Remember that by default Windows does not log much. You probably need to go to the policy configuration and enable auditing of "logins", "logouts", etc.
--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/10/06, Oyesanya, Femi <[EMAIL PROTECTED]> wrote:
Yes. It's processing syscheck for files but not for the event logs. How can I check that the event log files actually made it to the server?

Sample syscheck

OSSEC HIDS Notification.
2006 Aug 10 02:23:13

Received From: (test002) 165.68.202.246->syscheck
Rule: 13 fired (level 8) -> "Integrity checksum of file 'C:\WINDOWS/setupapi.log' has changed."
Portion of the log(s):

Integrity checksum changed for: 'C:\WINDOWS/setupapi.log'
Size changed from '565551' to '566065'
Old md5sum was: 'fc41eb657bb388d53b3bf90c5ed2e92f'
New md5sum is : '5355965e4a3136a4625d8d1038a3939c'
Old sha1sum was: '53ba069832a8f0d23b6ead429da99cfdb1135691'
New sha1sum is : '8a17b102c6d6d758e68485e499e05d405945e491'
