_info.append({
33
                    "name": cpu.Name,
34
                    "cores": cpu.NumberOfCores,
35
                    "logical_processors": cpu.NumberOfLogicalProcessors,
36
                    "load_percentage": cpu.LoadPercentage
37
                })
38

39
            # Disk Information
40
            disk_info = []
41
            for disk in self.connection.Win32_LogicalDisk():
42
                if disk.Size:
43
                    disk_info.append({
44
                        "drive": disk.Caption,
45
                        "filesystem": disk.FileSystem,
46
                        "size": int(disk.Size),
47
                        "free_space": int(disk.FreeSpace),
48
                        "used_percentage": round((1 - int(disk.FreeSpace) / int(disk.Size)) * 100, 2)
49
                    })
50

51
            return {
52
                "timestamp": datetime.now().isoformat(),
53
                "operating_system": os_info,
54
                "processors": cpu_info,
55
                "disks": disk_info
56
            }
57

58
        except Exception as e:
59
            return {"error": str(e)}
60

61
    def get_running_processes(self):
62
        """Get list of running processes"""
63
        processes = []
64
        try:
65
            for process in self.connection.Win32_Process():
66
                processes.append({
67
                    "process_id": process.ProcessId,
68
                    "name": process.Name,
69
                    "executable_path": process.ExecutablePath,
70
                    "command_line": process.CommandLine,
71
                    "working_set_size": process.WorkingSetSize
72
                })
73
            return {
74
                "timestamp": datetime.now().isoformat(),
75
                "processes": processes
76
            }
77
        except Exception as e:
78
            return {"error": str(e)}
79

80
    def get_security_events(self, hours=24):
81
        """Get Windows Security Event Log entries"""
82
        events = []
83
        try:
84
            query = f"""
85
            SELECT * FROM Win32_NTLogEvent
86
            WHERE Logfile = 'Security'
87
            AND TimeGenerated > '{(datetime.now() - timedelta(hours=hours)).strftime("%Y%m%d%H%M%S")}.000000+000'
88
            """
89

90
            for event in self.connection.query(query):
91
                events.append({
92
                    "event_id": event.EventCode,
93
                    "time_generated": event.TimeGenerated,
94
                    "source_name": event.SourceName,
95
                    "message": event.Message,
96
                    "user": event.User,
97
                    "computer_name": event.ComputerName
98
                })
99

100
            return {
101
                "timestamp": datetime.now().isoformat(),
102
                "events": events
103
            }
104
        except Exception as e:
105
            return {"error": str(e)}
106

107
# Usage example
108
if __name__ == "__main__":
109
    monitor = WindowsMonitor("192.168.1.27", "Administrator", "Password123")
110

111
    # Get system information
112
    system_info = monitor.get_system_info()
113
    print(json.dumps(system_info, indent=2))
114

115
    # Get running processes
116
    processes = monitor.get_running_processes()
117
    print(json.dumps(processes, indent=2))

Go-based WMI Monitoring#

Using the go-msrpc library for efficient WMI queries:

1
package main
2

3
import (
4
    "context"
5
    "encoding/json"
6
    "fmt"
7
    "log"
8
    "time"
9

10
    "github.com/oiweiwei/go-msrpc/msrpc/dcom/wmi"
11
    "github.com/oiweiwei/go-msrpc/msrpc/dcom"
12
)
13

14
type WindowsMetrics struct {
15
    Timestamp time.Time `json:"timestamp"`
16
    Processes []Process `json:"processes"`
17
    System    SystemInfo `json:"system"`
18
}
19

20
type Process struct {
21
    ProcessID      uint32 `json:"process_id"`
22
    Name          string `json:"name"`
23
    ExecutablePath string `json:"executable_path"`
24
}
25

26
type SystemInfo struct {
27
    Caption        string `json:"caption"`
28
    Version        string `json:"version"`
29
    TotalMemory    uint64 `json:"total_memory"`
30
    FreeMemory     uint64 `json:"free_memory"`
31
}
32

33
func main() {
34
    config := &dcom.Config{
35
        Username: "Administrator",
36
        Password: "Password123",
37
        Domain:   "WORKGROUP",
38
        Server:   "192.168.1.27",
39
    }
40

41
    ctx := context.Background()
42

43
    // Connect to WMI
44
    conn, err := wmi.NewConnection(ctx, config)
45
    if err != nil {
46
        log.Fatal(err)
47
    }
48
    defer conn.Close()
49

