Could you share your ossec.conf settings (from the agent) and also the shared/agent.conf ones? Those are probably located in C:\Program Files\ossec-agent.
I am guessing, but I think you probably are reading all Security events in some other place of the configuration (look for the different locations).

Regards

On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:

> Tried stopping and starting the agent service on the Windows system. Still
> getting other security events from that system such as 4672 and 4634 in
> addition to the 4624. Any other suggestions?
>
> -- Ralph Durkee
>
> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>
> I've restarted ossec on the server several times. Are you referring to the
> Windows agent?
>
> -- Ralph Durkee
>
> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>
> Try restarting it manually and see if that works.
>
> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>
>> I'm trying to filter Windows events based on strings such as the login
>> type and workstation name, but as a starting point I tried the
>> configuration below to filter on EventID 4624. The
>> /var/ossec/etc/shared/agent.conf file contains:
>>
>> <agent_config>
>>   <!-- Generic Agent configurations. -->
>>
>>   <localfile>
>>     <location>Security</location>
>>     <log_format>eventchannel</log_format>
>>     <query>Event/System[EventID=4624]</query>
>>   </localfile>
>>
>> </agent_config>
>>
>> However, I continue receiving all security events, including Security
>> EventID 4624 and others.
>> I restarted the Windows system agent via agent_control -R and also
>> restarted the OSSEC manager.
>> I don't have any errors in ossec.log with regard to the shared/agent.conf
>> file.
>>
>> Any suggestions on getting this working?
>>
>> Thanks,
>>
>> -- Ralph Durkee
>>
>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>
>> Hi,
>>
>> try using this configuration:
>>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=4624]</query>
>> </localfile>
>>
>> Best regards
>>
>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have installed the new version of OSSEC v2.8.2. I have a Windows OSSEC
>>> client. I would like to filter Windows event logs
>>> (Applications/Security/System/Application and Services Log) based on the
>>> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
>>> OSSEC manager).
>>>
>>> I have amended the client ossec.conf with the example from the OSSEC
>>> documentation.
>>>
>>> <localfile>
>>>   <location>System</location>
>>>   <log_format>eventchannel</log_format>
>>>   <query>Event/System[EventID=7001]</query>
>>> </localfile>
>>> * This WORKS *
>>>
>>> <localfile>
>>>   <location>Security</location>
>>>   <log_format>eventchannel</log_format>
>>>   <query>Event/Security[EventID=4624]</query>
>>> </localfile>
>>> * THIS DOESN'T WORK. If I remove the query field it does work, but then
>>> it forwards all the logs coming out of the Windows Security event log. I am
>>> getting a similar issue when I try to filter based on "Applications and
>>> Services Logs". * If I try to give the whole path name in the location,
>>> the OSSEC client does not start and I get the error "Could not create
>>> bookmark".
>>>
>>> Am I doing something wrong here? Please advise.
>>>
>>> Kind Regards
>>> Swati
>>>
>>> --
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
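The two failure modes discussed in this thread can both be checked mechanically before restarting agents: the diagnosis in the top reply (another <localfile> elsewhere in the agent's configuration still collecting every Security event, so the filtered entry in shared/agent.conf changes nothing), and the query error in the original post (Event/Security names the channel, but the XPath is evaluated over the event XML, whose children are System, EventData, UserData and RenderingInfo, so the EventID predicate must sit under Event/System). The script below is an added example, not code from the thread or from the OSSEC project. It parses the agent's ossec.conf and shared/agent.conf, groups Windows event log collectors by location, and reports any duplicate collector that lacks a <query> and any query whose first step is not an element of <Event>. The two configuration samples are constructed for the example; the stock Security collector with log_format eventlog in ossec.conf is an assumption about a typical Windows agent install, not taken from the thread.

```python
"""Lint an OSSEC Windows agent's merged log collection for a filtered channel.

Added example, not code from the ossec-list thread or from the OSSEC project.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the agent's own ossec.conf. Assumption for the example:
# the install still carries the stock Security collector with no <query>.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

# Constructed sample of shared/agent.conf as pushed from the manager.
SAMPLE_AGENT_CONF = """
<agent_config>
  <!-- Generic Agent configurations. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</agent_config>
"""

WINDOWS_FORMATS = {"eventlog", "eventchannel"}
# Child elements of <Event> in the Windows event XML. A step such as
# Event/Security names the channel, not an element, and matches nothing.
EVENT_CHILDREN = {"System", "EventData", "UserData", "RenderingInfo"}


def parse_localfiles(conf_text):
    """Return one dict per <localfile>. OSSEC config files may hold several
    top-level <ossec_config>/<agent_config> blocks, so wrap them in a root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for lf in root.iter("localfile"):
        query = (lf.findtext("query") or "").strip()
        entries.append({
            "location": (lf.findtext("location") or "").strip(),
            "log_format": (lf.findtext("log_format") or "").strip(),
            "query": query or None,
        })
    return entries


def lint_query(query):
    """Return a message if the query's first step is not an element of <Event>."""
    m = re.match(r"^\s*Event/(\w+)", query)
    if m and m.group(1) not in EVENT_CHILDREN:
        return ("query %r selects Event/%s, which is not an element of the "
                "event XML; EventID lives under Event/System" % (query, m.group(1)))
    return None


def lint(configs):
    """configs maps a file name to its text. Returns a list of finding strings."""
    findings = []
    by_location = {}
    for fname, text in configs.items():
        for entry in parse_localfiles(text):
            if entry["log_format"] not in WINDOWS_FORMATS:
                continue
            by_location.setdefault(entry["location"], []).append((fname, entry))
            if entry["query"]:
                msg = lint_query(entry["query"])
                if msg:
                    findings.append("%s: %s" % (fname, msg))
    # A filtered collector is undone by a second, unfiltered collector on the
    # same channel: the unfiltered one still forwards every event.
    for location, collectors in by_location.items():
        if len(collectors) < 2:
            continue
        for fname, entry in collectors:
            if entry["query"] is None:
                others = ", ".join(f for f, _ in collectors if f != fname)
                findings.append(
                    "%s: <localfile> for %s (%s) has no <query>; it forwards every "
                    "%s event despite the filtered entry in %s"
                    % (fname, location, entry["log_format"], location, others))
    return findings


if __name__ == "__main__":
    for line in lint({"ossec.conf": SAMPLE_OSSEC_CONF,
                      "shared/agent.conf": SAMPLE_AGENT_CONF}):
        print(line)
```

Run it against the real files (C:\Program Files\ossec-agent\ossec.conf and the agent.conf the manager pushes into C:\Program Files\ossec-agent\shared) rather than the constructed samples; a clean run means the filtered Security entry is the only collector for that channel and its query addresses Event/System.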
