You're right - this did in fact work for me: <id>^19$</id>
My head wasn't on tight when I was testing before. Thanks guys.

On Jan 6, 1:38 pm, BP9906 <[email protected]> wrote:
> Dan is right, I've found that <id>##</id> won't work as well as
> <id>^##</id> or <id>^##$</id>.
>
> (## = windows event id)
>
> On Jan 6, 6:15 am, "dan (ddp)" <[email protected]> wrote:
> > Try:
> > <id>^19$</id>
> >
> > On Fri, Jan 6, 2012 at 8:34 AM, banjer <[email protected]> wrote:
> > > Hi, I'm trying to log Windows update events, which in Windows is Event
> > > ID 19. I have had success with this rule:
> > >
> > > <rule id="100034" level="1">
> > >   <if_sid>18101</if_sid>
> > >   <status>^INFORMATION</status>
> > >   <id>19</id>
> > >   <description>Windows Update successfully installed.</description>
> > > </rule>
> > >
> > > OSSEC will now log typical update events such as this:
> > >
> > > WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 (KB2656362) {7ECDE510-CD10-478B-89EC-1D7B255C3419} 104
> > >
> > > However, it also logs informational events with 19 in the event ID,
> > > such as:
> > >
> > > WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: SEDNA.omni.imsweb.com: I/O was resumed on database castmain60-vt-report_test_updated. No user action is required.
> > >
> > > Is it possible to log an event id that is EXACTLY 19? Thanks!
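An added illustration, not from the thread or the OSSEC project, of why the anchors matter: the script below emulates how OSSEC matches the <status> and <id> fields (an unanchored pattern means "contains", while ^ and $ pin it to the start and end) using Python's re.search over constructed WinEvtLog lines in the format quoted above. The emulation is an assumption: OSSEC uses its own matcher rather than Python's re, but the anchor semantics coincide for plain digit patterns like these.

```python
import re

# Constructed sample lines in the WinEvtLog layout quoted in the thread
# (hostnames and messages are placeholders, not real events).
SAMPLE_LOGS = [
    "WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: "
    "SYSTEM: NT AUTHORITY: host.example.com: Security Update installed (KBxxxxxxx)",
    "WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: "
    "host.example.com: I/O was resumed on database x. No user action is required.",
    "WinEvtLog: System: INFORMATION(1900): SomeSource: SYSTEM: NT AUTHORITY: "
    "host.example.com: unrelated informational message",
    "WinEvtLog: System: WARNING(19): SomeSource: SYSTEM: NT AUTHORITY: "
    "host.example.com: same id, different status",
]

# Pulls the log name, status word and numeric event id out of the
# "WinEvtLog: <log>: <STATUS>(<id>): <source>:" prefix.
EVENT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+):"
)


def parse_winevt(line):
    """Return the decoded fields of one WinEvtLog line, or None if it does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def field_matches(pattern, value):
    """Emulate an OSSEC field match: unanchored patterns match anywhere in the
    value; a leading ^ or trailing $ anchors them (assumption, see lead-in)."""
    return re.search(pattern, value) is not None


def rule_matches(line, status_pat, id_pat):
    """True if the line would satisfy a rule carrying these <status> and <id> patterns."""
    ev = parse_winevt(line)
    return (ev is not None
            and field_matches(status_pat, ev["status"])
            and field_matches(id_pat, ev["id"]))


def matching_ids(id_pat, status_pat="^INFORMATION", lines=SAMPLE_LOGS):
    """Event ids of the sample lines that a rule with the given patterns would fire on."""
    return [parse_winevt(l)["id"] for l in lines if rule_matches(l, status_pat, id_pat)]


if __name__ == "__main__":
    for pat in ("19", "^19", "^19$"):
        print(f"<id>{pat}</id> fires on event ids: {matching_ids(pat)}")
```

Only <id>^19$</id> fires on event 19 alone; the unanchored form also matches 3198 and 1900, and the WARNING(19) line is kept out by the <status>^INFORMATION</status> condition in every case.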