50
    // Query running processes
51
    processQuery := "SELECT ProcessId, Name, ExecutablePath FROM Win32_Process"
52
    processResult, err := conn.Query(ctx, processQuery)
53
    if err != nil {
54
        log.Fatal(err)
55
    }
56

57
    var processes []Process
58
    for processResult.Next() {
59
        var p Process
60
        if err := processResult.Scan(&p.ProcessID, &p.Name, &p.ExecutablePath); err != nil {
61
            continue
62
        }
63
        processes = append(processes, p)
64
    }
65

66
    // Query system information
67
    systemQuery := "SELECT Caption, Version, TotalVisibleMemorySize, FreePhysicalMemory FROM Win32_OperatingSystem"
68
    systemResult, err := conn.Query(ctx, systemQuery)
69
    if err != nil {
70
        log.Fatal(err)
71
    }
72

73
    var system SystemInfo
74
    if systemResult.Next() {
75
        systemResult.Scan(&system.Caption, &system.Version, &system.TotalMemory, &system.FreeMemory)
76
    }
77

78
    // Create metrics object
79
    metrics := WindowsMetrics{
80
        Timestamp: time.Now(),
81
        Processes: processes,
82
        System:    system,
83
    }
84

85
    // Output as JSON
86
    output, _ := json.MarshalIndent(metrics, "", "  ")
87
    fmt.Println(string(output))
88
}

Icinga Integration#

Installing Check WMI Plus on Linux#

Comprehensive installation for agentless Windows monitoring:

1
#!/bin/bash
2
# Check WMI Plus Installation Script
3

4
# Install dependencies
5
sudo apt-get update
6
sudo apt-get install -y libconfig-inifiles-perl libdatetime-perl \
7
    libscalar-list-utils-perl libnumber-format-perl libjson-perl \
8
    libgetopt-long-descriptive-perl
9

10
# Download and install Check WMI Plus
11
cd /tmp
12
wget https://github.com/willixix/WMI-Plus/releases/latest/download/check_wmi_plus.tar.gz
13
tar -xzf check_wmi_plus.tar.gz
14

15
# Install plugin
16
sudo cp check_wmi_plus/check_wmi_plus.pl /usr/local/bin/
17
sudo cp -r check_wmi_plus/etc /etc/check_wmi_plus
18
sudo chmod +x /usr/local/bin/check_wmi_plus.pl
19

20
# Configure plugin paths
21
sudo sed -i 's|/usr/lib/nagios/plugins|/usr/local/lib/nagios/plugins|g' /usr/local/bin/check_wmi_plus.pl
22

23
# Test installation
24
/usr/local/bin/check_wmi_plus.pl -d -d | head -25

Icinga Configuration for Windows Monitoring#

Command Definitions#

1
object CheckCommand "check_wmi" {
2
    import "plugin-check-command"
3
    command = [ PluginDir + "/check_wmi_plus.pl" ]
4
    arguments = {
5
        "-H" = {
6
            value = "$host.address$"
7
            description = "Target host address"
8
        }
9
        "-u" = {
10
            value = "$wmi_username$"
11
            description = "WMI username"
12
        }
13
        "-p" = {
14
            value = "$wmi_password$"
15
            description = "WMI password"
16
        }
17
        "-m" = {
18
            value = "$check_mode$"
19
            description = "WMI check mode"
20
        }
21
        "-w" = {
22
            value = "$wmi_warn$"
23
            description = "Warning threshold"
24
        }
25
        "-c" = {
26
            value = "$wmi_crit$"
27
            description = "Critical threshold"
28
        }
29
        "-a" = {
30
            value = "$wmi_arg1$"
31
            description = "First argument"
32
        }
33
        "-o" = {
34
            value = "$wmi_arg2$"
35
            description = "Second argument"
36
        }
37
    }
38
}

Service Templates#

1
# Windows service template
2
template Service "windows-service" {
3
    import "generic-service"
4
    check_command = "check_wmi"
5
    check_interval = 5m
6
    retry_interval = 1m
7
    vars.wmi_username = "monitoring"
8
    vars.wmi_password = "MonitoringPass123"
9
}

Service Definitions#

1
# CPU Utilization Check
2
apply Service "CPU Utilization" {
3
    import "windows-service"
4
    vars.check_mode = "checkcpu"
5
    vars.wmi_warn = "80"
6
    vars.wmi_crit = "90"
7
    assign where host.vars.os == "Windows"
8
}
9

