Does anyone know if this will work/how to make it work?
On Jul 2, 10:33 am, Heath <[email protected]> wrote:
> Is anyone using ossec to monitor AppLocker logs on Windows 7? Is this
> possible?
>
> The name of the event file I'm trying to monitor is
> C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL
>
> I have tried two different configurations for ossec.conf - one with
> just the name of the eventlog file and one with the full path:
>
> <localfile>
>   <location>Microsoft-Windows-AppLocker%4EXE and DLL</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
>   <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> Either way, I receive the following when I view the ossec logs:
>
> 2010/07/02 10:12:35 ossec-agent(1906): ERROR: Error parsing file: 'Microsoft-Windows-AppLocker%4EXE and DLL'.
> 2010/07/02 10:12:35 ossec-agent(1202): ERROR: Configuration error at 'ossec.conf'. Exiting.
> 2010/07/02 10:12:35 ossec-agent: Received exit signal.
> 2010/07/02 10:12:35 ossec-agent: Exiting...
> 2010/07/02 10:12:35 ossec-agent(1202): ERROR: Configuration error at 'ossec.conf'. Exiting.
> 2010/07/02 10:15:05 ossec-agent(1906): ERROR: Error parsing file: 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL'.
> 2010/07/02 10:15:05 ossec-agent(1202): ERROR: Configuration error at 'ossec.conf'. Exiting.
> 2010/07/02 10:15:05 ossec-agent: Received exit signal.
> 2010/07/02 10:15:05 ossec-agent: Exiting...
>
> Can ossec just not read the log format or do I have something
> configured incorrectly?
>
> Thanks
> Heath
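An added configuration example, not part of the thread above: the "eventlog" reader only handles the classic Windows logs, while AppLocker writes to a Vista-and-later event channel, which OSSEC reads with the "eventchannel" log format and the channel name (the "%4" in the .evtx file name is how Windows encodes a "/"). It assumes an OSSEC agent version that supports eventchannel.

```xml
<!-- ossec.conf on the Windows 7 agent (added example, assumes an OSSEC
     agent version with eventchannel support). -->
<ossec_config>
  <!-- The form from the thread, which fails to parse: "eventlog" knows
       only Application/Security/System-style logs, and the "%4" in the
       file name is the on-disk encoding of "/" in the channel name. -->
  <!--
  <localfile>
    <location>Microsoft-Windows-AppLocker%4EXE and DLL</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- Working form: the channel name exactly as "wevtutil el" prints it,
       with a "/" and the spaces kept, read through the eventchannel API. -->
  <localfile>
    <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- AppLocker logs MSI and script rule decisions to a second channel;
       collect it too so blocked installers and scripts are not missed. -->
  <localfile>
    <location>Microsoft-Windows-AppLocker/MSI and Script</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

On the agent, `wevtutil el | findstr AppLocker` lists the exact channel names, and `wevtutil qe "Microsoft-Windows-AppLocker/EXE and DLL" /c:5 /f:text` confirms events are actually being written before blaming the collector. For EXE and DLL, AppLocker records event ID 8002 for an allowed file, 8003 for a file that would have been blocked in audit mode, and 8004 for a blocked file, which are the IDs to alert on.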
