I’ve had the same challenge in detecting log entries that indicate a system has 
just recovered from a crash. Several log entries seem to be generated prior to 
OSSEC agent startup and when using the eventlog method of monitoring, never get 
sent to the manager. The EventChannel method of monitoring the Windows event 
logs might help with this. There is a rumor 
<https://groups.google.com/forum/#!topic/ossec-list/mQr3L_sqJ-Q> that 
EventChannel uses bookmarking to pick up from the last known log entry. This 
isn’t included in the documentation anywhere, but the feature appears in 
several commits on github. Unfortunately EventChannel is mostly broken in 2.8, 
so I haven’t looked into validating this theory. Maybe someone else will know 
for sure. Either way, the development version out on github should be fixed, if 
you are interested in testing.
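
A quick way to test the timing theory above on the agent host, as an added example that is not part of this thread or of OSSEC itself: compare the timestamp of the last boot's event 6005 with the Service Control Manager event recording the OSSEC agent service entering the running state. It assumes the agent service's display name contains "OSSEC" and is run in an elevated PowerShell on the Windows agent.

```powershell
# Added example, not from the mailing-list thread. Assumes the OSSEC agent's
# service display name contains "OSSEC" (adjust the -match pattern otherwise).

# Event 6005 is written by the "EventLog" source when the event log service
# starts at boot; Get-WinEvent returns newest first, so -MaxEvents 1 is the last boot.
$logStart = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } -MaxEvents 1

# SCM event 7036 records a service entering a new state; pick the newest one
# that names the OSSEC service and says it entered the running state.
$agentStart = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'OSSEC' -and $_.Message -match 'running' } |
    Select-Object -First 1

if (-not $agentStart) {
    "No 7036 event found for a service matching 'OSSEC'; check the service display name."
    return
}

"Event log service started (6005): $($logStart.TimeCreated)"
"OSSEC agent service running (7036): $($agentStart.TimeCreated)"

if ($agentStart.TimeCreated -gt $logStart.TimeCreated) {
    $gap = [int]($agentStart.TimeCreated - $logStart.TimeCreated).TotalSeconds
    "6005 was written $gap s before the agent came up; a reader that only tails new " +
    "entries (the 'eventlog' log_format) will never see it."
} else {
    "The agent was running before 6005 was written; the timing theory does not explain the gap."
}
```

If the gap is confirmed, the EventChannel reader discussed above is the setting to try, since it is the one that can resume from an earlier position rather than only tailing new entries.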


From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of remoteph...@gmail.com
Sent: Thursday, April 30, 2015 7:59 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] Windows Event Log Question - Startup events


Howdy,

I've had a lot of luck with OSSEC and it's helped immensely to monitor Windows 
systems, but I've run into a problem trying to capture certain event logs from 
Windows systems. 

The event is Windows event 6005, Initialization of audit logs. I believe the 
problem is this event is happening before the OSSEC Agent is started by 
Windows, but I'm not even sure how to check if that's true. I have no problems 
collecting other events from the System event log, but that one never seems to 
come through. 

Is there any way for OSSEC to grab historical Windows event logs, or am I 
approaching this incorrectly?

Thanks

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com 
<mailto:ossec-list+unsubscr...@googlegroups.com> .
For more options, visit https://groups.google.com/d/optout.