10
# Memory Usage Check
11
apply Service "Memory Usage" {
12
    import "windows-service"
13
    vars.check_mode = "checkmem"
14
    vars.wmi_warn = "85"
15
    vars.wmi_crit = "95"
16
    assign where host.vars.os == "Windows"
17
}
18

19
# Disk Space Check
20
apply Service "Disk Space C:" {
21
    import "windows-service"
22
    vars.check_mode = "checkvolsize"
23
    vars.wmi_arg1 = "C:"
24
    vars.wmi_warn = "80"
25
    vars.wmi_crit = "90"
26
    assign where host.vars.os == "Windows"
27
}
28

29
# Windows Services Check
30
apply Service "Critical Services" {
31
    import "windows-service"
32
    vars.check_mode = "checkservice"
33
    vars.wmi_arg1 = "Spooler,BITS,Themes"
34
    assign where host.vars.os == "Windows"
35
}
36

37
# Event Log Monitoring
38
apply Service "Event Log - System" {
39
    import "windows-service"
40
    vars.check_mode = "checkeventlog"
41
    vars.wmi_arg1 = "system"
42
    vars.wmi_arg2 = "2"  # Hours to check
43
    vars.wmi_warn = "5"   # Warning events
44
    vars.wmi_crit = "10"  # Critical events
45
    assign where host.vars.os == "Windows"
46
}

Host Configuration#

1
object Host "windows-server-01" {
2
    import "generic-host"
3
    address = "192.168.1.27"
4
    vars.os = "Windows"
5
    vars.wmi_username = "monitoring"
6
    vars.wmi_password = "MonitoringPass123"
7
}

Remote Windows Management#

Advanced WinExe Usage#

Execute commands remotely on Windows systems:

1
#!/bin/bash
2
# Windows Remote Management Script
3

4
TARGET_HOST="192.168.1.27"
5
USERNAME="Administrator"
6
PASSWORD="Password123"
7
CREDENTIALS="$USERNAME%$PASSWORD"
8

9
# System Information Gathering
10
echo "=== System Information ==="
11
winexe -U "$CREDENTIALS" //$TARGET_HOST "systeminfo"
12

13
# Process Monitoring
14
echo "=== Running Processes ==="
15
winexe -U "$CREDENTIALS" //$TARGET_HOST "tasklist /fo csv"
16

17
# Service Status
18
echo "=== Service Status ==="
19
winexe -U "$CREDENTIALS" //$TARGET_HOST "sc query type= service state= all"
20

21
# Network Configuration
22
echo "=== Network Configuration ==="
23
winexe -U "$CREDENTIALS" //$TARGET_HOST "ipconfig /all"
24

25
# Event Log Analysis
26
echo "=== Recent Security Events ==="
27
winexe -U "$CREDENTIALS" //$TARGET_HOST "wevtutil qe Security /c:10 /rd:true /f:text"
28

29
# Performance Counters
30
echo "=== Performance Metrics ==="
31
winexe -U "$CREDENTIALS" //$TARGET_HOST "typeperf \"\\Processor(_Total)\\% Processor Time\" \"\\Memory\\Available MBytes\" -sc 1"
32

33
# Registry Queries
34
echo "=== Registry Information ==="
35
winexe -U "$CREDENTIALS" //$TARGET_HOST "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion /v ProductName"
36

37
# File System Information
38
echo "=== Disk Usage ==="
39
winexe -U "$CREDENTIALS" //$TARGET_HOST "dir C:\\ /-c"
40

41
# Windows Updates
42
echo "=== Installed Updates ==="
43
winexe -U "$CREDENTIALS" //$TARGET_HOST "wmic qfe list brief"
44

45
# Security Configuration
46
echo "=== Security Policies ==="
47
winexe -U "$CREDENTIALS" //$TARGET_HOST "secedit /export /cfg C:\\temp\\secpol.inf && type C:\\temp\\secpol.inf"

PowerShell Remote Execution#

1
# Execute PowerShell commands remotely
2
winexe -U "$CREDENTIALS" //$TARGET_HOST "powershell -Command \"Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 | Format-Table -AutoSize\""
3

4
# Get Windows features
5
winexe -U "$CREDENTIALS" //$TARGET_HOST "powershell -Command \"Get-WindowsFeature | Where-Object {\\$_.InstallState -eq 'Installed'} | Select-Object Name,InstallState\""
6

