Hi,
I have installed the new version of OSSEC v2.8.3. I have a Windows OSSEC
client. I would like to filter Windows event logs
(Applications/Security/System/Application and Services Log) based on the
event IDs at the OSSEC client (in order to reduce the logs forwarded to the
OSSEC manager).
Ex: EventID=5140 and EventID=5144
I tried this config:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=5140 && EventID=5144]</query>
</localfile>

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=5140 || EventID=5144]</query>
</localfile>
*THIS DOESN'T WORK*
*Am I doing something wrong here? Please advise.*
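
An added example, not part of the original post and not taken from the OSSEC project: the Windows Event Log query language is an XPath 1.0 subset whose boolean operators are the words `and` and `or`, so a filter for either event ID can be written as one block like the following. It assumes the agent passes the `<query>` text unchanged to the Windows Event Log API; note that `and` between two equality tests on EventID can never match, because each event carries a single ID.

```xml
<!-- Added example: one eventchannel subscription on the Security log -->
<!-- that forwards only events whose ID is 5140 or 5144.              -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- XPath uses the keyword "or"; an event matches if either test is true -->
  <query>Event/System[EventID=5140 or EventID=5144]</query>
</localfile>
```

Both IDs are share-access audit events, so the filter returns nothing unless file share auditing is enabled on the Windows host.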