On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <[email protected]> wrote:
> Just trying to get a simple configuration to pick up the text log files from
> a Windows 2012R2 server.
> Been over every doc, reinstalled, worked all night and ZIP.
> Blood running in my eyes from smashing forehead on keyboard.
>
> I have everything going to logall just to see if it's working but I am lost
> on how to set up the XXXX_rules.xml files.
> Are there some examples or clearer docs on this anywhere?
>
So what is working? Are the logs being shipped to the OSSEC server?

There are plenty of examples of rules in /var/ossec/rules. I believe there is a page in the documentation on writing rules (and decoders) as well.

What are you having trouble with specifically?

> Simple config snippet

This is on the Windows agent in its ossec.conf, correct?

> <!-- One entry for each file/Event log to monitor. -->
> <localfile>
>   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> <localfile>
>   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
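Added worked example of the decoder and rules side that the reply points to (the examples under /var/ossec/rules and the rules-and-decoders documentation); this is illustration written for this page, not code from the thread or from the OSSEC project. With `<log_format>syslog</log_format>` on a plain text file, the Windows agent ships each line as one event; the manager then needs a decoder that understands the line layout before any rule can match on fields such as user or source IP. The real Qlik Sense audit line layout is not shown on the page, so the sample line, the `QlikAudit` marker the prematch keys on, the decoder name `qlik-audit` and the rule IDs 100100-100102 are all constructed for illustration. Replace the prematch and regex with a pattern fitted to the lines you actually see in /var/ossec/logs/archives/archives.log on the manager (that is where logall writes every received event, which also answers the "are the logs being shipped" question).

```xml
<!-- Constructed sample line (NOT the real Qlik Sense format), one event per
     line as shipped by the Windows agent with log_format syslog:
     2016-06-22 07:42:10 QlikAudit Repository Login Failed user=tom src=10.0.0.5
-->

<!-- /var/ossec/etc/local_decoder.xml (on the manager) -->
<decoder name="qlik-audit">
  <!-- prematch cheaply selects our lines; the regex then extracts fields
       starting right after the prematch. No $ anchor, so a stray trailing
       CR from a Windows file does not break the match. -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d QlikAudit</prematch>
  <regex offset="after_prematch">^ (\S+) (\S+) (\S+) user=(\S+) src=(\S+)</regex>
  <!-- one field name per capture group: service, action, result, user, source IP -->
  <order>extra_data, action, status, srcuser, srcip</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml (on the manager; local rule IDs must be
     in the 100000-119999 range) -->
<group name="local,qlik,">

  <!-- Parent rule: every line the qlik-audit decoder parsed. Level 3 is above
       the default log_alert_level of 1, so it alerts; use level 0 to have the
       event decoded but never alerted on. -->
  <rule id="100100" level="3">
    <decoded_as>qlik-audit</decoded_as>
    <description>Qlik Sense audit event.</description>
  </rule>

  <!-- Child rule: a failed login, matched on the decoded action and status
       fields rather than on raw text. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <action>Login</action>
    <status>Failed</status>
    <description>Qlik Sense audit: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Composite rule: repeated failed logins from the same source IP
       (frequency=6 within timeframe=120 seconds). -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>Qlik Sense audit: repeated failed logins from one source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Before restarting anything, feed the sample line to `/var/ossec/bin/ossec-logtest` on the manager (paste it on stdin); it prints which decoder fired, the extracted fields and the rule that matched, which is the quickest way to see whether the problem is in the decoder, the rules, or in the agent not shipping at all. Check that the manager's ossec.conf `<rules>` section references `etc/local_decoder.xml` via `<decoder>` and includes `local_rules.xml` (both are present in a stock 2.8 install), then run `/var/ossec/bin/ossec-control restart` so analysisd reloads the rules.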
