Tried stopping and starting the agent service on the Windows system.
Still getting other security events from that system such as 4672 and
4634 in addition to the 4624. Any other suggestions?

-- Ralph Durkee

On 08/18/2015 01:10 PM, Ralph Durkee wrote:
> I've restarted ossec on the server several times.  Are you referring to
> the Windows agent?
>
> -- Ralph Durkee
>
> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>> Try restarting it manually and see if that works.
>>
>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>     I'm trying to filter Windows events based on strings such as the
>>     login type and workstation name, but as a starting point I tried
>>     the configuration below to filter on EventID 4624. The
>>     /var/ossec/etc/shared/agent.conf file contains:
>>
>>     <agent_config>
>>         <!-- Generic Agent configurations. -->
>>
>>         <localfile>
>>           <location>Security</location>
>>           <log_format>eventchannel</log_format>
>>           <query>Event/System[EventID=4624]</query>
>>         </localfile>
>>
>>     </agent_config>
>>
>>     However I continue receiving all security events including
>>     Security EventID 4624 and others.
>>     I restarted the Windows system agent via agent_control -R and
>>     also restarted the OSSEC manager.
>>     I don't have any errors in ossec.log with regard to the
>>     shared/agent.conf file.
>>
>>     Any suggestions on getting this working?
>>
>>     Thanks,
>>
>>     -- Ralph Durkee
>>
>>     On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>     Hi,
>>>
>>>     try using this configuration:
>>>
>>>     <localfile>
>>>         <location>Security</location>
>>>         <log_format>eventchannel</log_format>
>>>         <query>Event/System[EventID=4624]</query>
>>>     </localfile> 
>>>
>>>     Best regards
>>>
>>>     On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]
>>>     <mailto:[email protected]>> wrote:
>>>
>>>         Hi,
>>>
>>>         I have installed the new version of OSSEC v2.8.2. I have a
>>>         Windows OSSEC client. I would like to filter Windows event
>>>         logs (Applications/Security/System/Application and Services
>>>         Log) based on the event ids at the OSSEC client (in order to
>>>         reduce the logs forwarded to the OSSEC manager).
>>>
>>>         I have amended the client ossec.conf with the example from
>>>         the OSSEC documentation.
>>>
>>>         <localfile>
>>>             <location>System</location>
>>>             <log_format>eventchannel</log_format>
>>>             <query>Event/System[EventID=7001]</query>
>>>         </localfile>    This WORKS
>>>
>>>         <localfile>
>>>             <location>Security</location>
>>>             <log_format>eventchannel</log_format>
>>>             <query>Event/Security[EventID=4624]</query>
>>>         </localfile>    THIS DOESN'T WORK. If I remove the query
>>>         field it does work but then it forwards all the logs coming
>>>         out from Windows Security event log. I am getting similar
>>>         issue when I try to filter based on "Applications and
>>>         Services Logs".
>>>
>>>
>>>         If I try to give the whole path name in the location, the
>>>         OSSEC client does not start and I get an error "Could not
>>>         create bookmark".
>>>
>>>         Am I doing something wrong here? Please advise.
>>>
>>>         Kind Regards
>>>         Swati
>>>         -- 
>>>
>>>         ---
>>>         You received this message because you are subscribed to the
>>>         Google Groups "ossec-list" group.
>>>         To unsubscribe from this group and stop receiving emails
>>>         from it, send an email to
>>>         [email protected]
>>>         <mailto:[email protected]>.
>>>         For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>
>

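As an added example (not code from the thread or from the OSSEC project), one way to confirm that an eventchannel query is accepted by Windows before pushing it out through shared/agent.conf is to run the same XPath against the local Security log with Get-WinEvent on the agent host. The LogonType and WorkstationName filter is an assumed extension of the 4624 query discussed above, since the thread only shows the EventID form; the workstation name is a constructed placeholder.

```powershell
# Validate the XPath an OSSEC eventchannel <query> would use before deploying it
# via shared/agent.conf. Get-WinEvent applies the Windows Event Log XPath subset,
# so a query that returns the expected events here is at least accepted by Windows.
#
# Assumed filter (not from the thread): logon events (4624) for network logons
# (LogonType 3) originating from a given workstation name.
$Workstation = 'WS-EXAMPLE'   # constructed placeholder, replace with a real host name

# Assumed agent.conf form with an explicit Event root (matches the Event/System[...]
# style used in the thread, extended with an EventData predicate):
#   <query>Event[System[EventID=4624] and EventData[Data[@Name='LogonType']='3']]</query>
# Get-WinEvent accepts the equivalent "*[...]" form.
$XPath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='3' and Data[@Name='WorkstationName']='$Workstation']]"

try {
    $events = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 20 -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no events", not as a failure.
    Write-Host "No events matched: $($_.Exception.Message)"
    $events = @()
}

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML so the filter can be checked by eye.
    $xml = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventID     = $e.Id
        LogonType   = $data['LogonType']
        Workstation = $data['WorkstationName']
        User        = $data['TargetUserName']
    }
}
```

Reading the Security log requires an elevated PowerShell session.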