On Thu, Feb 6, 2014 at 2:09 PM, James Whittington <[email protected]> wrote:
> "Are these eventlog, or are they event channel? If they're actually this
> event channel thing, I think support for it has been added to the current
> code base."
>
> I really didn't know what an event channel was; however, if I navigate to an
> event in my target log (using Event Viewer) I do see a reference to Channel
> Microsoft-Windows-TaskScheduler/Operational.
>
> So maybe I am asking if OSSEC can read Event Channels in Windows and, if so,
> what would the syntax of that look like?
>
Use the log_format eventchannel:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.localfile.html#element-log_format

Remember, you'll have to use the latest code for this to work.

> James Whittington
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Thursday, February 06, 2014 12:33 PM
> To: [email protected]
> Subject: Re: [ossec-list] Unable to Audit Print Jobs with Windows Agent
>
> On Thu, Feb 6, 2014 at 12:16 PM, James Whittington
> <[email protected]> wrote:
>> I never did see an answer to Michael's question where he was trying to
>> monitor a Windows PrintService eventlog.
>>
>> I have a similar issue where I am looking for any failed Windows
>> Scheduled Task jobs, which should reside here:
>>
>> "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"
>>
>> I tried adding a localfile reference and assumed the log_format was
>> eventlog.
>>
>> <localfile>
>>   <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
>>   <log_format>eventlog</log_format>
>> </localfile>
>>
>> However, OSSEC exits during startup with the following errors:
>>
>> 2014/02/06 11:23:53 ossec-agent(1906): ERROR: Error parsing file:
>> 'c:\windows\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx'.
>> 2014/02/06 11:23:53 ossec-agent(1202): ERROR: Configuration error at
>> 'ossec.conf'. Exiting.
>> 2014/02/06 11:23:53 ossec-agent: Received exit signal.
>>
>> Can the OSSEC Windows Agent handle eventlogs listed under the Applications
>> and Services Logs area of the Windows Event Viewer?
>>
>> If so, would the log_format be eventlog?
>>
>
> Are these eventlog, or are they event channel? If they're actually this
> event channel thing, I think support for it has been added to the current
> code base.
>
>> Thanks,
>>
>> James Whittington
>>
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Michael Milton
>> Sent: Tuesday, January 07, 2014 4:40 PM
>> To: [email protected]
>> Subject: [ossec-list] Unable to Audit Print Jobs with Windows Agent
>>
>> Hi all,
>>
>> I've scoured the internet and Google for a solution to this issue, but
>> it seems very few others have run into it. The issue is that I cannot
>> for some reason log any PrintService events by the Event Logger in Windows 7.
>>
>> I'm running the OSSEC server on Ubuntu, OSSEC HIDS v2.7.1, and
>> connecting to the server with a Windows agent. I have enabled logall
>> in my ossec.conf on the server side, and all of the Application,
>> Security, and System Windows events are pouring through. I have
>> attempted to add Microsoft-Windows-PrintService/Operational to the
>> event log system, but unfortunately either the OSSEC agent will not
>> start properly (if using
>> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational),
>> or it will access nothing at all (if using
>> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational or
>> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService/Operational).
>>
>> Has anyone been able to overcome this issue? Is there a different or
>> easier way to have Windows audit printing? I would need to see
>> specific information about the file printed, as in who printed it,
>> what file was printed and to what printer, not just that there was a
>> file somewhere that possibly printed.
>>
>> Thank you in advance,
>>
>> Michael
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
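To make the syntax question concrete, here is an added example (not from any message in this thread) of agent-side ossec.conf localfile entries for the two channels discussed, showing the failing eventlog form from James's message beside the eventchannel form dan points to. It assumes an OSSEC build that includes eventchannel support, as dan notes.

```xml
<!-- Added example, not from the ossec-list thread. Agent-side ossec.conf
     entries for the two Applications and Services Logs channels discussed.
     Assumes a build with eventchannel support ("the latest code" in 2014). -->
<ossec_config>

  <!-- FAILS: log_format eventlog reads the classic logs (Application, Security,
       System) by name. Pointing it at the .evtx file on disk is what produced
       James's "Error parsing file" and the startup exit. Kept here commented
       out as the counter-example. -->
  <!--
  <localfile>
    <location>C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- WORKS: name the channel exactly as Event Viewer shows it (the Channel
       field on an event, or Full Name in the log's Properties), use a plain
       slash rather than the %4 on-disk encoding, no path, no .evtx. -->
  <localfile>
    <location>Microsoft-Windows-TaskScheduler/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Michael's PrintService case uses the same form. Note that the
       PrintService/Operational channel is disabled by default on Windows;
       it has to be enabled in Event Viewer (Properties > Enable logging)
       or the agent will attach to it and receive nothing. -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

</ossec_config>
```

After editing, restart the agent and check ossec.log for the localfile lines it reports analyzing; a channel name typo shows up there rather than as a silent gap in the events reaching the server.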
