If you have the OSSEC manager installed and running, along with an agent on 
your Windows computer, then the agent should be sending all the event logs 
to the manager and storing them in /var/ossec/logs/archives/archives.log 

This is typically where OSSEC learns about events, and triggers alerts such 
as the one you're describing.  So if you can paste the event as OSSEC sees 
and stores it from archives.log - we can add your rule to our 
local_rules.xml and use tools, such as ossec-logtest to help you with 
writing your rule.

Unless I'm missing something... in which case I apologize :)

On Monday, October 5, 2015 at 10:11:02 AM UTC-7, Daniel Baker wrote:
>
> More Information:  PCI 10.2.6 Initialization, stopping, or pausing of the 
> audit logs
> My focus is on Windows Services Stop events
>
> I do not have any logs in archives.log
>
>
> On Monday, October 5, 2015 at 10:59:25 AM UTC-6, Brent Morris wrote:
>>
>> It's easier for us to test if you can post it from your archives.log on 
>> ossec :)
>>
>> On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote:
>>>
>>> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>>> - <System>
>>>   <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" /> 
>>>   <EventID>1100</EventID> 
>>>   <Version>0</Version> 
>>>   <Level>4</Level> 
>>>   <Task>103</Task> 
>>>   <Opcode>0</Opcode> 
>>>   <Keywords>0x4020000000000000</Keywords> 
>>>   <TimeCreated SystemTime="2015-10-05T13:44:32.036118000Z" /> 
>>>   <EventRecordID>2719810</EventRecordID> 
>>>   <Correlation /> 
>>>   <Execution ProcessID="744" ThreadID="11616" /> 
>>>   <Channel>Security</Channel> 
>>>   <Computer>Security-Test</Computer> 
>>>   <Security /> 
>>>   </System>
>>> - <UserData>
>>>   <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" /> 
>>>   </UserData>
>>>   </Event>
>>>
>>> On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote:
>>>>
>>>>
>>>> On Oct 5, 2015 12:23 PM, "Daniel Baker" <msu.d...@gmail.com> wrote:
>>>> >
>>>> >
>>>> >
>>>> > On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
>>>> >>
>>>> >> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service 
>>>> Shutdown in Windows.
>>>> >
>>>> >
>>>> > This is what I'm trying to add to the local_rules.xml file:
>>>> >
>>>> > <rule id="1100000" level="12">
>>>> >   <!-- parent: the generic Windows audit-success rule -->
>>>> >   <if_sid>18104</if_sid>
>>>> >   <!-- anchored match on the decoded event id field -->
>>>> >   <id>^1100$</id>
>>>> >   <description>Windows Service Stopped</description>
>>>> > </rule> 
>>>> >
>>>>
>>>> Do you have a log we can test with?
>>>>
>>>> > -- 
>>>> >
>>>> > --- 
>>>> > You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, 
>>>> send an email to ossec-list+...@googlegroups.com.
>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>
>>>

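The thread turns on one point: the rule's `<id>^1100$</id>` is matched against the event id that OSSEC's Windows decoder extracts from the agent's `WinEvtLog:` line in archives.log, not against the raw Event Viewer XML. The script below is an added illustration, written for this page and not taken from the thread or from OSSEC's own source. It assumes the agent's classic line layout (`WinEvtLog: <channel>: <status>(<id>): <source>: <user>: <domain>: <computer>: <message>`), assumes rule 18104 is OSSEC's generic Windows audit-success rule, and uses constructed sample lines. It mimics the `if_sid` parent/child chain and shows why the anchored `^1100$` matters: an unanchored `1100` would also fire on event id 11000.

```python
import re

# Constructed sample lines in the layout the OSSEC Windows agent uses for
# forwarded eventlog entries (an assumption about exact spacing and message
# text; none of these lines come from the thread).
SAMPLE_LINES = [
    "2015 Oct 05 13:44:32 WinEvtLog: Security: AUDIT_SUCCESS(1100): "
    "Microsoft-Windows-Eventlog: (no user): no domain: Security-Test: "
    "The event logging service has shut down.",
    "2015 Oct 05 13:45:10 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: Security-Test: "
    "An account was successfully logged on.",
    "2015 Oct 05 13:46:01 WinEvtLog: Security: AUDIT_SUCCESS(11000): "
    "Example-Source: (no user): no domain: Security-Test: "
    "Constructed event whose id merely starts with 1100.",
]

# Field extraction modelled on what the windows decoder exposes (id, status,
# source, user, ...). This regex is a simplification written for this example.
WINEVT_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)


def decode_winevt(line):
    """Return the decoded fields for a WinEvtLog line, or None if it does not parse."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


# Minimal rule set: the assumed parent rule 18104 plus the corrected local rule
# from the thread. 'event_id' plays the role of the <id> element.
RULES = [
    {"id": 18104, "level": 3, "status": "AUDIT_SUCCESS",
     "description": "Windows audit success event."},
    {"id": 1100000, "level": 12, "if_sid": 18104, "event_id": r"^1100$",
     "description": "Windows Service Stopped"},
]

# Same chain with the anchors dropped, to show the over-match.
UNANCHORED_RULES = [dict(RULES[0]), dict(RULES[1], event_id=r"1100")]


def evaluate(line, rules=RULES):
    """Walk the rules in order and return the last rule that fires (or None).

    A rule carrying if_sid only fires when its parent already fired on this
    line, which is how OSSEC chains local rules under a generic one.
    """
    fields = decode_winevt(line)
    if fields is None:
        return None
    fired_ids, last = set(), None
    for rule in rules:
        if "if_sid" in rule and rule["if_sid"] not in fired_ids:
            continue
        if "status" in rule and fields["status"] != rule["status"]:
            continue
        if "event_id" in rule and not re.search(rule["event_id"], fields["id"]):
            continue
        fired_ids.add(rule["id"])
        last = rule
    return last


def main():
    for line in SAMPLE_LINES:
        anchored = evaluate(line)
        loose = evaluate(line, UNANCHORED_RULES)
        print(decode_winevt(line)["id"],
              "anchored ->", anchored and anchored["id"],
              "| unanchored ->", loose and loose["id"])


if __name__ == "__main__":
    main()
```

Running it shows event 1100 reaching the level-12 local rule, 4624 stopping at the parent, and 11000 staying at the parent only while the `^...$` anchors are present. The same discipline applies when you test the real rule with ossec-logtest: feed it the line exactly as archives.log stores it, since that is the text the decoder sees.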