Hello, I am hoping someone may be able to help.
I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I found this
discussion on how to add it to your ossec.conf file:
https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
However, the events aren't showing up in OSSEC. Would this be the correct
way of configuring OSSEC to capture specific Windows Event IDs?
I added the following to my ossec.conf file, above 18104 as the above
article suggested, and then restarted OSSEC.
  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <!-- each alternative anchored with ^ and $ so 5142 does not also match e.g. 51420 -->
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>
Thank you for your help.
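As an added example (not part of the original post or of OSSEC itself), the script below lints the `<id>` field of a rule like the one above: it flags any alternative that is not anchored as `^NNNN$`, which catches the stray `&` in the first alternative, and shows with a simplified model of OSSEC sregex anchoring (`^` pins the start, `$` pins the end, `|` separates alternatives; this is an assumption-level model, not OSSEC's real matcher) why that alternative can never match event 5142. The rule text is a constructed copy of the post's rule with the `&` escaped as `&amp;` so the XML parses.

```python
"""Lint the <id> field of OSSEC Windows event-ID rules (added example)."""
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the post. The stray '&' in the first
# alternative is kept (as &amp; so the XML is well-formed) for the linter to flag.
RULE_XML = """<group name="windows,">
  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142&amp;|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>
</group>"""


def lint_id_pattern(pattern):
    """Return the alternatives that are not of the form ^<digits>$."""
    bad = []
    for alt in pattern.split("|"):
        body = alt[1:-1] if alt.startswith("^") and alt.endswith("$") else None
        if body is None or not body.isdigit():
            bad.append(alt)
    return bad


def sregex_match(pattern, value):
    """Simplified model of OSSEC sregex anchoring (assumption, not the real
    implementation): '^' pins the start, '$' pins the end, '|' separates
    alternatives and every other character is a literal."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        if start and end:
            hit = value == lit
        elif start:
            hit = value.startswith(lit)
        elif end:
            hit = value.endswith(lit)
        else:
            hit = lit in value
        if hit:
            return True
    return False


def lint_rules(xml_text):
    """Map each rule id to the list of badly anchored <id> alternatives."""
    report = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        id_elem = rule.find("id")
        if id_elem is not None and id_elem.text:
            report[rule.get("id")] = lint_id_pattern(id_elem.text)
    return report


if __name__ == "__main__":
    for rule_id, problems in lint_rules(RULE_XML).items():
        for alt in problems:
            print(f"rule {rule_id}: alternative {alt!r} is not anchored as ^NNNN$")
    # The broken alternative never matches 5142; the corrected pattern matches
    # exactly 5142 and nothing longer such as 51420.
    print(sregex_match("^5142&|^5143$", "5142"),
          sregex_match("^5142$|^5143$", "5142"),
          sregex_match("^5142$|^5143$", "51420"))
```

Run it against your own local rules file by replacing `RULE_XML` with the file contents; a rule whose `<id>` lints clean but still never fires points at the decoder or the parent rule (`<if_sid>`) rather than at the ID pattern.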