On Thu, Feb 6, 2014 at 12:16 PM, James Whittington <[email protected]> wrote:
> I never did see an answer to Michael's question where he was trying to
> monitor a Windows PrintService eventlog.
>
> I have a similar issue where I am looking for any failed Windows Scheduled
> Task jobs, which should reside here:
>
> "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"
>
> I tried adding a localfile reference and assumed the log_format was
> eventlog..
>
> <localfile>
>   <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> However, OSSEC exits during startup with the following errors:
>
> 2014/02/06 11:23:53 ossec-agent(1906): ERROR: Error parsing file:
> 'c:\windows\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx'.
> 2014/02/06 11:23:53 ossec-agent(1202): ERROR: Configuration error at
> 'ossec.conf'. Exiting.
> 2014/02/06 11:23:53 ossec-agent: Received exit signal.
>
> Can the OSSEC Windows Agent handle eventlogs listed under the Applications and
> Services Logs area of the Windows Event Viewer?
>
> If so, would the log_format be eventlog?
>
Are these eventlog, or are they event channel? If they're actually this event channel thing, I think support for it has been added to the current code base.

> Thanks,
>
> James Whittington
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Milton
> Sent: Tuesday, January 07, 2014 4:40 PM
> To: [email protected]
> Subject: [ossec-list] Unable to Audit Print Jobs with Windows Agent
>
> Hi all,
>
> I've scoured the internet and Google for a solution to this issue, but it
> seems very few others have run into it. The issue is that I cannot for some
> reason log any PrintService events by the Event Logger in Windows 7.
>
> I'm running the OSSEC server on Ubuntu, OSSEC HIDS v2.7.1, and connecting to
> the server with a Windows agent. I have enabled logall in my ossec.conf on
> the server side, and all of the Application, Security, and System Windows
> events are pouring through. I have attempted to add
> Microsoft-Windows-PrintService/Operational to the event log system, but
> unfortunately either the OSSEC agent will not start properly (if using
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational),
> or it will access nothing at all (if using
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational
> or
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService/Operational).
>
> Has anyone been able to overcome this issue? Is there a different or easier
> way to have Windows audit printing? I would need to see specific information
> about the file printed, as in who printed it and what file was printed and
> to what printer, not just that there was a file somewhere that possibly
> printed.
>
> Thank you in advance,
>
> Michael
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
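The "event channel" the reply refers to is OSSEC's eventchannel log format for the Windows Event Log channels under Applications and Services Logs; it shipped in OSSEC 2.8, after this thread. The ossec.conf fragment below is an added example, not config posted by anyone in the thread and not taken from the OSSEC documentation. It assumes a Windows agent built with eventchannel support. It shows the entry James tried next to the form that works, and the same form for Michael's print-auditing case; the channel names are the ones the two posts name.

```xml
<!-- Added example (not from the thread): ossec.conf <localfile> entries for
     Windows Event Log channels. Assumes an OSSEC Windows agent with
     eventchannel support (OSSEC 2.8 or later, or the development code base
     the reply mentions). -->

<!-- What James tried. The eventlog reader takes the name of a classic log
     (Application, Security, System), not a path to an .evtx file, so the
     agent rejects this entry when it parses ossec.conf and exits. -->
<localfile>
  <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
  <log_format>eventlog</log_format>
</localfile>

<!-- Working form: the channel name exactly as Event Viewer shows it under
     Applications and Services Logs. The "%4" in the on-disk file name is
     just the URL-encoded "/" of the channel name. -->
<localfile>
  <location>Microsoft-Windows-TaskScheduler/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- Same form for Michael's question about auditing print jobs. -->
<localfile>
  <location>Microsoft-Windows-PrintService/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- The classic logs keep using eventlog with the plain log name. -->
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>
```

Two checks before expecting anything on the server: confirm the channel name and that the channel is enabled with `Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational'` in PowerShell (the IsEnabled column), and enable it if needed with `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true`. PrintService/Operational is disabled by default, which matches Michael's "access nothing at all" symptom: with the channel off, Windows writes no events for the agent to read, whatever the localfile entry says.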
