On Thu, Jan 30, 2014 at 1:07 PM, Doug Kelly <[email protected]> wrote:
> I have a Windows client that I want to generate an alert when a certain file
> is deleted. I have enabled the Audit File System local group policy. I have
> modified the audit policy for that file so that
> an event is generated in the Security Event Viewer. My ossec.conf file
> contains:
>
> <localfile>
> <location>Security</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> which I thought would cause the event to be logged into the ossec.log file

You're confused. Log messages that do not originate from OSSEC do not go
into the ossec.log file.

> and sent to the server. I can see the audit success in the Security Event
> viewer but I do not see it
> in either the ossec.log or the server. Is there a place that I can see

Where did you check on the server?

> this alert either outgoing from the PC or incoming to the server? Shouldn't
> all entries into the security event viewer
> show up at the server? What am I doing wrong.
>

I don't know, but I assume that they should.
Have you turned on the log all option on the server? If so, did you check
the archives.log for the log message? If not, why not?

> Thanks,
> Doug
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
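
The two checks asked about in the reply above (is the server's log-all option on, and did the event reach archives.log), as an added sketch that is not part of the original thread. It assumes the option is `<logall>yes</logall>` in the server's ossec.conf and that the archive is the server's archives.log (/var/ossec/logs/archives/archives.log on a default install); the sample files, the agent name `winclient` and the file name are constructed.

```shell
# Added example (not from the thread). All sample files below are constructed.

# logall_enabled CONF: succeed if <logall>yes</logall> is set outside a
# single-line XML comment in the server's ossec.conf.
logall_enabled() {
    sed 's/<!--.*-->//g' "$1" |
        grep -Eq '<logall>[[:space:]]*yes[[:space:]]*</logall>'
}

# count_archived ARCHIVE AGENT NEEDLE: print how many archived WinEvtLog
# lines from agent "(AGENT)" contain the literal string NEEDLE.
count_archived() {
    grep -F "($2)" "$1" | grep -F 'WinEvtLog' | grep -Fc -- "$3" || true
}

# diagnose CONF ARCHIVE AGENT NEEDLE: print one of
#   logall-off | not-received | archived:N
diagnose() {
    if ! logall_enabled "$1"; then
        echo "logall-off"        # server is not archiving raw events at all
        return 0
    fi
    n=$(count_archived "$2" "$3" "$4")
    if [ "$n" -gt 0 ]; then echo "archived:$n"; else echo "not-received"; fi
}

# --- constructed sample input ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossec.conf" <<'EOF'
<ossec_config>
  <global>
    <!-- <logall>no</logall> -->
    <logall>yes</logall>
  </global>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/ossec-off.conf" <<'EOF'
<ossec_config><global><!-- <logall>yes</logall> --></global></ossec_config>
EOF
cat > "$SAMPLE_DIR/archives.log" <<'EOF'
2014 Jan 30 13:10:02 (winclient) 192.0.2.10->WinEvtLog 2014 Jan 30 13:10:01 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: WINCLIENT: An attempt was made to access an object. Object Name: C:\Data\payroll.xls Accesses: DELETE
2014 Jan 30 13:11:40 (otherhost) 192.0.2.11->/var/log/secure Jan 30 13:11:40 otherhost sshd[411]: Accepted publickey for admin
EOF

diagnose "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/archives.log" winclient 'payroll.xls'
```

A `not-received` result with log-all enabled points at the agent side (eventlog collection or the agent-to-server connection) rather than at rules or alerting on the server.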
