Sorry for the slow response, finally slept for a decent length.
We are getting everything from the Windows Event logs by default just fine
where they should be.
Logall is grabbing everything else into archives.
What I need is the contents of the mentioned text files, especially
changes in role or configuration and the user that made them.
What I cannot get a handle on is why they don't show up at all.
I have read the docs and tried to modify local_rules.xml to grab all the
content from those, and it fails the config check with not enough explanation
as to why.
<group name="QlikSense Roles">
  <!-- Local rule ids belong in the 100000-119999 range; a rule takes a single <description> -->
  <rule id="100001" level="7">
    <srcip>192.168.2.10</srcip>
    <description>Role Change from IP 192.168.2.10 (example rule that will grab role changes)</description>
  </rule>
</group>
On Wednesday, June 22, 2016 at 7:34:21 AM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <[email protected]> wrote:
> > Just trying to get a simple configuration to pick up the text log files
> > from a Windows 2012R2 server.
> > Been over every doc, reinstalled, worked all night and ZIP.
> > Blood running in my eyes from smashing forehead on keyboard.
> >
> > I have everything going to logall just to see if it's working but I am
> > lost on how to set up the XXXX_rules.xml files.
> > Are there any examples or clearer docs on this anywhere?
> >
>
> So what is working?
> Are the logs being shipped to the OSSEC server?
>
> There are plenty of examples of rules in /var/ossec/rules. I believe
> there is a page in the documentation on writing rules (and decoders)
> as well.
> What are you having trouble with specifically?
>
> > Simple config snippet
> >
>
> This is on the Windows agent in its ossec.conf, correct?
>
> > <!-- One entry for each file/Event log to monitor. -->
> > <localfile>
> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
> >   <log_format>syslog</log_format>
> > </localfile>
> >
> > <localfile>
> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
> >   <log_format>syslog</log_format>
> > </localfile>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
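The thread's complaint is that the config check rejects the rule file without saying why. The script below is an added example, not part of this thread and not OSSEC's own code: a small pre-flight linter for a local_rules.xml fragment that reports the things worth checking before handing the file to ossec-analysisd. The XML well-formedness check (which catches the unclosed <group> in the posted snippet), the 100000-119999 local rule id range and the 0-16 level bounds follow OSSEC's documentation; the single-description and at-least-one-condition checks are my own assumptions about what a usable rule needs. POSTED_SNIPPET is the rule as posted in the thread; FIXED_SNIPPET is a corrected version I constructed.

```python
"""Pre-flight linter for an OSSEC local_rules.xml fragment (added example).

Run it on the file before ossec-analysisd does, to get a readable list of
findings instead of a bare config-check failure.
"""
import xml.etree.ElementTree as ET

# Rule ids OSSEC reserves for user-written local rules.
USER_RULE_RANGE = (100000, 119999)

# Elements that give a rule something to match on (assumed list, not exhaustive).
CONDITION_TAGS = {
    "srcip", "dstip", "match", "regex", "decoded_as", "if_sid", "if_group",
    "if_matched_sid", "if_matched_group", "user", "hostname", "program_name",
    "id", "url", "action", "status", "extra_data", "category", "time", "weekday",
}

# The rule exactly as posted in the thread: two <description> elements and no </group>.
POSTED_SNIPPET = """<group name="QlikSense Roles">
<rule id="100001" level="7">
<srcip>192.168.2.10</srcip>
<description>Example of rule that will grab role changes</description>
<description>Role Change from IP 192.168.2.10</description>
</rule>
"""

# Constructed corrected version: one description, group closed.
FIXED_SNIPPET = """<group name="QlikSense Roles">
  <rule id="100001" level="7">
    <srcip>192.168.2.10</srcip>
    <description>Role Change from IP 192.168.2.10</description>
  </rule>
</group>
"""


def lint_local_rules(xml_text: str) -> list:
    """Return human-readable findings for a rules fragment; [] means clean."""
    findings = []
    # local_rules.xml may contain several <group> blocks, so wrap them in one root.
    # This parses a config file you wrote yourself; for untrusted XML use defusedxml.
    try:
        root = ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); look for an unclosed <group> or <rule>"]

    groups = list(root.iter("group"))
    if not groups:
        findings.append("no <group> element found")

    seen_ids = set()
    for group in groups:
        if not group.get("name"):
            findings.append("<group> is missing its name attribute")
        for rule in group.findall("rule"):
            rid, level = rule.get("id"), rule.get("level")
            label = f"rule id={rid!r}"

            if rid is None or not rid.isdigit():
                findings.append(f"{label}: id must be numeric")
            else:
                n = int(rid)
                if not USER_RULE_RANGE[0] <= n <= USER_RULE_RANGE[1]:
                    findings.append(f"{label}: id outside local range {USER_RULE_RANGE}")
                if n in seen_ids:
                    findings.append(f"{label}: duplicate id")
                seen_ids.add(n)

            if level is None or not level.isdigit() or not 0 <= int(level) <= 16:
                findings.append(f"{label}: level must be an integer 0-16")

            descs = rule.findall("description")
            if len(descs) != 1:
                findings.append(
                    f"{label}: expected exactly one <description>, found {len(descs)}")

            if not any(child.tag in CONDITION_TAGS for child in rule):
                findings.append(
                    f"{label}: no condition element (match, regex, srcip, if_sid, ...)")
    return findings


if __name__ == "__main__":
    for name, snippet in (("posted", POSTED_SNIPPET), ("fixed", FIXED_SNIPPET)):
        print(f"{name}: {lint_local_rules(snippet) or 'clean'}")
```

The linter only covers rule structure; whether a rule ever fires still depends on the decoder, so once the file passes, feed a real line from the audit text file through ossec-logtest and confirm the rule id shows up in its output.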