We are looking to monitor additional event logs under the Applications and
Services Logs for Windows 2008 R2 servers. I've tried the following settings:
<localfile>
  <location>Applications and Services Logs\Mitoken</location>
  <log_format>eventlog</log_format>
</localfile>
<localfile>
  <location>Mitoken</location> (Actual file name)
  <log_format>eventlog</log_format>
</localfile>
<localfile>
  <location>Applications and Services Logs\Mi-token (Authentication)</location> (visual path and name displayed in the event viewer)
  <log_format>eventlog</log_format>
</localfile>
Then I unsuccessfully log in to my VPN solution. I see the events written to the
Mi-Token event logs, but nothing gets passed to the OSSEC server. I'm checking
via ossec/logs/alerts and the archive logs as well as the web GUI.
Am I setting this up incorrectly, or is it just not possible to do this?
Nathaniel Bentzinger
[email protected]
Systems Administrator 302-429-9120 x220
The Archer Group http://www.archer-group.com