Alerts not working #624
-
Hello guys, I've set up a VM with UTMStack, using the official ISO and latest installer, and everything ran smoothly with no errors during installation. I've then installed the Windows Agent on a Windows 11 workstation to test it out and tried to generate some logs in order to trigger an alert, but the alerts never come. I've looked at the correlation rules and ran commands on that workstation like turning off the firewall, multiple login fails, etc. I see the logs but no alerts generated. How can I test the alerts system and how could I debug this issue I'm dealing with? Thank you!
Replies: 5 comments
-
I want to add that I have the Microsoft integration and those alerts do work, but for some reason it seems like Windows 11 agent alerts don't work. Does it only work on Windows Servers?
-
Hi, @catalinchertes, first, check if the 'system' rules folder is present in the application; to do that, go to management rules right menu. Let us know the results.
-
Also, check the guides step by step; it is the best way to make it function as expected, otherwise you may face issues like the ones you are seeing.
-
The Correlation Rules folder exists on the server, and the monitor checks show everything healthy. I installed the Windows Agent on the Active Directory server, which is a Windows Server 2022. I can see the logs with event_id 4625 stating login failure, there's a bunch of them, but still no alerts. You can see in the picture the various alerts which originated from the same User with the same ID, but it doesn't trigger an alert. I installed the Linux agent on an Ubuntu Server and it works as expected, but there's something with Windows alerts that doesn't work for me.
-
I ran the installer again and it seems like this time everything is working fine. Thanks so much for the quick reply!!
Hi, @catalinchertes, first, check if the 'system' rules folder is present in the application, to do that, go to management rules right menu.
Then, if the folder is there, go to the log explorer top menu and select 'Windows'; your logs should be there. After that, for example, generate 5 failed login attempts within 60 seconds, then check in the log explorer -> 'Windows'. To raise, for example, a 'Password guessing alert', you must have at least 5 log records where the 'logx.wineventlog.event_id' field's value is one of: 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 and the value of the field logx.wineventlog.event_data.TargetUserName is the same.
Let us know the results.
Best regards
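To make the rule condition above concrete (and to give a way to check, offline, whether a set of exported records should have fired it), here is an added Python example that is not UTMStack's own code. It re-implements the 'Password guessing' condition as stated in the reply: at least 5 records inside a 60-second window whose logx.wineventlog.event_id is one of the listed failed-logon IDs and whose logx.wineventlog.event_data.TargetUserName is the same. The nested record shape, the @timestamp field name, the user names and the timestamps are constructed for this example.

```python
"""Added example (not UTMStack code): a minimal sliding-window check for the
'Password guessing' condition described in the thread, run over constructed
wineventlog-style records. Field paths follow the thread; the record shape,
@timestamp field, user names and timestamps are constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the thread lists as failed-logon events for the rule.
FAILED_LOGON_IDS = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
THRESHOLD = 5                  # minimum matching records per user
WINDOW = timedelta(seconds=60)  # all of them must fall inside this span


def get_field(record, dotted):
    """Resolve a dotted path such as 'logx.wineventlog.event_id' in a nested dict."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def password_guessing_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per TargetUserName that has >= threshold failed-logon
    records inside some sliding window of length `window`. Each alert carries
    the user, the count in the triggering window and the window bounds."""
    per_user = defaultdict(list)
    for rec in records:
        eid = get_field(rec, "logx.wineventlog.event_id")
        user = get_field(rec, "logx.wineventlog.event_data.TargetUserName")
        ts = rec.get("@timestamp")  # assumed timestamp field (constructed)
        if eid in FAILED_LOGON_IDS and user and ts:
            per_user[user].append(datetime.fromisoformat(ts))

    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user,
                               "count": end - start + 1,
                               "first": times[start].isoformat(),
                               "last": times[end].isoformat()})
                break  # one alert per user is enough for this demonstration
    return alerts


def make_record(ts, event_id, user):
    """Build a constructed record in the nested shape the field paths imply."""
    return {"@timestamp": ts,
            "logx": {"wineventlog": {"event_id": event_id,
                                     "event_data": {"TargetUserName": user}}}}


# Constructed sample data:
#   'alice' fails 5 times within 20 seconds          -> should alert
#   'bob'   fails 5 times spread over 4 minutes      -> no alert (outside window)
#   'carol' has 5 successful logons (event_id 4624)  -> no alert (wrong event id)
SAMPLE_RECORDS = (
    [make_record(f"2024-01-01T10:00:{s:02d}", 4625, "alice") for s in (0, 5, 10, 15, 20)]
    + [make_record(f"2024-01-01T10:{m:02d}:00", 4625, "bob") for m in (0, 1, 2, 3, 4)]
    + [make_record(f"2024-01-01T10:00:{s:02d}", 4624, "carol") for s in (0, 1, 2, 3, 4)]
)

if __name__ == "__main__":
    for a in password_guessing_alerts(SAMPLE_RECORDS):
        print(f"Password guessing: {a['user']} had {a['count']} failed logons "
              f"between {a['first']} and {a['last']}")
```

Running it prints one line for 'alice' only. If your exported records for a user look like 'bob' (enough failures, but not within a single 60-second span), the rule is behaving as written, and the test in the reply needs the attempts generated faster.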