Hi,
Is there any way of configuring Ossec to monitor Windows Defender
Operational logs located in the applications and services group?
I have attempted to use the following permutations on my Windows agents
ossec.conf file (please see attached text file)
But encounter the following error message below in the Ossec Windows agents
logs:
*2019/10/28 16:46:38 ossec-logcollector: ERROR: Could not EvtSubscribe()
for (Microsoft-Windows-Windows Defender) which returned (15007)*
In the location field, I am using the event name outlined in event viewer,
event channel log format as advised for logs located in the applications
and services logs and the event id's defined by Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
Kind regards,
Jack Porter
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/ea138dc3-44fc-44c7-bc3b-f57f49fefd1d%40googlegroups.com.
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1003]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1005]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1006]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1009]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1013]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1014]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1015]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1116]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1117]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1118]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1119]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1120]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2003]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2005]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2006]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2013]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2020]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2021]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2030]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2031]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2040]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2041]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2042]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=3002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=3007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5009]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5100]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5101]</query>
</localfile>
