On Mon, Oct 22, 2012 at 12:17 PM, James Whittington <[email protected]> wrote:
> What is the best way to test rules on Windows Event Logs?
> With syslog or weblog related stuff I know I can take a line from the log
> and feed it to ossec-logtest.
> However with Windows Event Logs what format is ossec expecting?
> Can I just cut and paste the event as seen when double clicking on the event
> in Windows?
>
> Thanks,
>
> James Whittington
>
I turn on the log all option on the OSSEC server, take the entry from archives.log and remove OSSEC's header.
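An added example of the procedure above (my own script, not OSSEC project code and not something posted in the thread): it strips the archives.log header so the remaining text can be piped straight into ossec-logtest. It assumes the usual logall line layout, "YYYY Mon DD HH:MM:SS hostname->location message" for the server's own logs and "YYYY Mon DD HH:MM:SS (agent) ip->location message" for agent logs, where everything through the space after the "->location" token is the header. The sample archives.log content, the agent name win01, its IP and the event text are all constructed for the example.

```shell
#!/bin/sh
# Added example: turn archives.log lines (logall output) back into the raw
# event text that ossec-logtest reads on stdin. Not OSSEC project code.
#
# Assumed archives.log header layout:
#   "YYYY Mon DD HH:MM:SS hostname->location <raw message>"            (server)
#   "YYYY Mon DD HH:MM:SS (agent) a.b.c.d->location <raw message>"      (agent)
# The header ends at the first space after the "->location" token; the rest
# is what the agent shipped and what the decoders actually see.

strip_ossec_header() {
    # Date, optional "(agent) ip" or hostname, "->location ", then the message.
    sed -E 's/^[0-9]{4} [A-Z][a-z]{2} [0-9]{1,2} [0-9:]{8} [^>]*->[^ ]+ //'
}

# Select the archives.log lines carrying a given Windows Event ID (the ID
# appears as "AUDIT_SUCCESS(4624)" style text in WinEvtLog lines) and emit
# them header-stripped, one per line.
#   $1: path to archives.log   $2: Event ID, e.g. 4625
events_for_id() {
    grep -F "($2)" "$1" | strip_ossec_header
}

# Constructed sample archives.log (not a real capture): two WinEvtLog lines
# from a hypothetical agent "win01" and one local syslog line from the server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2012 Oct 22 12:17:00 (win01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Security ID: S-1-5-18 Logon Type: 3
2012 Oct 22 12:17:05 (win01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on. Logon Type: 10
2012 Oct 22 12:17:09 ossec-server->/var/log/auth.log Oct 22 12:17:09 ossec-server sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 51234 ssh2
EOF

# Show what ossec-logtest would receive for the failed-logon event. On a
# real server replace the plain echo with:
#   events_for_id /var/ossec/logs/archives/archives.log 4625 | /var/ossec/bin/ossec-logtest
events_for_id "$SAMPLE_LOG" 4625
```

Note that the stripped Windows line still begins with "WinEvtLog: Security: ..."; that prefix belongs to the event as the agent formats it, not to the header, and the windows decoder keys on it, so leave it in place when you feed the line to ossec-logtest.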