7
# Check Windows Defender status
8
winexe -U "$CREDENTIALS" //$TARGET_HOST "powershell -Command \"Get-MpComputerStatus | Select-Object AntivirusEnabled,RealTimeProtectionEnabled,IoavProtectionEnabled\""

Advanced Querying Techniques#

Complex WQL Queries#

Advanced Windows Management Instrumentation Query Language examples:

1
-- Monitor process creation events
2
SELECT * FROM Win32_ProcessStartTrace
3

4
-- Query processes with high CPU usage
5
SELECT ProcessId, Name, PercentProcessorTime
6
FROM Win32_PerfRawData_PerfProc_Process
7
WHERE Name <> '_Total'
8
AND Name <> 'Idle'
9

10
-- Check for specific security events
11
SELECT * FROM Win32_NTLogEvent
12
WHERE Logfile = 'Security'
13
AND EventCode IN (4624, 4625, 4648, 4720, 4722, 4724, 4725, 4726, 4728, 4732, 4756)
14
AND TimeGenerated > '20250128000000.000000+000'
15

16
-- Monitor file system changes
17
SELECT * FROM Win32_VolumeChangeEvent
18

19
-- Query installed software
20
SELECT Name, Version, InstallDate
21
FROM Win32_Product
22
WHERE Name LIKE '%Microsoft%'
23

24
-- Check network connections
25
SELECT LocalAddress, LocalPort, RemoteAddress, RemotePort, State
26
FROM Win32_PerfRawData_Tcpip_NetworkInterface
27

28
-- Monitor service status changes
29
SELECT * FROM Win32_ServiceControlEvent
30

31
-- Query system performance
32
SELECT Name, Frequency, LoadPercentage, NumberOfCores, NumberOfLogicalProcessors
33
FROM Win32_Processor
34

35
-- Check disk performance
36
SELECT Name, DiskReadBytesPerSec, DiskWriteBytesPerSec, CurrentDiskQueueLength
37
FROM Win32_PerfRawData_PerfDisk_PhysicalDisk
38
WHERE Name <> '_Total'
39

40
-- Monitor memory usage
41
SELECT TotalVisibleMemorySize, FreePhysicalMemory, TotalVirtualMemorySize, FreeVirtualMemory
42
FROM Win32_OperatingSystem

Automated Monitoring Script#

1
#!/usr/bin/env python3
2
"""
3
Comprehensive Windows monitoring with Wazuh integration
4
"""
5

6
import json
7
import wmi
8
import time
9
import logging
10
import argparse
11
from datetime import datetime, timedelta
12
from pathlib import Path
13

14
class WazuhWindowsMonitor:
15
    def __init__(self, host, username, password, output_dir="/var/ossec/logs/wmi"):
16
        self.host = host
17
        self.username = username
18
        self.password = password
19
        self.output_dir = Path(output_dir)
20
        self.output_dir.mkdir(parents=True, exist_ok=True)
21

22
        # Setup logging
23
        logging.basicConfig(
24
            level=logging.INFO,
25
            format='%(asctime)s - %(levelname)s - %(message)s',
26
            handlers=[
27
                logging.FileHandler(self.output_dir / 'wmi_monitor.log'),
28
                logging.StreamHandler()
29
            ]
30
        )
31
        self.logger = logging.getLogger(__name__)
32

33
        try:
34
            self.connection = wmi.WMI(
35
                computer=host,
36
                user=username,
37
                password=password
38
            )
39
            self.logger.info(f"Connected to {host}")
40
        except Exception as e:
41
            self.logger.error(f"Failed to connect to {host}: {e}")
42
            raise
43

44
    def collect_metrics(self):
45
        """Collect comprehensive Windows metrics"""
46
        metrics = {
47
            "timestamp": datetime.now().isoformat(),
48
            "host": self.host,
49
            "wazuh_integration": True
50
        }
51

52
        try:
53
            # System Information
54
            metrics["system"] = self._get_system_info()
55

56
            # Process Information
57
            metrics["processes"] = self._get_process_info()
58

59
            # Service Status
60
            metrics["services"] = self._get_service_status()
61

62
            # Security Events
63
            metrics["security_events"] = self._get_security_events()
64

65
            # Performance Metrics
66
            metrics["performance"] = self._get_performance_metrics()
67

68
            # Network Information
69
            metrics["network"] = self._get_network_info()
70

71
            return metrics
72

73
        except Exception as e:
74
            self.logger.error(f"Error collecting metrics: {e}")
75
            return {"error": str(e), "timestamp": datetime.now().isoformat()}
76

