Hi. I would like to monitor the channel called "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall". For this I added the following lines into the shared/agent.conf file, inside the Windows agent tag:

    <localfile>
      <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
      <log_format>eventchannel</log_format>
    </localfile>

After that I restarted my OSSEC agent and generated some events in the Firewall (enable/disable a firewall rule; events with ID 2005 appeared in the Event Viewer). There is no reaction from the OSSEC server. I am waiting for the default rule ID 18101 ("Windows informational event"), but there are no events. In ossec.log:

    2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
    2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
    2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
    2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
    2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).

Could you please tell me what I am doing wrong? Can I use eventchannel to monitor logs from Applications and Services Logs?

OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3.
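The first thing to verify in a case like this is whether the logcollector actually picked up every channel declared in agent.conf, and whether each Applications and Services channel is declared with the eventchannel format (the classic eventlog reader only sees the legacy logs). The script below is an added example, not part of the original post or of OSSEC itself: it parses the `<localfile>` entries from a constructed agent.conf fragment (the post's firewall entry plus an assumed Application entry) and cross-checks them against the "Analyzing event log" lines quoted in the post. The slash-in-channel-name test for Applications and Services channels is a heuristic, not an OSSEC rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <localfile> block the post adds to shared/agent.conf,
# wrapped in the <agent_config> root that file uses so it parses as XML.
# The Application entry is assumed here for illustration; the post only adds the firewall one.
AGENT_CONF = """<agent_config os="Windows">
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
"""

# Constructed sample: the ossec.log lines quoted in the post.
OSSEC_LOG = """2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
"""

# Matches the startup line logcollector emits for each Windows log it opens.
# The "(1951)" message id is optional so the regex tolerates both line shapes.
ANALYZING_RE = re.compile(
    r"ossec-logcollector(?:\(\d+\))?: INFO: Analyzing event log: '(?P<channel>[^']+)'"
)


def configured_channels(conf_xml):
    """Return {channel_name: log_format} for every Windows event <localfile> entry."""
    root = ET.fromstring(conf_xml)
    channels = {}
    for lf in root.iter("localfile"):
        location = lf.findtext("location")
        log_format = lf.findtext("log_format")
        if location and log_format in ("eventlog", "eventchannel"):
            channels[location.strip()] = log_format.strip()
    return channels


def analyzed_channels(log_text):
    """Return the set of channels the logcollector reported it is analyzing."""
    return {m.group("channel") for m in ANALYZING_RE.finditer(log_text)}


def check(conf_xml, log_text):
    """Cross-check agent.conf against ossec.log; return a list of human-readable findings."""
    configured = configured_channels(conf_xml)
    analyzed = analyzed_channels(log_text)
    findings = []
    for channel, log_format in configured.items():
        if channel not in analyzed:
            findings.append(
                f"{channel}: configured but logcollector never reported analyzing it"
            )
        elif "/" in channel and log_format != "eventchannel":
            # Heuristic: names with a '/' are Applications and Services channels,
            # which the legacy eventlog reader cannot open.
            findings.append(
                f"{channel}: Applications and Services channel declared as "
                f"'{log_format}'; only eventchannel can read it"
            )
    return findings


if __name__ == "__main__":
    results = check(AGENT_CONF, OSSEC_LOG)
    if not results:
        print("all configured channels are being analyzed; look downstream (decoders/rules)")
    for line in results:
        print("FINDING:", line)
```

For the lines quoted in the post the check comes back clean: the collector did open the firewall channel, so the gap is not in agent.conf but somewhere after collection (transport, decoding or rule matching on the server).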
