Yes, there are many other log files, maybe only hard-coding is too...hard. NtFrs.Evt, NTDS.Evt, Internet Explorer.evt, DnsEvent.Evt
----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>

> Hi Dmitrii,
>
> You need to pass the event log name (like Application or Security) to
> the "location" tag, instead of the real location of the event log.
> That's why "Application" works and
> "C:\WINDOWS\System32\config\AppEvent.Evt" fails.
>
> For NTDS, I am afraid that ossec will not support it properly, since
> we hard-coded a validator looking for "Security", "Application" or
> "System"... I will see if I can fix it for the next snapshot.
> Are there any more event log "sources" that we may need to add?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 6/26/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Hello!
> > I'm trying to add extended event logging to Windows agents on a
> > Windows Server 2003 domain controller.
> > There is an event log C:\WINDOWS\system32\config\NTDS.evt
> > but when I try to add a string like this:
> >
> > <localfile>
> >   <location>C:\WINDOWS\system32\config\NTDS.evt</location>
> >   <log_format>eventlog</log_format>
> > </localfile>
> >
> > it exits with an error:
> >
> > 2007/06/26 10:47:26 ossec-agent: DEBUG: Reading logcollector configuration.
> > 2007/06/26 10:47:26 ossec-agent(1903): Invalid event log: 'C:\WINDOWS\System32\config\NTDS.Evt'.
> > 2007/06/26 10:47:26 ossec-agent(1202): Configuration error at 'ossec.conf'. Exiting.
> >
> > Tried to change the location to NTDS. Unsuccessful.
> > Has anyone solved this problem?
> >
> > P.S.
> >
> > <localfile>
> >   <location>Application</location>
> >   <log_format>eventlog</log_format>
> > </localfile>
> >
> > works, but when I try to change the location like this
> >
> > <location>C:\WINDOWS\System32\config\AppEvent.Evt</location>
> >
> > it crashes with an error.
> >
> > Thanks.
> > Dmitrii Chebotarev, Russia.
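Added example, not part of the thread and not OSSEC code: a pre-deployment check that reads an ossec.conf and reports which eventlog `<localfile>` entries the validator described above would reject. The function names, the sample configuration and the case-insensitive comparison are assumptions of this example; the accepted names are the three listed in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Names the thread says the validator accepted at the time (case-insensitive
# comparison is an assumption of this example).
ACCEPTED_EVENTLOGS = {"security", "application", "system"}

# Constructed sample, assembled from the snippets quoted in the thread.
SAMPLE_CONF = r"""
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>C:\WINDOWS\system32\config\NTDS.evt</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>NTDS</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

def looks_like_path(location):
    # A path separator or an .evt/.evtx suffix means a file, not a log name.
    return bool(re.search(r"[\\/]|\.evtx?$", location, re.IGNORECASE))

def check_eventlog_locations(conf_text):
    """Return (location, verdict) for every eventlog <localfile> entry."""
    # ossec.conf may hold several top-level blocks, so wrap it in one root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for lf in root.iter("localfile"):
        if (lf.findtext("log_format") or "").strip().lower() != "eventlog":
            continue
        loc = (lf.findtext("location") or "").strip()
        if loc.lower() in ACCEPTED_EVENTLOGS:
            verdict = "ok"
        elif looks_like_path(loc):
            verdict = "file path given; use the event log name"
        else:
            verdict = "name not in the hard-coded list"
        findings.append((loc, verdict))
    return findings

if __name__ == "__main__":
    for loc, verdict in check_eventlog_locations(SAMPLE_CONF):
        print(f"{loc}: {verdict}")
```

Running a check like this before pushing configuration to agents catches the case from the thread, where a rejected entry makes the agent exit and stops log collection on that host.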
