James,

If you have the logall option set, then you should see all Windows events (with event IDs) in the archive.log files.
I use these as a resource to pass to ossec-logtest. The first portion is the OSSEC-appended value info, so you need to strip that. The Windows events begin with "WinEvtLog:" followed by the log source (i.e. "Application:", "Security:", etc.).

Hope this helps.

Scott.

> What is the best way to test rules on Windows Event Logs?
> With syslog or weblog related stuff I know I can take a line from the log
> and feed it to ossec-logtest.
> However with Windows Event Logs what format is OSSEC expecting?
> Can I just cut and paste the event as seen when double clicking on the event
> in Windows?
>
> Thanks,
>
> James Whittington
>
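As an added example (not from the original thread or from the OSSEC project), a small Python helper that does the stripping described above on archive.log lines and keeps only the Windows events, optionally filtered by log source or event ID, so the output can be piped into ossec-logtest. The archive.log prefix layout, the "Source: LEVEL(EventID):" shape of the event body, and the sample lines are all assumptions constructed for the example.

```python
import re

# Constructed sample archive.log lines (not from the original post).
# Assumed layout: "<timestamp> (<agent>) <ip>-><location> <raw log>";
# the Windows event itself starts at "WinEvtLog:".
SAMPLE_ARCHIVE = """\
2024 Mar 01 10:15:02 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: DC01: An account was successfully logged on.
2024 Mar 01 10:15:03 (web01) 10.0.0.7->/var/log/auth.log Mar  1 10:15:03 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2
2024 Mar 01 10:15:04 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01: An account failed to log on.
2024 Mar 01 10:15:05 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1000): Application Error: (no user): no domain: DC01: Faulting application name: notepad.exe
"""

# Assumed shape of the event body: "WinEvtLog: <Source>: <LEVEL>(<EventID>): <rest>"
WINEVT_RE = re.compile(r"WinEvtLog: (?P<source>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): ")


def strip_ossec_prefix(line: str):
    """Return the raw event from 'WinEvtLog:' onward, or None for non-Windows lines."""
    idx = line.find("WinEvtLog: ")
    return line[idx:].rstrip("\n") if idx != -1 else None


def parse_winevt(event: str):
    """Pull log source, level and event ID out of a stripped event line."""
    m = WINEVT_RE.match(event)
    if not m:
        return None
    return {"source": m["source"], "level": m["level"], "event_id": int(m["event_id"])}


def extract_events(archive_text: str, source=None, event_id=None):
    """Lines ready for ossec-logtest, optionally filtered by source and/or event ID."""
    out = []
    for line in archive_text.splitlines():
        event = strip_ossec_prefix(line)
        meta = parse_winevt(event) if event is not None else None
        if meta is None:
            continue  # syslog-style or unparseable line, skip it
        if source is not None and meta["source"] != source:
            continue
        if event_id is not None and meta["event_id"] != event_id:
            continue
        out.append(event)
    return out


if __name__ == "__main__":
    # e.g. python3 extract_winevt.py | /var/ossec/bin/ossec-logtest
    for ev in extract_events(SAMPLE_ARCHIVE, source="Security"):
        print(ev)
```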
