Hi Daniel, I will check those things tomorrow morning.
Thanks, Ruurd

From: [email protected] [mailto:[EMAIL PROTECTED]] On behalf of Daniel Cid
Sent: Wednesday, 26 July 2006 17:16
To: [email protected]
CC: [EMAIL PROTECTED]
Subject: [ossec-list] Re: windows logs

Hi Ruurd,

You can't give the path of the event log. You need to provide the log_format as event log and, in the "location", the type of event log. For example, to monitor the security events, add the following lines to the config:

    <localfile>
      <location>Security</location>
      <log_format>eventlog</log_format>
    </localfile>

However, it should be there by default. Just remember that Windows by default does not log a lot of things. You would need to go to the administrative panel and enable logging for policy changes, logins, logouts, etc...

Regarding syscheck, if you go to ossec.log (generally under C:\program files\ossec-agent\), you will see if anything failed. Also, if you go to the ossec server, under /var/ossec/queue/syscheck/, you should have a file for your Windows systems (based on the name and IP of the agent). If the file is there and it has a list of checksums/file names, it is because syscheck is working... Another way to check the connectivity is to look on the server at /var/ossec/queue/agent-info/ . It should have the "uname" of all your agents.

*Just a note that syscheck by default only monitors the following directories: C:\WINDOWS and C:\Program Files .

hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> We have an ossec server 0.9 running with several clients.
> But the windows agents don't read from the eventlogs.
> I tried editing the ossec.conf at the windows agent with the path directly
> to the eventlog, something like:
>
> <localfile>
> <log_format>system</log_format>
> <location>c:\windows\system32\conf\***.evt</location>
> </localfile>
>
> What is wrong? Did I miss something?
>
> Can I see if something is wrong with the syscheck?
>
> Thanks
>
> Ruurd
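The two server-side checks Daniel describes (an entry per agent under /var/ossec/queue/agent-info/, and a populated database per agent under /var/ossec/queue/syscheck/) can be run together from the server shell. The script below is an added example for this thread, not code from OSSEC or from either poster. It assumes (this is not stated on the page) that agent-info files are named `<name>-<ip>` and syscheck databases `(<name>) <ip>->syscheck`; adjust the two patterns if your version names them differently. The queue directory is a parameter so the check can be exercised against a copy of the tree.

```shell
#!/bin/sh
# Added example (not part of the original ossec-list thread).
# For every agent that has reported in (queue/agent-info/), verify that the
# server also holds a non-empty syscheck database for it (queue/syscheck/).
#
# Assumptions, not confirmed by the thread:
#   agent-info file name : <name>-<ip>
#   syscheck DB file name: (<name>) <ip>->syscheck
# Usage: ossec_agent_status [queue_dir]   (default /var/ossec/queue)
# Exit status 1 if any connected agent has a missing or empty syscheck DB.

ossec_agent_status() {
    queue_dir=${1:-/var/ossec/queue}
    rc=0
    for info in "$queue_dir"/agent-info/*; do
        [ -f "$info" ] || continue          # no agents yet / glob did not match
        base=$(basename "$info")
        name=${base%-*}                      # everything before the last '-'
        ip=${base##*-}                       # everything after the last '-'
        uname=$(head -n 1 "$info")           # agent-info holds the agent's uname
        db="$queue_dir/syscheck/($name) $ip->syscheck"
        if [ ! -f "$db" ]; then
            echo "WARN  $name ($ip): connected [$uname] but no syscheck DB"
            rc=1
        elif [ ! -s "$db" ]; then
            echo "WARN  $name ($ip): syscheck DB exists but is empty"
            rc=1
        else
            entries=$(wc -l < "$db" | tr -d ' ')
            echo "OK    $name ($ip): $entries syscheck entries"
        fi
    done
    return $rc
}
```

Run it as `sh ossec_agent_status.sh` after adding a final `ossec_agent_status "$@"` line, or source the file and call the function. An agent listed as WARN with no syscheck DB is reachable (its uname arrived) but syscheck never delivered anything, which is where the agent-side ossec.log Daniel mentions becomes the next place to look.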
