On Thu, Feb 23, 2017 at 10:30 AM, InfoSec <[email protected]> wrote:
> I found how to run the agent in debug mode. It seems like the issue lies
> with the agent, and the server is faithfully accepting whatever the agent is
> sending across.
>

Oh sweet, I didn't know it did that. I guess I should have read further. Are you using the eventlog or eventchannel log format? There shouldn't be anything in the agent that parses and removes information from the events, so I'd guess that the following is what it is actually getting from the log itself.*

> Event ID 8002 (AppLocker) from agent debug log:
> 2017 Feb 23 16:51:53 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
> INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME:
> Hostname: %PROGRAMFILES%\WINDOWS\RESOURCE KITS\TOOLS\TAIL.EXE was allowed to
> run.
>
> Format is identical to what is reported on the ossec-server.
>

* I know very little about the Windows side of things and avoid it as much as possible.

> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
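One way to check what the agent actually emits, as an added example that is not part of this thread or of OSSEC itself: a small parser for the `WinEvtLog:` line layout seen above. It assumes the legacy eventlog layout is `timestamp WinEvtLog: channel: LEVEL(id): source: user: domain: computer: message` (that is how I read the sample line; treat it as an assumption), and it flags user/domain/computer fields that arrive empty, which is the kind of thing you would want to compare between the agent debug output and what the server stores. The sample lines are constructed, modelled on the one quoted in the thread; the 8004 line and the host name `WS01` are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of an OSSEC legacy "eventlog" line (not taken from OSSEC
# source, inferred from the sample in the thread):
#   timestamp WinEvtLog: channel: LEVEL(id): source: user: domain: computer: message
# The channel and source may contain spaces and slashes but no colons; the
# message is free-form and may contain colons (e.g. a C:\ path), so it is last.
WINEVTLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): "
    r"(?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): "
    r"(?P<user>[^:]*): "
    r"(?P<domain>[^:]*): "
    r"(?P<computer>[^:]*): "
    r"(?P<message>.*)$"
)

# AppLocker "EXE and DLL" channel event ids (documented Windows values).
APPLOCKER_EXE_DLL = {
    8002: "allowed",
    8003: "audit-only: would have been blocked",
    8004: "blocked",
}


@dataclass
class WinEvent:
    timestamp: str
    channel: str
    level: str
    event_id: int
    source: str
    user: str
    domain: str
    computer: str
    message: str


def parse_winevtlog(line: str) -> Optional[WinEvent]:
    """Parse one WinEvtLog line into its fields; None if it does not match."""
    m = WINEVTLOG_RE.match(line.strip())
    if not m:
        return None
    return WinEvent(
        timestamp=m.group("ts"),
        channel=m.group("channel"),
        level=m.group("level"),
        event_id=int(m.group("event_id")),
        source=m.group("source"),
        user=m.group("user"),
        domain=m.group("domain"),
        computer=m.group("computer"),
        message=m.group("message"),
    )


def empty_fields(ev: WinEvent) -> List[str]:
    """Names of identity fields the agent sent as blank (worth comparing with the server copy)."""
    return [n for n in ("user", "domain", "computer") if not getattr(ev, n).strip()]


def applocker_outcome(ev: WinEvent) -> str:
    """Map an AppLocker EXE/DLL event id to its outcome, 'unknown' otherwise."""
    return APPLOCKER_EXE_DLL.get(ev.event_id, "unknown")


# Constructed samples: the first mirrors the line quoted in the thread (joined
# onto one line); the second is invented to show blank user/domain fields.
SAMPLE_ALLOWED = (
    "2017 Feb 23 16:51:53 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: Hostname: "
    "%PROGRAMFILES%\\WINDOWS\\RESOURCE KITS\\TOOLS\\TAIL.EXE was allowed to run."
)
SAMPLE_BLOCKED = (
    "2017 Feb 23 16:52:10 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
    "WARNING(8004): Microsoft-Windows-AppLocker: : : WS01: "
    "C:\\Users\\alice\\Downloads\\tool.exe was prevented from running."
)

if __name__ == "__main__":
    for line in (SAMPLE_ALLOWED, SAMPLE_BLOCKED):
        ev = parse_winevtlog(line)
        if ev is None:
            print("unparsed:", line)
            continue
        print(ev.event_id, applocker_outcome(ev), "blank:", empty_fields(ev), "|", ev.message)
```

Run the same function over the agent debug log and over the archive on the ossec-server; if the parsed fields differ for the same timestamp, the divergence is in transport or server-side decoding rather than in the Windows log itself.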
