On Thursday, June 23, 2016 at 6:01:00 AM UTC-5, dan (ddpbsd) wrote:
> On Wed, Jun 22, 2016 at 9:11 PM, Tom ONeil <[email protected]> wrote:
> > Sorry for the slow response, finally slept for a decent length.
> >
> > We are getting everything from the Windows Event logs by default just fine
> > where they should be.
> >
> > Logall is grabbing everything else into archives.
>
> Ok, so Windows event logs aren't an issue.
>
> > What I need is the contents of the mentioned text files into, especially
>
> But you are not getting the log events from the text file in your
> archives.log?
> If that's true: Is the configuration snippet you included in your
> original email present on the agents? Did you restart the OSSEC
> service after making that change to the config file?
> Are there any mentions of the log file in the agent's ossec.log file?
>
> > changes in role or configuration and the user that made them.
>
> Are these bits of information included in the logs inside that text file?
>
> > What I cannot get a handle on is why they don't show up at all.
> > I have read the docs, and tried to modify local_rules.xml to grab all the
> > content from those and it fails config check with not enough explanations as
> > to why.
> >
> > <group name="QlikSense Roles">
> >   <rule id="100001" level="7">
> >     <srcip>192.168.2.10</srcip>
> >     <description>Example of rule that will grab role changes</description>
> >     <description>Role Change from IP 192.168.2.10</description>
> >   </rule>
>
> This rule doesn't do very much. It looks for any log message that has
> decoded the IP "192.168.2.10" from its content.
> It is not looking at logs from that IP address, just logs caused by
> that IP address.
> You also have 2 descriptions, and nothing really limiting what log
> events this rule would apply to.
> If you could provide a log sample, it'd be a lot easier to help you
> create a rule.
>
> > On Wednesday, June 22, 2016 at 7:34:21 AM UTC-5, dan (ddpbsd) wrote:
> >> On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <[email protected]> wrote:
> >> > Just trying to get a simple configuration to pick up the text log files from
> >> > a Windows 2012R2 server.
> >> > Been over every doc, reinstalled, worked all night and ZIP.
> >> > Blood running in my eyes from smashing forehead on keyboard.
> >> >
> >> > I have everything going to logall just to see if it's working but I am lost
> >> > on how to set up the XXXX_rules.xml files.
> >> > Are there some examples or clearer docs on this anywhere?
> >>
> >> So what is working?
> >> Are the logs being shipped to the OSSEC server?
> >>
> >> There are plenty of examples of rules in /var/ossec/rules. I believe
> >> there is a page in the documentation on writing rules (and decoders)
> >> as well.
> >> What are you having trouble with specifically?
> >>
> >> > Simple config snippet
> >>
> >> This is on the Windows agent in its ossec.conf, correct?
> >>
> >> > <!-- One entry for each file/Event log to monitor. -->
> >> > <localfile>
> >> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
> >> >   <log_format>syslog</log_format>
> >> > </localfile>
> >> >
> >> > <localfile>
> >> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
> >> >   <log_format>syslog</log_format>
> >> > </localfile>
> >> >
> >> > --
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
We are getting everything in archives with logall.

The entries I want to catch are:

User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin   (from one logfile)

Stream with name 'Test' added by user 'AIPTEST\qssadmin   (from another logfile)
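Added example, not from the thread and not from OSSEC's shipped decoder or rule set: a decoder and three rules that match the two sample entries above, as they could be written for /var/ossec/etc/local_decoder.xml and /var/ossec/rules/local_rules.xml on the manager (local_decoder.xml is assumed to be loaded by the installed OSSEC version; on older installs the decoders go in etc/decoder.xml). This is the approach dan's reply points at: a rule `<srcip>` only compares against an address a decoder has already extracted, so for free-text audit lines you either match the text with `<match>`/`<regex>` or write a decoder that pulls the fields out. Assumptions: each entry sits on one line (the `syslog` log_format reads one event per line), the closing quote after the acting user is present in the file even though the lines quoted above lack it, and the field names srcuser, dstuser and extra_data are OSSEC's own decoder fields. Rule IDs 100010-100012 are arbitrary choices in the local 100000+ range.

```xml
<!-- /var/ossec/etc/local_decoder.xml (added example) -->

<!-- Parent: anything that reads "... by '<user>". OSSEC regex is unanchored
     unless it starts with ^, so a timestamp or other fields in front of the
     message do not matter. -->
<decoder name="qlik-audit">
  <prematch>by '</prematch>
</decoder>

<!-- "User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'"
     dstuser = account that was changed, srcuser = account that changed it.
     \S is OSSEC's "not a space"; the + stops at the next literal quote. -->
<decoder name="qlik-audit-user">
  <parent>qlik-audit</parent>
  <regex>User '(\S+)' updated by '(\S+)'</regex>
  <order>dstuser, srcuser</order>
</decoder>

<!-- "Stream with name 'Test' added by user 'AIPTEST\qssadmin'"
     .+ (any characters) is used for the stream name because a name may
     contain spaces; the actor goes to srcuser, the stream name to extra_data. -->
<decoder name="qlik-audit-stream">
  <parent>qlik-audit</parent>
  <regex>Stream with name '(.+)' added by user '(\S+)'</regex>
  <order>extra_data, srcuser</order>
</decoder>


<!-- /var/ossec/rules/local_rules.xml (added example) -->
<group name="qlik,qliksense,">

  <!-- Account or role change: fires on lines the qlik-audit-user child decoded -->
  <rule id="100010" level="7">
    <decoded_as>qlik-audit</decoded_as>
    <match>' updated by '</match>
    <description>Qlik Sense audit: user or role updated</description>
  </rule>

  <!-- Stream creation -->
  <rule id="100011" level="7">
    <decoded_as>qlik-audit</decoded_as>
    <match>' added by user '</match>
    <description>Qlik Sense audit: stream added</description>
  </rule>

  <!-- Safety net: the parent prematch hit but neither pattern above did.
       If this is the only rule firing, the line does not look the way the
       regexes assume (e.g. the closing quote really is missing). -->
  <rule id="100012" level="3">
    <decoded_as>qlik-audit</decoded_as>
    <description>Qlik Sense audit: other change (check decoder regex)</description>
  </rule>

</group>
```

Check the decoder and rules on the manager before restarting it, by feeding a line copied from the real file to `/var/ossec/bin/ossec-logtest`, for example `echo "User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'" | /var/ossec/bin/ossec-logtest`; the output should name decoder qlik-audit, show dstuser and srcuser, and report rule 100010. ossec-logtest only proves the manager side, though: if the entries never reach archives.log in the first place, the problem is on the agent (the localfile entry, a restart, or what the agent's ossec.log says about the file), which is what dan's questions above are getting at.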
