Thank you Santiago! It is working now.

Kind Regards
Swati

On Saturday, 8 August 2015 18:32:44 UTC+1, Santiago Bassett wrote:
> Hi,
>
> try using this configuration:
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID=4624]</query>
> </localfile>
>
> Best regards
>
> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>
>> Hi,
>>
>> I have installed the new version of OSSEC v2.8.2. I have a Windows OSSEC client. I would like to filter Windows event logs (Applications/Security/System/Application and Services Log) based on the event IDs at the OSSEC client (in order to reduce the logs forwarded to the OSSEC manager).
>>
>> I have amended the client ossec.conf with the example from the OSSEC documentation.
>>
>> <localfile>
>>   <location>System</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=7001]</query>
>> </localfile>
>>
>> *This WORKS*
>>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/Security[EventID=4624]</query>
>> </localfile>
>>
>> *THIS DOESN'T WORK.* If I remove the query field it does work, but then it forwards all the logs coming out of the Windows Security event log. I am getting a similar issue when I try to filter based on "Applications and Services Logs". If I try to give the whole path name in the location, the OSSEC client does not start and I get an error "Could not create bookmark".
>>
>> Am I doing something wrong here? Please advise.
>>
>> Kind Regards
>> Swati
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
