Re: [ossec-list] eventchannel Applications and Services Logs monitoring
Santiago, thanks for your help!

On Wednesday, December 23, 2015 at 20:26:03 UTC+2, Santiago Bassett wrote:
> Hi,
>
> The Windows informational event rule has level "0", meaning that an alert won't be generated unless you take down the alert level threshold (log_alert_level, set to "1" by default).
>
> My advice is to create a new rule instead, just for events with ID "2005", in order to trigger an alert. I guess something like this would work:
>
>     <if_sid>18101</if_sid>
>     <id>^2005$</id>
>     <description>Windows Firewall enabled\disabled</description>
>
> Remember to include it in local_rules.xml inside a group section (you can use group="windows,").
>
> On the other hand, try enabling the logall option and check if events are written to archives.log.
>
> I hope that helps,
>
> Santiago.

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] eventchannel Applications and Services Logs monitoring
Hi,

The Windows informational event rule has level "0", meaning that an alert won't be generated unless you take down the alert level threshold (log_alert_level, set to "1" by default).

My advice is to create a new rule instead, just for events with ID "2005", in order to trigger an alert. I guess something like this would work:

    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall enabled\disabled</description>

Remember to include it in local_rules.xml inside a group section (you can use group="windows,").

On the other hand, try enabling the logall option and check if events are written to archives.log.

I hope that helps,

Santiago.
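The advice above, written out as complete configuration. This is an added example, not code from the thread or from the OSSEC project: the rule id 100100, the level 5 and the description text are my choices (any unused id in the local range and any level at or above the alert threshold will do), and the two ossec.conf fragments are shown side by side with the rule so the effect of each setting is clear. The block covers two separate files, local_rules.xml and the server's ossec.conf, separated by comments.

```xml
<!-- File 1: rules/local_rules.xml (added example; id 100100 and level 5 are assumptions) -->
<group name="windows,">
  <!-- 18101 ("Windows informational event") is level 0 and therefore never produces an
       alert by itself. This child rule fires only when the decoded Windows event ID is
       exactly 2005, so only the firewall-rule change is raised, not every informational
       event coming from the channel. -->
  <rule id="100100" level="5">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall rule enabled/disabled (event ID 2005)</description>
  </rule>
</group>

<!-- File 2: etc/ossec.conf on the server. The two knobs mentioned in the reply. -->
<ossec_config>
  <alerts>
    <!-- Default is 1. Rules of level 0, such as 18101, sit below this threshold and are
         dropped before alerting, which is why the firewall events were silently accepted
         and never alerted on. Kept at the default here: the child rule above is the
         targeted fix, and lowering the global threshold would raise every low-level
         event from every agent. -->
    <log_alert_level>1</log_alert_level>
  </alerts>
  <global>
    <!-- Troubleshooting aid: with logall enabled every received event, alerting or not,
         is written to logs/archives/archives.log. A line carrying the channel name and
         event ID 2005 there proves the eventchannel reaches the server and the problem
         is purely on the rule side. Disable it again afterwards; it is noisy. -->
    <logall>yes</logall>
  </global>
</ossec_config>
```

Restart ossec-analysisd (or the whole server) after editing either file, then re-trigger the event by enabling or disabling a firewall rule on the agent and watch logs/alerts/alerts.log for rule 100100.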
[ossec-list] eventchannel Applications and Services Logs monitoring
Hi.
I would like to monitor the channel called "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall".
For this I added the following lines into the shared/agent.conf file, inside the Windows agent tag:

    <localfile>
      <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
      <log_format>eventchannel</log_format>
    </localfile>

After that I restarted my OSSEC agent and generated some events in the Firewall (enabled/disabled a firewall rule; events with ID 2005 appeared in the Event Viewer). There is no reaction from the OSSEC server. I was waiting for the default rule ID 18101 ("Windows informational event"), but there are no events.
In the ossec log:
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).

Could you please tell me what I am doing wrong? Can I use eventchannel to monitor logs from Applications and Services Logs?
OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3