The shared agent is as previously shared, copied below for reference:

<agent_config>
    <!-- Generic Agent configurations. -->

    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID=4624]</query>
    </localfile>

</agent_config>

The Windows OSSEC config, after the comments, starts with the following (middle portion
removed, and it has no localfile entries):

 
<ossec_config>
 
  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
 
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
 
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
 
 
  <!-- Rootcheck - Policy monitor config -->
. . . SNIP . . .

 
</ossec_config>
 
 
<!-- END of Default Configuration. -->
 
 
 <ossec_config>
   <client>
      <server-hostname>xxx-ossec-srv1</server-hostname>
   </client>
 </ossec_config>

-- Ralph Durkee
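As an added example (not part of this thread or of OSSEC itself), here is a small Python lint that parses both configs and reports the two situations the thread turns on: a filtered eventchannel reader whose effect is masked by an unfiltered eventlog reader for the same log elsewhere in the configuration, and a query that names the log (Event/Security) where the Windows event XML has Event/System. It assumes, as OSSEC documents, that only the eventchannel reader evaluates <query>; the sample configs are constructed from the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs modelled on the thread: shared agent.conf adds a filtered
# eventchannel reader for Security; the agent's ossec.conf keeps the default
# unfiltered eventlog reader for the same log.
AGENT_CONF = """<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</agent_config>"""
OSSEC_CONF = """<ossec_config>
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</ossec_config>
<ossec_config>
  <client><server-hostname>xxx-ossec-srv1</server-hostname></client>
</ossec_config>"""
# Elements that sit directly under <Event> in the Windows event XML; the log name
# (Security, System, ...) is not one of them, so Event/Security[...] matches nothing.
EVENT_CHILDREN = {"System", "EventData", "UserData", "RenderingInfo", "*"}

def localfiles(conf_text):
    """(location, log_format, query) for every <localfile>; OSSEC allows several
    top-level <ossec_config> blocks, so parse under a synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [((lf.findtext("location") or "").strip(),
             (lf.findtext("log_format") or "").strip(),
             (lf.findtext("query") or "").strip() or None)
            for lf in root.iter("localfile")]

def lint(ossec_conf, agent_conf):
    """List reasons an eventchannel <query> would seem to have no effect."""
    entries = [("ossec.conf", e) for e in localfiles(ossec_conf)]
    entries += [("agent.conf", e) for e in localfiles(agent_conf)]
    filtered = {loc for _, (loc, fmt, q) in entries if fmt == "eventchannel" and q}
    findings = []
    for src, (loc, fmt, query) in entries:
        if query and fmt != "eventchannel":  # only the eventchannel reader evaluates <query>
            findings.append(f"{src}: <query> on {loc} is ignored because log_format is {fmt}")
        segs = (query or "").split("[", 1)[0].split("/")
        if query and len(segs) > 1 and segs[0] == "Event" and segs[1] not in EVENT_CHILDREN:
            findings.append(f"{src}: query '{query}' names '{segs[1]}' under Event; "
                            f"EventID lives under Event/System")
        if loc in filtered and not query:
            findings.append(f"{src}: unfiltered {fmt} reader for {loc} still forwards "
                            f"every event, masking the eventchannel query on {loc}")
    return findings
```

Run against the two configs above it reports only the ossec.conf Security eventlog entry, which is why 4672 and 4634 keep arriving despite the agent.conf filter.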

On 08/18/2015 01:24 PM, Santiago Bassett wrote:
> Could you share your ossec.conf settings (from the agent) and also the
> shared/agent.conf ones. Those are probably located in C:\Program
> Files/ossec-agent
>
> I am guessing, but I think you probably are reading all Security
> events in some other place of the configuration (look for the
> different locations).
>
> Regards
>
> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]
> <mailto:[email protected]>> wrote:
>
>     Tried stopping and starting the agent service on the Windows
>     system. Still getting other security events from that system such
>     as 4672 and 4634 in addition to the 4624.  Any other suggestions?
>
>     -- Ralph Durkee
>
>     On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>     I've restarted ossec on the server several times.  Are you
>>     referring to the Windows agent?
>>
>>     -- Ralph Durkee
>>
>>     On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>>     Try restarting it manually and see if that works.
>>>
>>>     On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee
>>>     <[email protected] <mailto:[email protected]>> wrote:
>>>
>>>         I'm trying to filter Windows events based on strings such as
>>>         the login type and workstation name, but as a starting point
>>>         I tried the configuration below to filter on EventID 4624.
>>>         The /var/ossec/etc/shared/agent.conf file contains:
>>>
>>>         <agent_config>
>>>             <!-- Generic Agent configurations. -->
>>>
>>>             <localfile>
>>>               <location>Security</location>
>>>               <log_format>eventchannel</log_format>
>>>               <query>Event/System[EventID=4624]</query>
>>>             </localfile>
>>>
>>>         </agent_config>
>>>
>>>         However I continue receiving all security events including
>>>         Security EventID 4624 and others.
>>>         I restarted the Windows system agent via agent_control -R
>>>         and also restarted the OSSEC manager.
>>>         I don't have any errors in ossec.log with regard to the
>>>         shared/agent.conf file.
>>>
>>>         Any suggestions on getting this working?
>>>
>>>         Thanks,
>>>
>>>         -- Ralph Durkee
>>>
>>>         On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>>         Hi,
>>>>
>>>>         try using this configuration:
>>>>
>>>>         <localfile>
>>>>             <location>Security</location>
>>>>             <log_format>eventchannel</log_format>
>>>>             <query>Event/System[EventID=4624]</query>
>>>>         </localfile> 
>>>>
>>>>         Best regards
>>>>
>>>>         On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]
>>>>         <mailto:[email protected]>> wrote:
>>>>
>>>>             Hi,
>>>>
>>>>             I have installed the new version of OSSEC v2.8.2. I
>>>>             have a Windows OSSEC client. I would like to filter
>>>>             Windows event logs
>>>>             (Applications/Security/System/Application and Services
>>>>             Log) based on the event IDs at the OSSEC client (in order
>>>>             to reduce the logs forwarded to the OSSEC manager).
>>>>
>>>>             I have amended the client ossec.conf with the example
>>>>             from the OSSEC documentation.
>>>>
>>>>             <localfile>
>>>>                 <location>System</location>
>>>>                 <log_format>eventchannel</log_format>
>>>>                 <query>Event/System[EventID=7001]</query>
>>>>             </localfile>
>>>>
>>>>             This WORKS.
>>>>
>>>>             <localfile>
>>>>                 <location>Security</location>
>>>>                 <log_format>eventchannel</log_format>
>>>>                 <query>Event/Security[EventID=4624]</query>
>>>>             </localfile>
>>>>
>>>>             THIS DOESN'T WORK. If I remove the query field it does work,
>>>>             but then it forwards all the logs coming out from the Windows
>>>>             Security event log. I am getting a similar issue when I try
>>>>             to filter based on "Applications and Services Logs".
>>>>
>>>>
>>>>             If I try to give the whole path name in the location,
>>>>             the OSSEC client does not start and I get the error
>>>>             "Could not create bookmark".
>>>>
>>>>             Am I doing something wrong here? Please advise.
>>>>
>>>>             Kind Regards
>>>>             Swati
>>>>             -- 
>>>>
>>>>             ---
>>>>             You received this message because you are subscribed to
>>>>             the Google Groups "ossec-list" group.
>>>>             To unsubscribe from this group and stop receiving
>>>>             emails from it, send an email to
>>>>             [email protected]
>>>>             <mailto:[email protected]>.
>>>>             For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
