Try restarting it manually and see if that works.

On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:

> I'm trying to filter Windows events based on strings such as the login
> type and workstation name, but as a starting point I tried the
> configuration below to filter on EventID 4624. The
> /var/ossec/etc/shared/agent.conf file contains:
>
> <agent_config>
> <!-- Generic Agent configurations. -->
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=4624]</query>
> </localfile>
>
> </agent_config>
>
> However, I continue receiving all security events, including Security
> EventID 4624 and others.
> I restarted the Windows system agent via agent_control -R and also
> restarted the OSSEC manager.
> I don't have any errors in ossec.log with regard to the shared/agent.conf
> file.
>
> Any suggestions on getting this working?
>
> Thanks,
>
> -- Ralph Durkee
>
> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>
> Hi,
>
> try using this configuration:
>
> <localfile>
> <location>Security</location>
> <log_format>eventchannel</log_format>
> <query>Event/System[EventID=4624]</query>
> </localfile>
>
> Best regards
>
> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>
>> Hi,
>>
>> I have installed the new version of OSSEC v2.8.2. I have a Windows OSSEC
>> client. I would like to filter Windows event logs
>> (Applications/Security/System/Application and Services Log) based on the
>> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
>> OSSEC manager).
>>
>> I have amended the client ossec.conf with the example from the OSSEC
>> documentation.
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/System[EventID=7001]</query>
>> </localfile>
>> * This WORKS *
>> <localfile>
>> <location>Security</location>
>> <log_format>eventchannel</log_format>
>> <query>Event/Security[EventID=4624]</query>
>> </localfile>
>>
>> * THIS DOESN'T WORK. If I remove the query field it does work, but then
>> it forwards all the logs coming out of the Windows Security event log. I am
>> getting a similar issue when I try to filter based on "Applications and
>> Services Logs". *If I try to give the whole path name in the location,
>> the OSSEC client does not start and I get an error "Could not create
>> bookmark".
>>
>> Am I doing something wrong here? Please advise.
>>
>> Kind Regards
>> Swati
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
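A way to sanity-check a candidate `<query>` against a real event before rolling it out in agent.conf, added here as an example that is not part of this thread or of OSSEC itself: it parses a constructed 4624 event in the XML shape Event Viewer shows, checks `System/EventID` plus the `EventData` fields Ralph wants to filter on (LogonType, WorkstationName), and shows why `Event/Security[...]` can never match (an event has `System` and `EventData` children, not `Security`). The `matches` function is a local model of the filter, not OSSEC's matching code, and the combined `and Event/EventData[...]` query form and the `wevtutil` check are assumptions to verify on a Windows host.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (the xmlns on every <Event> element).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed Security 4624 event in the shape Event Viewer
# shows under Details -> XML View. Host, user and workstation values are invented.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>host01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WS-ALICE</Data>
  </EventData>
</Event>"""


def has_child(xml_text, name):
    """True if <Event> has a direct child element with this tag. Explains why
    Event/Security[...] selects nothing: the children are System and EventData
    (sometimes UserData), never Security; 'Security' is the Channel text."""
    return ET.fromstring(xml_text).find(f"e:{name}", NS) is not None


def matches(xml_text, event_id, **data):
    """Local re-check of a filter: System/EventID must equal event_id and every
    keyword argument must equal the EventData/Data[@Name=...] text. This mirrors
    what the eventchannel <query> asks Windows to select (a local model, not
    OSSEC's own code)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != str(event_id):
        return False
    for name, want in data.items():
        got = root.findtext(f"e:EventData/e:Data[@Name='{name}']", namespaces=NS)
        if got != want:
            return False
    return True


def build_query(event_id, **data):
    """Assemble the <query> text. The EventID part is the form used in the
    thread; the 'and Event/EventData[...]' extension is an assumption to verify
    on a host first, e.g.: wevtutil qe Security /q:"<query>" /c:1"""
    parts = [f"Event/System[EventID={event_id}]"]
    parts += [f"Event/EventData[Data[@Name='{n}']='{v}']" for n, v in data.items()]
    return " and ".join(parts)
```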
