There aren't any errors; everything works fine, and all events from the event
log on the Windows machine are sent to OSSEC. What I want to do is send only
selected events, e.g. the one mentioned in my post, *EventID=4625*. This
event is created when a user enters a wrong password for shared resources.
I have installed the agent that came along with the OSSEC server.
In the agent I tried both combinations and they don't work. I didn't change
ossec.conf.
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
  <query>Event/System[EventID=4625]</query>
</localfile>
or
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=4625]</query>
</localfile>