Jens-
The snippet from my conf that applies is:
###
<localfile>
  <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
  <log_format>syslog</log_format>
</localfile>
###
The log format is set to "syslog" on my systems. Have you tried that yet?
-MdMonk (Chuck)
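An added sanity check, my own script rather than anything from OSSEC or this thread: it parses the <localfile> entries out of an ossec.conf fragment, expands the %m%d20%y date placeholders for a given day so you can see which file the agent will open, and flags a log_format the agent would reject. The list of accepted formats is an assumption beyond the "syslog" value confirmed above, and the sample config is constructed.

```python
import re
from pathlib import Path

# Constructed ossec.conf fragment (not from a real system): the syslog entry
# from the reply above and the rejected "Symantec-av" one from the question.
SAMPLE_CONF = r"""
<localfile>
  <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
  <log_format>syslog</log_format>
</localfile>
<localfile>
  <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
  <log_format>Symantec-av</log_format>
</localfile>
"""

# log_format values the OSSEC agent accepts (assumed list; "syslog" is the one
# the thread confirms). Extend it for the formats your version supports.
KNOWN_FORMATS = {"syslog", "snort-full", "snort-fast", "squid", "iis",
                 "eventlog", "apache", "nmapg"}

LOCALFILE_RE = re.compile(r"<localfile>(.*?)</localfile>", re.S)
ELEMENT_RE = re.compile(r"<(location|log_format)>(.*?)</\1>", re.S)


def parse_localfiles(conf_text):
    """One dict per <localfile> block, element text stripped of whitespace."""
    return [{name: value.strip() for name, value in ELEMENT_RE.findall(block)}
            for block in LOCALFILE_RE.findall(conf_text)]


def expand_location(location, year, month, day):
    """Expand the %m, %d, %y and %Y date placeholders OSSEC allows in
    <location>; the literal "20" in %m%d20%y and unknown %x are left alone."""
    table = {"%m": f"{month:02d}", "%d": f"{day:02d}",
             "%y": f"{year % 100:02d}", "%Y": f"{year:04d}"}
    return re.sub(r"%[mdyY]", lambda m: table[m.group(0)], location)


def check_entry(entry, year, month, day):
    """What the agent would object to, checked before restarting it."""
    path = expand_location(entry.get("location", ""), year, month, day)
    return {
        "path": path,
        # The agent printed the configured "Symantec-av" as "symantec-av",
        # so the comparison here is case-insensitive as well.
        "format_ok": entry.get("log_format", "").lower() in KNOWN_FORMATS,
        "exists": Path(path).exists(),  # false until that day's log is written
    }
```

Run check_entry over parse_localfiles(open("ossec.conf").read()) with today's date on the agent host to see the expanded path and whether the file is there yet.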
On 6/6/07, Harsem, Jens <[EMAIL PROTECTED]> wrote:
>
> Hello guys,
>
> I have successfully been able to build an OSSEC Server with having a Pix & a
> Windows Server reporting back to it. Now I would like to also have OSSEC
> check my Symantec Anti-Virus log file. I can see from the ossec web that
> this should be possible. However I do not know where I need to do this.
>
> I thought I had to modify the ossec.conf in C:\Program Files\ossec-agent by
> simply putting in:
>
> <localfile>
>   <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
>   <log_format>Symantec-av</log_format>
> </localfile>
>
> however when I do this I get the following entry in the ossec.log file on
> the Windows machine:
>
> ossec-agent(1235): Invalid value for element 'log_format': "symantec-av"
>
> Hence I can see that it does not like my log_format – yet I got that from
> the decoders.xml
>
> Does anyone know what I am doing wrong? I am running the latest version of
> OSSEC both on the Linux & Windows Server. I would appreciate it if someone
> could point me in the right direction.
>
> Regards,
>
> Jens
>