Santiago, thanks for your help!

On Wednesday, 23 December 2015, 20:26:03 UTC+2, Santiago Bassett wrote:
>
> Hi,
>
> Windows informational event rule has level "0", meaning that an alert
> won't be generated, unless you take down the alert level threshold
> (log_alert_level, set to "1" by default).
>
> My advice is to create a new rule instead just for events with ID "2005"
> in order to trigger an alert. I guess something like this would work:
>
> <rule id="XXXX" level="3">
>   <if_sid>18101</if_sid>
>   <id>^2005$</id>
>   <description>Windows Firewall enabled\disabled</description>
> </rule>
>
> Remember to include it in local_rules.xml inside a group section (you can
> use group="windows,")
>
> On the other hand, try enabling logall option and check if events are
> written to archives.log
>
> I hope that helps,
>
> Santiago.
>
> On Wed, Dec 23, 2015 at 3:07 AM, <[email protected]> wrote:
>
>> Hi.
>> I would like to monitor the channel called "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall".
>> For this I added the following lines into the shared/agent.conf file, inside the Windows agent tag:
>>
>> <localfile>
>>   <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
>>   <log_format>eventchannel</log_format>
>> </localfile>
>>
>> After that I restarted my OSSEC agent and generated some events in Firewall (enable\disable firewall rule -- events with ID 2005 appeared in the EventViewer). There is no reaction from the OSSEC server; I am waiting for the default rule ID 18101 ("Windows informational event"), but there are no events.
>> In the ossec log:
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
>> 2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
>>
>> Could you please tell me what I am doing wrong? Can I use eventchannel to monitor logs from Applications and Services Logs?
>> OSSEC agent host: Windows 2012, OSSEC agent - 2.8.3, server - 2.8.3
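A small simulation of the rule logic discussed in this thread, added here as an example (it is not OSSEC's own code): it loads the suggested child rule from a constructed local_rules.xml fragment, walks the if_sid chain the way Santiago describes, and applies the log_alert_level threshold to decide whether event 2005 alerts. The local rule id 100005 and the use of Python's re in place of OSSEC's own regex dialect are assumptions; the matcher also follows chained child rules, not only the single level shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the child rule from the thread inside a
# group section. Rule id 100005 is a made-up local id (the thread left it as
# XXXX); 18101 is OSSEC's built-in "Windows informational event" rule.
LOCAL_RULES = r"""
<group name="windows,">
  <rule id="100005" level="3">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall enabled\disabled</description>
  </rule>
</group>
"""

# The built-in parent rule, modelled only as far as the thread describes it:
# level 0, so on its own it never produces an alert.
BUILTIN_RULES = {18101: {"level": 0, "if_sid": None, "id": None,
                         "description": "Windows informational event"}}

def load_local_rules(xml_text):
    """Parse each <rule> element into the same dict shape as BUILTIN_RULES."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        parent = rule.findtext("if_sid")
        rules[int(rule.get("id"))] = {
            "level": int(rule.get("level")),
            "if_sid": int(parent) if parent else None,
            "id": rule.findtext("id"),
            "description": rule.findtext("description"),
        }
    return rules

def match_event(event_id, rules, sid=18101):
    """Start at the parent rule and descend into any child whose <if_sid>
    points here and whose <id> pattern matches the Windows event ID.
    Returns (rule id, level) of the most specific match (Python re is an
    approximation of OSSEC's regex syntax)."""
    for child_sid, rule in rules.items():
        if rule["if_sid"] == sid and rule["id"] and re.search(rule["id"], event_id):
            return match_event(event_id, rules, child_sid)
    return sid, rules[sid]["level"]

def will_alert(event_id, rules, log_alert_level=1):
    """OSSEC only writes an alert when the matched level >= log_alert_level."""
    return match_event(event_id, rules)[1] >= log_alert_level

RULES = {**BUILTIN_RULES, **load_local_rules(LOCAL_RULES)}
```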
