On Wed, Jun 22, 2016 at 9:11 PM, Tom ONeil <[email protected]> wrote:
> Sorry for the slow response, finally slept for a decent length.
>
>
>
> We are getting everything from the Windows Event logs by default just fine
> where they should be.
>
> Logall is grabbing everything else into archives.
>

Ok, so Windows event logs aren't an issue.

>
>
> What I need is the contents of the mentioned text files into, especially


But you are not getting the log events from the text file in your archives.log?
If that's true: Is the configuration snippet you included in your
original email present on the agents? Did you restart the OSSEC
service after making that change to the config file?
Are there any mentions of the log file in the agent's ossec.log file?

> changes in role or configuration and the user that made them.
>

Are these bits of information included in the logs inside that text file?

>
>
> What I cannot get a handle on is why they don't show up at all.
>
> I have read the docs, and tried to modify local_rules.xml to grab all the
> content from those and it fails config check with not enough explanations as
> to why.
>
>
>
> <group name="QlikSense Roles">
>   <rule id="100001" level="7">
>     <srcip>192.168.2.10</srcip>
>     <description>Example of rule that will grab role changes</description>
>     <description>Role Change from IP 192.168.2.10</description>
>   </rule>
>

This rule doesn't do very much. It looks for any log message that has
decoded the IP "192.168.2.10" from its content.
It is not looking at logs from that IP address, just logs caused by
that IP address.
You also have 2 descriptions, and nothing really limiting what log
events this rule would apply to.
If you could provide a log sample, it'd be a lot easier to help you
create a rule.


>
> On Wednesday, June 22, 2016 at 7:34:21 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <[email protected]> wrote:
>> > Just trying to get a simple configuration to pickup the text log files
>> > from
>> > a Windows 2012R2 server.
>> > Been over every doc, reinstalled, worked all night and ZIP.
>> > Blood running in my eyes from smashing forehead on keyboard.
>> >
>> > I have everything going to logall just to see if it's working but I am
>> > lost
>> > on how to setup the XXXX_rules.xml files
>> > Is there some examples or clearer docs on this anywhere?
>> >
>>
>> So what is working?
>> Are the logs being shipped to the OSSEC server?
>>
>> There are plenty of examples of rules in /var/ossec/rules. I believe
>> there is a page in the documentation on writing rules (and decoders)
>> as well.
>> What are you having trouble with specifically?
>>
>> > Simple config snippet
>> >
>>
>> This is on the Windows agent in its ossec.conf, correct?
>>
>> > <!-- One entry for each file/Event log to monitor. -->
>> > <localfile>
>> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
>> >   <log_format>syslog</log_format>
>> > </localfile>
>> > <localfile>
>> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
>> >   <log_format>syslog</log_format>
>> > </localfile>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>


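The three problems dan points out in the quoted rule (the `<group>` is never closed, so the config check fails; there are two `<description>` elements; and `<srcip>` only matches an IP that a decoder has already pulled out of the log text, so nothing actually limits which logs the rule applies to) are easy to catch before restarting the agent. The script below is an added example, not part of this thread or of OSSEC's own tooling: it lints a `local_rules.xml` fragment for exactly those issues. The sample fragments are constructed copies of the quoted rule, and the `<match>` string in the "fixed" rule is a placeholder, because without a sample line from the Qlik audit file nobody can know the real text to key on.

```python
"""Lint an OSSEC local_rules.xml fragment for the problems raised in the thread.

Added example (not OSSEC's own tooling): it checks that the fragment is
well-formed, that each <rule> has exactly one <description>, that each rule
narrows the logs it applies to by content or by rule chaining, and it flags
<srcip>-style options used without a decoder that extracts that field.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the rule quoted in the thread: no </group>, two
# <description> elements and only <srcip> deciding what the rule matches.
SAMPLE_RULES = """
<group name="QlikSense Roles">
  <rule id="100001" level="7">
    <srcip>192.168.2.10</srcip>
    <description>Example of rule that will grab role changes</description>
    <description>Role Change from IP 192.168.2.10</description>
  </rule>
"""

# Constructed rule that keys on the log text itself. The <match> string is a
# placeholder; the real one must come from a sample line of the audit file.
GOOD_RULES = """
<group name="QlikSense Roles">
  <rule id="100002" level="7">
    <match>PLACEHOLDER role change text</match>
    <description>Qlik Sense role change</description>
  </rule>
</group>
"""

# Options that restrict a rule by log content or by chaining on other rules.
CONTENT_TAGS = ("match", "regex", "decoded_as", "if_sid", "if_group",
                "if_matched_sid", "if_matched_group", "program_name", "id")
# Options that only match once a decoder has populated that field.
DECODED_FIELD_TAGS = ("srcip", "dstip", "user", "url")


def lint_rules(fragment: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    # local_rules.xml has no single root element, so wrap the fragment.
    try:
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML (unclosed <group> or <rule>?): {exc}"]

    findings = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        descriptions = rule.findall("description")
        if len(descriptions) != 1:
            findings.append(
                f"rule {rid}: expected one <description>, found {len(descriptions)}")
        if not any(rule.find(tag) is not None for tag in CONTENT_TAGS):
            findings.append(
                f"rule {rid}: nothing limits which logs it applies to; "
                "add <match>, <regex> or <if_sid>")
        for tag in DECODED_FIELD_TAGS:
            if rule.find(tag) is not None and rule.find("decoded_as") is None:
                findings.append(
                    f"rule {rid}: <{tag}> matches a value a decoder extracted "
                    "from the log text, not the log's sender; pair it with "
                    "<decoded_as> or use <match>")
    return findings


if __name__ == "__main__":
    cases = (("quoted rule", SAMPLE_RULES),
             ("quoted rule with </group> added", SAMPLE_RULES + "</group>\n"),
             ("fixed rule", GOOD_RULES))
    for name, fragment in cases:
        print(name)
        for finding in lint_rules(fragment) or ["ok"]:
            print("  " + finding)
```

Running it on the quoted rule stops at the parse error, which is the same thing the config check trips over; adding `</group>` then surfaces the two-description and no-content-match findings. Once the rule keys on text from an actual line of the audit file, the remaining question in the thread (whether the agent reads the file at all) is answered by the agent's ossec.log, not by the rules.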