I am collecting AppLocker events in OSSEC, and the rules work as expected.
Though AppLocker events are logged by OSSEC, Graylog is dropping them
silently.
Sample JSON event below (values in red are sanitized):
{
  "rule": {
    "level": 2,
    "comment": "Windows - AppLocker allowed program to run in audit mode.",
    "sidid": 18303,
    "firedtimes": 1,
    "groups": ["windows", "applocker", "pci_dss_10.6.1"],
    "PCI_DSS": ["10.6.1"]
  },
  "dstuser": "UserName",
  "full_log": "2016 Sep 13 04:09:08 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: WARNING(8003): Microsoft-Windows-AppLocker: UserName: DESKTOP: SystemName: %PROGRAMFILES%\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
  "id": "8003",
  "status": "WARNING",
  "data": "Microsoft-Windows-AppLocker",
  "systemname": "SystemName",
  "decoder": {"name": "windows"},
  "hostname": "hostname",
  "agentip": "XXX.XXX.XXX.XXX",
  "timestamp": "2016 Sep 13 04:09:18",
  "location": "WinEvtLog"
}
What do I need to do to get AppLocker (and other collected non-standard)
Windows event logs from OSSEC into Graylog?
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.