Re: [ossec-list] eventchannel Applications and Services Logs monitoring

2015-12-24 Thread o . verbniak
Santiago, thanks for your help!

On Wednesday, December 23, 2015 at 20:26:03 UTC+2, Santiago Bassett wrote:
>
> Hi,
>
> Windows informational event rule has level "0", meaning that an alert 
> won't be generated, unless you take down the alert level threshold 
> (log_alert_level, set to "1" by default).
>
> My advice is to create a new rule instead just for events with ID "2005" 
> in order to trigger an alert. I guess something like this would work:
>
>   <rule id="100100" level="5">
>     <!-- id and level were lost in extraction; 100100 and 5 are placeholders -->
>     <if_sid>18101</if_sid>
>     <id>^2005$</id>
>     <description>Windows Firewall enabled\disabled</description>
>   </rule>
>
> Remember to include it in local_rules.xml inside a group section (you can 
> use group="windows,")
>
> On the other hand, try enabling logall option and check if events are 
> written to archives.log
>
> I hope that helps,
>
> Santiago.
>
> On Wed, Dec 23, 2015 at 3:07 AM,  
> wrote:
>
>> Hi.
>> I would like to monitor the channel called "Microsoft-Windows-Windows
>> Firewall With Advanced Security/Firewall".
>> For this I added the following lines into the shared/agent.conf file, inside
>> the Windows agent tag:
>>
>> <localfile>
>>   <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
>>   <log_format>eventchannel</log_format>
>> </localfile>
>>
>> After that I restarted my OSSEC agent and generated some events in the
>> Firewall (enable/disable a firewall rule; events with ID 2005 appeared in
>> the Event Viewer). There is no reaction from the OSSEC server; I was
>> waiting for the default rule ID 18101 ("Windows informational event"), but
>> there are no events.
>> In ossec.log:
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
>> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
>> 2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
>>
>> Could you please tell me what I am doing wrong? Can I use eventchannel to
>> monitor logs from Applications and Services Logs?
>> OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3
>>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] eventchannel Applications and Services Logs monitoring

2015-12-23 Thread Santiago Bassett
Hi,

Windows informational event rule has level "0", meaning that an alert won't
be generated, unless you take down the alert level threshold
(log_alert_level, set to "1" by default).

My advice is to create a new rule instead just for events with ID "2005" in
order to trigger an alert. I guess something like this would work:

  <rule id="100100" level="5">
    <!-- id and level were lost in extraction; 100100 and 5 are placeholders -->
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall enabled\disabled</description>
  </rule>

Remember to include it in local_rules.xml inside a group section (you can
use group="windows,")

On the other hand, try enabling logall option and check if events are
written to archives.log

I hope that helps,

Santiago.

On Wed, Dec 23, 2015 at 3:07 AM,  wrote:

> Hi.
> I would like to monitor the channel called "Microsoft-Windows-Windows
> Firewall With Advanced Security/Firewall".
> For this I added the following lines into the shared/agent.conf file, inside
> the Windows agent tag:
>
> <localfile>
>   <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
> After that I restarted my OSSEC agent and generated some events in the
> Firewall (enable/disable a firewall rule; events with ID 2005 appeared in
> the Event Viewer). There is no reaction from the OSSEC server; I was
> waiting for the default rule ID 18101 ("Windows informational event"), but
> there are no events.
> In ossec.log:
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
> 2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
> 2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).
>
> Could you please tell me what I am doing wrong? Can I use eventchannel to
> monitor logs from Applications and Services Logs?
> OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3

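To make the level-0 point concrete, here is an added example of mine (not OSSEC's code and not something posted in this thread) that loads a local_rules.xml group of the shape Santiago describes and walks it the way OSSEC's rule tree does: a child rule with <if_sid> is tried only after its parent matched, the deepest matching rule decides the level, and that level is then compared against log_alert_level. Everything specific in it is assumed: the WinEvtLog line layout the agent forwards, the rule id 100100 and level 5 for the new rule, and a cut-down stand-in for the built-in rule 18101 so the script runs without an OSSEC install. The sample events are constructed, not captured.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed rule set, not copied from OSSEC. The <group name="windows,"> wrapper is
# what local_rules.xml needs; 18101 is a minimal stand-in for the built-in level-0
# rule so the example runs stand-alone; rule id 100100 and level 5 are assumed.
RULES_XML = """
<group name="windows,">
  <rule id="18101" level="0">
    <decoded_as>windows</decoded_as>
    <status>^INFORMATION$</status>
    <description>Windows informational event.</description>
  </rule>
  <rule id="100100" level="5">
    <if_sid>18101</if_sid>
    <id>^2005$</id>
    <description>Windows Firewall rule enabled/disabled.</description>
  </rule>
</group>
"""

# Assumed layout of the line the agent forwards for an eventchannel source:
# "<timestamp> WinEvtLog: <channel>: <STATUS>(<event id>): <provider>: <user>: <domain>: <host>: <message>"
WINEVT_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<rest>.*)$"
)

# Constructed sample input: 2004 (rule added), 2005 (rule modified), one syslog line.
CHANNEL = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
SAMPLE_LINES = [
    f"2015 Dec 23 12:40:02 WinEvtLog: {CHANNEL}: INFORMATION(2004): Microsoft-Windows-Windows "
    "Firewall With Advanced Security: (no user): no domain: WIN2012: A rule has been added.",
    f"2015 Dec 23 12:40:09 WinEvtLog: {CHANNEL}: INFORMATION(2005): Microsoft-Windows-Windows "
    "Firewall With Advanced Security: (no user): no domain: WIN2012: A rule has been modified.",
    "Dec 23 12:41:00 win2012 sshd[4242]: Accepted publickey for ops from 10.0.0.5",
]

@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None
    decoded_as: Optional[str] = None
    status: Optional[re.Pattern] = None
    event_id: Optional[re.Pattern] = None

def parse_winevt(line: str) -> Optional[dict]:
    """Stand-in for the 'windows' decoder: fields of a WinEvtLog line, or None."""
    m = WINEVT_RE.match(line)
    if m is None:
        return None
    return {"decoder": "windows", "channel": m["channel"], "status": m["status"],
            "id": m["id"], "message": m["rest"]}

def _opt_re(elem, tag: str) -> Optional[re.Pattern]:
    text = elem.findtext(tag)
    return re.compile(text) if text else None

def load_rules(xml_text: str) -> list:
    """Read <rule> elements in file order; a child must come after its <if_sid> parent."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        sid = r.findtext("if_sid")
        rules.append(Rule(id=int(r.get("id")), level=int(r.get("level")),
                          description=(r.findtext("description") or "").strip(),
                          if_sid=int(sid) if sid else None,
                          decoded_as=r.findtext("decoded_as"),
                          status=_opt_re(r, "status"), event_id=_opt_re(r, "id")))
    return rules

def match_rule(event: dict, rules: list) -> Optional[Rule]:
    """A rule with <if_sid> is tried only after its parent matched; the deepest match wins."""
    matched, best = set(), None
    for rule in rules:
        if rule.if_sid is not None and rule.if_sid not in matched:
            continue
        if rule.decoded_as and event["decoder"] != rule.decoded_as:
            continue
        if rule.status and not rule.status.search(event["status"]):
            continue
        if rule.event_id and not rule.event_id.search(event["id"]):
            continue
        matched.add(rule.id)
        best = rule
    return best

def evaluate(lines, rules: list, log_alert_level: int = 1) -> list:
    """(rule id, level, alerted) per line that decodes and matches. log_alert_level=1 is
    OSSEC's default: a level-0 match reaches archives.log with <logall> but never alerts."""
    results = []
    for line in lines:
        event = parse_winevt(line)
        rule = match_rule(event, rules) if event else None
        if rule is not None:
            results.append((rule.id, rule.level, rule.level >= log_alert_level))
    return results

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LINES, load_rules(RULES_XML)):
        print(hit)  # (18101, 0, False) then (100100, 5, True)
```

Running it, the 2004 event stops at 18101 with level 0 and is never alerted (it only shows up in archives.log with logall on), while 2005 reaches the child rule at level 5 and would alert; the syslog line is skipped by the decoder stand-in. On a real server, /var/ossec/bin/ossec-logtest accepts a pasted agent line and prints the rule that fires, which is the quickest way to confirm the local rule before restarting. On the Windows side, Get-WinEvent -ListLog "*Firewall*" prints the exact channel name that <location> has to match.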


[ossec-list] eventchannel Applications and Services Logs monitoring

2015-12-23 Thread o . verbniak
Hi.
I would like to monitor the channel called "Microsoft-Windows-Windows Firewall
With Advanced Security/Firewall".
For this I added the following lines into the shared/agent.conf file, inside
the Windows agent tag:

<localfile>
  <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
  <log_format>eventchannel</log_format>
</localfile>

After that I restarted my OSSEC agent and generated some events in the
Firewall (enable/disable a firewall rule; events with ID 2005 appeared in the
Event Viewer). There is no reaction from the OSSEC server; I was waiting for
the default rule ID 18101 ("Windows informational event"), but there are no
events.
In ossec.log:
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'System'.
2015/12/23 12:37:11 ossec-logcollector(1951): INFO: Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2015/12/23 12:37:11 ossec-logcollector: INFO: Started (pid: 28848).

Could you please tell me what I am doing wrong? Can I use eventchannel to
monitor logs from Applications and Services Logs?
OSSEC agent host: Windows 2012, OSSEC agent 2.8.3, server 2.8.3






