Hi everyone!
I've installed an ossec agent on a windows server. The server produces audit success events that look like this in the eventviewer: user info1 ip info2 domain info3 access important the installed ossec agent parses the events to the archives.log where they look something like this: 2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: *info1: info2: info3: important: *but what i want the archives.log entry to like is: 2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing:* important:* *info1: info2: info3: *Is it even possible to do this? If yes, where are the things i have to edit. Thanks in advance. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
