Hi Brett, here you can find information about the configuration preference: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#precedence
In your case, both configurations are applying. Also, I recommend that you filter other noisy events <https://github.com/wazuh/wazuh/blob/master/src/win32/ossec.conf#L17>.

Regards.

On Thursday, April 20, 2017 at 6:26:18 PM UTC+2, Brett Simpson wrote:
>
> I wasn't sure how to do this or if it's possible, but I have a large number
> of ossec agents where I want to filter out specific Windows Event IDs agent
> side. If I modify the ossec.conf on the agent and replace the log_format of
> my System from eventlog to eventchannel, it works; however, if I leave it as
> eventlog and alter the centralized agent config to include that for Windows
> OS, it doesn't work. I do see it get replicated to the agent under the
> shared folder, but it looks like eventlog is taking priority. Touching each
> agent is not feasible as I just don't have that kind of control; at least I
> would have to somehow repackage an ossec install and wrap a new config into
> it, then have my IT people reinstall it on hundreds of Windows systems.
> Although I'm testing filtering event ID 7000 on a workstation, I have many
> Windows servers with the Windows packet filtering bombarding the event
> logs. This ends up saturating my network links from the agent to the
> manager, which I want to eliminate.
>
> In ossec.conf
> <localfile>
>   <location>System</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> In Shared folder as agent.conf
> <agent_config os="Windows">
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID!=7000]</query>
>   </localfile>
>
> </agent_config>
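
Added example (not part of the thread and not Wazuh code): since the reply says both configurations apply, this Python check finds channels that the shared agent.conf filters with a `<query>` while the agent's local ossec.conf still has a `<localfile>` block for the same channel without one. The sample inputs are constructed from the two snippets quoted above (the `<ossec_config>` wrapper is added), the function names are hypothetical, and the files are assumed to be well-formed XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the two snippets quoted in the thread.
OSSEC_CONF = """
<ossec_config>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

AGENT_CONF = """
<agent_config os="Windows">
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=7000]</query>
  </localfile>
</agent_config>
"""

def localfiles(conf_text):
    """Return {location: [(log_format, query), ...]} for every <localfile>."""
    # Either file may hold several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for lf in root.iter("localfile"):
        loc = (lf.findtext("location") or "").strip().lower()
        fmt = (lf.findtext("log_format") or "").strip()
        query = (lf.findtext("query") or "").strip() or None
        found.setdefault(loc, []).append((fmt, query))
    return found

def unfiltered_duplicates(local_text, shared_text):
    """Channels filtered in the shared config but collected unfiltered locally."""
    local, shared = localfiles(local_text), localfiles(shared_text)
    hits = []
    for loc, shared_entries in shared.items():
        if not any(query for _, query in shared_entries):
            continue  # the shared config does not filter this channel
        hits += [(loc, fmt) for fmt, query in local.get(loc, []) if query is None]
    return hits

if __name__ == "__main__":
    for loc, fmt in unfiltered_duplicates(OSSEC_CONF, AGENT_CONF):
        print(f"{loc}: local {fmt} block has no <query> and still applies")
```

Run against each agent's ossec.conf, this lists the local blocks that would need to change before the centralized filter can reduce the traffic sent to the manager.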