I guess you want to remove these sections from the ossec.conf file in the
agent. Those are used to get all application, security and system events.

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

On Tue, Aug 18, 2015 at 12:13 PM, Ralph Durkee <[email protected]> wrote:

> The shared agent is as previously shared, copied below for reference:
>
> <agent_config>
>     <!-- Generic Agent configurations. -->
>
>     <localfile>
>       <location>Security</location>
>       <log_format>eventchannel</log_format>
>       <query>Event/System[EventID=4624]</query>
>     </localfile>
>
> </agent_config>
>
> The Windows OSSEC after the comments starts with (middle portion
> removed, and has no localfile entries.)
>
>
> <ossec_config>
>
>   <!-- One entry for each file/Event log to monitor. -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>
>   <!-- Rootcheck - Policy monitor config -->
> . . . SNIP . . .
>
>
> </ossec_config>
>
>
> <!-- END of Default Configuration. -->
>
>
>  <ossec_config>
>    <client>
>       <server-hostname>xxx-ossec-srv1</server-hostname>
>    </client>
>  </ossec_config>
>
> -- Ralph Durkee
>
> On 08/18/2015 01:24 PM, Santiago Bassett wrote:
>
> Could you share your ossec.conf settings (from the agent) and also the
> shared/agent.conf ones. Those are probably located in C:\Program
> Files/ossec-agent
>
> I am guessing, but I think you probably are reading all Security events in
> some other place of the configuration (look for the different locations).
>
> Regards
>
> On Tue, Aug 18, 2015 at 10:17 AM, Ralph Durkee <[email protected]> wrote:
>
>> Tried stopping and starting the agent service on the windows system.
>> Still getting other security events from that system such as 4672 and 4634
>> in addition to the 4624.  Any other suggestions?
>>
>> -- Ralph Durkee
>>
>>
>> On 08/18/2015 01:10 PM, Ralph Durkee wrote:
>>
>> I've restarted ossec on the server several times.  Are you referring to
>> the Windows agent?
>>
>> -- Ralph Durkee
>>
>>
>> On 08/18/2015 11:46 AM, Santiago Bassett wrote:
>>
>> Try restarting it manually and see if that works.
>>
>> On Tue, Aug 18, 2015 at 7:23 AM, Ralph Durkee <[email protected]> wrote:
>>
>>> I'm trying to filter Windows events based on strings such as the login
>>> type and workstation name, but as a starting point I tried the
>>> configuration below to filter on EventID 4624. The
>>> /var/ossec/etc/shared/agent.conf file contains:
>>>
>>> <agent_config>
>>>     <!-- Generic Agent configurations. -->
>>>
>>>     <localfile>
>>>       <location>Security</location>
>>>       <log_format>eventchannel</log_format>
>>>       <query>Event/System[EventID=4624]</query>
>>>     </localfile>
>>>
>>> </agent_config>
>>>
>>> However I continue receiving all security events including Security
>>> EventID 4624 and others.
>>> I restarted the Windows system agent via agent_control -R and also
>>> restarted the OSSEC manager.
>>> I don't have any errors in ossec.log with regard to the
>>> shared/agent.conf file.
>>>
>>> Any suggestions on getting this working?
>>>
>>> Thanks,
>>>
>>> -- Ralph Durkee
>>>
>>> On 08/08/2015 01:32 PM, Santiago Bassett wrote:
>>>
>>> Hi,
>>>
>>> try using this configuration:
>>>
>>> <localfile>
>>>     <location>Security</location>
>>>     <log_format>eventchannel</log_format>
>>>     <query>Event/System[EventID=4624]</query>
>>> </localfile>
>>>
>>> Best regards
>>>
>>> On Thu, Aug 6, 2015 at 3:18 AM, Swati <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have installed the new version of OSSEC v2.8.2. I have a Windows
>>>> OSSEC client. I would like to filter Windows event logs
>>>> (Applications/Security/System/Application and Services Log) based on the
>>>> event ids at ossec client (in order to reduce the logs forwarded to OSSEC
>>>> manager).
>>>>
>>>> I have amended the client ossec.conf with the example from the OSSEC
>>>> documentation.
>>>>
>>>> <localfile>
>>>>     <location>System</location>
>>>>     <log_format>eventchannel</log_format>
>>>>     <query>Event/System[EventID=7001]</query>
>>>> </localfile>
>>>> This WORKS
>>>>  <localfile>
>>>>     <location>Security</location>
>>>>     <log_format>eventchannel</log_format>
>>>>     <query>Event/Security[EventID=4624]</query>
>>>> </localfile>
>>>>
>>>>
>>>> THIS DOESN'T WORK. If I remove the query field it does work, but then
>>>> it forwards all the logs coming out from the Windows Security event log. I am
>>>> getting a similar issue when I try to filter based on "Applications and
>>>> Services Logs". If I try to give the whole path name in the location,
>>>> the ossec client does not start and I get an error "Could not create
>>>> bookmark".
>>>>
>>>> Am I doing something wrong here? Please advise.
>>>>
>>>> Kind Regards
>>>> Swati
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>

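As an added illustration (not code from the thread), the Python below evaluates queries of the shape used above against constructed Windows event XML and shows why `Event/System[EventID=7001]` and `Event/System[EventID=4624]` select events while `Event/Security[EventID=4624]` selects nothing: EventID sits under the `System` element in every channel, and an `Event/Security` element does not exist. Host names and event data are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed events in the Windows Event XML shape (hypothetical host and values).
# EventID lives under <System> in every channel; there is no <Security> element.
EVENTS = [
    ("4624", """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Channel>Security</Channel><Computer>ws01.example.test</Computer></System>
<EventData><Data Name="LogonType">10</Data><Data Name="WorkstationName">WS01</Data></EventData>
</Event>"""),
    ("4672", """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4672</EventID><Channel>Security</Channel><Computer>ws01.example.test</Computer></System>
<EventData><Data Name="SubjectUserName">svc-backup</Data></EventData>
</Event>"""),
    ("7001", """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>7001</EventID><Channel>System</Channel><Computer>ws01.example.test</Computer></System>
<EventData><Data Name="param1">Print Spooler</Data></EventData>
</Event>"""),
]

# Only the query shape used in the thread: Event/<Child>[<Field>=<Value>]
QUERY_RE = re.compile(r"^Event/(\w+)\[(\w+)=(\w+)\]$")


def _local(tag):
    # Strip the XML namespace Windows puts on every element.
    return tag.rsplit("}", 1)[-1]


def query_matches(query, event_xml):
    """True when the query path selects at least one element of this event."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError("unsupported query: %s" % query)
    child, field, value = m.groups()
    root = ET.fromstring(event_xml)
    if _local(root.tag) != "Event":
        return False
    for node in root:
        if _local(node.tag) != child:
            continue  # no <Security> child exists, so Event/Security[...] never matches
        for f in node:
            if _local(f.tag) == field and (f.text or "").strip() == value:
                return True
    return False


def select_events(query, events):
    """Event IDs, in input order, that the query would let through to the manager."""
    return [eid for eid, xml in events if query_matches(query, xml)]
```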

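Also added here rather than taken from the thread: a Python check that reads an agent's local ossec.conf and the shared agent.conf and reports channels that the shared file filters with a query but the local file still collects in full, which is the situation the final reply diagnoses. The configurations are constructed from the snippets in the thread; the server hostname is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed from the snippets in the thread; the server hostname is a placeholder.
# Local ossec.conf: whole-log collection of three channels, followed by a second
# top-level <ossec_config> block, so the file is not a single XML document.
OSSEC_CONF = """<ossec_config>
  <!-- One entry for each file/Event log to monitor. -->
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</ossec_config>
<ossec_config>
  <client><server-hostname>ossec-srv1.example.test</server-hostname></client>
</ossec_config>"""

# Shared agent.conf: Security channel restricted to logon events.
AGENT_CONF = """<agent_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4624]</query>
  </localfile>
</agent_config>"""

# Local ossec.conf with the three unfiltered entries removed, as the final reply suggests.
OSSEC_CONF_FIXED = """<ossec_config>
  <client><server-hostname>ossec-srv1.example.test</server-hostname></client>
</ossec_config>"""


def localfiles(conf_text):
    """Every <localfile> entry in an OSSEC config file, as a dict."""
    # Wrap in a synthetic root: the file may hold several top-level <ossec_config> blocks.
    root = ET.fromstring("<root>%s</root>" % conf_text)
    return [{
        "location": (lf.findtext("location") or "").strip(),
        "log_format": (lf.findtext("log_format") or "").strip(),
        "query": (lf.findtext("query") or "").strip(),
    } for lf in root.iter("localfile")]


def unfiltered_channels(local_conf, shared_conf):
    """Channels that agent.conf filters with a query but ossec.conf also collects
    without one; the unfiltered entry forwards every event, so the query has no effect."""
    filtered = {e["location"] for e in localfiles(shared_conf)
                if e["log_format"] == "eventchannel" and e["query"]}
    unfiltered = {e["location"] for e in localfiles(local_conf)
                  if e["log_format"] in ("eventlog", "eventchannel") and not e["query"]}
    return sorted(filtered & unfiltered)
```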