More Information: PCI 10.2.6 Initialization, stopping, or pausing of the audit logs My focus is on Windows Services Stop events
I do not have any logs in archives.log On Monday, October 5, 2015 at 10:59:25 AM UTC-6, Brent Morris wrote: > > It's easier for us to test if you can post it from your archives.log on > ossec :) > > On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote: >> >> - <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event >> <http://schemas.microsoft.com/win/2004/08/events/event>*"> >> - <System> >> <Provider Name="*Microsoft-Windows-Eventlog*" Guid=" >> *{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}*" /> >> <EventID>1100</EventID> >> <Version>0</Version> >> <Level>4</Level> >> <Task>103</Task> >> <Opcode>0</Opcode> >> <Keywords>0x4020000000000000</Keywords> >> <TimeCreated SystemTime="*2015-10-05T13:44:32.036118000Z*" /> >> <EventRecordID>2719810</EventRecordID> >> <Correlation /> >> <Execution ProcessID="*744*" ThreadID="*11616*" /> >> <Channel>Security</Channel> >> <Computer>Security-Test</Computer> >> <Security /> >> </System> >> - <UserData> >> <ServiceShutdown >> xmlns="*http://manifests.microsoft.com/win/2004/08/windows/eventlog >> <http://manifests.microsoft.com/win/2004/08/windows/eventlog>*" /> >> </UserData> >> </Event> >> >> On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote: >>> >>> >>> On Oct 5, 2015 12:23 PM, "Daniel Baker" <msu.d...@gmail.com> wrote: >>> > >>> > >>> > >>> > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote: >>> >> >>> >> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service >>> Shutdown in Windows. >>> > >>> > >>> > This is what I'm trying to add to the local_rules.xml file: >>> > >>> > <rule id="1100000" level="12"> >>> > <if_sid>18104</id> >>> > <id>^1100$</id> >>> > <description>Windows Service Stopped</description> >>> > </rule> >>> > >>> >>> Do you have a log we can test with? >>> >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> an email to ossec-list+...@googlegroups.com. >>> > For more options, visit https://groups.google.com/d/optout. >>> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
