<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1100</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>103</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-05T13:44:32.036118000Z" />
    <EventRecordID>2719810</EventRecordID>
    <Correlation />
    <Execution ProcessID="744" ThreadID="11616" />
    <Channel>Security</Channel>
    <Computer>Security-Test</Computer>
    <Security />
  </System>
  <UserData>
    <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
  </UserData>
</Event>

On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote:
>
>
> On Oct 5, 2015 12:23 PM, "Daniel Baker" <msu.d...@gmail.com> wrote:
> >
> >
> >
> > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
> >>
> >> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service Shutdown in Windows.
> >
> >
> > This is what I'm trying to add to the local_rules.xml file:
> >
> > <rule id="1100000" level="12">
> > <if_sid>18104</if_sid>
> > <id>^1100$</id>
> > <description>Windows Service Stopped</description>
> > </rule> 
> >
>
> Do you have a log we can test with?
>
> > -- 
> >
> > --- 
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
