On Mon, Jun 10, 2013 at 10:29 AM, Mr Jibbles <gog...@gmail.com> wrote:
> Hi,
> I am trying to configure OSSEC to log the Windows EventID 10 (type
> INFORMATION), which shows which user printed what.
> I believe that all the information in the Windows System logs is being sent
> to the OSSEC manager but I need to create a rule to filter and report?
> Below is a rule file I have created to look for this information:
>
> <var name="MS_FREQ">6</var>
> <group name="windows,print,">
>   <rule id="70000" level="0">
>     <description>Windows Print Jobs grouped</description>
>   </rule>

This rule doesn't do anything. It doesn't look for anything, so it never
matches.

>   <rule id="70001" level="3">
>     <if_sid>70000</if_sid>
>     <id>^10$</id>
>     <description>Windows Print Job submitted.</description>
>   </rule>

Since 70000 never matches, this won't either.

Turn on the log all option on the server, restart the processes. Then create
some test prints to give yourself sample logs in
/var/ossec/logs/archives/archives.log. If you give us one of those samples we
can better help.

> </group>
> <!-- EOF -->
> I think that I should have more configured; tailing the audit.log file shows
> no output while doing test prints.
> Is it because the Windows Event Logs are logging the print jobs as
> INFORMATION?
>
> Thanks in advance for reading and hopefully replying!
>
> Giles
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
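As an added illustration of the two points in the reply (not text from either poster, and not OSSEC's shipped rules): the "log all" switch on the manager, and Giles' rule pair rewritten so that the parent rule actually has a matching condition for the child to chain from. The rule IDs 70000/70001 are kept from the post; the ossec.conf fragment shows only the <global> block, and the real file carries many more elements. That the Windows event-log decoder tags events with category "windows" and exposes the event number as the rule <id> field is OSSEC behaviour I am relying on; the rule level and description wording are my choices.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf on the manager.
     logall=yes writes every received event, matched by a rule or not,
     to /var/ossec/logs/archives/archives.log, which is where the
     WinEvtLog sample lines for Event ID 10 will show up.
     Restart afterwards: /var/ossec/bin/ossec-control restart -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- Fragment of /var/ossec/etc/rules/local_rules.xml.
     The original 70000 had no condition at all, so it never fired and
     70001 (which depends on it via if_sid) could never fire either.
     Giving the parent <category>windows</category> makes it match every
     event the Windows event-log decoder handles; the child then narrows
     that to event number 10. -->
<group name="windows,print,">
  <rule id="70000" level="0">
    <category>windows</category>
    <description>Windows Print Jobs grouped</description>
  </rule>

  <rule id="70001" level="3">
    <if_sid>70000</if_sid>
    <id>^10$</id>
    <description>Windows Print Job submitted (Event ID 10).</description>
  </rule>
</group>
```

Once logall is on and a test page has been printed, a grep of archives.log for "(10)" should show the raw WinEvtLog line; if it does not appear there, the problem is upstream of the rules (agent eventlog configuration or transport) rather than in the rule file, and no rule change will help.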