Hi,
The Windows informational event rule has level "0", meaning that an alert won't
be generated unless you take down the alert level threshold
(log_alert_level, set to "1" by default).
My advice is to create a new rule instead, just for events with ID "2005", in
order to trigger an alert. I guess something like this would work:
  <rule id="XXXX" level="3">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall enabled\disabled</description>
  </rule>
Remember to include it in local_rules.xml inside a group section (you can
use group="windows,").
On the other hand, try enabling the logall option and check if events are
written to archives.log.
I hope that helps,
Santiago.
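Putting the pieces of the reply together, here is the agent-side collector and the local rule in the form they would actually be deployed. This is an added example, not code from the thread: the rule id 100100 and the file paths are assumptions (100100 is assumed to be in the range OSSEC leaves free for user rules), and the level-0 parent rule 18101 is the one the reply refers to.

```xml
<!-- shared/agent.conf (assumed path): pushed from the server to every Windows agent,
     so the firewall channel is collected without editing each ossec.conf by hand -->
<agent_config os="Windows">
  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

<!-- rules/local_rules.xml (assumed path): a child of rule 18101, which is level 0 and
     therefore never alerts on its own. Only events whose id is exactly 2005
     (firewall rule enabled or disabled) are raised to level 3 and logged in alerts.log -->
<group name="windows,">
  <!-- rule id 100100 is an assumption; use any id that is unused on your server -->
  <rule id="100100" level="3">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall rule enabled/disabled (event 2005)</description>
  </rule>
</group>
```

Events other than 2005 from that channel still match the level-0 parent and are only visible in archives.log when logall is enabled, which is the check the reply suggests for confirming the agent is forwarding anything at all.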
On Wed, Dec 23, 2015 at 3:07 AM, <[email protected]> wrote:
> Hi.
> I would like to monitor the channel called "Microsoft-Windows-Windows
> Firewall With Advanced Security/Firewall".
> For this I added the following lines into the shared/agent.conf file inside the
> Windows agent tag:
>
>   <localfile>
>     <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
>     <log_format>eventchannel</log_format>
>   </localfile>
>
> After that I restarted my OSSEC agent and generated some events in the
> Firewall (enable\disable firewall rule -- events with ID 2005 appeared in the
> Event Viewer). There is no reaction from the OSSEC server; I am waiting for the
> default rule ID 18101 ("Windows informational event"), but there are no events.
> In ossec log:
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log:
> 'Application'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log:
> 'Security'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log:
> 'System'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log:
> 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
> 2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
>
> Could you please tell me what I am doing wrong? Can I use eventchannel to
> monitor logs from Applications and Services Logs?
> OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.