This appears to be a bit of a FAQ but I can't find anywhere that it's been 
answered.

I want to monitor additional Windows events logs, specifically the Windows 
print operational log.

I've added a new localfile directive:

<localfile>
    <location>Microsoft-Windows-PrintService Operational</location>
    <log_format>eventlog</log_format>
</localfile>

But I don't seem to be getting anything in the archive log (logall being 
enabled).

I've tried a number of things in the <location> tag (restarting the agent 
after each change), including (with results):

*Microsoft-Windows-PrintSrvice Operational:*
The ossec agent log entry for this was "2012/11/22 13:09:17 
ossec-agent(1907): INFO: Non-standard event log set: 
'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintSrvice 
Operational'." but was followed with a later "2012/11/22 13:09:20 
ossec-agent(1951): INFO: Analyzing event log: 
'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintSrvice 
Operational'."

*Microsoft-Windows-PrintService%4Operational*
This gave the agent log entry: "2012/11/22 13:23:58 ossec-agent(1906): 
ERROR: Error parsing file: 'Microsoft-Windows-PrintService%4Operational'."

*%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational*
This gave the agent log entry: "2012/11/22 13:08:13 ossec-agent(1906): 
ERROR: Error parsing file: 
'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational'."

*%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService 
Operational*
This gave the agent log entry: "2012/11/22 13:17:59 ossec-agent(1907): 
INFO: Non-standard event log set: 
'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService 
Operational'." "2012/11/22 13:18:02 ossec-agent(1951): INFO: Analyzing 
event log: 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService 
Operational'."

In all cases no archive log entries were seen that matched up with entries 
in the corresponding Windows log (as seen in Event Viewer).  I seem to be 
lacking the appropriate incantations to get this working.  Has anyone had 
any joy with this sort of thing?

Regards,

Nick
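An added example, not from the original post, of how the same channel is addressed in ossec.conf once the agent supports the eventchannel log format (OSSEC 2.7 and later; this is an assumption about the agent version in use, the post does not say which version it runs). Vista/2008-era "Applications and Services" channels are identified by their channel name (Provider/Channel), not by the .evtx file name with its %4 separator and not with a space, which is why the eventlog-format attempts above either fail to parse or silently read an empty file:

```xml
<!-- Added example, not from the original post. Assumes an OSSEC Windows agent
     of version 2.7 or later, which understands log_format eventchannel. -->
<ossec_config>
  <!-- Classic event logs keep the eventlog format and their short names. -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Modern event channels use the channel name as shown by
       "wevtutil el" (Provider/Channel, forward slash) and the
       eventchannel format. -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

Two checks before blaming the agent: the PrintService Operational channel is disabled by default on Windows, so enable it (Event Viewer, or `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true`) and confirm the exact channel name with `wevtutil el | findstr PrintService`; then restart the agent and print a test page. With logall enabled the events should then show up in archives.log on the manager.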
