Hello Jack,

I realize this is a rather dated thread but I wanted to provide an answer 
for those that may land here through their search engine of preference.

In order to collect events from Windows Defender you may use the following 
configuration:
    <localfile>
        <location>Microsoft-Windows-Windows Defender/Operational</location>
        <log_format>eventchannel</log_format>
    </localfile>

This will collect all logs from Windows Defender without needing to query 
for specific events. 

I hope this helps you.
Best Regards,
Juan Carlos Tello




On Monday, October 28, 2019 at 10:17:51 PM UTC+1, Jack Porter wrote:
>
> Hi,
>
> Is there any way of configuring Ossec to monitor Windows Defender 
> Operational logs located in the applications and services event group?
>
> I have attempted to use the following permutations in my Windows agent's 
> ossec.conf file (please see attached text file).
>
> But encounter the following error message when looking at the logs on my 
> Windows Ossec agent:
>
> *2019/10/28 16:20:51 ossec-logcollector: ERROR: Could not EvtSubscribe() 
> for (Microsoft-Windows-Windows Defender/Operational) which returned (15001)*
>
> I am pointing to the log name outlined in event viewer for the location, 
> using the event channel log format and event IDs outlined in Microsoft's 
> documentation 
> https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
>
> Kind regards,
> Jack Porter
>
>
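An added pre-deployment check, not part of either message above: it confirms on the agent that the channel named in `<location>` actually exists, tests an XPath filter of the kind a `<query>` element would carry, and prints the matching `<localfile>` block. It assumes Windows PowerShell 5.1 or later run under an account that can read the channel; the Defender event IDs 1116 and 1117 come from Microsoft's documentation, not from this thread.

```powershell
# Added check (not from the thread): verify the channel and filter before
# they go into ossec.conf. Assumes Windows PowerShell 5.1+ with read access
# to the Defender Operational channel.

$Channel = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Does the channel exist and is it enabled? Get-WinEvent -ListLog throws
#    if the name is wrong, which is the first thing to rule out when the
#    agent cannot subscribe.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
'{0}: enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. Optional XPath filter test. EvtSubscribe() error 15001 is
#    ERROR_EVT_INVALID_QUERY in winerror.h, so a malformed filter rather than
#    the channel name is the usual cause of that code. The IDs below are
#    Defender's "malware detected" (1116) and "action taken" (1117) events
#    from Microsoft's documentation; leave <query> out of ossec.conf to
#    collect the whole channel, as the reply above does.
$XPath = '*[System[(EventID=1116 or EventID=1117)]]'
try {
    $events = Get-WinEvent -LogName $Channel -FilterXPath $XPath `
        -MaxEvents 5 -ErrorAction Stop
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
} catch {
    # "No events were found" lands here too; an invalid XPath produces a
    # different message, so surface it rather than swallowing it.
    Write-Warning "Query against '$Channel' failed: $($_.Exception.Message)"
}

# 3. Print the agent-side configuration that matches the verified channel.
@"
<localfile>
    <location>$Channel</location>
    <log_format>eventchannel</log_format>
</localfile>
"@
```

If step 1 throws, fix the channel name first; if step 2 warns with an "invalid query" message, the filter is what the logcollector will reject.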

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/deabf117-c693-4b75-8037-02ae08406eedo%40googlegroups.com.