77
    def _get_system_info(self):
78
        """Get system information"""
79
        try:
80
            os_info = self.connection.Win32_OperatingSystem()[0]
81
            computer_info = self.connection.Win32_ComputerSystem()[0]
82

83
            return {
84
                "os_name": os_info.Caption,
85
                "os_version": os_info.Version,
86
                "build_number": os_info.BuildNumber,
87
                "computer_name": computer_info.Name,
88
                "domain": computer_info.Domain,
89
                "total_memory": int(os_info.TotalVisibleMemorySize) * 1024,
90
                "free_memory": int(os_info.FreePhysicalMemory) * 1024,
91
                "uptime": os_info.LastBootUpTime
92
            }
93
        except Exception as e:
94
            self.logger.error(f"Error getting system info: {e}")
95
            return {"error": str(e)}
96

97
    def _get_process_info(self):
98
        """Get running process information"""
99
        try:
100
            processes = []
101
            for process in self.connection.Win32_Process():
102
                processes.append({
103
                    "pid": process.ProcessId,
104
                    "name": process.Name,
105
                    "executable": process.ExecutablePath,
106
                    "command_line": process.CommandLine
107
                })
108
            return processes[:50]  # Limit to top 50 processes
109
        except Exception as e:
110
            self.logger.error(f"Error getting process info: {e}")
111
            return {"error": str(e)}
112

113
    def _get_service_status(self):
114
        """Get Windows service status"""
115
        try:
116
            services = []
117
            critical_services = [
118
                "Spooler", "BITS", "Themes", "Dhcp", "Dnscache",
119
                "EventLog", "PlugPlay", "RpcSs", "Schedule", "W32Time"
120
            ]
121

122
            for service in self.connection.Win32_Service():
123
                if service.Name in critical_services:
124
                    services.append({
125
                        "name": service.Name,
126
                        "display_name": service.DisplayName,
127
                        "state": service.State,
128
                        "start_mode": service.StartMode,
129
                        "status": service.Status
130
                    })
131
            return services
132
        except Exception as e:
133
            self.logger.error(f"Error getting service status: {e}")
134
            return {"error": str(e)}
135

136
    def _get_security_events(self, hours=1):
137
        """Get recent security events"""
138
        try:
139
            events = []
140
            cutoff_time = (datetime.now() - timedelta(hours=hours)).strftime("%Y%m%d%H%M%S")
141

142
            query = f"""
143
            SELECT EventCode, TimeGenerated, SourceName, Message, User
144
            FROM Win32_NTLogEvent
145
            WHERE Logfile = 'Security'
146
            AND EventCode IN (4624, 4625, 4648, 4720, 4722)
147
            AND TimeGenerated > '{cutoff_time}.000000+000'
148
            """
149

150
            for event in self.connection.query(query):
151
                events.append({
152
                    "event_id": event.EventCode,
153
                    "time": event.TimeGenerated,
154
                    "source": event.SourceName,
155
                    "user": event.User,
156
                    "message": event.Message[:200] if event.Message else None
157
                })
158

159
            return events[:20]  # Limit to last 20 events
160
        except Exception as e:
161
            self.logger.error(f"Error getting security events: {e}")
162
            return {"error": str(e)}
163

164
    def _get_performance_metrics(self):
165
        """Get system performance metrics"""
166
        try:
167
            # CPU Information
168
            cpu_info = self.connection.Win32_Processor()[0]
169

170
            # Memory Information
171
            os_info = self.connection.Win32_OperatingSystem()[0]
172

173
            # Disk Information
174
            disks = []
175
            for disk in self.connection.Win32_LogicalDisk():
176
                if disk.Size:
177
                    disks.append({
178
                        "drive": disk.Caption,
179
                        "total_size": int(disk.Size),
180
                        "free_space": int(disk.FreeSpace),
181
                        "used_percent": round((1 - int(disk.FreeSpace) / int(disk.Size)) * 100, 2)
182
                    })
183

184
            return {
185
                "cpu_cores": cpu_info.NumberOfCores,
186
                "cpu_logical_processors": cpu_info.NumberOfLogicalProcessors,
187
                "memory_total": int(os_info.TotalVisibleMemorySize) * 1024,
188
                "memory_free": int(os_info.FreePhysicalMemory) * 1024,
189
                "memory_used_percent": round((1 - int(os_info.FreePhysicalMemory) / int(os_info.TotalVisibleMemorySize)) * 100, 2),
190
                "disks": disks
191
            }
192
        except Exception as e:
193
            self.logger.error(f"Error getting performance metrics: {e}")
194
            return {"error": str(e)}
195

