Is it possible for OSSEC to monitor logs on Windows 7 or 2008 R2 in
addition to the standard System, Security, and Application?
Specifically I would like to monitor the AppLocker log - called
Microsoft-Windows-AppLocker - so I added this to the ossec config on a
Windows 7 PC:
<localfile>
  <location>Microsoft-Windows-AppLocker</location>
  <log_format>eventlog</log_format>
</localfile>
I restarted OSSEC on the client and got this in the client log:
ossec-agent(1907): INFO: Non-standard event log set: 'Microsoft-Windows-AppLocker'.
Further down in the log I got this:
ossec-agent(1951): INFO: Analyzing event log: 'Application'.
ossec-agent(1951): INFO: Analyzing event log: 'Security'.
ossec-agent(1951): INFO: Analyzing event log: 'System'.
ossec-agent(1951): INFO: Analyzing event log: 'Microsoft-Windows-AppLocker'.
So I hoped it was going to work, but I'm not getting any logs on the
server from this event log.
I enabled <logall>yes</logall> on the server and I see logs from this
client from System, Security, and Application, but not from AppLocker,
even though I am generating events that I can see in the Event Viewer
(on the client) and via WMI (on the client).
Can OSSEC monitor these logs and what do I need to change in my
configuration?
-Heath
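Added example, not part of the original post and not taken from the OSSEC project's own documentation: the agent-side `<localfile>` entries as posted above, beside the form that subscribes to the AppLocker channels through the newer Windows event API. It assumes an OSSEC Windows agent build that supports the `eventchannel` log format, and it assumes the standard AppLocker channel names as Event Viewer shows them under Applications and Services Logs; check both on the client before relying on them.

```xml
<!-- Added example (not from the original post or OSSEC's own docs).
     Assumptions: the agent supports log_format 'eventchannel', and the
     AppLocker channels carry their standard names as shown in
     Event Viewer. Both blocks live inside <ossec_config> in the
     agent's ossec.conf. -->

<!-- As posted: 'eventlog' reads through the legacy Event Log API,
     which only exposes the classic logs (Application, Security,
     System, and similar). The agent accepts the name, as the
     'Non-standard event log set' message shows, but AppLocker writes
     to new-style channels, so nothing is ever read or forwarded. -->
<localfile>
  <location>Microsoft-Windows-AppLocker</location>
  <log_format>eventlog</log_format>
</localfile>

<!-- Corrected: subscribe to each AppLocker channel by its full
     channel name using 'eventchannel', the Vista/2008-and-later
     event API. One <localfile> per channel. -->
<localfile>
  <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
  <log_format>eventchannel</log_format>
</localfile>
<localfile>
  <location>Microsoft-Windows-AppLocker/MSI and Script</location>
  <log_format>eventchannel</log_format>
</localfile>
```

To confirm the exact channel names on the client, list them in PowerShell with `Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*'`; the `LogName` column is what goes in `<location>`. Once events arrive on the server, AppLocker event IDs 8003 (audit mode, would have been blocked) and 8004 (blocked) are the ones worth writing rules for, since 8002 (allowed) fires for every permitted execution and is mostly noise.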