Hello MdMonk (Chuck),

thank you very much for this - it worked perfectly!

Regards,

Jens C Harsem  I  Regional MIS Manager I MICROS-Fidelio Asia Pacific  I
Suite 7, 13 Narabang Way  I  Belrose , NSW 2085  I  Australia
+612 9485 1005(  I  +612 9485 1099 3  I  [EMAIL PROTECTED]  * I
www.micros.com
 
Confidentiality Notice This email is intended only for the individual/s
to whom it is addressed and may contain information that is confidential
or privileged. If you are not the intended recipient/s, or the employee
or person responsible for delivering it to the intended recipient/s you
are hereby notified that any dissemination, distribution, copying or use
is strictly prohibited. If you have received this communication in
error, please notify the sender immediately by telephone and return the
original email to the sender.
 
 
 

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of MdMonk
Sent: Thursday, 7 June 2007 5:36 AM
To: [email protected]
Subject: [ossec-list] Re: Symantec Anti-Virus log checkingq


Jens-

The snippet from my conf that applies is:
###
  <localfile>
    <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
    <log_format>syslog</log_format>
  </localfile>
###

The log format is set to "syslog" on my systems. Have you tried that
yet?

-MdMonk (Chuck)

On 6/6/07, Harsem, Jens <[EMAIL PROTECTED]> wrote:
>
> Hello guys,
>
> I have successfully been able to build an OSSEC Server with having a Pix & a
> Windows Server reporting back to it. Now I would like to also have OSSEC
> check my Symantec Anti-Virus log file. I can see from the ossec web that
> this should be possible. However I do not know where I need to do this.
>
> I thought I had to modify the ossec.conf in C:\Program Files\ossec-agent by
> simply putting in:
>
> <localfile>
>   <location> C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
>   <log_format>Symantec-av</log_format>
> </localfile>
>
> however when I do this I get the following entry in the ossec.log file on
> the windows machine:
>
> ossec-agent(1235): Invalid value for element 'log_format': "symantec-av"
>
> Hence I can see that it does not like my log_format - yet I got that from
> the decoders.xml
>
> Does anyone know what I am doing wrong? I am running the latest version of
> OSSEC both on the Linux & windows Server. I would appreciate it if someone
> could point me in the right direction.
>
> Regards,
>
> Jens
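
An offline check for the mistake discussed in this thread, as an added example (not part of the original messages and not OSSEC code): it flags `<localfile>` blocks whose `log_format` is not a collector format and shows which dated file the `%m%d20%y.log` location resolves to. The `KNOWN_LOG_FORMATS` set, the function name and the sample config are assumptions; check the list against the documentation for your OSSEC version.

```python
import datetime
import xml.etree.ElementTree as ET

# Assumption: collector formats documented for OSSEC; the set varies by version.
KNOWN_LOG_FORMATS = {
    "syslog", "snort-full", "snort-fast", "squid", "iis", "eventlog",
    "mysql_log", "postgresql_log", "nmapg", "apache",
}

# Constructed sample holding the two <localfile> blocks quoted in this thread.
SAV_LOG = (r"C:\Documents and Settings\All Users\Application Data\Symantec"
           r"\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log")
SAMPLE_CONF = f"""
<ossec_config>
  <localfile>
    <location> {SAV_LOG}</location>
    <log_format>Symantec-av</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>{SAV_LOG}</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""


def lint_localfiles(conf_text, day):
    """Check every <localfile> block; return one finding dict per block."""
    # ossec.conf may contain several top-level <ossec_config> elements, so
    # wrap the text in a synthetic root before handing it to the XML parser.
    root = ET.fromstring(f"<root>{conf_text}</root>")
    findings = []
    for block in root.iter("localfile"):
        location = (block.findtext("location") or "").strip()
        log_format = (block.findtext("log_format") or "").strip()
        problems = []
        if log_format not in KNOWN_LOG_FORMATS:
            problems.append(f"log_format {log_format!r} is not a known collector format")
        # Expand the strftime fields to see which file would be read on `day`.
        file_today = day.strftime(location).rsplit("\\", 1)[-1]
        findings.append({"log_format": log_format, "file_today": file_today,
                         "problems": problems})
    return findings


if __name__ == "__main__":
    for f in lint_localfiles(SAMPLE_CONF, datetime.date(2007, 6, 7)):
        print(f["log_format"], f["file_today"], f["problems"] or "ok")
```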
