There is a more elegant way: use eventchannel instead of eventlog to collect
Windows logs.
In /var/ossec/etc/agent.conf:
<agent_config name="AgentName">
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
The event contains textual descriptions of access codes in a
space-separated field (the entire event is on one line) instead of LF CR
followed by double-tab-separated %%XXXX entries.
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
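The two encodings of the Accesses field described in the post, normalized to one list of rights so a rule fires the same way whichever log_format an agent uses. This is an added example, not code from the post or from OSSEC; the %%code-to-name table is an assumed illustrative subset and both sample fields are constructed.

```python
import re

# Illustrative subset of Windows access-right message IDs and the text they
# render to. Assumed for this example; the post does not list them.
ACCESS_NAMES = {
    "%%1537": "DELETE",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData",
    "%%4417": "WriteData",
    "%%4418": "AppendData",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

CODE_RE = re.compile(r"%%\d+")
NAME_RE = re.compile(r"\b(" + "|".join(map(re.escape, ACCESS_NAMES.values())) + r")\b")


def normalize_accesses(field: str) -> list[str]:
    """Return the access rights in an 'Accesses' field as a list of names,
    whichever format the agent produced.

    eventlog     : %%codes separated by line breaks and two tabs, e.g.
                   'Accesses:\\r\\n\\t\\t%%4416\\r\\n\\t\\t%%1541'
    eventchannel : textual descriptions, space separated on one line, e.g.
                   'Accesses: ReadData (or ListDirectory) SYNCHRONIZE'
    """
    codes = CODE_RE.findall(field)
    if codes:
        # Unknown codes are kept verbatim so nothing is silently dropped.
        return [ACCESS_NAMES.get(c, c) for c in codes]
    return [m.group(1) for m in NAME_RE.finditer(field)]


def is_write_access(field: str) -> bool:
    """True when the object-access event records a modifying right."""
    rights = set(normalize_accesses(field))
    return bool(rights & {"WriteData", "AppendData", "WriteAttributes", "DELETE"})


# Constructed samples of the same field in both encodings.
EVENTLOG_FIELD = "Accesses:\r\n\t\t%%4416\r\n\t\t%%4417\r\n\t\t%%1541"
EVENTCHANNEL_FIELD = "Accesses: ReadData (or ListDirectory) WriteData (or AddFile) SYNCHRONIZE"

if __name__ == "__main__":
    for f in (EVENTLOG_FIELD, EVENTCHANNEL_FIELD):
        print(normalize_accesses(f), is_write_access(f))
```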