Is anyone using ossec to monitor AppLocker logs on Windows 7? Is this
possible?
The name of the event file I'm trying to monitor is C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL
I have tried two different configurations for ossec.conf - one with
just the name of the eventlog file and one with the full path:
<localfile>
<location>Microsoft-Windows-AppLocker%4EXE and DLL</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL</location>
<log_format>eventlog</log_format>
</localfile>
Either way, I receive the following when I view the ossec logs:
2010/07/02 10:12:35 ossec-agent(1906): ERROR: Error parsing file: 'Microsoft-Windows-AppLocker%4EXE and DLL'.
2010/07/02 10:12:35 ossec-agent(1202): ERROR: Configuration error at
'ossec.conf'. Exiting.
2010/07/02 10:12:35 ossec-agent: Received exit signal.
2010/07/02 10:12:35 ossec-agent: Exiting...
2010/07/02 10:12:35 ossec-agent(1202): ERROR: Configuration error at
'ossec.conf'. Exiting.
2010/07/02 10:15:05 ossec-agent(1906): ERROR: Error parsing file: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL'.
2010/07/02 10:15:05 ossec-agent(1202): ERROR: Configuration error at
'ossec.conf'. Exiting.
2010/07/02 10:15:05 ossec-agent: Received exit signal.
2010/07/02 10:15:05 ossec-agent: Exiting...
Can ossec just not read the log format or do I have something
configured incorrectly?
Thanks
Heath
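Added example (not part of the post above and not OSSEC project code): the `%4` in the on-disk file name is how Windows encodes the `/` of the channel name `Microsoft-Windows-AppLocker/EXE and DLL`, and OSSEC's Windows event readers are addressed by log or channel name, not by file path. The script below derives the channel name from the `.evtx` path, renders a `<localfile>` block for it, and checks a `<localfile>` block for the two mismatches seen in the post (a file path or a `%4`-encoded name in `<location>`). It assumes an agent version that supports the `eventchannel` log format, which OSSEC documents for Vista-and-later channels in releases newer than this 2010 thread; the sample strings are constructed from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the file the post tries to monitor (with its .evtx suffix).
SAMPLE_EVTX = r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx"

# The two <localfile> blocks from the post, constructed here as one-line strings.
POSTED_BY_NAME = ("<localfile><location>Microsoft-Windows-AppLocker%4EXE and DLL</location>"
                  "<log_format>eventlog</log_format></localfile>")
POSTED_BY_PATH = ("<localfile><location>" + SAMPLE_EVTX[:-5] + "</location>"
                  "<log_format>eventlog</log_format></localfile>")


def channel_from_evtx(path):
    """Turn a winevt .evtx file name into the Event Log channel name.

    Windows stores a channel such as 'Microsoft-Windows-AppLocker/EXE and DLL'
    in a file whose name has the '/' replaced by '%4'. Reverse that mapping.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower().endswith(".evtx"):
        name = name[:-len(".evtx")]
    return name.replace("%4", "/")


def localfile_entry(channel, log_format="eventchannel"):
    """Render an OSSEC <localfile> block for a channel name.

    'eventchannel' is the log_format OSSEC documents for Vista-and-later
    channels (assumption: the agent in use is new enough to support it).
    """
    lf = ET.Element("localfile")
    ET.SubElement(lf, "location").text = channel
    ET.SubElement(lf, "log_format").text = log_format
    return ET.tostring(lf, encoding="unicode")


def check_localfile(xml_text):
    """Return a list of problems found in one <localfile> block.

    Only mismatches that are certain from the format's contract are reported:
    a Windows event-log format expects a log/channel name in <location>, so a
    file path or the on-disk '%4' spelling cannot be what the reader wants.
    """
    lf = ET.fromstring(xml_text)
    location = (lf.findtext("location") or "").strip()
    fmt = (lf.findtext("log_format") or "").strip()
    problems = []
    if fmt in ("eventlog", "eventchannel"):
        if "\\" in location:
            problems.append("location is a file path; eventlog/eventchannel take a log or channel name")
        if "%4" in location:
            problems.append("location uses the on-disk '%4' spelling; the channel name uses '/'")
    if fmt == "eventlog" and "/" in location:
        problems.append("'Provider/Channel' names are Vista+ channels; OSSEC documents eventchannel for them")
    return problems


def corrected_entry(evtx_path=SAMPLE_EVTX):
    """Build the <localfile> block for the channel behind an .evtx file."""
    return localfile_entry(channel_from_evtx(evtx_path))


if __name__ == "__main__":
    for label, block in (("by name", POSTED_BY_NAME), ("by path", POSTED_BY_PATH)):
        print(label, "->", check_localfile(block) or "no problems found")
    print(corrected_entry())
```

Running it prints the problems found in each posted block and then the rendered entry for the decoded channel name, which can be pasted into the agent's ossec.conf once the agent version supports `eventchannel`.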