Hello Sylvain,

There is an option in OSSEC for that purpose: the <query> label, and it could be used as follows:

    <localfile>
      <location>System</location>
      <log_format>eventchannel</log_format>
      <query>Event/System[EventID=7040]</query>
    </localfile>

You can use EventID=7040 in order to match a specific event; you can use operators like <, >, <=, >= or !=.

Documentation: http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html
Example: https://blog.wazuh.com/report-windows-firewall-status-event-channel/

Hope it helps.

Best Regards,
Alberto R.

On Thursday, October 26, 2017 at 7:19:50 AM UTC-7, Sylvain Crouet wrote:
> Hello.
>
> I would like to filter out some Windows events before the OSSEC agent collects them and sends them to the server. Is it possible and how?
>
> Cordialement / Kind regards
>
> Sylvain Crouet
> Security Officer - Security is everybody's responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> Neocase™ Software is a leading provider of integrated HR and Finance service delivery solutions.
> www.neocasesoftware.com
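Since the original question was about filtering events out rather than selecting one in, here is an added example (not part of the thread above, and not taken from the OSSEC or Wazuh documentation) that uses the same <query> element with the != and <= operators the reply mentions. The channel names are real Windows channels; the excluded EventIDs 4624 and 4634 are constructed placeholders standing in for whatever a given host considers noise, and the 7040 case reuses the ID from the reply.

```xml
<!-- Added example, not from the original thread. -->
<ossec_config>

  <!-- Filter OUT: forward every Security-channel event except two IDs.
       4624 and 4634 are constructed placeholders; substitute your own. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=4624 and EventID!=4634]</query>
  </localfile>

  <!-- Filter IN: only Service Control Manager start-type changes (7040, as in
       the reply) from the System channel, and only at Warning level or worse
       (Level 1=Critical, 2=Error, 3=Warning). Note that the comparison
       operator must be written as &lt;= because the query lives inside an
       XML document; a literal < would make ossec.conf unparseable. -->
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=7040 and Level&lt;=3]</query>
  </localfile>

</ossec_config>
```

The same XPath expression can be checked on the Windows host before it is committed to ossec.conf, for example with the built-in event query tool (wevtutil qe System /q:"Event/System[EventID=7040]" /c:3 /f:text); if the query returns the events you expect there, the agent will see the same selection. Keep in mind that anything excluded at the agent never reaches the server, so an exclusion list is effectively a detection blind spot and is worth reviewing alongside the rules that depend on those channels.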