196
    def _get_network_info(self):
197
        """Get network configuration"""
198
        try:
199
            adapters = []
200
            for adapter in self.connection.Win32_NetworkAdapterConfiguration():
201
                if adapter.IPAddress:
202
                    adapters.append({
203
                        "description": adapter.Description,
204
                        "ip_addresses": adapter.IPAddress,
205
                        "subnet_masks": adapter.IPSubnet,
206
                        "default_gateways": adapter.DefaultIPGateway,
207
                        "dns_servers": adapter.DNSServerSearchOrder,
208
                        "dhcp_enabled": adapter.DHCPEnabled
209
                    })
210
            return adapters
211
        except Exception as e:
212
            self.logger.error(f"Error getting network info: {e}")
213
            return {"error": str(e)}
214

215
    def generate_wazuh_log(self, metrics):
216
        """Generate Wazuh-compatible log entry"""
217
        log_entry = {
218
            "wazuh": {
219
                "agent": {
220
                    "name": self.host,
221
                    "ip": self.host
222
                }
223
            },
224
            "windows": metrics,
225
            "@timestamp": datetime.now().isoformat()
226
        }
227

228
        # Write to Wazuh log format
229
        log_file = self.output_dir / f"windows_wmi_{datetime.now().strftime('%Y%m%d')}.json"
230
        with open(log_file, 'a') as f:
231
            f.write(json.dumps(log_entry) + '\n')
232

233
        return log_entry
234

235
    def run_monitoring(self, interval=300):
236
        """Run continuous monitoring"""
237
        self.logger.info(f"Starting monitoring for {self.host} with {interval}s interval")
238

239
        while True:
240
            try:
241
                metrics = self.collect_metrics()
242
                log_entry = self.generate_wazuh_log(metrics)
243

244
                # Print summary
245
                if "system" in metrics:
246
                    self.logger.info(
247
                        f"Metrics collected - Memory: {metrics['performance']['memory_used_percent']:.1f}% "
248
                        f"Processes: {len(metrics['processes'])} "
249
                        f"Security Events: {len(metrics['security_events'])}"
250
                    )
251

252
                time.sleep(interval)
253

254
            except KeyboardInterrupt:
255
                self.logger.info("Monitoring stopped by user")
256
                break
257
            except Exception as e:
258
                self.logger.error(f"Monitoring error: {e}")
259
                time.sleep(60)  # Wait before retrying
260

261
def main():
262
    parser = argparse.ArgumentParser(description='Wazuh Windows WMI Monitor')
263
    parser.add_argument('--host', required=True, help='Target Windows host')
264
    parser.add_argument('--username', required=True, help='Windows username')
265
    parser.add_argument('--password', required=True, help='Windows password')
266
    parser.add_argument('--interval', type=int, default=300, help='Monitoring interval in seconds')
267
    parser.add_argument('--output-dir', default='/var/ossec/logs/wmi', help='Output directory')
268
    parser.add_argument('--one-shot', action='store_true', help='Run once and exit')
269

270
    args = parser.parse_args()
271

272
    monitor = WazuhWindowsMonitor(
273
        host=args.host,
274
        username=args.username,
275
        password=args.password,
276
        output_dir=args.output_dir
277
    )
278

279
    if args.one_shot:
280
        metrics = monitor.collect_metrics()
281
        log_entry = monitor.generate_wazuh_log(metrics)
282
        print(json.dumps(log_entry, indent=2))
283
    else:
284
        monitor.run_monitoring(args.interval)
285

286
if __name__ == "__main__":
287
    main()

Conclusion#

This comprehensive guide covers the essential aspects of Wazuh data analysis, rule engine configuration, snapshot migration, and Windows monitoring integration. The combination of these technologies provides a robust security monitoring solution with:

Complete data flow visibility from log collection to alert generation
Flexible rule engine supporting default, custom, and classification rules
Reliable migration procedures for system upgrades and data transfer
Comprehensive Windows monitoring using WMI and remote management tools
Seamless integration with monitoring platforms like Icinga

For production deployments, ensure proper security configurations, regular backups, and comprehensive monitoring of all components. Regular testing of migration procedures and monitoring capabilities helps maintain system reliability and security effectiveness.

Remember to adapt configurations to your specific environment requirements and security policies.