Hi.
I am trying to set a rule to check the application log in Windows.
If, for example, the server service is stopped, event ID 7036 is generated
in the application log.
I have this in the local_rules.xml:
<rule id="100500" level="9">
  <id>^7036</id>
  <description>Server service stopped</description>
</rule>
I also have the following in the ossec.conf file:
<email_alerts>
  <email_to>supp...@xxx</email_to>
  <rule_id>18110, 18111, 18112, 18116, 18127, 18142, 100500</rule_id>
  <do_not_delay />
  <do_not_group />
</email_alerts>
The existing rules in the 18000 (Windows security log) work fine... But the
10500 does not.
Thanks for your help.