Is it possible for OSSEC to monitor logs on a Windows 7 or 2008 R2 in addition to the standard System, Security, and Application?
Specifically I would like to monitor the AppLocker log - called Microsoft-Windows-AppLocker - so I added this to the OSSEC config on a Windows 7 PC:

    <localfile>
      <location>Microsoft-Windows-AppLocker</location>
      <log_format>eventlog</log_format>
    </localfile>

I restarted OSSEC on the client and got this in the client log:

    ossec-agent(1907): INFO: Non-standard event log set: 'Microsoft-Windows-AppLocker'.

Further down in the log I got this:

    ossec-agent(1951): INFO: Analyzing event log: 'Application'.
    ossec-agent(1951): INFO: Analyzing event log: 'Security'.
    ossec-agent(1951): INFO: Analyzing event log: 'System'.
    ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-AppLocker'.

So I hoped it was going to work, but I'm not getting any logs on the server from this event log.

I enabled <logall>yes</logall> on the server and I see logs from this client from System, Security, and Application, but not from AppLocker, even though I am generating events that I can see in the Event Viewer (on the client) and via WMI (on the client).

Can OSSEC monitor these logs, and what do I need to change in my configuration?

-Heath