"Are these eventlog, or are they event channel? If they're actually this event channel thing, I think support for it has been added to the current code base."
I really didn't know what an event channel was; however, if I navigate to an event in my target log (using Event Viewer) I do see a reference to Channel Microsoft-Windows-TaskScheduler/Operational. So maybe I am asking: can OSSEC read event channels in Windows, and if so, what would the syntax for that look like?

James Whittington

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, February 06, 2014 12:33 PM
To: [email protected]
Subject: Re: [ossec-list] Unable to Audit Print Jobs with Windows Agent

On Thu, Feb 6, 2014 at 12:16 PM, James Whittington <[email protected]> wrote:
> I never did see an answer to Michael's question where he was trying to
> monitor a Windows PrintService eventlog.
>
> I have a similar issue where I am looking for any failed Windows
> Scheduled Task jobs which should reside here:
>
> "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"
>
> I tried adding a localfile reference and assumed the log_format was
> eventlog..
>
> <localfile>
>   <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> However OSSEC exits during startup with the following errors:
>
> 2014/02/06 11:23:53 ossec-agent(1906): ERROR: Error parsing file: 'c:\windows\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx'.
> 2014/02/06 11:23:53 ossec-agent(1202): ERROR: Configuration error at 'ossec.conf'. Exiting.
> 2014/02/06 11:23:53 ossec-agent: Received exit signal.
>
> Can the OSSEC Windows Agent handle eventlogs listed under the Applications
> and Services Logs area of the Windows Event Viewer?
>
> If so, would the log_format be eventlog?
>

Are these eventlog, or are they event channel? If they're actually this event channel thing, I think support for it has been added to the current code base.
>
> Thanks,
>
> James Whittington
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Michael Milton
> Sent: Tuesday, January 07, 2014 4:40 PM
> To: [email protected]
> Subject: [ossec-list] Unable to Audit Print Jobs with Windows Agent
>
> Hi all,
>
> I've scoured the internet and Google for a solution to this issue, but
> it seems very few others have run into it. The issue is that I cannot
> for some reason log any PrintService events by the Event Logger in Windows 7.
>
> I'm running the OSSEC server on Ubuntu, OSSEC HIDS v2.7.1, and
> connecting to the server with a Windows agent. I have enabled logall
> on my ossec.conf on the server side, and all of the Application,
> Security, and System Windows events are pouring through. I have
> attempted to add in Microsoft-Windows-PrintService/Operational to the
> event log system, but unfortunately either the OSSEC agent will not
> start properly (if using
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational),
> or it will access nothing at all (if using
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational or
> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService/Operational).
>
> Has anyone been able to overcome this issue? Is there a different or
> easier way to have Windows audit printing? I would need to see
> specific information about the file printed, as in who printed it and
> what file was printed and to what printer, not just that there was a
> file somewhere that possibly printed.
>
> Thank you in advance,
>
> Michael
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
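An added example, not part of the thread and not OSSEC project code, showing the configuration the question above is asking for. The logs under "Applications and Services Logs" are event channels, not classic event logs: the on-disk file name encodes the "/" in the channel name as "%4" (Microsoft-Windows-TaskScheduler%4Operational.evtx), but the OSSEC agent wants the channel name, not the .evtx path, and the log_format is "eventchannel" (supported by the Windows agent from OSSEC 2.8; a 2.7.1 agent rejects it with the same kind of configuration error shown above). The script checks, with Get-WinEvent -ListLog, that the channel exists and is enabled on the host, and then prints the <localfile> block to paste into the agent's ossec.conf. The two channel names are the ones from the thread; the function name is my own.

```powershell
# Added example (not from the thread or the OSSEC project): verify that a
# Windows event channel exists and is enabled, then print the OSSEC agent
# <localfile> block that subscribes to it with the eventchannel log_format.
param(
    # Channel names exactly as Event Viewer shows them in the "Channel" field.
    # The .evtx file name (…%4Operational.evtx) is NOT what OSSEC expects.
    [string[]]$Channels = @(
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-PrintService/Operational'
    )
)

function Get-OssecEventChannelConfig {
    param([string]$Channel)

    # -ListLog returns the channel's configuration without reading any events;
    # a channel that does not exist on this host throws, which we report.
    try {
        $log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
    } catch {
        Write-Warning "Channel '$Channel' not found on this host: $($_.Exception.Message)"
        return $null
    }

    # Some "Applications and Services" channels ship disabled. OSSEC subscribes
    # to a disabled channel without complaint and simply never receives anything.
    if (-not $log.IsEnabled) {
        Write-Warning ("Channel '{0}' exists but is disabled. Enable it with:`n  wevtutil sl `"{0}`" /e:true" -f $Channel)
    }

    # RecordCount tells you whether anything is actually being written there.
    Write-Host ("{0}: enabled={1}, records={2}, file={3}" -f `
        $Channel, $log.IsEnabled, $log.RecordCount, $log.LogFilePath)

    # The block for ossec.conf on the agent (or agent.conf pushed from the server).
    @"
<localfile>
  <location>$Channel</location>
  <log_format>eventchannel</log_format>
</localfile>
"@
}

$Channels | ForEach-Object { Get-OssecEventChannelConfig -Channel $_ }
```

Restart the agent after adding the block and confirm it starts cleanly (the parse error at startup in the thread is exactly what an unsupported location or log_format produces). In the Task Scheduler channel the failed-launch cases the original poster wants are event IDs 101 (task start failed), 103 (action start failed) and 203 (action failed to start); 201 is the normal "action completed" record, so alert on the former rather than on every event in the channel.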
