I have gfi installed on the same machine and have audit policy on. Was the agent tested on windows 2003. I noticed the documentation said 2000 and XP ?
-----Original Message----- From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid Sent: Thursday, August 10, 2006 12:53 PM To: [email protected] Subject: [ossec-list] Re: Windows Event Log Remember that by default windows do not log much. You probably need to go to the policy configuration and enable auditing of "logins", "logouts", etc... -- Daniel B. Cid dcid ( at ) ossec.net On 8/10/06, Oyesanya, Femi <[EMAIL PROTECTED]> wrote: > > Yes. It's processing syscheck for files but not for the event logs > How can I check that the event log files actually made it to the server. > > > > Sample syscheck > > > OSSEC HIDS Notification. > 2006 Aug 10 02:23:13 > > Received From: (test002) 165.68.202.246->syscheck > Rule: 13 fired (level 8) -> "Integrity checksum of file > 'C:\WINDOWS/setupapi.log' has changed." > Portion of the log(s): > > Integrity checksum changed for: 'C:\WINDOWS/setupapi.log' > Size changed from '565551' to '566065' > Old md5sum was: 'fc41eb657bb388d53b3bf90c5ed2e92f' > New md5sum is : '5355965e4a3136a4625d8d1038a3939c' > Old sha1sum was: '53ba069832a8f0d23b6ead429da99cfdb1135691' > New sha1sum is : '8a17b102c6d6d758e68485e499e05d405945e491'
