Hi,
I have installed the new version of OSSEC v2.8.2. I have a Windows OSSEC
client. I would like to filter Windows event logs
(Application/Security/System/Applications and Services Logs) based on the
event IDs at the OSSEC client (in order to reduce the logs forwarded to the
OSSEC manager).
I have amended the client ossec.conf with the example from the OSSEC
documentation.
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=7001]</query>
</localfile>
*This WORKS*
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/Security[EventID=4624]</query>
</localfile>
*THIS DOESN'T WORK.* If I remove the query field it does work, but then it
forwards all the logs coming out of the Windows Security event log. I am
getting a similar issue when I try to filter based on "Applications and
Services Logs". If I try to give the whole path name in the location, the
OSSEC client does not start and I get the error "Could not create bookmark".
Am I doing something wrong here? Please advise.
Kind Regards
Swati
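The query in an eventchannel localfile is an XPath expression evaluated against each event's XML, and in Windows event XML the EventID element is a child of System for every channel; there is no channel-named element such as Security under Event. Added example (not the poster's configuration and not taken from the OSSEC documentation) showing the form that selects nothing beside the forms that match; the Applications and Services channel name and its event ID are illustrative placeholders.

```xml
<!-- Selects nothing: the event XML has no Security element under Event,
     so this XPath predicate never matches an event -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/Security[EventID=4624]</query>
</localfile>

<!-- Matches: EventID sits under System in the XML of every channel -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=4624]</query>
</localfile>

<!-- Several IDs from one channel: combine them with XPath "or" -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=4624 or EventID=4625 or EventID=4672]</query>
</localfile>

<!-- Applications and Services Logs: location is the channel's full name as
     Event Viewer shows it, not a file path. Channel and ID are placeholders
     chosen for this example, not values from the original post. -->
<localfile>
  <location>Microsoft-Windows-TaskScheduler/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=106]</query>
</localfile>
```

Each `<query>` is applied on the agent, so only the matching events are forwarded to the manager; a quick check is to run the same XPath as a custom filter in Event Viewer against the target channel before putting it in ossec.conf.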