Hi Tom,

If you need to monitor a file (changes, permissions) you must use syscheck <http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/index.html>. You *can't* know who made the change.

In case you need to generate an alert according to each new line added to a file (event), you need log monitoring <http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/index.html>. So, you will need to create:

- decoders: The goal of decoding is to extract information from the events that you can use in the rules. If your log has a field with the user or the IP you can extract it here to use it in the rules.
- rules: The goal is to convert an event (archives.log) into an alert.

Share here the events and we can help you to create some decoders and rules.

I hope it helps.

On Thursday, June 23, 2016 at 3:11:14 AM UTC+2, Tom ONeil wrote:
>
> Sorry for the slow response, finally slept for a decent length.
>
> We are getting everything from the Windows Event logs by default just fine where they should be.
> Logall is grabbing everything else into archives.
>
> What I need is the contents of the mentioned text files into, especially changes in role or configuration and the user that made them.
>
> What I cannot get a handle on is why they don't show up at all.
> I have read the docs, and tried to modify local_rules.xml to grab all the content from those and it fails config check with not enough explanations as to why.
>
> <group name="QlikSense Roles">
> <rule id="100001" level="7">
> <srcip>192.168.2.10</srcip>
> <description>Example of rule that will grab role changes</description>
> <description>Role Change from IP 192.168.2.10</description>
> </rule>
>
> On Wednesday, June 22, 2016 at 7:34:21 AM UTC-5, dan (ddpbsd) wrote:
>> On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <thomas.j...@gmail.com> wrote:
>> > Just trying to get a simple configuration to pick up the text log files from a Windows 2012R2 server.
>> > Been over every doc, reinstalled, worked all night and ZIP.
>> > Blood running in my eyes from smashing forehead on keyboard.
>> >
>> > I have everything going to logall just to see if it's working but I am lost on how to set up the XXXX_rules.xml files.
>> > Are there some examples or clearer docs on this anywhere?
>> >
>>
>> So what is working?
>> Are the logs being shipped to the OSSEC server?
>>
>> There are plenty of examples of rules in /var/ossec/rules. I believe there is a page in the documentation on writing rules (and decoders) as well.
>> What are you having trouble with specifically?
>>
>> > Simple config snippet
>> >
>>
>> This is on the Windows agent in its ossec.conf, correct?
>>
>> > <!-- One entry for each file/Event log to monitor. -->
>> > <localfile>
>> > <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
>> > <log_format>syslog</log_format>
>> > </localfile>
>> >
>> > <localfile>
>> > <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
>> > <log_format>syslog</log_format>
>> > </localfile>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>> >
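As an added example (not posted by anyone in this thread), here is the shape a decoder/rule pair for one of Tom's Qlik audit files could take. The audit line format is constructed for illustration because the thread contains no sample events, and the decoder file path assumes an OSSEC version whose ossec.conf already lists local_decoder.xml; with log_format syslog each line of the text file reaches the server as one event, which is what the prematch is tested against.

```xml
<!-- Added example, not from the thread. Constructed sample event, as one
     line of the monitored audit file (the real Qlik format will differ):
       QlikAudit: user=DOMAIN\alice src=192.168.2.10 action=RoleChange detail=ContentAdmin added

     1) Decoders: assumed to live in /var/ossec/etc/local_decoder.xml on the server. -->
<decoder name="qlik-audit">
  <!-- prematch is the cheap check that identifies the event type -->
  <prematch>^QlikAudit: </prematch>
</decoder>

<decoder name="qlik-audit-fields">
  <parent>qlik-audit</parent>
  <!-- OSSEC regex: \S+ = run of non-spaces, \d+ = digits, '.' is a literal dot;
       offset="after_parent" anchors ^ right after the prematch text -->
  <regex offset="after_parent">^user=(\S+) src=(\d+.\d+.\d+.\d+) action=(\S+)</regex>
  <!-- order maps the captured groups onto fields the rules can test -->
  <order>user, srcip, action</order>
</decoder>

<!-- 2) Rules: go in /var/ossec/rules/local_rules.xml. Group names follow the
     shipped rules' comma-separated convention; each rule has one description. -->
<group name="qlik,">
  <!-- base rule: any event the decoder above recognised, kept at a low level -->
  <rule id="100001" level="3">
    <decoded_as>qlik-audit</decoded_as>
    <description>Qlik Sense audit event</description>
  </rule>

  <!-- child rule: only role changes, at Tom's original level 7;
       the decoded user and srcip are carried into the alert -->
  <rule id="100002" level="7">
    <if_sid>100001</if_sid>
    <match>action=RoleChange</match>
    <description>Qlik Sense role change recorded in the repository audit log</description>
    <group>qlik_role_change,</group>
  </rule>
</group>
```

Paste a real line from archives.log into /var/ossec/bin/ossec-logtest on the server: it prints the decoded fields and the rule that fired, so the prematch and regex can be adjusted before restarting.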