I'm trying to filter Windows events based on strings such as the login
type and workstation name, but as a starting point I tried the
configuration below to filter on EventID 4624. The
/var/ossec/etc/shared/agent.conf file contains:
<agent_config>
<!-- Generic Agent configurations. -->
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID=4624]</query>
</localfile>
</agent_config>
However, I continue to receive all security events, including Security
EventID 4624 and others.
I restarted the Windows system agent via agent_control -R and also
restarted the OSSEC manager.
I don't have any errors in ossec.log with regard to the
shared/agent.conf file.
Any suggestions on getting this working?
Thanks,
-- Ralph Durkee
On 08/08/2015 01:32 PM, Santiago Bassett wrote:
> Hi,
>
> try using this configuration:
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=4624]</query>
> </localfile>
>
> Best regards
>
> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>
> Hi,
>
> I have installed the new version of OSSEC v2.8.2. I have a Windows
> OSSEC client. I would like to filter Windows event logs
> (Applications/Security/System/Application and Services Log) based
> on the event ids at ossec client (in order to reduce the logs
> forwarded to OSSEC manager).
>
> I have amended the client ossec.conf with the example from the
> OSSEC documentation.
>
> <localfile>
> <location>System</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=7001]</query>
> </localfile> This WORKS
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/Security[EventID=4624]</query>
> </localfile> THIS DOESN'T WORK. If I remove the query field
> it does work, but then it forwards all the logs coming out of the
> Windows Security event log. I am getting a similar issue when I try
> to filter based on "Applications and Services Logs".
>
>
> If I try to give the whole path name in the location, the OSSEC
> client does not start and I get the error "Could not create bookmark".
>
> Am I doing something wrong here? Please advise.
>
> Kind Regards
> Swati
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
>
>
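The recurring confusion in this thread is how the eventchannel <query> path is matched against the XML of a Windows event: the channel is called "Security", but inside the event the EventID lives under the <System> element, so Event/System[EventID=4624] is the path to test and Event/Security[EventID=4624] names an element that does not exist. The following script is an added example, not part of this thread and not OSSEC code. It evaluates the simple Event/<Section>[<Field>=<Value>] query form against a hand-constructed 4624 event (namespace stripped), and separately shows the kind of combined filter on LogonType and WorkstationName that Ralph is after. The combined Windows XPath form quoted in the docstring is an assumption taken from Event Viewer custom views and should be confirmed against the OSSEC documentation before use in agent.conf.

```python
"""Check Windows event XML against OSSEC-style eventchannel <query> paths.

Constructed example, not OSSEC code: SAMPLE_4624 is a hand-written Security
4624 record in the shape Windows renders (namespace removed), so it runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Windows Security 4624 event (not captured from a real host).
SAMPLE_4624 = """<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>host01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-ALICE</Data>
  </EventData>
</Event>"""

# Only the Event/<Section>[<Field>=<Value>] subset used in the thread is parsed.
QUERY_RE = re.compile(r"^Event/(?P<section>\w+)\[(?P<field>\w+)=(?P<value>\w+)\]$")


def event_id_query_matches(query, event_xml):
    """Evaluate a query of the form Event/<Section>[<Field>=<Value>] against one event.

    Enough to show why Event/System[EventID=4624] matches and
    Event/Security[EventID=4624] does not: "Security" is the channel name,
    not a child element of <Event>.
    """
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query}")
    root = ET.fromstring(event_xml)
    section = root.find(m.group("section"))   # e.g. <System>; None for "Security"
    if section is None:
        return False
    field = section.find(m.group("field"))    # e.g. <EventID>
    return field is not None and (field.text or "").strip() == m.group("value")


def logon_matches(event_xml, event_id="4624", logon_type=None, workstation=None):
    """Filter on EventID plus optional EventData fields (LogonType, WorkstationName).

    This is the Python equivalent of a combined filter. The Windows XPath that
    expresses the same thing is assumed (Event Viewer custom-view form) to be:
      *[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='10']]
    Confirm that form against the OSSEC eventchannel documentation before use.
    """
    root = ET.fromstring(event_xml)
    if root.findtext("System/EventID") != event_id:
        return False

    def data(name):
        # EventData fields are <Data Name="..."> elements; match on the Name attribute.
        node = root.find(f"EventData/Data[@Name='{name}']")
        return None if node is None else (node.text or "").strip()

    if logon_type is not None and data("LogonType") != logon_type:
        return False
    if workstation is not None and data("WorkstationName") != workstation:
        return False
    return True


if __name__ == "__main__":
    for q in ("Event/System[EventID=4624]",
              "Event/Security[EventID=4624]",
              "Event/System[EventID=7001]"):
        print(f"{q:32} -> {event_id_query_matches(q, SAMPLE_4624)}")
    print("4624, LogonType 10 from WS-ALICE ->",
          logon_matches(SAMPLE_4624, logon_type="10", workstation="WS-ALICE"))
```

Running the script prints True only for Event/System[EventID=4624]; the Security-path query returns False for exactly the reason Swati's second stanza forwarded nothing once the query was present and everything once it was removed. The combined check is the shape of filter to aim for when reducing Security-channel volume at the agent: EventID first, then the EventData fields that identify the logon type and source workstation.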