timestamp of wazuh agent windows events

[bfca667]

Hi, I recently realized that the timestamp of windows events that come from a wazuh agent are set to the time when the events arrive to the SO manager. I would like it to be set to the systemTime field (when the event actually happened). How do I do so? Thanks

[weslambert]

We'll have to add an issue for this to be corrected, but in the meantime, you could do something similar to whats in the zeek.common pipeline:

https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/elasticsearch/files/ingest/zeek.common#L4-L21 (Lines 4,5,21)

[bfca667]

Thank you for your response. Some follow up questions come to mind:
1 - I assume that an elasticsearch ingestion configuration file should be edited to make that work, right? Would that file be /opt/so/conf/elasticsearch/ingest/ossec ? If not, what file?

2 - Then I would have to add a line similar to:
{ "date": { "field": "systemTime", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
Is this correct? ( Help on the right format to be used in this case is more than welcome :) ).

Thanks!

[weslambert]

• You'll want to copy /opt/so/saltstack/default/salt/elasticsearch/files/ingest/<file>, to /opt/so/saltstack/local/salt/elasticsearch/files/ingest/<file>
• You'll want to first rename @timestamp to ingest.timestamp, then add your addition.

[weslambert]

You'll want to accommodate for if that field is not present as well, so keep that in mind.