The latest code off of github has the eventchannel issue fixed. See: 
https://github.com/ossec/ossec-hids/pull/457

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of chintan shah
Sent: Tuesday, September 1, 2015 2:32 AM
To: ossec-list <ossec-list@googlegroups.com>
Subject: [ossec-list] OSSEC Windows Agent support for Event Trace Logs ( .etl ) 
format

Hi Support team,

We've been using OSSEC HIDS on a commercial basis for quite some time. Amidst this, I wanted to bring to your notice the issue in reading the event trace log (.etl) format on Windows OS. As of OSSEC Windows agent version 2.8, the agent is not able to support the Windows event trace log (.etl) format generated by some of the services under "Applications and Services" in Windows Event Viewer.

To expand on the specific problem that we've been facing at the moment: we are using the OSSEC Windows agent to monitor WMI-Activity on Windows Vista and above. These OS versions (precisely Vista and above) generate the trace logs for WMI activity, and these logs are in the .etl format, which is currently not supported by OSSEC Windows agent v2.8.

The following is the elaborated picture of the steps we have performed to come to this conclusion and the errors that we've seen:

1. Modify the agent's ossec.conf file on Windows to monitor the specific WMI event channel:

    <localfile>
      <location>Microsoft-Windows-WMI-Activity/Trace</location>
      <log_format>eventchannel</log_format>
    </localfile>

2. Restarting the OSSEC Windows service gives the following error in the ossec.log file:

2015/09/01 10:12:09 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-WMI-Activity/Trace'.
2015/09/01 10:12:09 ossec-agent: Could not create bookmark from save (15008)
2015/09/01 10:12:09 ossec-agent: Subscription error: 50
2015/09/01 10:12:09 ossec-agent: INFO: Started (pid: 212).

3. Modify the ossec.conf file again to include the "only-future-events" option for the above event channel:

15/09/01 10:18:08 ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-WMI-Activity/Trace'.
2015/09/01 10:18:08 ossec-agent: Subscription error: 50
2015/09/01 10:18:08 ossec-agent: INFO: Started (pid: 172)

4. We have tried to use "eventlog" instead of "eventchannel" in this case, but since the log format is not in the evt/evtx format, OSSEC Agent version 2.8 is not able to pick up the logged events and send the messages to the OSSEC server.

The above series of debug logs leads us to the conclusion that the .etl log format is not supported by the Windows agent. I would like to seek the assistance of the support team / volunteers in resolving this issue.

Please revert in case additional information is needed.

Regards

Chintan

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com 
<mailto:ossec-list+unsubscr...@googlegroups.com> .
For more options, visit https://groups.google.com/d/optout.
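A diagnostic check for the situation described in the post above, as an added example that is not part of the original thread or of the OSSEC project. It reads every eventchannel <location> out of an agent ossec.conf and reports the channel's type as Windows sees it, so that Analytic and Debug channels (which are backed by .etl trace files and which the Windows event subscription API does not accept; the agent surfaces that as "Subscription error: 50", Win32 ERROR_NOT_SUPPORTED) are flagged before the agent is restarted. The config path and the function names are assumptions.

```powershell
# Added example, not OSSEC project code. Assumes the default agent install path.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
)

function Get-EventChannelLocations {
    param([string]$Path)
    $raw = Get-Content -Path $Path -Raw
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own: drop any XML declaration and wrap the file in
    # a synthetic root element before parsing.
    $raw = $raw -replace '^\s*<\?xml[^>]*\?>', ''
    $xml = [xml]("<root>" + $raw + "</root>")
    $nodes = $xml.SelectNodes("//localfile[normalize-space(log_format)='eventchannel']/location")
    foreach ($n in $nodes) { $n.InnerText.Trim() }
}

function Test-EventChannel {
    param([string]$Channel)
    try {
        $cfg = Get-WinEvent -ListLog $Channel -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Channel = $Channel; Exists = $false; LogType = $null
            Enabled = $null; Subscribable = $false
            Note = 'channel not found on this host'
        }
    }
    # Event subscriptions work on Administrative and Operational channels.
    # Analytic and Debug channels are trace (.etl) backed and are not subscribable.
    $type = [string]$cfg.LogType
    $ok = @('Administrative', 'Operational') -contains $type
    $note = if ($ok) { 'ok' } else { "LogType $type is ETL-backed ($($cfg.LogFilePath)); not subscribable" }
    [pscustomobject]@{
        Channel = $Channel; Exists = $true; LogType = $type
        Enabled = $cfg.IsEnabled; Subscribable = $ok; Note = $note
    }
}

$channels = @(Get-EventChannelLocations -Path $ConfigPath)
if ($channels.Count -eq 0) {
    Write-Host "No <localfile> entries with log_format eventchannel found in $ConfigPath"
} else {
    $channels | ForEach-Object { Test-EventChannel -Channel $_ } | Format-Table -AutoSize
}
```

Run it on the agent host before restarting the service; a row with Subscribable false and LogType Analytical is the configuration the post describes. Where the same provider also writes an Administrative or Operational channel on that Windows version, that channel is the one the eventchannel reader can subscribe to.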
