Hi,
try using this configuration:
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4624]</query>
</localfile>
Best regards
On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
> Hi,
>
> I have installed the new version of OSSEC v2.8.2. I have a windows ossec
> client. I would like to filter Windows event logs
> (Applications/Security/System/Application and Services Log) based on the
> event ids at ossec client (in order to reduce the logs forwarded to OSSEC
> manager).
>
> I have amended the client ossec.conf with the example from the OSSEC
> documentation.
>
> <localfile>
> <location>System</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=7001]</query>
> </localfile>
> *This WORKS*
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/Security[EventID=4624]</query>
> </localfile>
>
>
> *THIS DOESN'T WORK.* If I remove the query field it does work, but then it
> forwards all the logs coming out from the Windows Security event log. I am
> getting a similar issue when I try to filter based on "Applications and
> Services Logs". If I try to give the whole path name in the location, the
> ossec client does not start and I get an error "Could not create bookmark".
>
> Am I doing something wrong here? Please advise.
>
> Kind Regards
> Swati
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
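The difference between the two queries is that a Windows event is always rendered as Event/System/EventID regardless of the channel it lives in, so the channel name belongs in <location> and never in the XPath. As an added check, not code from the thread or from the OSSEC project: a Python script that parses the eventchannel <localfile> blocks of an ossec.conf fragment and flags queries that use the channel name in place of Event/System. The conf fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for this example: the failing Security query
# from the question, and the corrected one from the reply.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/Security[EventID=4624]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</ossec_config>"""

# Every Windows event, whatever channel it was written to, is rendered as
# <Event><System>..<EventID>..</System><EventData>..</EventData></Event>.
# The channel goes in <location>; the XPath is evaluated against this
# per-event XML, so Event/Security[...] can never match anything.
EVENT_CHILDREN = {"System", "EventData", "UserData", "RenderingInfo"}

def check_eventchannel_queries(conf_xml):
    """Return [(location, query, problem)] for each eventchannel <localfile>;
    problem is None when the query looks valid."""
    results = []
    for lf in ET.fromstring(conf_xml).iter("localfile"):
        if lf.findtext("log_format", "").strip() != "eventchannel":
            continue
        location = lf.findtext("location", "").strip()
        query = lf.findtext("query")
        if query is None:
            results.append((location, None, "no <query>: whole channel forwarded"))
            continue
        query = query.strip()
        m = re.match(r"Event/([A-Za-z]+)\b", query)
        if m is None:
            problem = "query should start with Event/<child>[...]"
        elif m.group(1) not in EVENT_CHILDREN:
            problem = (f"'{m.group(1)}' is the channel name, not an <Event> "
                       f"child; try {query.replace(m.group(1), 'System', 1)}")
        else:
            problem = None
        results.append((location, query, problem))
    return results
```

Run it over your own agent config with check_eventchannel_queries(open("ossec.conf").read()); any block reported with a problem will either forward nothing or forward the whole channel, which is exactly the volume problem the filter was meant to solve.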