I've restarted ossec on the server several times. Are you referring to the Windows agent?

-- Ralph Durkee

On 08/18/2015 11:46 AM, Santiago Bassett wrote:
> Try restarting it manually and see if that works.
>
> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>
>     I'm trying to filter Windows events based on strings such as the
>     login type and workstation name, but as a starting point I tried
>     the configuration below to filter on EventID 4624. The
>     /var/ossec/etc/shared/agent.conf file contains:
>
>     <agent_config>
>     <!-- Generic Agent configurations. -->
>
>     <localfile>
>     <location>Security</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID=4624]</query>
>     </localfile>
>
>     </agent_config>
>
>     However, I continue receiving all security events, including
>     Security EventID 4624 and others.
>     I restarted the Windows system agent via agent_control -R and
>     also restarted the OSSEC manager.
>     I don't have any errors in ossec.log with regard to the
>     shared/agent.conf file.
>
>     Any suggestions on getting this working?
>
>     Thanks,
>
>     -- Ralph Durkee
>
>     On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>     > Hi,
>     >
>     > try using this configuration:
>     >
>     > <localfile>
>     > <location>Security</location>
>     > <log_format>eventchannel</log_format>
>     > <query>Event/System[EventID=4624]</query>
>     > </localfile>
>     >
>     > Best regards
>     >
>     > On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>     >
>     >     Hi,
>     >
>     >     I have installed the new version of OSSEC v2.8.2. I have a
>     >     Windows ossec client. I would like to filter Windows event
>     >     logs (Applications/Security/System/Application and Services
>     >     Log) based on the event ids at the ossec client (in order to
>     >     reduce the logs forwarded to the OSSEC manager).
>     >
>     >     I have amended the client ossec.conf with the example from
>     >     the OSSEC documentation.
>     >
>     >     <localfile>
>     >     <location>System</location>
>     >     <log_format>eventchannel</log_format>
>     >     <query>Event/System[EventID=7001]</query>
>     >     </localfile>
>     >
>     >     This WORKS.
>     >
>     >     <localfile>
>     >     <location>Security</location>
>     >     <log_format>eventchannel</log_format>
>     >     <query>Event/Security[EventID=4624]</query>
>     >     </localfile>
>     >
>     >     THIS DOESN'T WORK. If I remove the query field it does work,
>     >     but then it forwards all the logs coming out from the Windows
>     >     Security event log. I am getting a similar issue when I try
>     >     to filter based on "Applications and Services Logs".
>     >
>     >     If I try to give the whole path name in the location, the
>     >     ossec client does not start and I get an error "Could not
>     >     create bookmark".
>     >
>     >     Am I doing something wrong here? Please advise.
>     >
>     >     Kind Regards
>     >     Swati
>     >
>     >     --
>     >
>     >     ---
>     >     You received this message because you are subscribed to the
>     >     Google Groups "ossec-list" group.
>     >     To unsubscribe from this group and stop receiving emails from
>     >     it, send an email to [email protected].
>     >     For more options, visit https://groups.google.com/d/optout.
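Added example, not code from the thread or from the OSSEC project: a small lint that walks the eventchannel `<localfile>` blocks of an agent configuration and flags the query shape that fails in the thread (`Event/Security[...]`) against the one that works (`Event/System[...]`), plus a block with no query at all. The sample configuration is constructed for the example.

```python
"""Lint OSSEC eventchannel <localfile> queries. Added example, not OSSEC code."""
import re
import xml.etree.ElementTree as ET

# In Windows event XML the EventID element lives under <System>; the channel
# (Security, System, Application) is the <location>, not a path step in <query>.
QUERY_RE = re.compile(r"^Event/System\[EventID=(\d+)\]$")

# Constructed sample: the working and failing blocks from the thread, plus one
# block that has no <query> and therefore forwards every event from the channel.
SAMPLE_CONF = """\
<agent_config>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=7001]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/Security[EventID=4624]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
"""


def lint_localfiles(conf_xml):
    """Return one (location, query, verdict) tuple per <localfile> block."""
    results = []
    for lf in ET.fromstring(conf_xml).iter("localfile"):
        location = lf.findtext("location", "").strip()
        log_format = lf.findtext("log_format", "").strip()
        query = lf.findtext("query")
        if log_format != "eventchannel":
            results.append((location, query, "skip: not eventchannel"))
        elif query is None:
            results.append((location, None, "warn: no query, all events forwarded"))
        elif QUERY_RE.match(query.strip()):
            results.append((location, query.strip(), "ok"))
        else:
            # Rewrite the first path step to System so the reader sees the fix
            hint = re.sub(r"^Event/[^\[/]+", "Event/System", query.strip())
            results.append((location, query.strip(),
                            "error: EventID lives under Event/System, try " + hint))
    return results


if __name__ == "__main__":
    for loc, q, verdict in lint_localfiles(SAMPLE_CONF):
        print(f"{loc:10} {str(q):32} {verdict}")
```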
