Hi, EventChannel supports expressions like !=. Set up your local file like this:

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 6423 && EventID != 6433]</query>
</localfile>

I just tested this and it is working:

<localfile>
  <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 2003 && EventID != 2004 && EventID != 2005 && EventID != 2006]</query>
</localfile>

Regards,
Pedro S.

On Tuesday, February 9, 2016 at 12:52:41 PM UTC+1, Idan Spencer wrote:
>
> Hello,
> I'm trying to make the HIDS agent (on a Windows machine) not forward
> some types of Event IDs to the OSSEC server.
> I have HIDS agent 2.8.3 on a Windows machine and I want it *NOT* to send
> events from the Event Viewer whose numbers are 6423, 6433 for example;
> I don't need these events in the SIEM and want to lower the traffic between them.
> I have found in the documentation:
>
> <localfile>
>   <location>System</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID=7040]</query>
> </localfile>
>
> but with that it sends just this type of ID; I want it to send
> everything except this type of ID.
>
> Any idea how I can do it?
>
> Thank you
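As an added example (not from the thread and not OSSEC's own code), a small Python audit that reads the eventchannel <localfile> blocks out of an ossec.conf fragment and reports, per channel, which EventIDs the query includes or excludes, so you can see exactly what the agent will stop forwarding to the SIEM before you ship the change. The configuration text is a constructed sample modelled on the two queries above; the parser is regex-based rather than an XML parser so it takes the query text exactly as written, and it models only the two query forms shown in the thread (a list of `=` comparisons as an allow-list, a list of `!=` comparisons as a deny-list).

```python
import re

# Constructed sample ossec.conf fragment (not from a real deployment); the third block has no query.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 6423 && EventID != 6433]</query>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 2003 && EventID != 2004 && EventID != 2005 && EventID != 2006]</query>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>"""

LOCALFILE_RE = re.compile(r"<localfile>(.*?)</localfile>", re.S)
CMP_RE = re.compile(r"EventID\s*(!=|=)\s*(\d+)")  # one comparison: "EventID != 6423" or "EventID=7040"

def tag_text(block, tag):
    """Text of the first <tag>...</tag> in block, or "" when the tag is absent."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", block, re.S)
    return m.group(1) if m else ""

def parse_query(query):
    """Split the EventID comparisons of a query into (included_ids, excluded_ids)."""
    included, excluded = [], []
    for op, eid in CMP_RE.findall(query):
        (excluded if op == "!=" else included).append(int(eid))
    return included, excluded

def audit_eventchannel(conf):
    """Map each eventchannel <location> to its query and the IDs it includes/excludes."""
    report = {}
    for block in LOCALFILE_RE.findall(conf):
        if tag_text(block, "log_format") != "eventchannel":
            continue
        query = tag_text(block, "query")
        included, excluded = parse_query(query)
        report[tag_text(block, "location")] = {"query": query, "included": included, "excluded": excluded}
    return report

def is_forwarded(entry, event_id):
    """'=' comparisons form an allow-list, '!=' comparisons a deny-list; no query forwards everything."""
    if entry["included"]:
        return event_id in entry["included"]
    return event_id not in entry["excluded"]
```

A channel with no <query> shows up with empty lists, which is the "everything forwarded" case the original poster started from.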
