Hello Richard,

You should be able to forward this event channel with an XPath query like this:

  <localfile>
    <location>USB</location>
    <log_format>eventchannel</log_format>
    <query>
      \<QueryList>
        \<Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
          \<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*\</Select>
        \</Query>
      \</QueryList>
    </query>
  </localfile>

But, unfortunately, OSSEC doesn't allow escaping some characters. This is fixed in this commit:
https://github.com/ossec/ossec-hids/commit/fa974c48b4cebd33d6c98ae208706b1ae02fe574#diff-5504d83872b136e9721446ad7a7571f9

But it is not available in the 2.x versions; I think it will be available in 3.x.

Best regards,

On Friday, April 27, 2018 at 11:35:33 AM UTC+2, Ricard Comas wrote:
>
> Hi! My name is Richard.
>
> I have a problem with the OSSEC agent. I want to scan USB devices in Windows 10 and I enabled the following log in the Event Viewer:
>
> Microsoft-Windows-DriverFrameworks-UserMode/Operational
>
> Looking at the OSSEC documentation, in the configuration file I have to add the following localfile section to obtain the events:
>
> <localfile>
>   <location>Microsoft-Windows-DriverFrameworks-UserMode/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
> This configuration does not work. If you have an idea that can help me...
>
> Tnx!
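An added check, not part of the thread, to run on the Windows host before debugging the agent: it confirms the DriverFrameworks-UserMode/Operational channel is enabled (it is off by default, which alone makes a localfile entry produce nothing) and runs the same QueryList as the suggested <query> element, minus the backslash escapes OSSEC needs, through Get-WinEvent to prove the query itself returns USB events. The function name is mine; the channel name and query come from the reply above.

```powershell
# Added example: verify the event channel and XPath query outside of OSSEC.
# Run from an elevated PowerShell prompt (enabling a channel needs admin rights).
$Channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Test-OssecEventChannel {
    param(
        [string]$LogName   = $Channel,
        [int]   $MaxEvents = 5
    )

    # The channel is disabled by default; enable it if needed so events get written.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
        Write-Host "Enabled channel '$LogName'"
    }

    # Same QueryList as in the ossec.conf <query> element, without the '\<' escapes
    # (those are only needed inside ossec.conf, not for the Windows event log API).
    $query = [xml]@"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*</Select>
  </Query>
</QueryList>
"@

    $events = Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "Query is valid but returned no events yet; connect a USB device and re-run."
        return
    }

    # Newest events first; EventID 2003/2100-series entries appear on device arrival.
    $events | Select-Object TimeCreated, Id, ProviderName, Message
}

Test-OssecEventChannel
```

If this returns events but the agent still forwards nothing, the problem is on the OSSEC side (the escaping limitation in 2.x described above), not the Windows channel.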