Thanks to everyone for the advice on testing eventlog rules.
Unfortunately my OSSEC server is in the EC2 Amazon Cloud right now and they are
having major issues in the Northeast US datacenter :<(..
Thank goodness my production stuff is elsewhere :<)..

James Whittington

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Scott Klauminzer
Sent: Monday, October 22, 2012 12:29 PM
To: [email protected]
Subject: Re: [ossec-list] What is the best way to test rules on Windows
Event Logs?

James,

If you have the logall option set, then you should see all Windows events
(with event IDs) in the archive.log files.

I use these as a resource to pass to ossec-logtest. The first portion is the
OSSEC-appended value info, so you need to strip that.

The Windows events begin with "WinEvtLog:" followed by the log source. (i.e.
"Application:", "Security:" etc.)

Hope this helps.

Scott.
> What is the best way to test rules on Windows Event Logs?
> With syslog or weblog related stuff I know I can take a line from the 
> log and feed it to ossec-logtest.
> However with Windows Event Logs what format is ossec expecting?
> Can I just cut and paste the event as seen when double clicking on the 
> event in windows?
> 
> Thanks,
> 
> James Whittington
> 

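The workflow Scott describes (logall writes the Windows events to archive.log, strip the header OSSEC prepends, feed the bare lines to ossec-logtest), as an added shell example that is not part of this thread. The archive.log line layout, the sample records, the agent name and IP, and the /var/ossec/bin install path are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): pull Windows event records out of
# an OSSEC archive.log, strip the header OSSEC adds when archiving, and hand
# the bare "WinEvtLog: ..." lines to ossec-logtest.
#
# Assumed archive.log layout (one record per line):
#   YYYY Mon DD HH:MM:SS (agent) ip->WinEvtLog WinEvtLog: Source: Type(ID): ...
# Everything up to and including "->WinEvtLog " is the OSSEC-added header;
# records from other collectors (syscheck, rootcheck, syslog) are skipped.

# Print only the Windows event lines, with the OSSEC header removed.
extract_winevt() {
    # $1 = path to archive.log
    sed -n 's/^.*->WinEvtLog \(WinEvtLog: .*\)$/\1/p' "$1"
}

# Count how many records a file would hand to ossec-logtest.
count_winevt() {
    extract_winevt "$1" | wc -l | tr -d ' '
}

# Constructed sample archive.log (fictitious agent, IP and event text).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2012 Oct 22 12:29:01 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-HOST: An account was successfully logged on.
2012 Oct 22 12:29:02 (win-host) 10.0.0.5->syscheck Integrity checksum changed for: 'C:\Windows\System32\drivers\etc\hosts'
2012 Oct 22 12:29:03 (win-host) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1001): Windows Error Reporting: (no user): no domain: WIN-HOST: Fault bucket, type 0.
EOF

# Usage: pipe the cleaned lines into ossec-logtest when it is installed
# (assumed default install path); otherwise just show what would be sent.
LOGTEST=/var/ossec/bin/ossec-logtest
if [ -x "$LOGTEST" ]; then
    extract_winevt "$SAMPLE" | "$LOGTEST"
else
    extract_winevt "$SAMPLE"
fi
```

Run it against a real archive.log once you have logall enabled; only the "WinEvtLog:" lines reach ossec-logtest, so a rule that fails to fire here is being matched against exactly what the server saw.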