I'm contemplating it but my C is rusty to say the least, I haven't needed to use it for over a decade. I'll have a hack and see what turns up.
Regards,

Nick

On 23 November 2012 13:15, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 22, 2012 at 11:30 AM, Nick Davies <n...@badhedgehog.co.uk> wrote:
> > AND...
> >
> > I've downloaded and installed 2.7 but am getting the same results. Looking
> > at read_win_el.c (line 57 this time) it looks to still be using OpenEventLog
> > rather than EvtOpenLog.
> >
> > Is my diagnosis of the problem correct? If so, are there any plans to
> > migrate to the new Windows API?
> >
>
> Not that I know of. Have a patch?
>
> > Regards,
> >
> > Nick
> >
> >
> > On 22 November 2012 15:42, Nick Davies <n...@badhedgehog.co.uk> wrote:
> >>
> >> Or maybe I could just read the release notes <sigh>
> >> http://www.ossec.net/?p=577
> >>
> >> Regards,
> >>
> >> Nick
> >>
> >>
> >> On 22 November 2012 15:38, Nick Davies <n...@badhedgehog.co.uk> wrote:
> >>>
> >>> Talking to myself a little, it looks like the problem could be due to
> >>> read_win_el.c using OpenEventLog (line 56), which is the pre-Vista flavour.
> >>> I'm guessing it's having problems coping with the new-format log files, hence
> >>> failing with a %4 in the event log name and falling back to monitoring the
> >>> application log (as per
> >>> http://msdn.microsoft.com/en-gb/library/windows/desktop/aa363672%28v=vs.85%29.aspx ).
> >>>
> >>> There's a thread on the problem (but with Python) at
> >>> http://mail.python.org/pipermail/python-win32/2012-May/012292.html which
> >>> seems to suggest that EvtOpenLog would be needed
> >>> ( http://msdn.microsoft.com/en-gb/library/windows/desktop/aa385447%28v=vs.85%29.aspx )
> >>> to cope with the newer event logs.
> >>>
> >>> Are there any plans to add this to OSSEC? I would try myself but I'm a
> >>> read-only 'C' coder.
> >>>
> >>> Regards,
> >>>
> >>> Nick
> >>>
> >>>
> >>> On 22 November 2012 13:28, Nick Davies <nick.badhedgehog.dav...@gmail.com> wrote:
> >>>>
> >>>> This appears to be a bit of a FAQ but I can't find anywhere that it's
> >>>> been answered.
> >>>>
> >>>> I want to monitor additional Windows event logs, specifically the
> >>>> Windows print operational log.
> >>>>
> >>>> I've added a new localfile directive:
> >>>>
> >>>> <localfile>
> >>>>   <location>Microsoft-Windows-PrintService Operational</location>
> >>>>   <log_format>eventlog</log_format>
> >>>> </localfile>
> >>>>
> >>>> But I don't seem to be getting anything in the archive log (logall being
> >>>> enabled).
> >>>>
> >>>> I've tried a number of things in the <location> tag (restarting the
> >>>> agent after each change), including (with results):
> >>>>
> >>>> Microsoft-Windows-PrintSrvice Operational:
> >>>> The ossec agent log entry for this was "2012/11/22 13:09:17
> >>>> ossec-agent(1907): INFO: Non-standard event log set:
> >>>> 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintSrvice Operational'."
> >>>> but was followed with a later "2012/11/22 13:09:20 ossec-agent(1951): INFO:
> >>>> Analyzing event log:
> >>>> 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintSrvice Operational'."
> >>>>
> >>>> Microsoft-Windows-PrintService%4Operational:
> >>>> This gave the agent log entry: "2012/11/22 13:23:58 ossec-agent(1906):
> >>>> ERROR: Error parsing file: 'Microsoft-Windows-PrintService%4Operational'."
> >>>>
> >>>> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational:
> >>>> This gave the agent log entry: "2012/11/22 13:08:13 ossec-agent(1906):
> >>>> ERROR: Error parsing file:
> >>>> 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational'."
> >>>>
> >>>> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational:
> >>>> This gave the agent log entry: "2012/11/22 13:17:59 ossec-agent(1907):
> >>>> INFO: Non-standard event log set:
> >>>> 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational'."
> >>>> "2012/11/22 13:18:02 ossec-agent(1951): INFO: Analyzing event log:
> >>>> 'C:\windows\System32\Winevt\Logs\Microsoft-Windows-PrintService Operational'."
> >>>>
> >>>> In all cases no archive log entries were seen that matched up with
> >>>> entries in the corresponding Windows log (as seen by Event Viewer). I seem to
> >>>> be lacking the appropriate incantations to get this working. Has anyone had
> >>>> any joy with this sort of thing?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Nick
> >>>
> >>>
> >>
> >
>
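The thread's diagnosis can be checked from the Windows side without touching OSSEC. The PowerShell below is an added example, not code from the thread or from the OSSEC code base. It assumes a Windows host with PowerShell 5.1 or later and an elevated prompt (enabling a channel needs it). It uses the channel name as the Windows Event Log API registers it, `Microsoft-Windows-PrintService/Operational` (the `%4` in the on-disk `.evtx` filename is the encoded `/`); enables the channel, which is off by default; reads it through the new API (`Get-WinEvent`, which sits on `EvtQuery`/`EvtNext`); and shows the legacy API (`Get-EventLog`, which sits on `OpenEventLog`/`ReadEventLog`) rejecting the same name, which is the mismatch the thread identifies in read_win_el.c. Whether OSSEC 2.7 accepts the slash form in `<location>` is not something the thread settles; this only confirms what each Windows API can and cannot open.

```powershell
# Added example; not from the OSSEC thread or the OSSEC code base.
# Assumes: Windows with PowerShell 5.1+, run from an elevated prompt.
# Channel name as the Windows Event Log API knows it. On disk the same channel is
# %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PrintService%4Operational.evtx,
# where "%4" encodes the "/".
$Channel = 'Microsoft-Windows-PrintService/Operational'

# 1. Does the channel exist here, and is it switched on? This channel is disabled
#    by default, so "no events" is often just "not enabled yet".
$cfg = Get-WinEvent -ListLog $Channel -ErrorAction Stop
'{0}: enabled={1} records={2} file={3}' -f $cfg.LogName, $cfg.IsEnabled, $cfg.RecordCount, $cfg.LogFilePath

if (-not $cfg.IsEnabled) {
    # Same effect as: wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
    "Enabled $Channel; print a test page and re-run to see events."
}

# 2. Read through the Windows Event Log API (EvtQuery/EvtNext under the hood).
#    This is the view a reader built on the EvtOpenLog/EvtQuery family gets.
#    A printed document is logged here as event ID 307; add Id = 307 to the
#    hashtable to see only those.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $Channel } -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $recent) {
    '{0:u}  Id={1,-5} {2}' -f $e.TimeCreated, $e.Id, (($e.Message -split "`n")[0])
}

# 3. The legacy API path only knows classic logs registered under
#    HKLM\SYSTEM\CurrentControlSet\Services\EventLog (Application, System,
#    Security, plus custom classic logs), so the same channel name fails here.
try {
    Get-EventLog -LogName $Channel -Newest 1 -ErrorAction Stop | Out-Null
    "Unexpected: legacy API opened $Channel"
} catch {
    "Legacy API cannot open '$Channel': $($_.Exception.Message)"
}

# Classic logs are reachable through either API, which is why a fallback to
# the Application log still produces output.
Get-EventLog -LogName Application -Newest 1 | Select-Object TimeGenerated, EventID, Source
```

Run it once with the channel disabled and once after printing a test page: step 2 goes from empty to showing events, step 3 fails both times. That difference, not the config spelling, is what a collector has to bridge before `Microsoft-Windows-*` channels can be monitored.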