Try: <id>^19$</id>
On Fri, Jan 6, 2012 at 8:34 AM, banjer <[email protected]> wrote:
> Hi, I'm trying to log Windows update events, which in Windows is Event
> ID 19. I have had success with this rule:
>
> <rule id="100034" level="1">
>   <if_sid>18101</if_sid>
>   <status>^INFORMATION</status>
>   <id>19</id>
>   <description>Windows Update successfully installed.</description>
> </rule>
>
> OSSEC will now log typical update events such as this:
>
> WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 (KB2656362) {7ECDE510-CD10-478B-89EC-1D7B255C3419} 104
>
> However, it also logs informational events with 19 in the event ID,
> such as:
>
> WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: SEDNA.omni.imsweb.com: I/O was resumed on database castmain60-vt-report_test_updated. No user action is required.
>
> Is it possible to log an event id that is EXACTLY 19? Thanks!
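The reason `<id>19</id>` also fires on event 3198 is that OSSEC treats each rule field as an unanchored regex, so the pattern only has to occur somewhere in the decoded field; `^19$` pins it to the whole value. The following script is an added example, not code from the thread or from OSSEC: it splits the two WinEvtLog lines quoted above (plus one constructed event with ID 190) into the fields OSSEC's windows-eventlog decoder exposes and applies the rule's `<status>` and `<id>` patterns with Python's `re.search`, which is assumed here to be a close enough stand-in for OSSEC's own regex dialect for the anchor behaviour being discussed.

```python
import re

# Sample events: the two lines from the question plus a constructed event
# with ID 190, added to show that a prefix match would still be too loose.
SAMPLE_EVENTS = [
    "WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: "
    "SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update for Microsoft "
    ".NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 "
    "(KB2656362) {7ECDE510-CD10-478B-89EC-1D7B255C3419} 104",
    "WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: "
    "SEDNA.omni.imsweb.com: I/O was resumed on database "
    "castmain60-vt-report_test_updated. No user action is required.",
    # constructed line, not from the thread
    "WinEvtLog: System: INFORMATION(190): Example-Source: SYSTEM: NT AUTHORITY: "
    "host.example.invalid: constructed event with a three-digit ID",
]

# Header layout of a WinEvtLog line: log name, status, (event id), source name.
HEADER = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<srcname>[^:]+): "
)


def decode(line):
    """Return the decoded fields (log, status, id, srcname) or None if the
    line is not a WinEvtLog header."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def rule_matches(fields, status_pat, id_pat):
    """Model an OSSEC rule with <status> and <id> fields. Each pattern is
    searched, not fully matched, which is the assumption that reproduces
    the behaviour reported in the thread: an unanchored '19' is found inside
    '3198', while '^19$' must match the whole ID."""
    return (
        re.search(status_pat, fields["status"]) is not None
        and re.search(id_pat, fields["id"]) is not None
    )


def matching_ids(id_pat, lines=SAMPLE_EVENTS, status_pat="^INFORMATION"):
    """Event IDs from `lines` that the rule (status_pat, id_pat) would fire on."""
    hits = []
    for line in lines:
        fields = decode(line)
        if fields and rule_matches(fields, status_pat, id_pat):
            hits.append(fields["id"])
    return hits


if __name__ == "__main__":
    for pat in ("19", "^19", "^19$"):
        print(f"<id>{pat}</id> fires on event IDs: {matching_ids(pat)}")
```

Running it shows `19` firing on 19, 3198 and 190, `^19` still firing on 19 and 190, and only `^19$` firing on 19 alone; the same holds for any other numeric `<id>` you want to pin to an exact value.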
