Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
If you have the OSSEC manager installed and running, along with an agent on 
your Windows computer, then the agent should be sending all the event logs 
to the manager and storing them in /var/ossec/logs/archives/archives.log 

This is typically where OSSEC learns about events and triggers alerts such 
as the one you're describing.  So if you can paste the event as OSSEC sees 
and stores it in archives.log, we can add your rule to our 
local_rules.xml and use tools such as ossec-logtest to help you with 
writing your rule.

Unless I'm missing something... in which case I apologize :)

On Monday, October 5, 2015 at 10:11:02 AM UTC-7, Daniel Baker wrote:
>
> More Information:  PCI 10.2.6 Initialization, stopping, or pausing of the 
> audit logs
> My focus is on Windows Services Stop events
>
> I do not have any logs in archives.log
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
More Information:  PCI 10.2.6 Initialization, stopping, or pausing of the 
audit logs
My focus is on Windows Services Stop events

I do not have any logs in archives.log


On Monday, October 5, 2015 at 10:59:25 AM UTC-6, Brent Morris wrote:
>
> It's easier for us to test if you can post it from your archives.log on 
> ossec :)


Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Brent Morris
It's easier for us to test if you can post it from your archives.log on 
ossec :)

On Monday, October 5, 2015 at 9:52:20 AM UTC-7, Daniel Baker wrote:
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <!-- the attributes of Provider, TimeCreated, Execution and Security were stripped from the archived copy -->
>     <Provider />
>     <EventID>1100</EventID>
>     <Version>0</Version>
>     <Level>4</Level>
>     <Task>103</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x4020</Keywords>
>     <TimeCreated />
>     <EventRecordID>2719810</EventRecordID>
>     <Correlation />
>     <Execution />
>     <Channel>Security</Channel>
>     <Computer>Security-Test</Computer>
>     <Security />
>   </System>
>   <UserData>
>     <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
>   </UserData>
> </Event>
>


Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <!-- the attributes of Provider, TimeCreated, Execution and Security were stripped from the archived copy -->
    <Provider />
    <EventID>1100</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>103</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020</Keywords>
    <TimeCreated />
    <EventRecordID>2719810</EventRecordID>
    <Correlation />
    <Execution />
    <Channel>Security</Channel>
    <Computer>Security-Test</Computer>
    <Security />
  </System>
  <UserData>
    <ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
  </UserData>
</Event>

On Monday, October 5, 2015 at 10:25:48 AM UTC-6, dan (ddpbsd) wrote:
>
>
> On Oct 5, 2015 12:23 PM, "Daniel Baker" wrote:
>
> Do you have a log we can test with?
>


Re: [ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread dan (ddp)
On Oct 5, 2015 12:23 PM, "Daniel Baker" wrote:
> This is what I'm trying to add to the local_rules.xml file:
>
> <rule id="RULE_ID" level="LEVEL">  <!-- placeholders: the id and level attributes did not survive the archived copy -->
>   <if_sid>18104</if_sid>
>   <id>^1100$</id>
>   <description>Windows Service Stopped</description>
> </rule>
>

Do you have a log we can test with?



[ossec-list] Re: Monitor Windows Services Shutdown

2015-10-05 Thread Daniel Baker


On Monday, October 5, 2015 at 8:38:17 AM UTC-6, Daniel Baker wrote:
>
> I'm looking for a way to have OSSEC trigger on Event ID 1100 Service 
> Shutdown in Windows.
>

This is what I'm trying to add to the local_rules.xml file:

<rule id="RULE_ID" level="LEVEL">  <!-- placeholders: the id and level attributes did not survive the archived copy -->
  <if_sid>18104</if_sid>           <!-- 18104 is the stock OSSEC "Windows audit success event" parent rule -->
  <id>^1100$</id>                  <!-- anchored so that only event id 1100 matches, not 11000 -->
  <description>Windows Service Stopped</description>
</rule>

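To check the rule above the way Brent's ossec-logtest suggestion would, here is an added Python example (not from the thread and not OSSEC's own code) that emulates the Windows event log decoder and the parent-then-child rule match over constructed archives.log lines. The WinEvtLog line layout, the sample lines and the rule's id and level are assumptions of the example.

```python
import re
from typing import Optional

# Assumed layout of an agent-forwarded Windows event in archives.log (the thread
# shows none, so this is the example's assumption):
#   WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <computer>: <message>
WINEVTLOG_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$")

# Stock OSSEC parents (msauth_rules.xml) split Windows events by status token, so
# <if_sid>18104</if_sid> limits the thread's rule to audit-success events.
PARENT_BY_STATUS = {"INFORMATION": 18101, "WARNING": 18102, "ERROR": 18103,
                    "AUDIT_SUCCESS": 18104, "AUDIT_FAILURE": 18105}

# The thread's rule; id and level are this example's own picks (local ids: 100000-119999).
LOCAL_RULE = {"id": 100100, "level": 10, "if_sid": 18104,
              "event_id": re.compile(r"^1100$"), "description": "Windows Service Stopped"}

def decode(line: str) -> Optional[dict]:
    """Emulate the windows-eventlog decoder: named fields, or None for a foreign line."""
    m = WINEVTLOG_RE.match(line)
    return m.groupdict() if m else None

def evaluate(line: str) -> Optional[dict]:
    """Emulate ossec-logtest for one line: parent rule first, then the local child."""
    ev = decode(line)
    if ev is None:
        return None
    if PARENT_BY_STATUS.get(ev["status"]) != LOCAL_RULE["if_sid"]:
        return None  # <if_sid> unmet: a non-audit-success 1100 is ignored
    if not LOCAL_RULE["event_id"].search(ev["id"]):
        return None  # ^ and $ keep ids such as 11000 from matching
    return {"rule_id": LOCAL_RULE["id"], "level": LOCAL_RULE["level"],
            "description": LOCAL_RULE["description"], "computer": ev["computer"]}

# Constructed sample lines, not from the thread. Event 1100 is written every time
# the Windows Event Log service stops, a normal shutdown included.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(1100): Microsoft-Windows-Eventlog: (no user): "
    "no domain: Security-Test: The event logging service has shut down.",
    "WinEvtLog: Application: INFORMATION(1100): ExampleApp: (no user): no domain: "
    "Security-Test: Constructed application event that reuses id 1100.",
    "WinEvtLog: Security: AUDIT_SUCCESS(11000): ExampleSource: (no user): no domain: "
    "Security-Test: Constructed id that merely starts with 1100.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("ALERT   " if evaluate(line) else "no alert", "<-", line.split(": ", 3)[2])
```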