Ok.. I'll try that

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Leung
Sent: Thursday, August 10, 2006 10:57 AM
To: [email protected]
Subject: [ossec-list] Re: Windows Event Log

Hi Oyesanya,

You may try to trip the wire by adding a new user or having multiple (6 at least) logon failures.

Rgds.
Martin

Oyesanya, Femi wrote:
> Yes. It's processing syscheck for files but not for the event logs
> How can I check that the event log files actually made it to the server.
>
> Sample syscheck
>
> OSSEC HIDS Notification.
> 2006 Aug 10 02:23:13
>
> Received From: (test002) 165.68.202.246->syscheck
> Rule: 13 fired (level 8) -> "Integrity checksum of file 'C:\WINDOWS/setupapi.log' has changed."
> Portion of the log(s):
>
> Integrity checksum changed for: 'C:\WINDOWS/setupapi.log'
> Size changed from '565551' to '566065'
> Old md5sum was: 'fc41eb657bb388d53b3bf90c5ed2e92f'
> New md5sum is : '5355965e4a3136a4625d8d1038a3939c'
> Old sha1sum was: '53ba069832a8f0d23b6ead429da99cfdb1135691'
> New sha1sum is : '8a17b102c6d6d758e68485e499e05d405945e491'
>
> --END OF NOTIFICATION
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmet Ozturk
> Sent: Thursday, August 10, 2006 10:02 AM
> To: [email protected]
> Subject: [ossec-list] Re: Windows Event Log
>
> Hi again,
>
> Did you start the OSSEC Hids service on windows agent after installation?
> (Control Panel->Admin Tools->Services)
> Is it running already?
>
> Regards,
>
> Ahmet Ozturk.
>
> Oyesanya, Femi wrote:
>> msauth_rules.xml rules already ships with the server
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmet Ozturk
>> Sent: Thursday, August 10, 2006 9:23 AM
>> To: [email protected]
>> Subject: [ossec-list] Re: Windows Event Log
>>
>> Hi,
>>
>> Just install server and windows agent as described in the manual
>> (http://www.ossec.net/en/manual.html#windows)
>> Then please be sure that windows_rules.xml file is included in ossec.conf file.
>> That's all you need to do to process your windows agent's event logs on the server.
>>
>> Regards,
>>
>> Ahmet Ozturk.
>>
>> Oyesanya, Femi wrote:
>>> Hello:
>>>
>>> Does anyone know what I need to do to have ossec server process windows event logs and send alerts?
>>>
>>> Thanks
