Hello Richard

  You should be able to forward this event channel with an XPath query like this:

<localfile>
  <location>USB</location>
  <log_format>eventchannel</log_format>
  <query>
    \<QueryList>
      \<Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
        \<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*\</Select>
      \</Query>
    \</QueryList>
  </query>
</localfile>

But, unfortunately, OSSEC doesn't allow escaping some characters. This is 
fixed in this commit: 

https://github.com/ossec/ossec-hids/commit/fa974c48b4cebd33d6c98ae208706b1ae02fe574#diff-5504d83872b136e9721446ad7a7571f9

But it is not available in the 2.x versions; I think it will be available in 3.x.
Best regards, 
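Before relying on a query like the one above, it is worth confirming on the Windows host that the channel is actually enabled and that the XPath returns events. The following PowerShell is an added example, not code from the reply's author or from OSSEC; it uses the channel name from this thread and the same QueryList as the ossec.conf snippet, but without the backslash escapes, since those are only an ossec.conf concern and not part of the XPath itself.

```powershell
# Added example (not from the ossec-list reply or from OSSEC): check the
# DriverFrameworks-UserMode/Operational channel and test the XPath query
# with Get-WinEvent before putting it into ossec.conf.
$channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# 1. Is the Operational channel enabled? It is disabled by default on Windows 10,
#    so an agent configured against it would simply see nothing.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Warning "$channel is disabled; enable it with: wevtutil sl `"$channel`" /e:true"
}
"Channel: {0}  Enabled: {1}  Records: {2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. The same QueryList as the <query> body in ossec.conf, as plain XML.
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*</Select>
  </Query>
</QueryList>
"@

# 3. Pull the most recent matching events. An empty result with the channel
#    enabled just means no USB activity has been logged yet: plug in a device
#    and run the script again.
$events = Get-WinEvent -FilterXml $query -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    "No events matched the query on $channel."
} else {
    $events |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If this script lists events but the agent forwards nothing, the problem is on the OSSEC side (the escaping limitation mentioned above or the agent's eventchannel support), not in the query or the channel.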

On Friday, April 27, 2018 at 11:35:33 AM UTC+2, Ricard Comas wrote:
>
> Hi! My name is Richard.
>
> I have a problem with the OSSEC agent. I want to scan USB devices in Windows 
> 10 and I enabled the following log in the Event Viewer:
>
> Microsoft-Windows-DriverFrameworks-UserMode/Operational
>
> According to the OSSEC documentation, I have to add the following localfile 
> section to the configuration file to obtain the events:
>
> <localfile>
>   <location>Microsoft-Windows-DriverFrameworks-UserMode/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
> This configuration does not work. If you have an idea that can help me...
>
> Thanks!
>
>

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.