Hi,
check out the documentation:
http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
It would be something like:
*/var/ossec/etc/shared/agent.conf*:
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
  </localfile>
</agent_config>
Regards.
Jesus Linares.
On Monday, March 7, 2016 at 3:02:49 PM UTC+1, Abdulvehhab Agin wrote:
>
> Hi,
>
>
> We have lots of ossec.agent on Windows systems; these generate too many
> *"Audit Logs"* and we don't want to collect these logs.
>
>
> When I change Ossec.conf on the client manually:
>
>
> ## New Ossec.conf
> ------------------------
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
> </localfile>
>
> ------------------------
>
>
> It works well, but we don't want to change this config manually on each
> computer. Is there a way to deploy this config via the OSSEC server, like
> shared/agent.conf?
>
>
>
> Thanks for any help.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
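
A pre-deployment check for the shared agent.conf described in the reply above, as an added example that is not part of the original thread or OSSEC's own code: it parses the file, lists the Event IDs each eventchannel query excludes, and reports whether a given event would still be collected. The function names, the sample file and the exact-match handling of the `os` attribute are assumptions, and only `EventID!="..."` exclusion clauses are interpreted.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the agent.conf shown in the reply above.
AGENT_CONF = '''
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!="4648" and EventID!="4656" and
    EventID!="4658"]</query>
  </localfile>
</agent_config>
'''


def eventchannel_filters(conf_text, os_name="Windows"):
    """Return {channel: set of excluded EventIDs} for blocks that apply to os_name."""
    # agent.conf may hold several top-level <agent_config> blocks, so wrap it
    # in a synthetic root before parsing. A malformed file raises ET.ParseError,
    # which is the signal not to push it to the agents.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    filters = {}
    for block in root.iter("agent_config"):
        # Assumption: compare the os attribute as an exact string; a block
        # without the attribute is treated as applying to every agent.
        if block.get("os") not in (None, os_name):
            continue
        for lf in block.iter("localfile"):
            if (lf.findtext("log_format") or "").strip() != "eventchannel":
                continue
            channel = (lf.findtext("location") or "").strip()
            query = lf.findtext("query") or ""
            # Only the EventID!="N" exclusion form used on this page is read;
            # \s* lets the query wrap across lines as it does in the sample.
            excluded = re.findall(r'EventID\s*!=\s*"?(\d+)"?', query)
            filters.setdefault(channel, set()).update(int(e) for e in excluded)
    return filters


def is_collected(filters, channel, event_id):
    """True if event_id from channel is still forwarded under these filters."""
    return channel in filters and event_id not in filters[channel]


if __name__ == "__main__":
    f = eventchannel_filters(AGENT_CONF)
    for eid in (4624, 4648, 4656, 4658):
        print(eid, "collected" if is_collected(f, "Security", eid) else "dropped")
```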