Hi Dmitrii,

You need to pass the event log name (like Application or Security) to
the "location" tag, instead of the real location of the event log.
That's why "Application" works and
"C:\WINDOWS\System32\config\AppEvent.Evt" fails.

For NTDS, I am afraid that ossec will not support it properly, since
we hard-coded a validator looking for "Security", "Application" or
"System"... I will see if I can fix it for the next snapshot. Are there
any more event log "sources" that we may need to add?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/26/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
> Hello!
> I'm trying to add extended event logging to windows agents on Windows Server
> 2003 domain controller.
> There is event log C:\WINDOWS\system32\config\NTDS.evt
> but when I try to add string like this:
>   <localfile>
>     <location>C:\WINDOWS\system32\config\NTDS.evt</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> it exits with error:
> 2007/06/26 10:47:26 ossec-agent: DEBUG: Reading logcollector configuration.
> 2007/06/26 10:47:26 ossec-agent(1903): Invalid event log: 'C:\WINDOWS\System32\config\NTDS.Evt'.
> 2007/06/26 10:47:26 ossec-agent(1202): Configuration error at 'ossec.conf'. Exiting.
>
> Tried to change location to NTDS. Unsuccessful.
> Has anyone solved this problem?
>
>
> P.S.
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> works, but when I try to change location like this
> <location>C:\WINDOWS\System32\config\AppEvent.Evt</location>
> it crashes with error.
>
> Thanks.
> Dmitrii Chebotarev, Russia.
>
>
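
Added example (not part of the original thread and not OSSEC's own code): a pre-deployment check that flags eventlog <localfile> entries the agent would reject, based on the three names the reply says the validator accepts. The function name, the <ossec_config> wrapper around the sample, and the exact case-sensitive comparison are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Names the thread says the agent's hard-coded validator accepts.
# Assumption: the comparison is exact and case-sensitive.
ACCEPTED_EVENTLOGS = ("Security", "Application", "System")

# Constructed sample: the <localfile> entries discussed in the thread,
# wrapped in an <ossec_config> root so the fragment parses as one document.
SAMPLE_CONF = r"""
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>C:\WINDOWS\system32\config\NTDS.evt</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>NTDS</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

# Heuristic for "this is a file path, not an event log name".
PATH_LIKE = re.compile(r"[\\/]|^[A-Za-z]:|\.evt$", re.IGNORECASE)

def check_eventlog_locations(conf_text):
    """Return (location, verdict) for every eventlog <localfile> entry."""
    results = []
    root = ET.fromstring(conf_text)
    for entry in root.iter("localfile"):
        fmt = (entry.findtext("log_format") or "").strip()
        if fmt != "eventlog":
            continue  # only eventlog entries are checked here
        loc = (entry.findtext("location") or "").strip()
        if loc in ACCEPTED_EVENTLOGS:
            verdict = "ok"
        elif PATH_LIKE.search(loc):
            verdict = "file path: use the event log name instead"
        else:
            verdict = "name not accepted by the validator"
        results.append((loc, verdict))
    return results

if __name__ == "__main__":
    for loc, verdict in check_eventlog_locations(SAMPLE_CONF):
        print(f"{loc!r}: {verdict}")
```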
