Logcollector - Stop to send Microsoft-Windows-Windows Defender events

[cborla]

Wazuh version	Component	Install type	Install method	Platform
v4.7.2	Logcollector	Agent	Packages	Windows

Description.

Microsoft-Windows-Windows Defender events stop being sent by the agent randomly, and if the aget is restarted it starts working correctly.

Steps to reproduce it

The issue were reproduble in a Windows 11 and Wazuh Agent v4.7.4.

Steps

1. Set the centralized configuration:

<agent_config>

  <!-- Shared agent configuration here -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

2. Enable/disable Real-time protection and check the events generated in Event Viewer:

3. Events received by the manager:

[root@wazuh-server wazuh-user]# tail -f /var/ossec/logs/archives/archives.json | grep -iE "\"5000\"|\"5001\""
{"timestamp":"2024-06-13T17:04:43.738+0000","rule":{"level":3,"description":"Windows Defender: Antivirus real-time protection is enabled","id":"62151","firedtimes":1,"mail":false,"groups":["windows","windows_defender"],"pci_dss":["5.1","10.2.6","10.6.1"],"gpg13":["4.14","10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["SI.3","AU.14","AU.5","AU.6"],"tsc":["A1.2","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"vm-win11","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1718298283.619471","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"5000\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-06-13T17:04:42.7268455Z\",\"eventRecordID\":\"732\",\"processID\":\"3336\",\"threadID\":\"5180\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"vm-win11\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was enabled.\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.24050.7\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"5000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-06-13T17:04:42.7268455Z","eventRecordID":"732","processID":"3336","threadID":"5180","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"vm-win11","severityValue":"INFORMATION","message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was enabled.\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.24050.7"}}},"location":"EventChannel"}
{"timestamp":"2024-06-13T17:06:45.147+0000","rule":{"level":5,"description":"Windows Defender: Antivirus real-time protection is disabled","id":"62152","firedtimes":1,"mail":false,"groups":["windows","windows_defender"],"pci_dss":["5.1","10.2.6","10.6.1"],"gpg13":["4.14","10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["SI.3","AU.14","AU.5","AU.6"],"tsc":["A1.2","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"vm-win11","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1718298405.636003","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"5001\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-06-13T17:06:44.1170447Z\",\"eventRecordID\":\"734\",\"processID\":\"3336\",\"threadID\":\"5180\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"vm-win11\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.24050.7\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"5001","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-06-13T17:06:44.1170447Z","eventRecordID":"734","processID":"3336","threadID":"5180","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"vm-win11","severityValue":"INFORMATION","message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.24050.7"}}},"location":"EventChannel"}

4. Restart EventLog service:

PS C:\Users\vagrant> Restart-Service EventLog -Force

5. Generate new events. The events can be seen from Event Viewer but they are not received in the manager:

6. No error logs appeared in agent ossec.log:

7. Restart Wazuh Agent and generate new events:

8. The events are received by the manager:

{"timestamp":"2024-06-13T17:39:17.471+0000","rule":{"level":5,"description":"Windows Defender: Antivirus real-time protection is disabled","id":"62152","firedtimes":2,"mail":false,"groups":["windows","windows_defender"],"pci_dss":["5.1","10.2.6","10.6.1"],"gpg13":["4.14","10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["SI.3","AU.14","AU.5","AU.6"],"tsc":["A1.2","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"vm-win11","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1718300357.638520","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"5001\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-06-13T17:39:16.4235997Z\",\"eventRecordID\":\"740\",\"processID\":\"3336\",\"threadID\":\"8924\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"vm-win11\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.24050.7\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"5001","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-06-13T17:39:16.4235997Z","eventRecordID":"740","processID":"3336","threadID":"8924","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"vm-win11","severityValue":"INFORMATION","message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.24050.7"}}},"location":"EventChannel"}
{"timestamp":"2024-06-13T17:39:21.941+0000","rule":{"level":3,"description":"Windows Defender: Antivirus real-time protection is enabled","id":"62151","firedtimes":2,"mail":false,"groups":["windows","windows_defender"],"pci_dss":["5.1","10.2.6","10.6.1"],"gpg13":["4.14","10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["SI.3","AU.14","AU.5","AU.6"],"tsc":["A1.2","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"vm-win11","ip":"10.0.2.15"},"manager":{"name":"wazuh-server"},"id":"1718300361.640383","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Windows Defender\",\"providerGuid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\",\"eventID\":\"5000\",\"version\":\"0\",\"level\":\"4\",\"task\":\"0\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-06-13T17:39:20.8716710Z\",\"eventRecordID\":\"741\",\"processID\":\"3336\",\"threadID\":\"8924\",\"channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"computer\":\"vm-win11\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was enabled.\\\"\"},\"eventdata\":{\"product Name\":\"Microsoft Defender Antivirus\",\"product Version\":\"4.18.24050.7\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Windows Defender","providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}","eventID":"5000","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-06-13T17:39:20.8716710Z","eventRecordID":"741","processID":"3336","threadID":"8924","channel":"Microsoft-Windows-Windows Defender/Operational","computer":"vm-win11","severityValue":"INFORMATION","message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was enabled.\""},"eventdata":{"product Name":"Microsoft Defender Antivirus","product Version":"4.18.24050.7"}}},"location":"EventChannel"}

This behaviour seems to be related to Reconnect EventLog and EventChannel when service is restarted but there are no reconnection messages in the agent's log.