I never did see an answer to Michael's question where he was trying to
monitor a Windows PrintService eventlog.
I have a similar issue where I am looking for any failed Windows Scheduled
Task jobs which should reside here:
"C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"
I tried adding a localfile reference and assumed the log_format was
eventlog.
<localfile>
<location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
<log_format>eventlog</log_format>
</localfile>
However OSSEC exits during startup with the following errors:
2014/02/06 11:23:53 ossec-agent(1906): ERROR: Error parsing file:
'c:\windows\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx'.
2014/02/06 11:23:53 ossec-agent(1202): ERROR: Configuration error at
'ossec.conf'. Exiting.
2014/02/06 11:23:53 ossec-agent: Received exit signal.
Can the OSSEC Windows Agent handle eventlogs listed under Applications and
Service Logs Area of the Windows Event Viewer?
If so, would the log_format be eventlog?
Thanks,
James Whittington
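As an added example (not posted by either James or Michael), here is the form that fails beside the form the OSSEC documentation gives for channels under "Applications and Services Logs". The eventlog log_format takes a classic log name (Application, Security, System) and opens it through the old event log API, so an .evtx path cannot be parsed and the agent exits as shown above. Channels on Vista and later are read with the eventchannel log_format, where the location is the channel name exactly as Event Viewer displays it (with a slash, not the %4 used in the file name). This assumes an OSSEC 2.7 or later Windows agent built with eventchannel support.

```xml
<!-- Added example, not from the thread. Assumes an OSSEC 2.7+ Windows agent with eventchannel support. -->
<ossec_config>
  <!-- Classic logs: eventlog takes the log name, never a file path -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Fails: eventlog cannot open an .evtx path, so the agent logs "Error parsing file" and exits.
       Kept commented out here only to show the broken form. -->
  <!--
  <localfile>
    <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- Applications and Services Logs: eventchannel with the channel name, as shown in Event Viewer -->
  <localfile>
    <location>Microsoft-Windows-TaskScheduler/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Same form for the PrintService channel from Michael's question -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

One caveat worth checking before blaming the agent: several Operational channels, including Microsoft-Windows-PrintService/Operational, are disabled by default, so a correct localfile entry still yields nothing until the channel is enabled (Event Viewer, right-click the log, "Enable Log", or `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true`). `wevtutil el` lists the exact channel names to use in the location element.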
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Milton
Sent: Tuesday, January 07, 2014 4:40 PM
To: [email protected]
Subject: [ossec-list] Unable to Audit Print Jobs with Windows Agent
Hi all,
I've scoured the internet and Google for a solution to this issue, but it
seems very few others have run into it. The issue is that I cannot for some
reason log any PrintService events by the Event Logger in Windows 7.
I'm running the OSSEC server on Ubuntu, OSSEC HIDS v2.7.1, and connecting to
the server with a Windows agent. I have enabled logall on my ossec.conf on
the server side, and all of the Application, Security, and System Windows
events are pouring through. I have attempted to add in
Microsoft-Windows-PrintService/Operational to the event log system, but
unfortunately either the OSSEC agent will not start properly (if using
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational),
or it will access nothing at all (if using
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational
or
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService/Operational).
Has anyone been able to overcome this issue? Is there a different or easier
way to have Windows audit printing? I would need to see specific information
about the file printed, as in who printed it and what file was printed and
to what printer, not just that there was a file somewhere that possibly
printed.
Thank you in advance,
Michael
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.