Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari wrote:
> Can you please provide the rule? I am also having the same issue; I need to
> block the user after failed attempts.
> Please help.
>

What is stopping you from creating a rule?
Do you have log samples to help us help you?

> On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>>
>> Hi all,
>>
>> Forgive me if this has been covered somewhere, but I haven't come
>> across it.
>>
>>
>> Is there a way to have OSSEC Active Response block a particular user
>> from logging in? I don't care about thresholds or # of attempts. If I
>> see, 'root' for instance, attempting to logon to a server at all, can
>> OSSEC match on that and drop that username and source IP immediately?
>>
>>
>> Additionally, one question on timeouts. Is the <timeout> flag in
>> seconds or in minutes? If so, I tried setting "<timeout>1</timeout>"
>> but it took 54 seconds to delete from the firewall-drop.sh script. If
>> it is in fact in minutes, how would I set it up to unblock in seconds?
>> Otherwise, if the flag should be seconds, is there a reason why it
>> would take 54 seconds to respond when I set the timeout to 1 second. I
>> know this doesn't make much sense (in terms of setting to 1 second)
>> but I tested with 5 and even 30 seconds and it still took a minute to
>> unblock.
>>
>> Thanks in advance!
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 3:14 AM, Irshad Rahimbux wrote:
> The logs are being pushed to archives.log and not ossec.log
>

Only ossec stuff should be in the ossec.log. Alerts go in alerts.log
and log events go to archives.log (if the logall option is enabled).

> On Thursday, June 15, 2017 at 11:06:58 AM UTC+4, Irshad Rahimbux wrote:
>>
>> Hi,
>>
>> I am using AlienVault OSSIM and would like to be able to read logs from
>> windows besides application, security and system.
>>
>> I have done the following changes in my configuration files as follows:
>>
>>   <localfile>
>>     <location>OAlerts</location>
>>     <log_format>eventchannel</log_format>
>>   </localfile>
>>
>> Logs are being pushed to ossec.log on server as follows:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun
>> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything
>> in the "Junk E-mail" folder will be permanently deleted.  Continue? P1:
>> 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun
>> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything
>> in the "Junk E-mail" folder will be permanently deleted.  Continue? P1:
>> 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>>
>> But these are not being logged on the GUI.
>>
>> I have read on the net that these are informational events and are not being
>> logged. How do I enable those?
>>

You probably need to create rules for the log messages. I don't think
OSSIM takes anything from OSSEC that is not an alert.

>> Grateful if you could help and provide me the steps for doing so.
>> Thanks,
>> IR
>



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread Rahul Tiwari
Can you please provide the rule? I am also having the same issue; I need to
block the user after failed attempts.
Please help.

On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>
> Hi all, 
>
> Forgive me if this has been covered somewhere, but I haven't come 
> across it. 
>
>
> Is there a way to have OSSEC Active Response block a particular user 
> from logging in? I don't care about thresholds or # of attempts. If I 
> see, 'root' for instance, attempting to logon to a server at all, can 
> OSSEC match on that and drop that username and source IP immediately? 
>
>
> Additionally, one question on timeouts. Is the <timeout> flag in
> seconds or in minutes? If so, I tried setting "<timeout>1</timeout>"
> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> it is in fact in minutes, how would I set it up to unblock in seconds? 
> Otherwise, if the flag should be seconds, is there a reason why it 
> would take 54 seconds to respond when I set the timeout to 1 second. I 
> know this doesn't make much sense (in terms of setting to 1 second) 
> but I tested with 5 and even 30 seconds and it still took a minute to 
> unblock. 
>
> Thanks in advance! 
>



[ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread alberto . rodriguez
Hello Irshad

I think I have replied to this on the other thread, haven't I?

https://groups.google.com/forum/#!topic/ossec-list/mDueDPTDFTw

Best regards, 

On Thursday, June 15, 2017 at 9:14:32 AM UTC+2, Irshad Rahimbux wrote:
>
> The logs are being pushed to archives.log and not ossec.log
>
> On Thursday, June 15, 2017 at 11:06:58 AM UTC+4, Irshad Rahimbux wrote:
>>
>> Hi,
>>
>> I am using AlienVault OSSIM and would like to be able to read logs from 
>> windows besides application, security and system.
>>
>> I have done the following changes in my configuration files as follows:
>>
>>   <localfile>
>>     <location>OAlerts</location>
>>     <log_format>eventchannel</log_format>
>>   </localfile>
>>
>> Logs are being pushed to ossec.log on server as follows:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook 
>> Everything in the "Junk E-mail" folder will be permanently deleted. 
>>  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook 
>> Everything in the "Junk E-mail" folder will be permanently deleted. 
>>  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>>
>> But these are not being logged on the GUI.
>>
>> I have read on the net that these are informational events and are not being
>> logged. How do I enable those?
>>
>> Grateful if you could help and provide me the steps for doing so.
>> Thanks,
>> IR
>>
>



[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread alberto . rodriguez
Hello Irshad

You have configured your manager in order to record all events in
archives.log. In this file you have all the events, and the event you want
to see on the GUI is there. But an event may or may not be an alert, and if
you want to see it on the GUI it must be an alert. This is the flow:

An agent sends an event to the manager. The manager analyzes it against the
ruleset. If the event matches any rule in the ruleset, the manager creates an
alert and you can see it on the GUI.

So creating a specific rule and decoder for your event is needed. You could
follow this link in order to create your own rules and decoders for your
events.

Hope it helps. 

Best regards,



On Thursday, June 15, 2017 at 9:14:42 AM UTC+2, Irshad Rahimbux wrote:
>
> The logs are being pushed to archives.log and not ossec.log
>
> On Thursday, June 15, 2017 at 11:09:01 AM UTC+4, Irshad Rahimbux wrote:
>>
>>
>> Hi,
>>
>> I have done the following changes in my configuration files as follows:
>>
>>   <localfile>
>>     <location>OAlerts</location>
>>     <log_format>eventchannel</log_format>
>>   </localfile>
>>
>> Logs are being pushed to ossec.log on server as follows:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org : 
>> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
>> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org : 
>> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
>> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>>
>> But these are not being logged on the GUI.
>>
>> I have read on the net that these are informational events and are not being
>> logged. How do I enable those?
>>
>> Grateful if you could help and provide me the steps for doing so.
>> Thanks
>>
>> On Thursday, June 1, 2017 at 1:04:41 PM UTC+4, Jesus Linares wrote:
>>>
>>> Hi Irshad,
>>>
>>> Sorry, I thought it was the same problem as Akash's.
>>>
>>> I would like to be able to retrieve logs from windows machine to my OSSIM
>>>
>>>
>>> Do you mean OSSEC, right?
>>>
>>> Review the ossec.log of your agent. Maybe the location is wrong or there 
>>> are no events.
>>>
>>> I hope it helps.
>>> Regards.
>>>
>>>
>>> On Thursday, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote:
>>>>
>>>> Can anyone provide some help? @Jesus Linares... the link you provided
>>>> is not helping much. It's for another issue.
>>>>
>>>> On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote:
>>>>>
>>>>> https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo
>>>>>
>>>>> On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote:
>>>>>>
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am also facing the same problem. I am not getting alerts for
>>>>>> creation/deletion of files from the Windows agent
>>>>>> to my manager (Linux). The agent shows connected and active; the only
>>>>>> alerts I get from the agent (win) are agent start/restart/change in ossec.conf (agent).
>>>>>> To monitor the D:\ drive, I have done the following changes in ossec.conf
>>>>>> on the manager:
>>>>>>
>>>>>>  > check_all="yes">C:.,D:.
>>>>>>
>>>>>> But I don't get any alerts on my manager.
>>>>>>
>>>>>> Can you please help me out.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
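A concrete form of the rule alberto is describing, added here as an example and not taken from this thread or from the OSSEC project's ruleset: a local_rules.xml fragment that turns the OAlerts informational entries quoted above into alerts. It assumes OSSEC's stock rule 18101 (the level-0 "Windows informational event" rule that swallows these events; confirm the id in your windows_rules.xml); the ids 100100 and 100101 and the levels 5 and 7 are arbitrary choices for the example.

```xml
<group name="windows,office_alerts,">

  <!-- Added example (not from the thread). OSSEC's stock rule 18101 matches
       every "INFORMATION" Windows event at level 0, so nothing reaches
       alerts.log and therefore nothing reaches the OSSIM GUI. This child rule
       re-raises the Office "OAlerts" channel entries seen in the thread.
       Rule ids 1001xx are arbitrary local ids; pick free ones in the
       100000-119999 local range. <match> is a literal substring test. -->
  <rule id="100100" level="5">
    <if_sid>18101</if_sid>
    <match>WinEvtLog: OAlerts: INFORMATION</match>
    <description>Microsoft Office alert (OAlerts event channel).</description>
  </rule>

  <!-- Child rule for the case from the older ossec-logtest post below: a
       document that could not be opened because the password was wrong.
       Level 7 is an arbitrary choice above the parent so the two cases are
       distinguishable in alerts.log and on the GUI. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>The password is incorrect</match>
    <description>Microsoft Office: password-protected document could not be opened.</description>
  </rule>

</group>
```

Put the fragment in rules/local_rules.xml on the manager, paste one of the archives.log lines quoted above into ossec-logtest and confirm that Phase 3 reports rule 100100 (or 100101) before restarting the manager; the event then lands in alerts.log, which is where OSSIM reads from.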



[ossec-list] Re: OSSEC-LOGTEST yet Alert Generated yet: **Alert to be generated

2017-06-15 Thread Irshad Rahimbux
Hello. This is a very old thread. But I am facing some similar issues.

Can you post the rules that you wrote to get that to work?

Thanks.

On Friday, April 13, 2012 at 10:04:21 PM UTC+4, tomcelica wrote:
>
> Any Ideas what my next step is?   No Alert logged even though rule 
> tests and seems to work. 
> Can this be a bug? 
>
> Here is a record from the archives.log showing the win7 ossec.conf is 
> sending alerts to the OSSEC HIDS Server, (server configured with 
> logall option) 
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: 
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no 
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW- 
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4: 
>
> When I paste this log line into ossec-logtest it seems to pass. 
>
>
> [root@it-mgmt bin]# ./ossec-logtest 
> 2012/04/13 10:57:17 ossec-testrule: INFO: Reading local decoder file. 
> 2012/04/13 10:57:17 ossec-testrule: INFO: Started (pid: 3107). 
> ossec-testrule: Type one log per line. 
>
> 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: 
> OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no 
> domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is 
> incorrect. Word cannot open the document.  (C:\...\PW- 
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4: 
>
>
> **Phase 1: Completed pre-decoding. 
>full event: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0- 
> >WinEvtLog WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 
> Alerts: (no user): no domain: tp-e420s-1546.mydomain.net: Microsoft 
> Word The password is incorrect. Word cannot open the document.  (C:\... 
> \PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3: 
> P4:' 
>hostname: 'it-mgmt' 
>program_name: '(null)' 
>log: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog 
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no 
> user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The 
> password is incorrect. Word cannot open the document.  (C:\...\PW- 
> linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3:  P4:' 
>
> **Phase 2: Completed decoding. 
>decoder: 'Office-Alerts' 
>dstuser: 'Microsoft Office 14 Alerts: ' 
>status: 'tp-e420s-1546.mydomain.net:' 
>action: 'Microsoft Word The password is incorrect. Word cannot 
> open the document.' 
>
> **Phase 3: Completed filtering (rules). 
>Rule id: '109101' 
>Level: '14' 
>Description: 'Password Protected Document was submitted' 
> **Alert to be generated. 
>



[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux
The logs are being pushed to archives.log and not ossec.log

On Thursday, June 15, 2017 at 11:09:01 AM UTC+4, Irshad Rahimbux wrote:
>
>
> Hi,
>
> I have done the following changes in my configuration files as follows:
>
>   <localfile>
>     <location>OAlerts</location>
>     <log_format>eventchannel</log_format>
>   </localfile>
>
> Logs are being pushed to ossec.log on server as follows:
> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
> Alerts: (no user): no domain: IT-IR.Emtel.Org : 
> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
> Alerts: (no user): no domain: IT-IR.Emtel.Org : 
> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>
> But these are not being logged on the GUI.
>
> I have read on the net that these are informational events and are not being
> logged. How do I enable those?
>
> Grateful if you could help and provide me the steps for doing so.
> Thanks
>
> On Thursday, June 1, 2017 at 1:04:41 PM UTC+4, Jesus Linares wrote:
>>
>> Hi Irshad,
>>
>> Sorry, I thought it was the same problem as Akash's.
>>
>> I would like to be able to retrieve logs from windows machine to my OSSIM
>>
>>
>> Do you mean OSSEC, right?
>>
>> Review the ossec.log of your agent. Maybe the location is wrong or there 
>> are no events.
>>
>> I hope it helps.
>> Regards.
>>
>>
>> On Thursday, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote:
>>>
>>> Can anyone provide some help? @Jesus Linares... the link you provided
>>> is not helping much. It's for another issue.
>>>
>>> On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote:
>>>>
>>>> https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo
>>>>
>>>> On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote:
>>>>>
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I am also facing the same problem. I am not getting alerts for
>>>>> creation/deletion of files from the Windows agent
>>>>> to my manager (Linux). The agent shows connected and active; the only
>>>>> alerts I get from the agent (win) are agent start/restart/change in ossec.conf (agent).
>>>>> To monitor the D:\ drive, I have done the following changes in ossec.conf
>>>>> on the manager:
>>>>>
>>>>>   check_all="yes">C:.,D:.
>>>>>
>>>>> But I don't get any alerts on my manager.
>>>>>
>>>>> Can you please help me out.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>



[ossec-list] Re: Logging of informational events on OSSIM

2017-06-15 Thread Irshad Rahimbux
The logs are being pushed to archives.log and not ossec.log

On Thursday, June 15, 2017 at 11:06:58 AM UTC+4, Irshad Rahimbux wrote:
>
> Hi,
>
> I am using AlienVault OSSIM and would like to be able to read logs from 
> windows besides application, security and system.
>
> I have done the following changes in my configuration files as follows:
>
>   <localfile>
>     <location>OAlerts</location>
>     <log_format>eventchannel</log_format>
>   </localfile>
>
> Logs are being pushed to ossec.log on server as follows:
> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook 
> Everything in the "Junk E-mail" folder will be permanently deleted. 
>  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
> Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook 
> Everything in the "Junk E-mail" folder will be permanently deleted. 
>  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>
> But these are not being logged on the GUI.
>
> I have read on the net that these are informational events and are not being
> logged. How do I enable those?
>
> Grateful if you could help and provide me the steps for doing so.
> Thanks,
> IR
>



[ossec-list] Re: OSSEC - windows event

2017-06-15 Thread Irshad Rahimbux

Hi,

I have done the following changes in my configuration files as follows:

  <localfile>
    <location>OAlerts</location>
    <log_format>eventchannel</log_format>
  </localfile>

Logs are being pushed to ossec.log on server as follows:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
Alerts: (no user): no domain: IT-IR.Emtel.Org : 
Microsoft Outlook Everything in the "Junk E-mail" folder will be 
permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
Alerts: (no user): no domain: IT-IR.Emtel.Org : 
Microsoft Outlook Everything in the "Junk E-mail" folder will be 
permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:

But these are not being logged on the GUI.

I have read on the net that these are informational events and are not being
logged. How do I enable those?

Grateful if you could help and provide me the steps for doing so.
Thanks

On Thursday, June 1, 2017 at 1:04:41 PM UTC+4, Jesus Linares wrote:
>
> Hi Irshad,
>
> Sorry, I thought it was the same problem as Akash's.
>
> I would like to be able to retrieve logs from windows machine to my OSSIM
>
>
> Do you mean OSSEC, right?
>
> Review the ossec.log of your agent. Maybe the location is wrong or there 
> are no events.
>
> I hope it helps.
> Regards.
>
>
> On Thursday, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote:
>>
>> Can anyone provide some help? @Jesus Linares... the link you provided is
>> not helping much. It's for another issue.
>>
>> On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote:
>>>
>>> https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo
>>>
>>> On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote:
>>>>
>>>>
>>>> Hi All,
>>>>
>>>> I am also facing the same problem. I am not getting alerts for
>>>> creation/deletion of files from the Windows agent
>>>> to my manager (Linux). The agent shows connected and active; the only alerts
>>>> I get from the agent (win) are agent start/restart/change in ossec.conf (agent).
>>>> To monitor the D:\ drive, I have done the following changes in ossec.conf
>>>> on the manager:
>>>>
>>>>  >>> check_all="yes">C:.,D:.
>>>>
>>>> But I don't get any alerts on my manager.
>>>>
>>>> Can you please help me out.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>



[ossec-list] Logging of informational events on OSSIM

2017-06-15 Thread Irshad Rahimbux
Hi,

I am using AlienVault OSSIM and would like to be able to read logs from 
windows besides application, security and system.

I have done the following changes in my configuration files as follows:

  <localfile>
    <location>OAlerts</location>
    <log_format>eventchannel</log_format>
  </localfile>

Logs are being pushed to ossec.log on server as follows:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything 
in the "Junk E-mail" folder will be permanently deleted.  Continue? P1: 
300894 P2: 16.0.4534.1001 P3: aldbzP4:
2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
Alerts: (no user): no domain: IT-IR.Emtel.Org: Microsoft Outlook Everything 
in the "Junk E-mail" folder will be permanently deleted.  Continue? P1: 
300894 P2: 16.0.4534.1001 P3: aldbzP4:

But these are not being logged on the GUI.

I have read on the net that these are informational events and are not being
logged. How do I enable those?

Grateful if you could help and provide me the steps for doing so.
Thanks,
IR
