I’m working on a lab environment for my MSc dissertation, focusing on offensive attack simulations and defensive log monitoring using Wazuh.
Current Setup:
Wazuh Manager: Running on Ubuntu server (192.168.100.40)
Windows 10 client (192.168.100.20): Used to simulate attacks with tools like Mimikatz and SharpHound.
Sysmon installed and configured with a custom sysmonconfig.xml to capture process creation, network connections, etc.
Wazuh agent properly configured on the Windows client (with confirmed logs for PowerShell activity appearing in Wazuh).
Problem:
When I run PowerSploit attacks (e.g., Invoke-Kerberoast), I see logs in Wazuh for suspicious PowerShell activity.
However, when I run Mimikatz.exe or SharpHound.exe attacks, I see the expected Sysmon logs in the Windows Event Viewer (Event ID 1 for process creation, correct paths, etc.), but these logs do not show up in the Wazuh Dashboard.
My local_rules.xml has rules for detecting these tools by matching the win.eventdata.Image and CommandLine fields (e.g., Mimikatz path, SharpHound.exe).
I confirmed Wazuh agent logs (/var/ossec/logs/ossec.log) do not report errors for event collection.
The local rules seem correct, as PowerSploit PowerShell activity is detected.
What I suspect:
Possible misconfiguration in the ossec.conf (manager side) or agent-side file monitoring.
Or an issue with event channel configuration for Sysmon events.
What I’ve done:
Verified that Sysmon events are visible in Event Viewer on Windows 10.
Recreated and validated local rules (I’ll attach them in a zip along with relevant config files & screenshots).
Confirmed that the Wazuh Manager restarts without config errors after adjusting ossec.conf.
Request:
I’d appreciate any guidance on why these Sysmon events (Mimikatz and SharpHound process creation) are not appearing in Wazuh, while other logs (like PowerSploit PowerShell events) work fine.
Is there something I need to tweak in the ossec.conf, Sysmon config, or elsewhere?
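As an added example (not the poster's files), the two pieces Wazuh needs before a Sysmon Event ID 1 can show up as a custom alert: the agent-side eventchannel subscription for the Sysmon log, and a local_rules.xml group keyed on the camelCase field names the eventchannel decoder actually emits (win.eventdata.image, win.eventdata.commandLine, not Image/CommandLine as written in the Sysmon XML). Rule ids 100100-100102 are chosen for this example; 61603 is Wazuh's built-in Sysmon Event 1 (process creation) rule.

```xml
<!-- Fragment 1: agent-side ossec.conf on the Windows client.
     Without this <localfile>, Sysmon events appear in Event Viewer
     but are never forwarded to the manager. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- Fragment 2: manager-side /var/ossec/etc/rules/local_rules.xml.
     Children of 61603 so they only evaluate Sysmon process-creation events.
     Field names are the decoder's camelCase form; (?i) makes the match
     case-insensitive because the on-disk name may be any case. -->
<group name="sysmon,process_creation,local,">

  <!-- Mimikatz launched by its original binary name -->
  <rule id="100100" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\mimikatz\.exe$</field>
    <description>Sysmon - Mimikatz executed: $(win.eventdata.image)</description>
    <mitre><id>T1003.001</id></mitre>
  </rule>

  <!-- SharpHound collector launched by its original binary name -->
  <rule id="100101" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\sharphound\.exe$</field>
    <description>Sysmon - SharpHound executed: $(win.eventdata.image)</description>
    <mitre><id>T1087.002</id></mitre>
  </rule>

  <!-- Renamed copy: the PE header's OriginalFileName still names the tool,
       so match that field instead of the path. Multiple <field> entries in
       one rule are ANDed; alternation in the pattern gives the OR. -->
  <rule id="100102" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)^(mimikatz|sharphound)\.exe$</field>
    <description>Sysmon - renamed credential/AD recon tool: $(win.eventdata.image) (original name $(win.eventdata.originalFileName))</description>
  </rule>

</group>
```

A quick way to separate a transport problem from a rule problem is to filter the dashboard on rule.id 61603 (or rule.groups sysmon) after launching any benign process on the client: if nothing arrives, the agent is not forwarding the channel; if 61603 fires but the custom rules do not, the field names or patterns in local_rules.xml need attention.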