Hi,

Indeed the eventchannel log format is newer and more powerful than eventlog, 
but it may lead to reporting too many events and even flood your network without a 
proper query.

If you enabled Windows Firewall and Windows Event Platform logs, they produce a 
large number of events that will be sent to the manager. You will be able to 
see them if you enable archives (option <logall>yes</logall>) in the manager.

I would recommend you to skip certain logs that are produced very frequently 
and don't pose a security issue, such as events 5145 and 5157 (which are 
generated when Windows detects new network devices and queries them for 
shared folders or printers) or 5447 (which is often produced when the Firewall 
allows a connection and may be related to an OSSEC message and lead to a vicious 
circle).

So I recommend you to use a configuration like this:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
  </localfile>

This should prevent your agent from overloading disk and network I/O. If the 
problem persists, please enable archives at the manager and take a look at the 
received events.

Hope it helps.
Best regards.


> On May 26, 2017, at 11:50 AM, LGuerra <aza...@gmail.com> wrote:
> 
> Hi,
> 
>  
> I think I just found out. 
>  
> Since I'm running OSSEC on Server 2012 and in order to correctly view Event 
> Viewer logs, I switched "eventlog" to "eventchannel" in the ossec.conf event 
> viewer settings. Which, according to the OSSEC documentation, uses the "new" 
> Event API for log translation.
>  
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html
>  
> Now, for troubleshooting I rolled back and it started working normally with 
> normal disk consumption.
>  
> I guess it's this setting. However, I really needed it, otherwise I won't be 
> able to retrieve all the information from the event viewer logs.
> 
> -- 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com 
> <mailto:ossec-list+unsubscr...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
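Added example, not from either message in this thread: before putting the <query> above into ossec.conf, measure which Security event IDs are actually flooding the host and dry-run the same XPath exclusion through the Windows Event Log engine that the eventchannel reader subscribes through. It assumes an elevated PowerShell session on the agent host and a one-hour window; note that the reply's text names 5157 while its query excludes 5156, so compare the list against what step 1 reports.

```powershell
# Added example (not OSSEC code): find the noisiest Security event IDs and
# dry-run the eventchannel exclusion query locally before deploying it.
# Assumption: run elevated on the Windows host; reading the Security log
# requires administrative rights.

$windowMs = 3600000   # last hour, in milliseconds, for the XPath timediff()

# 1. Which event IDs dominate the last hour? On hosts with Windows Firewall /
#    Filtering Platform auditing enabled, 5145/5156/5157 usually top this list.
$recent = Get-WinEvent -LogName Security -ErrorAction SilentlyContinue `
    -FilterXPath "Event/System[TimeCreated[timediff(@SystemTime) <= $windowMs]]"
$recent | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{ Name = 'EventID'; Expression = { $_.Name } }

# 2. Same exclusion as the <query> in the reply, evaluated by the Windows Event
#    Log XPath engine. Keep this ID list identical to the one in your ossec.conf
#    so the dry run reflects what the agent will really forward.
$exclude = "EventID != 5145 and EventID != 5156 and EventID != 5447"
$kept = Get-WinEvent -LogName Security -ErrorAction SilentlyContinue `
    -FilterXPath "Event/System[$exclude and TimeCreated[timediff(@SystemTime) <= $windowMs]]"

# $null.Count is 0 on PowerShell 3+, so an empty log does not break the report.
"{0} of {1} Security events from the last hour would still be forwarded to the manager" -f `
    $kept.Count, $recent.Count
```

If the "would still be forwarded" figure stays close to the total, the remaining volume comes from IDs outside the list, and step 1 tells you which ones to consider adding.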
