Hi Oyesanya,

You may try to trip the wire by adding a new user or having multiple (at least 6) logon failures.

Rgds.
Martin


Oyesanya, Femi wrote:
Yes. It's processing syscheck for files but not for the event logs. How can I check that the event log files actually made it to the server?



Sample syscheck

OSSEC HIDS Notification.
2006 Aug 10 02:23:13

Received From: (test002) 165.68.202.246->syscheck
Rule: 13 fired (level 8) -> "Integrity checksum of file
'C:\WINDOWS/setupapi.log' has changed."
Portion of the log(s):

Integrity checksum changed for: 'C:\WINDOWS/setupapi.log'
Size changed from '565551' to '566065'
Old md5sum was: 'fc41eb657bb388d53b3bf90c5ed2e92f'
New md5sum is : '5355965e4a3136a4625d8d1038a3939c'
Old sha1sum was: '53ba069832a8f0d23b6ead429da99cfdb1135691'
New sha1sum is : '8a17b102c6d6d758e68485e499e05d405945e491'



 --END OF NOTIFICATION


-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of Ahmet Ozturk
Sent: Thursday, August 10, 2006 10:02 AM
To: [email protected]
Subject: [ossec-list] Re: Windows Event Log


Hi again,

Did you start the OSSEC Hids service on windows
agent after installation?
(Control Panel->Admin Tools->Services)
Is it running already?

Regards,

Ahmet Ozturk.

Oyesanya, Femi wrote:
The msauth_rules.xml rules already ship with the server.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of Ahmet Ozturk
Sent: Thursday, August 10, 2006 9:23 AM
To: [email protected]
Subject: [ossec-list] Re: Windows Event Log


Hi,

Just install server and windows agent as described in the manual
(http://www.ossec.net/en/manual.html#windows)
Then please be sure that windows_rules.xml file is included
in ossec.conf file.
That's all you need to do to process your windows agent's event
logs on the server.

Regards,

Ahmet Ozturk.
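The two configuration pieces Ahmet's instructions refer to, written out as an added example rather than taken from the thread: the server-side `<rules>` block that must include windows_rules.xml (and msauth_rules.xml for logon events), and the agent-side `<localfile>` entries that make the Windows agent forward its event logs at all. The `logall` setting is an assumption added here as a way to answer Femi's question: with it on, every forwarded log line is written to logs/archives/archives.log on the server, so you can grep that file to confirm the event log entries arrived even if no rule fires.

```xml
<!-- Server: /var/ossec/etc/ossec.conf (fragment). Rules listed here are
     loaded by the analysis daemon; without windows_rules.xml no Windows
     event log alert can be generated. -->
<ossec_config>
  <global>
    <!-- Assumption for this example: archive every received log line
         to logs/archives/archives.log so delivery can be verified. -->
    <logall>yes</logall>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
    <include>windows_rules.xml</include>
    <include>msauth_rules.xml</include>
  </rules>
</ossec_config>

<!-- Windows agent: ossec.conf in the agent install directory (fragment).
     Each <localfile> with log_format "eventlog" names one event log
     channel to read and forward to the server. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
```

Restart the agent service and the server after editing; the Security channel only yields logon-failure events if auditing of logon events is enabled in the Windows audit policy.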

Oyesanya, Femi wrote:
 Hello:

Does anyone know what I need to do to have the ossec server process
windows event logs and send alerts?
Thanks


