Hi,

I have made the following changes in my configuration file:

  <localfile>
    <location>OAlerts</location>
    <log_format>eventchannel</log_format>
  </localfile>

Logs are being pushed to ossec.log on server as follows:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything in the "Junk E-mail" folder will be permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything in the "Junk E-mail" folder will be permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:

But these are not being logged in the GUI.

I have read on the net that these are informational events and are not being 
logged. How do I enable those?

I would be grateful if you could help and provide me the steps for doing so.
Thanks

On Thursday, June 1, 2017 at 1:04:41 PM UTC+4, Jesus Linares wrote:
>
> Hi Irshad,
>
> Sorry, I thought it was the same problem as Akash's.
>
> I would like to be able to retrieve logs from windows machine to my OSSIM
>
>
> You mean OSSEC, right?
>
> Review the ossec.log of your agent. Maybe the location is wrong or there 
> are no events.
>
> I hope it helps.
> Regards.
>
>
> On Thursday, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote:
>>
>> Can anyone provide some help? @Jesus Linares... the link you provided is 
>> not helping much. It's for another issue.
>>
>> On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote:
>>>
>>> https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo
>>>
>>> On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote:
>>>>
>>>>
>>>> Hi All,
>>>>
>>>> I am also facing the same problem. I am not getting alerts for 
>>>> creation/deletion of files from the Windows agent 
>>>> on my manager (Linux). The agent shows connected and active; the only alerts 
>>>> I get from the agent (Win) are agent start/restart/change in ossec.conf (agent).
>>>> To monitor D:\ drive, I have done the following changes in ossec.conf 
>>>> on manager:
>>>>
>>>>  <directories report_changes="yes" realtime="yes" 
>>>> check_all="yes">C:.,D:.</directories>
>>>>
>>>> But I don't get any alerts on my manager.
>>>>
>>>> Can you please help me out.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>

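For the OAlerts question at the top of this message, here is an added example (not from the original poster or the OSSEC project) of a local rule that raises such INFORMATION-level Office events to alert level, assuming it is the stock OSSEC rule 18101 ("Windows informational event", level 0) that currently silences them; the rule id 100100, the level 5 and the description text are arbitrary choices for this example.

```xml
<!-- Added example for local_rules.xml, not from the original post.
     Assumption: stock rule 18101 (Windows informational event, level 0)
     is the parent that swallows the INFORMATION(300) OAlerts events.
     100100 is an arbitrary id from the local rule range. -->
<group name="local,windows,">
  <rule id="100100" level="5">
    <!-- Fire only for children of the informational Windows rule -->
    <if_sid>18101</if_sid>
    <!-- Match the channel and severity as they appear in the log line -->
    <match>OAlerts: INFORMATION</match>
    <description>Microsoft Office alert (OAlerts event channel) promoted from informational to alert.</description>
  </rule>
</group>
```

Restart the OSSEC manager after adding the rule so it is loaded; the alert level must be at or above the manager's configured alert threshold for it to reach the alerts log and the GUI.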