On Thu, Sep 8, 2016 at 4:38 AM, 'Stormgamer16' via ossec-list <[email protected]> wrote:
> Hi everyone!
>
> I've installed an ossec agent on a Windows server. The server produces audit
> success events that look like this in the Event Viewer:
>
> user info1
> ip info2
> domain info3
> access important
>
> The installed ossec agent parses the events to the archives.log where they
> look something like this:
>
> 2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06
> 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145):
> Microsoft-Windows-Security-Auditing: info1: info2: info3: important:
>
> But what I want the archives.log entry to look like is:
>
> 2016 Sep 06 15:20:02 (Host-xxx-16-11-96) xxx.16.11.96->WinEvtLog 2016 Sep 06
> 15:21:38 WinEvtLog: Security: AUDIT_SUCCESS(5145):
> Microsoft-Windows-Security-Auditing: important: info1: info2: info3:
>
> Is it even possible to do this? If yes, where are the things I have to edit?
>
archives.log is supposed to be an archive of the log messages the ossec server receives. Modifying those entries would be strange. I guess you'd have to look at the logcollector daemon to see if you can meddle with the log there.

> Thanks in advance.
