On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <[email protected]> wrote:
> Is the ampersand correctly used at the end of 5142? For other IDs there are
> $ signs used.

Nope, I'm not sure what they were attempting with that.

> Ivars
>
> On Mon, Oct 27, 2014 at 1:51 PM, Brian <[email protected]> wrote:
>>
>> Hello, I am hoping someone may be able to help.
>> I want to capture Windows Event IDs 5142 5143 5144 5145. I found this
>> discussion on how to add it to your ossec.conf file.
>>
>> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
>>
>> However, the events aren't showing up in ossec. Would this be the correct
>> way in configuring OSSEC to capture specific Windows Event IDs?
>>
>> I added the following to my ossec.conf file, above 18104 as the above
>> article suggested, and then restarted ossec.
>>
>> <rule id="19000" level="6">
>>   <if_sid>18100</if_sid>
>>   <id>^5142&|^5143$|^5144$|^5145$</id>
>>   <status>^AUDIT_SUCCESS|^success</status>
>>   <description>Windows audit success event.</description>
>> </rule>
>>
>> Thank you for your help.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
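As an added example (not from the thread or the linked article), here is the rule as posted next to a corrected version placed in local_rules.xml; the rule id 100100 and the description wording are assumptions, the rest follows the stock OSSEC Windows rules the question builds on.

```xml
<!-- Added example for local_rules.xml. Rule id 100100 is an assumption;
     100000-119999 is the range OSSEC reserves for user-defined rules.
     18100 is the stock parent rule for decoded Windows event log entries. -->
<group name="local,windows,">

  <!-- As posted. In OSSEC's regex syntax "$" is the end-of-string anchor;
       "&" has no special meaning, so "^5142&" never matches the id field
       and 5142 is silently dropped while 5143-5145 can still match. -->
  <!--
  <rule id="19000" level="6">
    <if_sid>18100</if_sid>
    <id>^5142&|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>
  -->

  <!-- Corrected: every alternative is anchored on both ends.
       5142 share added, 5143 share modified, 5144 share deleted,
       5145 share object access check. -->
  <rule id="100100" level="6">
    <if_sid>18100</if_sid>
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows network share created, modified, deleted or accessed (5142-5145).</description>
  </rule>

</group>

<!-- Checks before blaming the rule:
     1. Windows only writes 5142-5144 when the "Audit File Share" subcategory
        is enabled, and 5145 only under "Audit Detailed File Share"
        (verify with "auditpol /get /category:*" on the host).
     2. 5145 fires for every access check on every share object and is very
        noisy; consider leaving it out or giving it its own lower-level rule.
     3. The agent's ossec.conf must forward the Security log, i.e.
        <localfile><location>Security</location><log_format>eventlog</log_format></localfile>,
        and both agent and manager need a restart after rule changes. -->
```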
