Hello everybody,
I am trying to configure the OSSEC agent on a machine with Windows 2012 in order to
send some events to the OSSEC server (2.8.1).
The <ossec_config> section on the agent contains:
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
I want to send events with Windows ID 4625, which is Logon Audit Failure, so
I did this:
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
<query>Event/System[EventID=4625]</query>
</localfile>
or
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4625]</query>
</localfile>
and it doesn't work. How should it be done correctly, and what should I change and where?
Regards,