So I've actually figured out a few things myself just continuing to hack away at it. Posting in case anybody else runs into this problem.
First, you have to copy the files (as Administrator normally) to C:\Windows\System32\winevt\Logs\. They should automatically inherit the permissions for that dir, but worst case you may have to set them to Full Control by Local Service.

Second, using PowerShell as Administrator, create a new event log with the same name as that filename (minus the .evtx). If you review the file with Event Viewer first you can probably see what source to assign. Ex: New-EventLog -LogName CustomApp -Source "Enterprise Library Logging Service". You should now see the file show up as an Application channel in Event Viewer.

Third, you create a localfile setting for the OSSEC agent to read from that event channel. Restart the agent and watch the logs to be sure that it subscribes to that channel.

Finally, the agent may not read the existing logs in the file and may start at the end. If that happens, stop the agent, find the bookmark file for it (normally in C:\Program Files (x86)\ossec-agent\bookmarks), and edit it with something Unicode safe. Change the RecordId back to 0. Save and restart.

The problem I'm seeing now is that the events are coming through to my OSSEC server (in logall mode) with many of the fields blank or showing the literal "none". I'm not sure why, but I suspect that it has to do with Windows reading from events that were not generated locally on that system. I'm not a Windows Event Log expert, though, so if anybody has any information I'd appreciate it.

On Sunday, January 25, 2015 at 5:18:56 PM UTC-5, [email protected] wrote:
>
> I was given several Windows Event Log (.evtx) files exported by a client
> of mine, and I need to find a way to get OSSEC to read them. I do not have
> access into their environment and they do not have these systems running
> OSSEC agents yet, so I cannot request an archive (logall) dump of the data.
> Is there any way to get an OSSEC agent to read the files? I'm guessing
> that there may be some way to insert them into the eventchannel
> configuration of a different Windows system and read them from there, but
> my testing so far hasn't succeeded. Does anybody have any methods for
> getting the WinEvtLog messages normally logged by an OSSEC agent out of an
> .evtx export file? Thanks!
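The four steps in the reply above, gathered into one elevated PowerShell script, as an added worked example that is not from the original poster or the OSSEC project. It assumes the client's exports sit in C:\Temp\export, the agent lives at the C:\Program Files (x86)\ossec-agent path the post names, the agent's Windows service is called OssecSvc, and each bookmark is a UTF-16 XML file under bookmarks\ named after its channel and carrying a RecordId attribute (the post only says to edit it with something Unicode safe and set RecordId to 0). All of those are assumptions to verify on your own agent before running it.

```powershell
# Added example (not the original poster's script): registers exported .evtx files as
# local channels, prints the OSSEC localfile stanzas, and rewinds the agent bookmarks.
# Run from an elevated PowerShell prompt. Paths, service name and bookmark layout below
# are assumptions; check them on your own system.

$ExportDir = 'C:\Temp\export'                         # assumption: where the client's .evtx exports were dropped
$LogDir    = 'C:\Windows\System32\winevt\Logs'
$OssecDir  = 'C:\Program Files (x86)\ossec-agent'     # default agent path named in the post
$Service   = 'OssecSvc'                               # assumption: OSSEC agent service name
$Source    = 'Enterprise Library Logging Service'     # source seen in Event Viewer; adjust per file

$channels = @()
foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.evtx') {
    $logName = $file.BaseName
    $dest    = Join-Path $LogDir $file.Name

    # 1. Copy the export into the live log directory and grant LOCAL SERVICE full control,
    #    in case the inherited permissions are not enough for the Event Log service.
    Copy-Item -Path $file.FullName -Destination $dest -Force
    $acl  = Get-Acl -Path $dest
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'NT AUTHORITY\LOCAL SERVICE', 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $dest -AclObject $acl

    # 2. Register a log with the same name as the file so it shows up as a channel.
    if (-not [System.Diagnostics.EventLog]::Exists($logName)) {
        New-EventLog -LogName $logName -Source $Source
    }

    # 3. Confirm the channel is visible and that the service can count the imported records.
    $info = Get-WinEvent -ListLog $logName -ErrorAction Stop
    Write-Host ("{0}: {1} records in {2}" -f $logName, $info.RecordCount, $info.LogFilePath)
    $channels += $logName
}

# 4. Print the localfile stanzas to paste inside <ossec_config> in $OssecDir\ossec.conf.
foreach ($ch in $channels) {
    Write-Host @"
<localfile>
  <location>$ch</location>
  <log_format>eventchannel</log_format>
</localfile>
"@
}

# 5. Rewind the agent's bookmark so it reads the imported records from the start.
#    Assumption: one UTF-16 XML file per channel under bookmarks\, carrying a RecordId attribute.
Stop-Service -Name $Service -ErrorAction SilentlyContinue
foreach ($ch in $channels) {
    Get-ChildItem -Path (Join-Path $OssecDir 'bookmarks') -Filter "$ch*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = Get-Content -Path $_.FullName -Raw -Encoding Unicode
            # Match RecordId='123' or RecordId="123" and keep whichever quote style was used.
            $xml = [regex]::Replace($xml, "RecordId=(['""])\d+\1", 'RecordId=${1}0${1}')
            Set-Content -Path $_.FullName -Value $xml -Encoding Unicode
            Write-Host "Rewound bookmark $($_.Name)"
        }
}
Start-Service -Name $Service

# Watch the agent log to confirm it subscribed to the new channel(s).
Get-Content -Path (Join-Path $OssecDir 'ossec.log') -Tail 20
```

Add the localfile stanza to ossec.conf before the final step, since the bookmark only exists once the agent has subscribed to the channel at least once; if no bookmark file is found, restart the agent after editing the configuration and run the rewind step again.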
